Post-Engagement: Report
Review
The six steps/stages of a PenTest…
Pre-Engagement: Planning & Scope
Recon: Information Gathering
Scanning
Exploitation
Post-Exploitation
Post-Engagement: Report
Overview
Outline of the Post-Engagement Stage:
Prepare the Report
Executive Summary Report (for management)
Technical Report (for IT and InfoSec geeks)
Present the Report
The Report
The six sections of a PenTest report:
Executive Summary
Scope Details
Methodology
Findings & Remediation
Conclusion
Appendix / Appendices
1. Executive Summary
The executive summary is by far the most important section of the report. It is the only section most people will read. It should be written in clear, non-techie language.
Audience: C-Suite Executives
Length: Brief (concise), maybe 1-2 pages on average.
Location: First section of the written report.
Timing: Last section you actually write (doing it last will help you prepare a concise summary).
2. Scope Details
Document the scope…
The original scope of the Statement of Work (SOW).
Any scope adjustments that were made along the way.
3. Methodology
The methodology section contains all the nitty-gritty technical details.
Include: types of testing, tools, observations, etc.
Audience: technical staff & developers
Goal/Idea: A security professional should be able to read this section and reproduce your results.
NOT: Do not include all the tedious enumerations, scans, screenshots, etc. Put all that crap in the Appendices. If the reader is interested, they can find it all there.
4. Findings & Remediation
Here you describe the security issues found and offer suggestions for remediation.
5. Conclusion
Summarize your conclusions (wrap it up).
Make recommendations for future work.
Try to identify common themes or root causes discovered during the PenTest.
Help them improve their security.
e.g., common vulnerabilities, best practices, etc.