The gMan nixWiki

Post-Engagement: Report

Review

The six steps/stages of a PenTest…

  1. Pre-Engagement: Planning & Scope
  2. Recon: Information Gathering
  3. Scanning
  4. Exploitation
  5. Post-Exploitation
  6. Post-Engagement: Report

Overview

Outline of the Post-Engagement Stage:

  1. Prepare the Report
    1. Executive Summary Report (for management)
    2. Technical Report (for IT and InfoSec geeks)
  2. Present the Report

The Report

The six sections of a PenTest report:

  1. Executive Summary
  2. Scope Details
  3. Methodology
  4. Findings & Remediation
  5. Conclusion
  6. Appendix / Appendices

1. Executive Summary

The executive summary is by far the most important section of the report. It is the only section most people will read. It should be written in clear, non-techie language.

  • Audience: C-Suite Executives
  • Length: Brief (concise), maybe 1-2 pages on average.
  • Location: First section of the written report.
  • Timing: Last section you actually write (doing it last will help you prepare a concise summary).

2. Scope Details

Document the scope…

  1. The original scope of the Statement of Work (SOW).
  2. Any scope adjustments that were made along the way.

3. Methodology

The methodology section contains all the nitty-gritty technical details.

  • Include: types of testing, tools, observations, etc.
  • Audience: technical staff & developers
  • Goal/Idea: A security professional should be able to read this section and reproduce your results.
  • NOT: Do not include all the tedious enumerations, scans, screenshots, etc. Put all that crap in the Appendices. If the reader is interested, he can find it all there.

4. Findings & Remediation

Here you describe the security issues and offer suggestions for remediation.

  • This is the “meat and taters” of the report.
  • Findings should include:
    1. Risk Rating (e.g., from CVSS, etc.)
    2. Risk Prioritization (based on likelihood and impact)
    3. Business Impact Analysis (organization specific)

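As an added illustration of the three items above (this is example code, not part of the original wiki page), the following Python rates each finding with a CVSS severity band, combines an analyst-assessed likelihood and impact into a priority, and orders the findings for the report. The severity bands follow the CVSS v3.1 qualitative rating scale; the 1..5 likelihood/impact scales, the P1..P4 thresholds, the `Finding` class and the sample findings are assumptions constructed for this example.

```python
"""Risk rating and prioritisation of pentest findings.

Added example for the Findings & Remediation section; not part of the
original wiki page. The CVSS severity bands follow the CVSS v3.1 qualitative
rating scale. The 1..5 likelihood and impact scales, the P1..P4 thresholds,
and the sample findings below are assumptions constructed for illustration.
"""
from dataclasses import dataclass


def cvss_severity(base_score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    if base_score == 0.0:
        return "None"
    if base_score < 4.0:
        return "Low"
    if base_score < 7.0:
        return "Medium"
    if base_score < 9.0:
        return "High"
    return "Critical"


def priority_from_matrix(likelihood: int, impact: int) -> str:
    """Qualitative priority from a 5x5 likelihood x impact matrix.

    Thresholds on the product are an assumption for this example:
    >= 15 -> P1, >= 8 -> P2, >= 4 -> P3, otherwise P4.
    """
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1..5, got {value}")
    product = likelihood * impact
    if product >= 15:
        return "P1"
    if product >= 8:
        return "P2"
    if product >= 4:
        return "P3"
    return "P4"


@dataclass(frozen=True)
class Finding:
    title: str
    cvss_base: float        # CVSS v3.x base score, 0.0 .. 10.0
    likelihood: int         # 1 (rare) .. 5 (almost certain), assessed for this client
    impact: int             # 1 (negligible) .. 5 (severe), assessed for this client
    business_impact: str    # organisation-specific consequence, in plain language

    @property
    def severity(self) -> str:
        return cvss_severity(self.cvss_base)

    @property
    def risk_score(self) -> int:
        return self.likelihood * self.impact

    @property
    def priority(self) -> str:
        return priority_from_matrix(self.likelihood, self.impact)


def prioritise(findings):
    """Order findings for the report: highest likelihood x impact first,
    CVSS base score as the tie-breaker."""
    return sorted(findings, key=lambda f: (f.risk_score, f.cvss_base), reverse=True)


def findings_table(findings) -> str:
    """Render the prioritised findings as a plain-text table for the report."""
    header = f"{'Pri':<4}{'CVSS':<6}{'Sev':<9}{'L':<3}{'I':<3}{'Title':<46}Business impact"
    rows = [header, "-" * len(header)]
    for f in prioritise(findings):
        rows.append(f"{f.priority:<4}{f.cvss_base:<6.1f}{f.severity:<9}"
                    f"{f.likelihood:<3}{f.impact:<3}{f.title:<46}{f.business_impact}")
    return "\n".join(rows)


# Constructed sample findings (not real test results).
SAMPLE_FINDINGS = [
    Finding("TLS 1.0 enabled on public web server", 3.7, 1, 2,
            "Low: modern clients negotiate TLS 1.2+; mainly a compliance finding"),
    Finding("Reflected XSS in search parameter", 6.1, 3, 2,
            "Moderate: session theft possible if a staff user is phished"),
    Finding("Default credentials on internal admin console", 9.8, 5, 3,
            "High: any foothold on the LAN gains admin over the console"),
    Finding("SQL injection in customer login form", 9.8, 4, 5,
            "Severe: full customer database exposure, regulatory notification required"),
]

if __name__ == "__main__":
    print(findings_table(SAMPLE_FINDINGS))
```

Note that the two CVSS 9.8 findings end up in different priority tiers: the CVSS base score describes the vulnerability in isolation, while likelihood and impact are judged for this organisation, which is what the "Business Impact Analysis" item asks for.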
5. Conclusion

  1. Summarize your conclusions (wrap it up)
  2. Make recommendations for future work.

Try to identify common themes or root causes discovered during the PenTest.

  • Help them improve their security.
  • e.g., common vulnerabilities, best practices, etc.

method_6_post-engagement.txt · Last modified: 2023/01/12 00:47 by gman