The gMan nixWiki

Because the mind is made of Teflon...

method_6_post-engagement

Differences

This shows you the differences between two versions of the page.

method_6_post-engagement [2022/09/24 16:10] – created gman
method_6_post-engagement [2023/01/12 00:47] (current) gman
Line 20: Line 20:
  
 ---- ----
 +
 +====== The Report ======
 +
 +The six sections of a PenTest report:
 +  - Executive Summary
 +  - Scope Details
 +  - Methodology
 +  - Findings & Remediation
 +  - Conclusion
 +  - Appendix / Appendices
 +
 +===== 1. Executive Summary =====
 +
 +The executive summary is by far the most important section of the report. It is the only section most people will read. It should be written in clear, non-techie language.
 +  * **Audience:** C-Suite Executives
 +  * **Length:** Brief (concise), maybe 1-2 pages on average.
 +  * **Location:** First section of the written report.
 +  * **Timeing:** Last section you actually write (doing it last will help you prepare a concise summary).
 +
 +===== 2. Scope Details =====
 +
 +Document the scope...
 +  - The original scope of the Statement of Work (SOW).
 +  - Any scope adjustments that were made along the way.
 +
 +===== 3. Methodology =====
 +
 +The methodology sections contains all the nitty-gritty technical details.
 +  * **Include:** types of testing, tools, observations, etc. 
 +  * **Audience:** technical staff & developers
 +  * **Goal/Idea:** A security professional should be able to read this section and reproduce your results.
 +  * **NOT:** Do not include all the tedious enumerations, scans, screenshots, etc. Put all that crap in the Appendices. If the reader is interested, he can find it all there.
 +
 +===== 4. Findings & Remediation =====
 +
 +Here you describe the security issues and offer suggestions for remediation.
 +  * This is the "meat and taters" of the report.
 +  * **Findings** should include: 
 +    - Risk Rating (e.g., from CVSS, etc.)
 +    - Risk Prioritization *based on likelihood and impact)
 +    - Business Impact Analysis (organization specific)
 +
 +===== 5. Conclusion =====
 +
 +  - Summarize your conclusions (wrap it up)
 +  - Make recommendations for future work.
 +
 +Try to identify common themes or root causes discovered during the PenTest.
 +  * Help them improve their security.
 +  * e.g., common vulnerabilities, best practices, etc. 
 +
 +
 + 
  
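Review bot: Three small wording defects in this hunk should be fixed before it is merged. In the Executive Summary bullets, "**Timeing:**" should read "**Timing:**"; in the Methodology section, "The methodology sections contains" should read "The methodology section contains"; and in the Findings list, "Risk Prioritization *based on likelihood and impact)" has a stray asterisk and an unmatched parenthesis and should read "Risk Prioritization (based on likelihood and impact)". The trailing run of empty "+" lines at the end of the hunk adds nothing to the rendered page and could be dropped.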
method_6_post-engagement.1664035851.txt.gz · Last modified: by gman