2. CONTENT
Documentation and Report Writing
Significance of a Penetration Testing Report
Phases in Report Writing
Report Format
Example of a Penetration test report
3. Documentation and Report Writing
• A penetration testing report plays a significant role: it identifies the
weaknesses found in the system and outlines recommendations to address
them.
• “A report is a statement of the result of an investigation or of any matter
on which definite information is required.”
• Ethical hacking, being the systematic study of vulnerabilities present in a
system, consists of different phases such as footprinting, scanning and
enumeration.
• A penetration test report records the facts gathered in each of these
stages.
4. Significance of a Penetration Testing Report
A penetration testing report is the tangible product of your work and is the
main resource the client uses to finish what the test started: strengthening
the security posture of their systems.
The facts stated in the report form the basis for the corrective measures an
organisation takes to secure its systems. It is therefore important that the
report reflects the actual situation, in plain words.
The departments of an organisation, such as Software Development, Database
Handling, Information Security and Quality Assessment, depend on one another.
A vulnerability introduced by one team may therefore enable an attack on a
system owned by another team within the same organisation, and the report
should make such cross-team dependencies explicit.
6. Report Planning
a) Stating the objective
b) Setting a time frame
c) Analysing the target audience
1. Why does the company need this report?
2. What is the reader's position in the organisation?
3. Does the report's objective fit the company's scope of work?
4. What is the individual's role in implementing an action recommended in
the report?
8. Collecting Information
Information is collected at every stage of penetration testing, such as
footprinting, scanning and assessing vulnerabilities.
A significant amount of information also comes from the tools run against
hosts and networks during the test.
This information may be text (tool output, notes) or images such as
screenshots.
At the end of each stage, the tester collects the information and keeps it in
a file, to be collated with the data from the remaining stages in the final
report.
When penetration testing is performed by a whole team rather than a single
individual, it is critical to have a central location where each member can
store their information and share it with the others for the final report.
9. First Draft
The penetration testing report you produce is not only proof of your skills
as an ethical hacker; it also reflects your writing and communication
skills.
Your ability to articulate findings in a manner that is easily understood by
others complements your professionalism.
It is advisable to start writing the first draft as soon as you have finished
collecting information.
The first draft is only a rough version of the report, so you need not worry
about formatting or proofreading yet.
For your own reference, insert comments in the sections that need
reworking.
10. Review and Final Report
Once the draft is ready, share it with your peers and with the other team
members involved in the testing for review.
Suggestions and improvements will follow; when the final report is ready, it
is sent to the Quality Analysis team of the organisation.
As the report is an official statement from the organisation, it must adhere
to the norms the company sets for any other report.
11. Report Format
• Style, font, colour and other formatting, such as headers and footers.
• Table of Contents (TOC).
• Executive Summary:
Scope of work
Objective
Any assumptions made
Timeframe of the assessment
• Document properties: tester, name of reviewer and approver, version.
• Version control of critical content, so that the same data stays consistent
across different versions of the report.
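The example below is added here and is not part of the original slides. It collates the evidence collected in each phase (as described under "Collecting Information") into a report skeleton carrying the items listed above: a table of contents, an executive summary with scope, objective, assumptions and timeframe, document properties (tester, reviewer, approver, version), and a version history. The severity scale, the data classes and the SHA-256 evidence manifest (a digest of each stored screenshot or tool output, so a reviewer can check the central evidence store against the report) are assumptions of this example, and the engagement data is constructed.

```python
"""Added example, not from the original slides: collate per-phase evidence into a
report skeleton with the items listed above (TOC, executive summary, document
properties, version history). Data model and SHA-256 manifest are assumptions."""
import hashlib
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}  # assumed scale

@dataclass
class Evidence:
    name: str        # file name in the team's shared evidence store
    content: bytes   # tool output or screenshot bytes

    def sha256(self) -> str:  # recorded so a reviewer can verify the stored file
        return hashlib.sha256(self.content).hexdigest()

@dataclass
class Finding:
    title: str
    severity: str    # key of SEVERITY_RANK
    phase: str       # footprinting / scanning / vulnerability assessment
    description: str
    recommendation: str
    evidence: list = field(default_factory=list)

@dataclass
class ReportMeta:
    client: str
    scope: str
    objective: str
    assumptions: list
    start: date
    end: date
    tester: str
    reviewer: str
    approver: str
    version: str
    history: list    # (version, date, author, change) tuples

def sort_findings(findings):
    """Most severe first; an unknown label is an error rather than silently sorted last."""
    for f in findings:
        if f.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {f.severity!r} in {f.title!r}")
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.phase, f.title))

def evidence_manifest(findings):
    """name -> sha256 for every evidence item the report refers to."""
    return {e.name: e.sha256() for f in findings for e in f.evidence}

def render_markdown(meta, findings):
    ordered = sort_findings(findings)
    counts = {s: sum(1 for f in ordered if f.severity == s) for s in SEVERITY_RANK}
    sections = ["Document Properties", "Executive Summary", "Findings",
                "Evidence Manifest", "Version History"]
    out = [f"# Penetration Test Report: {meta.client}", "", "## Table of Contents"]
    out += [f"- {s}" for s in sections]
    out += ["", "## Document Properties", f"- Tester: {meta.tester}",
            f"- Reviewer: {meta.reviewer}", f"- Approver: {meta.approver}",
            f"- Version: {meta.version}", "", "## Executive Summary",
            f"- Scope of work: {meta.scope}", f"- Objective: {meta.objective}",
            f"- Assumptions: {'; '.join(meta.assumptions) or 'none'}",
            f"- Timeframe: {meta.start.isoformat()} to {meta.end.isoformat()}",
            "- Findings by severity: " + ", ".join(f"{k} {v}" for k, v in counts.items() if v),
            "", "## Findings"]
    for i, f in enumerate(ordered, 1):
        out += [f"### {i}. [{f.severity.upper()}] {f.title}", f"Phase: {f.phase}", "",
                f.description, "", f"Recommendation: {f.recommendation}", ""]
    out += ["## Evidence Manifest"]
    out += [f"- {n}: sha256 {d}" for n, d in sorted(evidence_manifest(ordered).items())]
    out += ["", "## Version History"]
    out += [f"- {v} ({d}) {a}: {c}" for v, d, a, c in meta.history]
    return "\n".join(out) + "\n"

def sample_report():
    """Constructed sample data for a fictitious engagement."""
    meta = ReportMeta(
        client="Example Corp (fictitious)", scope="10.0.0.0/24 internal network",
        objective="Identify exploitable weaknesses reachable from the staff LAN",
        assumptions=["No denial-of-service testing"], start=date(2024, 3, 4),
        end=date(2024, 3, 8), tester="A. Tester", reviewer="B. Reviewer",
        approver="C. Approver", version="1.0",
        history=[("0.1", "2024-03-08", "A. Tester", "first draft"),
                 ("1.0", "2024-03-12", "B. Reviewer", "peer review comments applied")])
    findings = [
        Finding("Outdated SSH service", "medium", "scanning",
                "Version banner reports an end-of-life release.", "Upgrade the package.",
                [Evidence("nmap-10.0.0.5.txt", b"22/tcp open ssh (constructed output)")]),
        Finding("Default credentials on admin console", "high", "vulnerability assessment",
                "Documented default login accepted.", "Change them; enforce rotation.",
                [Evidence("admin-login.png", b"PNG placeholder bytes (constructed)")])]
    return meta, findings

if __name__ == "__main__":
    print(render_markdown(*sample_report()))
```

Running the script prints the Markdown skeleton with the high-severity finding first. Two design points matter for the review stage described later: an unrecognised severity label raises an error instead of being quietly sorted to the bottom, and the evidence manifest ties each screenshot or tool-output file in the shared store to a digest in the report, so a reviewer can detect evidence that was altered or swapped between draft and final version.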
14. Example of a Penetration test report
There are general rules and a framework for preparing a penetration test
report that most testers follow.
In practice, a slight deviation from these foundation principles is
acceptable as long as the report still conveys correct information to the
client.
Deviations arise from the testing environment and the conditions the tester
faces on site.
Mastering the art of report writing takes time and effort, but it is an
achievable goal for everyone.
Here are some sample penetration test reports that you can view online to
get more comfortable with the idea before you write one on your own.