top0n3@home:~$

Write Good Pentest Report

As a pentester, your job is not only to find vulnerabilities. You must also write a clean report that explains your findings to technical and non-technical readers. So how do you do that correctly?

In this article, we will learn how to write a good pentest report.

Introduction

Executive Summary

Methodology

Scope of Engagement

Finding details

Conclusion

Introduction

Writing a good report is an essential part of your pentest contract. In the end, your work will be judged on this report. Even if you find a lot of vulnerabilities, if you write a bad report your work will be misunderstood and maybe considered bad work. Many beginner pentesters do not pay attention to this, and it is a big mistake. Remember that the CEO and other non-technical readers do not know what XSS is. So if you do not have a method to explain it in clear terms and prove its impact, your XSS will not be taken care of. To do that, your report must be organised into several sections.

Below, we explain the purpose of each section and what to include in it.

Let's gooooooooo !!!!

Executive Summary

The first part of your report must be a summary of your work. Its purpose is to give an overview of what you did and what you found. It must not contain technical details. A non-technical reader (the CEO, for example) who receives your report will try to understand all of your work by reading just this part. So you must be brief and clear, and avoid using a lot of technical terms here. This part must also state the risk impact of all the vulnerabilities you found during your pentest. The executive summary must contain:

  • Audience
  • Purpose: give a high-level overview of the result of your work
  • Scope: what was tested
  • Key findings
  • Business impact
  • Brief recommendations

Methodology

The methodology section of your report must describe the methodology you used during your pentest. It must include:

  • What type of test was performed (black, grey or white box testing, …)
  • Tools and attack techniques used
  • Timeline of the test

Finding details

Here is the part that many pentesters really like. Here we assume that the person reading the report is technical and can understand the technical details of your work. It is the part where you can explain your blind SQLi and how/why you encoded your payload. To be understood, this part must be organised. Below is the structure of this part.

For each vulnerability you found, you must explain it along these lines:

  • Title:

A descriptive title for the vulnerability. Example: Blind SQL injection on login form

  • Severity:

Critical, High, Medium or Low, with a risk rating.

It must be determined from the business impact of the vulnerability and the complexity/constraints of its exploitation.

  • Affected target:

domain, API, APK, EXE, server, …

  • Description:

A detailed description of the vulnerability is expected here. Have fun explaining your good finding.

  • Exploitation steps:

Considered the proof of concept, you need to show how a malicious user could exploit this vulnerability by simulating the attack. Screenshots and screen recordings can be added here to explain it well.

  • Recommandation:

You found a bug, what now? Here you need to give recommendations that the developers or other teams can follow to fix the vulnerability. Make sure that you include the best recommendations and test that your recommendations actually fix the vulnerability. Examples:

  • System / software update
  • Code modification
  • Access control implementation
  • Firewall and IDS/IPS setup
  • Anti-virus installation
  • and so on
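As an added illustration (not the author's code), here is a small Python helper that enforces the finding structure described above, refuses to render a report while a finding is incomplete, and orders the findings by severity so the executive summary counts match the details. The target URLs and the two findings in SAMPLE are constructed, not from any real engagement.

```python
from collections import Counter
from dataclasses import dataclass

SEVERITY_ORDER = ("Critical", "High", "Medium", "Low")  # the article's scale, most severe first

@dataclass
class Finding:
    title: str
    severity: str
    affected_target: str     # domain, API, APK, server, ...
    description: str
    exploitation_steps: str  # the proof of concept as it is described to the reader
    recommendation: str

    def validate(self) -> list[str]:
        """Return the problems found; an empty list means the finding is complete."""
        problems = []
        if self.severity not in SEVERITY_ORDER:
            problems.append(f"{self.title!r}: severity must be one of {SEVERITY_ORDER}")
        for name in ("title", "affected_target", "description", "exploitation_steps", "recommendation"):
            if not getattr(self, name).strip():
                problems.append(f"{self.title!r}: empty field {name}")
        return problems

def severity_counts(findings: list[Finding]) -> dict[str, int]:
    # Counts for the executive summary; every level is listed even when it is zero.
    counts = Counter(f.severity for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}

def render_markdown(findings: list[Finding]) -> str:
    # Executive summary counts followed by the finding details; refuses incomplete findings.
    problems = [p for f in findings for p in f.validate()]
    if problems:
        raise ValueError("\n".join(problems))
    lines = ["# Executive summary", ""] + [f"- {s}: {n}" for s, n in severity_counts(findings).items()]
    lines += ["", "# Finding details", ""]
    # Most severe first, so the reader meets the critical items before anything else.
    for f in sorted(findings, key=lambda f: SEVERITY_ORDER.index(f.severity)):
        lines += [f"## {f.title}", f"- Severity: {f.severity}", f"- Affected target: {f.affected_target}", "",
                  f.description, "", "### Exploitation steps", f.exploitation_steps, "", "### Recommendation", f.recommendation, ""]
    return "\n".join(lines)

# Constructed sample findings (hypothetical target, not from a real engagement).
SAMPLE = [
    Finding("Outdated TLS configuration", "Low", "https://app.example.test", "The server still offers TLS 1.0.",
            "Confirmed with a TLS scanner; no data was exposed.", "Disable TLS 1.0/1.1 and keep the TLS library current."),
    Finding("Blind SQL injection on login form", "High", "https://app.example.test/login", "The username is concatenated into a query.",
            "Screenshots of the time-based confirmation.", "Use parameterised queries and re-test before closing the ticket."),
]
```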

Conclusion

  • Summary of the test's overall risk posture
  • Any systemic issues (e.g., outdated libraries everywhere, bad patching policies)
  • Next steps: patching, re-testing, policy updates

Other tricks

Make sure that your document is well formatted. It is a professional document, not just a note !!!!

HAPPY PENTESTING GUYS !!!!!!!!!!!!!!!