# Penetration Testing Reporting Cheatsheet

## General Report Structure Elements

| Section | Purpose | Key Components | Tips |
|---------|---------|----------------|------|
| **Cover Page** | Formal introduction to the report | Client name, test dates, report date, classification | Include a security classification (e.g., Confidential) |
| **Executive Summary** | High-level overview for leadership | Key findings, risk rating, strategic recommendations | 1-2 pages, non-technical, business impact focus |
| **Scope & Methodology** | Define what was tested and how | Systems tested, approach used, tools employed | Be specific about what was in and out of scope |
| **Findings Overview** | Summarize discovered vulnerabilities | Risk ratings chart, vulnerability count by severity | Use visual aids (charts, graphs) |
| **Detailed Findings** | Technical details of each vulnerability | Title, severity, description, impact, reproduction steps, remediation | Include screenshots and code samples when helpful |
| **Risk Rating Methodology** | Explain how risk was calculated | Scoring system (CVSS), impact vs. likelihood matrix | Ensures transparency in severity ratings |
| **Remediation Roadmap** | Prioritized fix recommendations | Short/medium/long-term actions, effort estimates | Helps the client prioritize fixes |
| **Conclusion** | Wrap-up and final thoughts | Overall security posture assessment, improvement trajectory | Positive but realistic tone |
| **Appendices** | Supporting technical details | Raw scan data, testing evidence, methodological details | Keep detailed logs here, not in the main report |

## External Network Penetration Test Report

| Section | Specific Content | Important Elements |
|---------|------------------|--------------------|
| **Scope Definition** | External IP ranges, domains, exposed services | Clear network boundaries, exclusions |
| **Reconnaissance Findings** | Exposed information, digital footprint | OSINT results, information leakage assessment |
| **Network Findings** | Discovered vulnerabilities by host/service | Port scan results, service enumeration |
| **Perimeter Security Assessment** | Firewall, VPN, remote access evaluation | Configuration weaknesses, unnecessary exposure |
| **External Service Vulnerabilities** | Web, email, DNS, etc. vulnerabilities | Version information, misconfigurations |
| **Access Control Testing** | Authentication bypass attempts | Brute force results, credential findings |
| **Exfiltration Testing** | Data leakage test results | DLP effectiveness, unmonitored channels |
| **Social Engineering Results** | Phishing campaign results (if in scope) | Click rates, credential capture statistics |
| **Internet-Facing Application Findings** | Public application vulnerabilities | API security, exposed dev environments |
| **Threat Modeling** | Attack vectors assessment | Most likely attack paths |

## Internal Network Penetration Test Report

| Section | Specific Content | Important Elements |
|---------|------------------|--------------------|
| **Network Architecture Review** | Overview of internal design | Segmentation assessment, trust relationships |
| **Active Directory Assessment** | Domain security findings | Group Policy, privilege management issues |
| **Lateral Movement Findings** | Ability to move between systems | Successful pivoting techniques, trust exploitation |
| **Privilege Escalation Paths** | Routes to elevated access | Local to domain admin paths, misconfigurations |
| **Internal Service Vulnerabilities** | File shares, internal applications, databases | Access control issues, sensitive data exposure |
| **Password Policy Evaluation** | Password strength assessment | Password spray results, policy compliance |
| **Data Access Controls** | Sensitive data protection assessment | Unauthorized access findings, excessive permissions |
| **Endpoint Security Findings** | Workstation/server vulnerabilities | Missing patches, AV evasion success |
| **Network Device Security** | Switch, router, wireless findings | Management interface issues, protocol weaknesses |
| **Post-Exploitation Results** | Actions taken after initial compromise | Data accessed, persistence established |

## Web Application Penetration Test Report

| Section | Specific Content | Important Elements |
|---------|------------------|--------------------|
| **Application Overview** | Description of the tested application | Functionality, technologies, architecture |
| **Authentication Mechanisms** | Login security assessment | Brute force, account recovery, session management |
| **Authorization Controls** | Access control evaluation | Vertical/horizontal privilege issues, IDOR |
| **Input Validation Findings** | Injection vulnerabilities | SQL, XSS, CSRF, XXE, command injection |
| **Business Logic Flaws** | Workflow/process vulnerabilities | Logical bypasses, process sequence issues |
| **Sensitive Data Exposure** | Data protection assessment | Encryption issues, exposure in transit/at rest |
| **API Security Findings** | API endpoint vulnerabilities | Authentication, rate limiting, RBAC issues |
| **Client-Side Security** | Browser-based vulnerabilities | DOM XSS, client-side validation bypass |
| **Security Headers & Configuration** | Server/application configuration | Missing headers, dangerous settings |
| **Third-Party Component Analysis** | Vulnerable dependencies | Outdated libraries, known CVEs |
| **OWASP Top 10 Coverage** | Mapping to OWASP categories | Comprehensive coverage confirmation |

## Mobile Application Penetration Test Report

| Section | Specific Content | Important Elements |
|---------|------------------|--------------------|
| **Application Architecture** | App design and components | Client-server interactions, technologies |
| **Reverse Engineering Results** | App code analysis findings | Obfuscation effectiveness, hardcoded secrets |
| **Local Data Storage** | Data storage security | Sensitive data in local storage, encryption issues |
| **Authentication & Session Management** | Login security, session handling | Token security, biometric implementation |
| **Network Communication** | API calls, data transmission | Certificate validation, encryption in transit |
| **Platform-Specific Issues** | iOS/Android security concerns | Permissions, intents/URL schemes, jailbreak detection |
| **Code Quality & Implementation** | Implementation vulnerabilities | Memory corruption, native code issues |
| **Privacy Concerns** | User data handling | Excessive data collection, tracking |
| **Backend API Security** | Server-side endpoint security | Same issues as web API testing |
| **OWASP MASVS Coverage** | Mobile security verification | Mapping to MASVS requirements |

## Cloud Security Assessment Report

| Section | Specific Content | Important Elements |
|---------|------------------|--------------------|
| **Cloud Architecture Review** | Cloud infrastructure design | Service models (IaaS/PaaS/SaaS), deployment model |
| **Identity & Access Management** | IAM configuration security | Permissions, roles, privilege management |
| **Cloud Configuration Review** | Service configuration assessment | Misconfigurations, insecure defaults |
| **Storage Security** | Cloud storage evaluation | Bucket permissions, data classification issues |
| **Compute Security** | VM/container/serverless security | Patch management, hardening issues |
| **Network Security** | Cloud network controls | VPC design, security groups, NACLs |
| **Logging & Monitoring** | Visibility assessment | Log coverage, alerting configuration |
| **Key Management** | Encryption implementation | Key rotation, access controls |
| **Multi-Tenancy Risks** | Isolation effectiveness | Potential cross-tenant vulnerabilities |
| **Compliance Alignment** | Regulatory requirement gaps | Standards/framework alignment (e.g., CSA CCM) |
| **Provider-Specific Findings** | AWS/Azure/GCP specific issues | Service-specific vulnerabilities |

## AI System Penetration Test Report

| Section | Specific Content | Important Elements |
|---------|------------------|--------------------|
| **AI System Architecture** | System design and components | Model types, training pipeline, deployment |
| **Prompt Injection Findings** | LLM vulnerability assessment | Direct/indirect injection, jailbreaking success |
| **Model Security Testing** | Model-specific vulnerabilities | Adversarial examples, data extraction attempts |
| **Training Pipeline Security** | Development process security | Supply chain, data poisoning vectors |
| **API Security Assessment** | Interface security issues | Rate limiting, authentication, input validation |
| **Output Filtering Evaluation** | Safety mechanism assessment | Filter bypass success, content policy violations |
| **Data Privacy Analysis** | PII/sensitive data handling | Training data leakage, inference attacks |
| **Infrastructure Security** | Deployment environment security | Model hosting, vector database security |
| **MITRE ATLAS Mapping** | Tactic/technique correlation | Mapping findings to the ATLAS framework |
| **MLOps Security** | Operational security issues | CI/CD, monitoring, update mechanisms |
| **Prompt Management Security** | System prompt protection | Prompt extraction success, prompt injection |

## IoT/OT Penetration Test Report

| Section | Specific Content | Important Elements |
|---------|------------------|--------------------|
| **Device Inventory** | Tested device details | Firmware versions, communication protocols |
| **Hardware Security** | Physical security findings | Debug ports, physical attack vectors |
| **Firmware Analysis** | Firmware security assessment | Extracted secrets, backdoors, update mechanisms |
| **Communication Protocol Security** | Protocol vulnerability findings | Encryption, authentication, protocol flaws |
| **Communication Interception** | Traffic analysis results | Cleartext data, weak encryption |
| **Device API Security** | Interface security issues | Authentication, authorization flaws |
| **OT Network Segmentation** | Isolation effectiveness | IT/OT boundary controls, zone separation |
| **Human-Machine Interface Security** | HMI vulnerability assessment | Access controls, input validation |
| **Control Systems Security** | ICS/SCADA specific findings | Protocol vulnerabilities, logic controllers |
| **Safety System Assessment** | Safety mechanism evaluation | Safety override possibilities, physical impact |
| **Operational Impact Analysis** | Business/safety implications | Real-world consequences of vulnerabilities |

## Remediation Guidance Best Practices

| Component | Description | Example |
|-----------|-------------|---------|
| **Clear Issue Title** | Descriptive vulnerability name | "Stored XSS in User Profile Comments" |
| **Severity Rating** | Risk level with justification | "High - Allows account takeover via stored payload" |
| **Detailed Description** | Technical explanation | "The application fails to sanitize HTML in user comments..." |
| **Proof of Concept** | Step-by-step reproduction | Numbered steps to reproduce the issue |
| **Evidence/Screenshots** | Visual documentation | Redacted screenshots showing the vulnerability |
| **Affected Systems** | Scope of the vulnerability | "All user profile pages across the application" |
| **Business Impact** | Real-world consequences | "Attackers could steal user credentials or perform actions as the victim" |
| **Remediation Steps** | Specific fix instructions | Code examples, configuration changes |
| **References** | Supporting information | CWE numbers, OWASP references, vendor docs |
| **Validation Method** | How to confirm the fix | Test cases to verify remediation |

## Reporting Tips by Audience

| Audience | Focus Areas | Format Tips | Language Considerations |
|----------|-------------|-------------|-------------------------|
| **Executive Leadership** | Business risk, cost implications | Brief summary, visual aids | Non-technical, business terms |
| **IT Management** | Resource planning, implementation strategy | Prioritized roadmap | Semi-technical, project management terms |
| **Security Team** | Technical details, security architecture | Comprehensive findings | Technical, security terminology |
| **Developers** | Implementation guidance, code examples | Specific remediation steps | Programming language-specific guidance |
| **Compliance Team** | Regulatory impact, compliance gaps | Mapping to requirements | Compliance framework terminology |
| **Third-Party Disclosure** | Responsible disclosure format | Minimal necessary details | Clear timeline expectations |

## Risk Rating Frameworks

| Framework | Components | Calculation | Best For |
|-----------|------------|-------------|----------|
| **CVSS v3.1** | Base, Temporal, Environmental | Score 0-10 from metrics | Standardized vulnerability rating |
| **OWASP Risk Rating** | Likelihood × Impact | Produces Low/Medium/High/Critical | Web application vulnerabilities |
| **DREAD** | Damage, Reproducibility, Exploitability, Affected users, Discoverability | Average of 5 factors (0-10) | Application security assessment |
| **Custom Severity Matrix** | Impact × Likelihood | Typically 3×3 or 5×5 matrix | Organizational alignment |
| **Qualitative Rating** | Professional judgment | Low/Medium/High/Critical | When metrics are difficult to apply |

## Report Quality Checklist

| Aspect | Check | Common Pitfalls |
|--------|-------|-----------------|
| **Accuracy** | Verified findings, tested recommendations | False positives, untested remediation advice |
| **Clarity** | Clear, concise language | Excessive jargon, ambiguous descriptions |
| **Completeness** | All required sections, comprehensive coverage | Missing methodology, incomplete findings |
| **Professionalism** | Proper formatting, no typos | Spelling errors, inconsistent formatting |
| **Actionability** | Clear remediation steps | Vague recommendations, missing context |
| **Evidence Quality** | Proper screenshots, redacted sensitive data | Unclear evidence, over-redaction |
| **Business Context** | Practical impact explanation | Missing real-world consequences |
| **Technical Depth** | Appropriate level of detail | Too shallow or overly complex explanations |
| **Executive Value** | Clear risk communication | Missing business context for executives |
| **Scope Alignment** | Findings within agreed scope | Out-of-scope issues without clarification |
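The Risk Rating Frameworks table above lists calculations (OWASP likelihood × impact, the DREAD five-factor average, a custom impact × likelihood matrix) without showing how they turn factor scores into the severity labels that the Findings Overview counts. The following Python module is an added example, not part of the cheatsheet or of any named framework's own tooling. It implements the OWASP Risk Rating Methodology as published (factors 0-9, levels LOW below 3, MEDIUM from 3 to below 6, HIGH from 6; the 3×3 overall matrix, whose LOW × LOW cell is reported as "Note"), the DREAD average as described in the table, and a 5×5 custom matrix whose bucket thresholds are an assumption for illustration, then tallies findings by severity for the overview chart. The sample findings at the bottom are constructed.

```python
"""Risk-rating helpers for a penetration-test report (added example)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from statistics import mean

# --- OWASP Risk Rating Methodology ------------------------------------------
# Likelihood and impact are each the mean of several 0-9 factor scores and
# fall into LOW (<3), MEDIUM (3 to <6) or HIGH (>=6). Overall severity comes
# from the published 3x3 matrix, keyed here as (likelihood, impact).
OWASP_MATRIX = {
    ("LOW", "LOW"): "Note",
    ("LOW", "MEDIUM"): "Low",
    ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low",
    ("MEDIUM", "MEDIUM"): "Medium",
    ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium",
    ("HIGH", "MEDIUM"): "High",
    ("HIGH", "HIGH"): "Critical",
}


def owasp_level(score: float) -> str:
    """Bucket a 0-9 likelihood or impact score into LOW/MEDIUM/HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"OWASP factor scores are 0-9, got {score}")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def owasp_severity(likelihood_factors: list[int], impact_factors: list[int]) -> str:
    """Overall OWASP severity from the averaged likelihood and impact factors."""
    likelihood = mean(likelihood_factors)
    impact = mean(impact_factors)
    return OWASP_MATRIX[(owasp_level(likelihood), owasp_level(impact))]


# --- DREAD ------------------------------------------------------------------
def dread_score(damage: int, reproducibility: int, exploitability: int,
                affected_users: int, discoverability: int) -> float:
    """Average of the five DREAD factors, each rated 0-10."""
    factors = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 0 <= f <= 10 for f in factors):
        raise ValueError("DREAD factors are rated 0-10")
    return round(mean(factors), 1)


# --- Custom 5x5 severity matrix ---------------------------------------------
# Impact and likelihood are each 1-5 and the product (1-25) is bucketed.
# The thresholds below are an assumption for illustration; each organisation
# defines its own and documents them in the Risk Rating Methodology section.
def matrix_severity(impact: int, likelihood: int) -> str:
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood are rated 1-5")
    product = impact * likelihood
    if product >= 17:
        return "Critical"
    if product >= 10:
        return "High"
    if product >= 5:
        return "Medium"
    return "Low"


# --- Findings overview ------------------------------------------------------
@dataclass
class Finding:
    title: str
    severity: str


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Vulnerability count by severity, ordered as a findings chart would show it."""
    order = ["Critical", "High", "Medium", "Low", "Note"]
    counts = Counter(f.severity for f in findings)
    return {level: counts.get(level, 0) for level in order}


if __name__ == "__main__":
    # Constructed sample findings; titles and factor scores are illustrative.
    findings = [
        Finding("Stored XSS in User Profile Comments",
                owasp_severity([5, 6, 7, 8], [7, 8, 6, 7, 8, 7, 6, 8])),
        Finding("Verbose error page", matrix_severity(impact=1, likelihood=3)),
        Finding("Weak TLS configuration", matrix_severity(impact=3, likelihood=4)),
    ]
    for f in findings:
        print(f"{f.severity:<9} {f.title}")
    print(severity_counts(findings))
    print("DREAD:", dread_score(8, 10, 7, 9, 8))
```

Whichever scheme a report uses, the factor scores behind each label should be recorded with the finding so a reader can reproduce the rating; that is what the Risk Rating Methodology section promises when it claims transparency.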