# Penetration Testing Reporting Cheatsheet

## General Report Structure Elements
| Section | Purpose | Key Components | Tips |
|---|---|---|---|
| Cover Page | Formal introduction to report | Client name, test dates, report date, classification | Include security classification (Confidential) |
| Executive Summary | High-level overview for leadership | Key findings, risk rating, strategic recommendations | 1-2 pages, non-technical, business impact focus |
| Scope & Methodology | Define what was tested and how | Systems tested, approach used, tools employed | Be specific about what was in/out of scope |
| Findings Overview | Summarize discovered vulnerabilities | Risk ratings chart, vulnerability count by severity | Use visual aids (charts, graphs) |
| Detailed Findings | Technical details of each vulnerability | Title, severity, description, impact, reproduction steps, remediation | Include screenshots, code samples when helpful |
| Risk Rating Methodology | Explain how risk was calculated | Scoring system (CVSS), impact vs likelihood matrix | Ensures transparency in severity ratings |
| Remediation Roadmap | Prioritized fix recommendations | Short/medium/long-term actions, effort estimates | Help client prioritize fixes |
| Conclusion | Wrap-up and final thoughts | Overall security posture assessment, improvement trajectory | Positive but realistic tone |
| Appendices | Supporting technical details | Raw scan data, testing evidence, methodological details | Keep detailed logs here, not in main report |

## External Network Penetration Test Report
| Section | Specific Content | Important Elements |
|---|---|---|
| Scope Definition | External IP ranges, domains, exposed services | Clear network boundaries, exclusions |
| Reconnaissance Findings | Exposed information, digital footprint | OSINT results, information leakage assessment |
| Network Findings | Discovered vulnerabilities by host/service | Port scan results, service enumeration |
| Perimeter Security Assessment | Firewall, VPN, remote access evaluation | Configuration weaknesses, unnecessary exposure |
| External Service Vulnerabilities | Web, email, DNS, etc. vulnerabilities | Version information, misconfigurations |
| Access Control Testing | Authentication bypass attempts | Brute force results, credential findings |
| Exfiltration Testing | Data leakage test results | DLP effectiveness, unmonitored channels |
| Social Engineering Results | Phishing campaign results (if in scope) | Click rates, credential capture statistics |
| Internet-Facing Application Findings | Public application vulnerabilities | API security, exposed dev environments |
| Threat Modeling | Attack vectors assessment | Most likely attack paths |

## Internal Network Penetration Test Report
| Section | Specific Content | Important Elements |
|---|---|---|
| Network Architecture Review | Overview of internal design | Segmentation assessment, trust relationships |
| Active Directory Assessment | Domain security findings | Group Policy, privilege management issues |
| Lateral Movement Findings | Ability to move between systems | Successful pivoting techniques, trust exploitation |
| Privilege Escalation Paths | Routes to elevated access | Local to domain admin paths, misconfigurations |
| Internal Service Vulnerabilities | File shares, internal applications, databases | Access control issues, sensitive data exposure |
| Password Policy Evaluation | Password strength assessment | Password spray results, policy compliance |
| Data Access Controls | Sensitive data protection assessment | Unauthorized access findings, excessive permissions |
| Endpoint Security Findings | Workstation/server vulnerabilities | Missing patches, AV evasion success |
| Network Device Security | Switch, router, wireless findings | Management interface issues, protocol weaknesses |
| Post-Exploitation Results | Actions taken after initial compromise | Data accessed, persistence established |

## Web Application Penetration Test Report
| Section | Specific Content | Important Elements |
|---|---|---|
| Application Overview | Description of tested application | Functionality, technologies, architecture |
| Authentication Mechanisms | Login security assessment | Brute force, account recovery, session management |
| Authorization Controls | Access control evaluation | Vertical/horizontal privilege issues, IDOR |
| Input Validation Findings | Injection vulnerabilities | SQL, XSS, CSRF, XXE, command injection |
| Business Logic Flaws | Workflow/process vulnerabilities | Logical bypasses, process sequence issues |
| Sensitive Data Exposure | Data protection assessment | Encryption issues, exposure in transit/at rest |
| API Security Findings | API endpoint vulnerabilities | Authentication, rate limiting, RBAC issues |
| Client-Side Security | Browser-based vulnerabilities | DOM XSS, client-side validation bypass |
| Security Headers & Configuration | Server/application configuration | Missing headers, dangerous settings |
| Third-Party Component Analysis | Vulnerable dependencies | Outdated libraries, known CVEs |
| OWASP Top 10 Coverage | Mapping to OWASP categories | Comprehensive coverage confirmation |

## Mobile Application Penetration Test Report
| Section | Specific Content | Important Elements |
|---|---|---|
| Application Architecture | App design and components | Client-server interactions, technologies |
| Reverse Engineering Results | App code analysis findings | Obfuscation effectiveness, hardcoded secrets |
| Local Data Storage | Data storage security | Sensitive data in local storage, encryption issues |
| Authentication & Session Management | Login security, session handling | Token security, biometric implementation |
| Network Communication | API calls, data transmission | Certificate validation, encryption in transit |
| Platform-Specific Issues | iOS/Android security concerns | Permissions, intents/URL schemes, jailbreak detection |
| Code Quality & Implementation | Implementation vulnerabilities | Memory corruption, native code issues |
| Privacy Concerns | User data handling | Excessive data collection, tracking |
| Backend API Security | Server-side endpoint security | Same issues as web API testing |
| OWASP MASVS Coverage | Mobile security verification | Mapping to MASVS requirements |

## Cloud Security Assessment Report
| Section | Specific Content | Important Elements |
|---|---|---|
| Cloud Architecture Review | Cloud infrastructure design | Service models (IaaS/PaaS/SaaS), deployment model |
| Identity & Access Management | IAM configuration security | Permissions, roles, privilege management |
| Cloud Configuration Review | Service configuration assessment | Misconfigurations, insecure defaults |
| Storage Security | Cloud storage evaluation | Bucket permissions, data classification issues |
| Compute Security | VM/container/serverless security | Patch management, hardening issues |
| Network Security | Cloud network controls | VPC design, security groups, NACLs |
| Logging & Monitoring | Visibility assessment | Log coverage, alerting configuration |
| Key Management | Encryption implementation | Key rotation, access controls |
| Multi-Tenancy Risks | Isolation effectiveness | Potential cross-tenant vulnerabilities |
| Compliance Alignment | Regulatory requirement gaps | Standards/framework alignment (e.g., CSA CCM) |
| Provider-Specific Findings | AWS/Azure/GCP specific issues | Service-specific vulnerabilities |

## AI System Penetration Test Report
| Section | Specific Content | Important Elements |
|---|---|---|
| AI System Architecture | System design and components | Model types, training pipeline, deployment |
| Prompt Injection Findings | LLM vulnerability assessment | Direct/indirect injection, jailbreaking success |
| Model Security Testing | Model-specific vulnerabilities | Adversarial examples, data extraction attempts |
| Training Pipeline Security | Development process security | Supply chain, data poisoning vectors |
| API Security Assessment | Interface security issues | Rate limiting, authentication, input validation |
| Output Filtering Evaluation | Safety mechanism assessment | Filter bypass success, content policy violations |
| Data Privacy Analysis | PII/sensitive data handling | Training data leakage, inference attacks |
| Infrastructure Security | Deployment environment security | Model hosting, vector database security |
| MITRE ATLAS Mapping | Tactic/technique correlation | Mapping findings to ATLAS framework |
| MLOps Security | Operational security issues | CI/CD, monitoring, update mechanisms |
| Prompt Management Security | System prompt protection | Prompt extraction success, prompt injection |

## IoT/OT Penetration Test Report
| Section | Specific Content | Important Elements |
|---|---|---|
| Device Inventory | Tested device details | Firmware versions, communication protocols |
| Hardware Security | Physical security findings | Debug ports, physical attack vectors |
| Firmware Analysis | Firmware security assessment | Extracted secrets, backdoors, update mechanisms |
| Communication Protocol Security | Protocol vulnerability findings | Encryption, authentication, protocol flaws |
| Communication Interception | Traffic analysis results | Cleartext data, weak encryption |
| Device API Security | Interface security issues | Authentication, authorization flaws |
| OT Network Segmentation | Isolation effectiveness | IT/OT boundary controls, zone separation |
| Human-Machine Interface Security | HMI vulnerability assessment | Access controls, input validation |
| Control Systems Security | ICS/SCADA specific findings | Protocol vulnerabilities, logic controllers |
| Safety System Assessment | Safety mechanism evaluation | Safety override possibilities, physical impact |
| Operational Impact Analysis | Business/safety implications | Real-world consequences of vulnerabilities |

## Remediation Guidance Best Practices
| Component | Description | Example |
|---|---|---|
| Clear Issue Title | Descriptive vulnerability name | "Stored XSS in User Profile Comments" |
| Severity Rating | Risk level with justification | "High - Allows account takeover via stored payload" |
| Detailed Description | Technical explanation | "The application fails to sanitize HTML in user comments..." |
| Proof of Concept | Step-by-step reproduction | Numbered steps to reproduce the issue |
| Evidence/Screenshots | Visual documentation | Redacted screenshots showing vulnerability |
| Affected Systems | Scope of vulnerability | "All user profile pages across the application" |
| Business Impact | Real-world consequences | "Attackers could steal user credentials or perform actions as the victim" |
| Remediation Steps | Specific fix instructions | Code examples, configuration changes |
| References | Supporting information | CWE numbers, OWASP references, vendor docs |
| Validation Method | How to confirm the fix | Test cases to verify remediation |

## Reporting Tips by Audience
| Audience | Focus Areas | Format Tips | Language Considerations |
|---|---|---|---|
| Executive Leadership | Business risk, cost implications | Brief summary, visual aids | Non-technical, business terms |
| IT Management | Resource planning, implementation strategy | Prioritized roadmap | Semi-technical, project management terms |
| Security Team | Technical details, security architecture | Comprehensive findings | Technical, security terminology |
| Developers | Implementation guidance, code examples | Specific remediation steps | Programming language-specific guidance |
| Compliance Team | Regulatory impact, compliance gaps | Mapping to requirements | Compliance framework terminology |
| Third-Party Disclosure | Responsible disclosure format | Minimal necessary details | Clear timeline expectations |

## Risk Rating Frameworks
| Framework | Components | Calculation | Best For |
|---|---|---|---|
| CVSS v3.1 | Base, Temporal, Environmental | Score 0-10 from metrics | Standardized vulnerability rating |
| OWASP Risk Rating | Likelihood × Impact | Produces Low/Medium/High/Critical | Web application vulnerabilities |
| DREAD | Damage, Reproducibility, Exploitability, Affected users, Discoverability | Average of 5 factors (0-10) | Application security assessment |
| Custom Severity Matrix | Impact × Likelihood | Typically 3×3 or 5×5 matrix | Organizational alignment |
| Qualitative Rating | Professional judgment | Low/Medium/High/Critical | When metrics are difficult to apply |
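A worked example of the OWASP Risk Rating and DREAD calculations from the table above, added here and not part of the original cheatsheet: the factor names, the 0-9 bands and the 3×3 severity matrix follow the OWASP Risk Rating Methodology; the sample scores for the stored XSS finding are constructed to show how a "High" rating is reached.

```python
from statistics import mean
# OWASP Risk Rating Methodology: every factor is scored 0-9; likelihood and
# impact are the averages of their factor groups, each bucketed into Low (<3),
# Medium (3 to <6) or High (6+), and the two bands meet in a 3x3 severity matrix.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                              # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",  # vulnerability
)
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity", "loss_of_availability", "loss_of_accountability",  # technical
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",                    # business
)
OWASP_MATRIX = {  # OWASP_MATRIX[impact_band][likelihood_band]
    "Low":    {"Low": "Note",   "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "Critical"},
}

def band(score):
    """Bucket a 0-9 average into the OWASP Low/Medium/High band."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    return "Low" if score < 3 else "Medium" if score < 6 else "High"

def factor_average(scores, expected):
    """Average one factor group, refusing missing or out-of-range factors."""
    if missing := set(expected) - set(scores):
        raise ValueError(f"missing factors: {sorted(missing)}")
    values = [scores[name] for name in expected]
    if any(not 0 <= v <= 9 for v in values):
        raise ValueError("every factor must be scored 0-9")
    return mean(values)

def owasp_risk(likelihood, impact):
    """Return both averages, their bands and the severity read from the matrix."""
    l_score = factor_average(likelihood, LIKELIHOOD_FACTORS)
    i_score = factor_average(impact, IMPACT_FACTORS)
    l_band, i_band = band(l_score), band(i_score)
    return {"likelihood": l_score, "impact": i_score, "likelihood_band": l_band,
            "impact_band": i_band, "severity": OWASP_MATRIX[i_band][l_band]}

def dread_score(damage, reproducibility, exploitability, affected_users, discoverability):
    """DREAD as the table states it: plain average of five 0-10 factors."""
    factors = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 0 <= f <= 10 for f in factors):
        raise ValueError("DREAD factors must be scored 0-10")
    return mean(factors)
# Constructed scores for the "Stored XSS in User Profile Comments" finding, in factor order.
XSS_LIKELIHOOD = dict(zip(LIKELIHOOD_FACTORS, (6, 4, 9, 9, 7, 5, 6, 8)))  # avg 6.75 -> High
XSS_IMPACT = dict(zip(IMPACT_FACTORS, (6, 5, 1, 7, 3, 4, 5, 5)))          # avg 4.5 -> Medium
```

Running `owasp_risk(XSS_LIKELIHOOD, XSS_IMPACT)` yields High likelihood and Medium impact, which the matrix turns into the "High" severity used for that finding in the remediation table.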

## Report Quality Checklist
| Aspect | Check | Common Pitfalls |
|---|---|---|
| Accuracy | Verified findings, tested recommendations | False positives, untested remediation advice |
| Clarity | Clear, concise language | Excessive jargon, ambiguous descriptions |
| Completeness | All required sections, comprehensive coverage | Missing methodology, incomplete findings |
| Professionalism | Proper formatting, no typos | Spelling errors, inconsistent formatting |
| Actionability | Clear remediation steps | Vague recommendations, missing context |
| Evidence Quality | Proper screenshots, redacted sensitive data | Unclear evidence, over-redaction |
| Business Context | Practical impact explanation | Missing real-world consequences |
| Technical Depth | Appropriate level of detail | Too shallow or overly complex explanations |
| Executive Value | Clear risk communication | Missing business context for executives |
| Scope Alignment | Findings within agreed scope | Out-of-scope issues without clarification |