
Writing a Killer Penetration Test Report

You crafted an irresistible spear phishing email, which provided initial access to an unprivileged account. You rapidly gained persistence on your beachhead host, then escalated privileges through application shimming. You fired up a little Kerberoasting and grabbed the creds you needed to move laterally, picking your way through the network until you landed on the crown jewels. You dropped a calling card, erased your tracks, and then popped a cold beverage. Easy day’s work — time to get paid … but the most important part is still ahead of you.

Hacking is a blast, but many (okay, most) pentesters loathe writing the report. Like it or not, the report is why you were hired. It is the single document upon which you will be judged by your clients and, indirectly, by your future clients. Your ability to author an effective report is just as important as your hacking skillz when it comes to your bottom line. Yet very few pentesters spend even a fraction of the time honing their report writing skills that they spend learning and practicing new tactics.

At PlexTrac, we know a thing or two about reporting, both from experience in our roles as practitioners and from the extensive work we’ve done with our customers. We’ve seen a lot of reports in various templates and formats. We’ve also helped numerous customers convert their report templates into a PlexTrac-compatible format. As a part of that work, we’ve seen a lot of great report formats, and we’ve also had the opportunity to provide recommendations to customers on areas for improvement in their templates. Based on that knowledge and expertise, we will highlight some of the good and bad that we’ve seen when it comes to reporting. This paper will begin by discussing a few tenets that should form the foundation for an amazing penetration test report. We will then discuss report layout, with an in-depth discussion of how content can be effectively presented to provide maximum knowledge transfer.

It’s best to plan your report strategy before you ever start writing. Thinking in advance about the purpose, context, and audience of the penetration test results and the report you will write about them will save you time and energy later.

 
