Here is an example Penetration Test Report from Active Defense. We pride ourselves on creating actionable reports for our clients. The goal of a penetration test is not to prove an attack can be successful, but to identify and prioritize remediation actions and strategies.
We understand there are multiple audiences for these reports. Our reports are broken into three sections: (1) Executive Summary, (2) Key Findings, and (3) Attack Methodology. Each is written from a different perspective with different goals and audiences in mind.
Executive Summary: The Executive Summary portion of the report provides a brief overview of critical findings, but more importantly, provides various levers for the executives to pull to improve their security posture. Allowing stakeholders to understand specific actions they can support will help you drive your security program forward.
Key Findings: The Key Findings section contains high-level summaries of the vulnerabilities identified and tested in the environment. We provide insight into the vulnerability, why it matters, and how to validate the vulnerability for yourself. This way, when you remediate the issue, you can confirm the vulnerability no longer exists.
Attack Methodology: The Attack Methodology is a step-by-step guide on how to reproduce the exact attack our testers have performed. Active Defense meets with the technical teams at the presentation of the report to confirm the teams are able to reproduce the findings. We hope to educate you and your team so you can perform these tests in-house as part of your day-to-day work.