Why Reporting Matters
A well-structured report is the most critical deliverable in any penetration test. It serves as both technical documentation and a strategic advisory for your client. This page outlines how to create professional, clear, and actionable reports that resonate with both technical and executive audiences.
📦 Report Structure Overview
1. Executive Summary
A high-level overview for non-technical stakeholders. Summarize the most critical findings, business impact, and remediation priorities.
2. Scope and Methodology
Define what was tested and what was explicitly out of scope, and describe the approach used: black-box, gray-box, or white-box testing, OWASP Top 10 coverage, etc.
3. Findings Summary
Present a vulnerability matrix with severity levels and affected assets. Include CVSS scores and references.
4. Detailed Findings
Each vulnerability should include:
- Title & Severity
- Description
- Impact
- Proof of Concept (PoC)
- Remediation Advice
- References
5. Conclusion & Recommendations
Summarize the overall security posture and the common issues found, and suggest a roadmap for improvements.
6. Appendices
Include tool output (Nmap, Burp, Gobuster), payloads, screenshots, and notes. Keep it clean, and reference each item from the finding it supports.
📘 Step-by-Step: Writing a Report
Step 1: Gather All Findings
Review your notes, Burp Suite history, scan logs, and screenshots.
Step 2: Prioritize Vulnerabilities
Use CVSS or OWASP Risk Rating to prioritize based on impact and exploitability.
Step 3: Document Clearly
Write each finding with enough detail for reproducibility, but keep the language clear and jargon-free.
Step 4: Tailor Executive Summary
Focus on risks, not raw data. Use visuals or charts when applicable.
Step 5: Review and Sanitize
Check grammar and clarity, and remove internal testing data or tool details unless they are necessary.
📄 Sample Finding Template
Title: Stored XSS in /user/profile
Severity: High
CVSS Score: 8.2
Description:
A stored cross-site scripting vulnerability exists in the profile editing functionality. User input in the 'bio' field is not properly sanitized.
Impact:
An attacker can execute arbitrary JavaScript in the context of other users' sessions.
Proof of Concept:
1. Log in and navigate to /user/profile/edit
2. Inject payload: <script>alert('XSS')</script>
3. Save changes and reload another user's view of the profile
Remediation:
Implement proper output encoding and input validation for all user-supplied content.
References:
- OWASP XSS Prevention Cheat Sheet
- https://owasp.org/www-community/attacks/xss/
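As an added example (not code from the original page), the following Python turns structured findings into the Findings Summary matrix from section 3, ordered as Step 2 prescribes, and renders one entry in the Sample Finding Template layout above. The severity bands are the CVSS v3.x qualitative scale; the host names and the two extra findings are constructed for the demo.

```python
# Added example, not from the original page: builds the Findings Summary matrix and a Detailed
# Findings entry from structured data. Severity bands follow the CVSS v3.x qualitative scale.
from dataclasses import dataclass, field
@dataclass
class Finding:
    title: str
    cvss: float
    asset: str
    description: str = ""
    impact: str = ""
    poc: list = field(default_factory=list)
    remediation: str = ""
    references: list = field(default_factory=list)
def severity_from_cvss(score: float) -> str:
    """Map a CVSS v3.x base score to its band: None 0.0, Low to 3.9, Medium to 6.9, High to 8.9, else Critical."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for limit, band in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= limit:
            return band
    return "Critical"
def prioritize(findings):
    """Order findings for the report: highest CVSS first, ties broken by title."""
    return sorted(findings, key=lambda f: (-f.cvss, f.title))

def findings_matrix(findings) -> str:
    """Render the Findings Summary as a markdown table, most severe first."""
    rows = ["| # | Title | Severity | CVSS | Affected Asset |", "|---|---|---|---|---|"]
    for i, f in enumerate(prioritize(findings), 1):
        rows.append(f"| {i} | {f.title} | {severity_from_cvss(f.cvss)} | {f.cvss:.1f} | {f.asset} |")
    return "\n".join(rows)
def render_finding(f: Finding) -> str:
    """Render one Detailed Findings entry in the Sample Finding Template layout."""
    steps = "\n".join(f"{n}. {s}" for n, s in enumerate(f.poc, 1))
    refs = "\n".join(f"- {r}" for r in f.references)
    return (f"Title: {f.title}\nSeverity: {severity_from_cvss(f.cvss)}\nCVSS Score: {f.cvss:.1f}\n"
            f"Description:\n{f.description}\nImpact:\n{f.impact}\nProof of Concept:\n{steps}\n"
            f"Remediation:\n{f.remediation}\nReferences:\n{refs}")

# Constructed sample data; the first entry mirrors the page's own sample finding.
SAMPLE_FINDINGS = [
    Finding("Stored XSS in /user/profile", 8.2, "app.example (constructed host)",
            "User input in the 'bio' field is not properly sanitized.",
            "An attacker can execute arbitrary JavaScript in the context of other users' sessions.",
            ["Log in and navigate to /user/profile/edit", "Save a script payload in the 'bio' field"],
            "Implement proper output encoding and input validation for all user-supplied content.",
            ["OWASP XSS Prevention Cheat Sheet"]),
    Finding("Verbose server banner (constructed)", 3.1, "app.example (constructed host)"),
    Finding("Weak TLS cipher suites (constructed)", 5.3, "mail.example (constructed host)"),
]
```

Calling `findings_matrix(SAMPLE_FINDINGS)` yields the summary table for section 3, and `render_finding(prioritize(SAMPLE_FINDINGS)[0])` yields the highest-rated finding in the template layout.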
💡 Reporting Tips
- Use consistent formatting (markdown or docx templates)
- Write for multiple audiences: technical teams and managers
- Include screenshots and step-by-step PoCs
- Use tables for summaries and matrix views
- Avoid jargon unless explained