What to Look For In A Penetration Test Report

Providing a comprehensive review of your organisation's information security, Penetration Testing is a deep dive into your network, designed to discover areas of concern and highlight where improvements could be made in infrastructure, procedures and policies.

Although Penetration Testing methodology can vary from supplier to supplier, the essential element common to all Penetration Tests is the written report, which is key to getting the maximum value from the overall process.

When undergoing supplier selection, reviewing sample Penetration Test reports provides invaluable insight into:

  • The level of detail you’ll be able to expect
  • How accessible the language used will be for both technical and non-technical stakeholders
  • How the Penetration Testing process can subsequently help inform and guide cybersecurity improvements

What Should A Penetration Test Report Include?

Executive Summary

Focusing on the key findings from the testing process, this should be clear and concise, providing essential insight and high-level recommendations; it is particularly useful for non-technical business leaders.

Project Scope and Technical Approach

This should list the IP addresses and systems in scope, the types of attack used, the methodology (black, grey or white box) and the number of attempted exploits by type.

Results

A well-written report gives an account of each detected vulnerability, how it was detected, and how it could be exploited – rather than simply pasting in large sections of scanner output. Remediation advice which is understandable and actionable is critical in ensuring the Penetration Testing process results in positive outputs, improving your organisation’s security.

Risk-based Scoring

By using a standardised scoring system, for example CVSS (Common Vulnerability Scoring System), threats and vulnerabilities can be ranked in order of criticality, ensuring that remediation resources are allocated accordingly.

Report Delivery

How will the report be delivered to you? Ensure basic requirements are met, i.e. the report is delivered in an encrypted format. You may also require that the report is presented to key stakeholders in person, which can be discussed at the scoping stage of the process.

Sample Penetration Testing Report

Chess are certified by CREST, an international not-for-profit accreditation and certification body that represents and supports the technical information security market.

Download Chess’s Penetration Test Sample Report for a comprehensive view of the Chess methodology and Penetration Testing approach, or contact us on 0330 107 7860.