Documentation & Reporting
Reporting
A report should consist of the following sections:
Executive Summary
Written for executives, so it should give a high-level overview of the results rather than technical detail.
Should list what is most important to fix immediately.
Can include a graphical view of the findings broken down by severity.
Overview of The Assessment
Should describe the methodology used during the assessment.
Should detail how the assessment was executed during the testing period.
Should discuss the process and the tools used.
Scope
Scope and duration of the assessment
Should include everything that the client authorized:
Target scope
Testing period
Vulnerabilities and Recommendations
Should detail all findings discovered, once false positives have been eliminated by manual verification.
It is best to group findings that relate to each other (for example, the same root cause across several hosts).
Each issue should contain:
Vulnerability Name
CVE (where one exists; logic flaws and misconfigurations often have no CVE)
CVSS score (and ideally the vector, so the client can see how it was derived)
Description
References
Remediation Steps
PoC (Proof of Concept)
Affected Systems
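The per-issue fields above lend themselves to a small schema that refuses to render an incomplete finding, derives the severity bucket from the CVSS score (CVSS v3.x qualitative scale), produces the per-severity counts an executive summary chart is built from, and orders the findings section most severe first. The following is an added example, not code from the original page; the `Finding` class, the helper names and all sample findings are constructed for illustration.

```python
"""Findings-section builder for a penetration test report (added example).

Constructed for illustration: the Finding schema, the helper names and the
sample findings are assumptions, not part of the original page.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Order used for sorting and for the executive-summary severity breakdown.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Informational"]


def severity_from_cvss(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "Informational"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    """One reportable issue; mirrors the per-issue fields of the report."""
    name: str
    cvss: float
    description: str
    remediation: str
    poc: str
    affected_systems: List[str]
    references: List[str] = field(default_factory=list)
    cve: Optional[str] = None  # optional: logic flaws and misconfigs have no CVE

    @property
    def severity(self) -> str:
        return severity_from_cvss(self.cvss)


def validate_finding(f: Finding) -> List[str]:
    """Return the problems with a finding; an empty list means report-ready."""
    problems = []
    for attr in ("name", "description", "remediation", "poc"):
        if not getattr(f, attr).strip():
            problems.append(f"{attr} is empty")
    if not f.affected_systems:
        problems.append("no affected systems listed")
    if f.cve is not None and not re.fullmatch(r"CVE-\d{4}-\d{4,}", f.cve):
        problems.append(f"malformed CVE id: {f.cve}")
    try:
        severity_from_cvss(f.cvss)
    except ValueError as e:
        problems.append(str(e))
    return problems


def severity_summary(findings: List[Finding]) -> Dict[str, int]:
    """Counts per severity, in the order an executive-summary chart shows them."""
    counts = Counter(f.severity for f in findings)
    return {s: counts.get(s, 0) for s in SEVERITY_ORDER}


def render_findings_markdown(findings: List[Finding]) -> str:
    """Render the Vulnerabilities and Recommendations section, most severe first."""
    bad = {f.name: validate_finding(f) for f in findings if validate_finding(f)}
    if bad:
        raise ValueError(f"incomplete findings: {bad}")
    ordered = sorted(findings, key=lambda f: (SEVERITY_ORDER.index(f.severity), -f.cvss))
    lines = ["## Vulnerabilities and Recommendations", ""]
    for i, f in enumerate(ordered, 1):
        lines.append(f"### {i}. {f.name} ({f.severity}, CVSS {f.cvss})")
        lines.append(f"- CVE: {f.cve or 'N/A'}")
        lines.append(f"- Affected systems: {', '.join(f.affected_systems)}")
        lines.append(f"- Description: {f.description}")
        lines.append(f"- Proof of concept: {f.poc}")
        lines.append(f"- Remediation: {f.remediation}")
        if f.references:
            lines.append("- References: " + ", ".join(f.references))
        lines.append("")
    return "\n".join(lines)


# Constructed sample findings (hostnames and details are illustrative only).
SAMPLE_FINDINGS = [
    Finding("Verbose server banner", 3.1, "Web server discloses exact version.",
            "Suppress version information in the server header.",
            "curl -I against the host shows the full version string.",
            ["web-01.example.test"]),
    Finding("SQL injection in login form", 9.8,
            "The username parameter is concatenated into a SQL query.",
            "Use parameterised queries; validate input server-side.",
            "A single quote in the username field returns a database error.",
            ["web-01.example.test", "web-02.example.test"]),
    Finding("No rate limiting on login", 5.3,
            "Unlimited authentication attempts are accepted.",
            "Throttle and lock out after repeated failures.",
            "1000 attempts in one minute were all processed.",
            ["web-01.example.test"]),
]

if __name__ == "__main__":
    print(severity_summary(SAMPLE_FINDINGS))
    print(render_findings_markdown(SAMPLE_FINDINGS))
```

Running the script prints the severity counts and the rendered section with the SQL injection first; a finding missing a remediation, a PoC or an affected host is rejected before it can reach the report.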