A report should consist of the following sections:

- Executive Summary
  - Intended to be read by executives, so it needs a high-level overview rather than technical detail.
  - Should list what is important to fix immediately.
  - Can include a graphical view of the findings broken down by severity.

- Methodology
  - Should describe the methodology used during the assessment.
  - Should detail how the assessment was executed during testing.
  - Discuss the process and the tools used.

- Scope and duration of the assessment
  - Should include everything that the client authorized:
    - Target scope
    - Testing period

- Findings
  - Should detail all the findings discovered (once false positives have been eliminated by manual testing).
  - It is best to group findings that relate to each other.
  - Each issue should contain:
    - Vulnerability Name
    - CVE
    - CVSS
    - Description
    - References
    - Remediation Steps
    - POC (Proof of Concept)
    - Affected Systems

Always make sure reports are written to cater for all audiences (high-level explanations alongside the technical detail).
Keep it concise and clear!
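The following is an added example, not part of the original notes, showing how the per-issue fields listed above can be captured in a small data model and turned into the pieces the other sections need: a "fix immediately" list for the executive summary, a severity breakdown that feeds the graphical view, grouping of related findings by affected system, and a check that no required field has been left blank. The Finding class, the helper names and the sample findings (hosts under the reserved example.test domain, no real CVE numbers) are all assumptions constructed for this example; the severity thresholds follow the CVSS v3.x qualitative rating scale.

```python
"""Structuring pentest report findings (added example, not from the original page).

Assumptions: a Finding dataclass carrying the fields the page lists, CVSS v3.x
base-score-to-rating thresholds, and a constructed sample set of findings.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def cvss_rating(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    name: str                      # Vulnerability Name
    cvss: float                    # CVSS base score
    description: str
    remediation: str               # Remediation Steps
    proof_of_concept: str          # POC
    affected_systems: List[str]
    references: List[str] = field(default_factory=list)
    cve: Optional[str] = None      # not every finding maps to a CVE (e.g. misconfigurations)
    verified: bool = False         # True once manual testing has ruled out a false positive

    @property
    def severity(self) -> str:
        return cvss_rating(self.cvss)


def missing_fields(f: Finding) -> List[str]:
    """Names of required report fields that are still empty for this finding."""
    required = {
        "name": f.name, "description": f.description, "remediation": f.remediation,
        "proof_of_concept": f.proof_of_concept, "affected_systems": f.affected_systems,
    }
    return [k for k, v in required.items() if not v]


def confirmed(findings: List[Finding]) -> List[Finding]:
    """Only findings confirmed by manual testing belong in the report."""
    return [f for f in findings if f.verified]


def fix_first(findings: List[Finding], n: int = 3) -> List[Finding]:
    """Highest-rated confirmed findings for the executive summary's 'fix immediately' list."""
    return sorted(confirmed(findings), key=lambda f: f.cvss, reverse=True)[:n]


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Counts per severity, in the order a severity chart would present them."""
    counts = Counter(f.severity for f in confirmed(findings))
    return {s: counts.get(s, 0) for s in ("Critical", "High", "Medium", "Low", "None")}


def severity_chart(findings: List[Finding]) -> List[str]:
    """Plain-text bar chart of confirmed findings by severity."""
    return [f"{sev:<8} {'#' * n} ({n})" for sev, n in severity_counts(findings).items()]


def group_by_system(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group related confirmed findings by the system they affect."""
    groups: Dict[str, List[str]] = {}
    for f in confirmed(findings):
        for host in f.affected_systems:
            groups.setdefault(host, []).append(f.name)
    return groups


# Constructed sample findings; hostnames use the reserved example.test domain.
SAMPLE = [
    Finding("Outdated TLS configuration", 5.3, "TLS 1.0 still enabled.",
            "Disable TLS 1.0/1.1 on the listener.", "Observed in the server handshake.",
            ["web-01.example.test"], verified=True),
    Finding("Unauthenticated admin panel", 9.8, "Admin interface reachable without login.",
            "Require authentication and restrict by network.", "Panel loads without a session.",
            ["web-01.example.test", "web-02.example.test"], verified=True),
    Finding("Reflected XSS in search", 6.1, "Search term echoed unencoded.",
            "Output-encode the parameter.", "Harmless payload reflected in the response.",
            ["web-02.example.test"], verified=True),
    # Scanner output not yet confirmed by hand: excluded from every report view.
    Finding("Possible SQL injection (scanner)", 8.0, "Automated scanner flag.",
            "Confirm by manual testing before reporting.", "",
            ["web-02.example.test"], verified=False),
]

if __name__ == "__main__":
    print("Fix first:", [f.name for f in fix_first(SAMPLE)])
    print("\n".join(severity_chart(SAMPLE)))
    print("By system:", group_by_system(SAMPLE))
```

Running the module prints the prioritized list, the severity chart and the per-system grouping for the sample set; the unverified scanner flag never appears in any of them, which is the false-positive rule from the notes applied mechanically.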