✍️Documentation & Reporting

Reporting

A report should consist of the following sections:

Executive Summary

  • Intended to be read by executives, so it needs a high-level overview of the details rather than technical depth.

  • Should list what's important to fix immediately.

  • Can include a graphical view based on severity.

Overview of The Assessment

  • Should include the methodology used during the assessment.

  • Should detail how the assessment was executed during the testing period.

    • Discuss the process and tools used.

Scope

  • Scope and duration of the assessment.

  • Should include everything that the client authorized:

    • Target scope

    • Testing period

Vulnerabilities and Recommendations

  • Should detail all the findings discovered (once false positives have been eliminated by manual testing)

  • It's best to group findings that relate to each other

  • Each issue should contain:

    • Vulnerability Name

    • CVE

    • CVSS

    • Description

    • References

    • Remediation Steps

    • POC (Proof of Concept)

    • Affected Systems
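The checklist above is easy to enforce with a small script, so here is an added example (not code from the original page) that validates each finding against those required fields, groups related findings, orders each group by CVSS, derives the severity breakdown for the executive summary's graphical view, and renders the section as Markdown. The severity bands follow the CVSS v3.x qualitative rating scale published by FIRST; the sample findings, hostnames, URLs and CVE identifiers are constructed placeholders.

```python
"""Finding-section helpers for a penetration-test report.

Added example, not code from the original page.  The required field list
mirrors the page's checklist; the severity bands follow the CVSS v3.x
qualitative rating scale (FIRST); every sample finding, hostname, URL and
CVE identifier below is a constructed placeholder.
"""
from collections import Counter, defaultdict

# Fields the page says every issue should carry.
REQUIRED_FIELDS = ("name", "cve", "cvss", "description", "references",
                   "remediation", "poc", "affected_systems")

# CVSS v3.x qualitative severity bands (upper bound inclusive).
SEVERITY_BANDS = (("None", 0.0), ("Low", 3.9), ("Medium", 6.9),
                  ("High", 8.9), ("Critical", 10.0))


def severity(score: float) -> str:
    """Map a CVSS base score to its qualitative band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for label, upper in SEVERITY_BANDS:
        if score <= upper:
            return label
    return "Critical"


def _empty(value) -> bool:
    # A CVSS score of 0.0 is a legitimate value, so do not treat 0 as missing.
    return value is None or value == "" or (isinstance(value, (list, tuple)) and not value)


def validate(finding: dict) -> list:
    """Return the required fields that are missing, empty or malformed."""
    problems = [f for f in REQUIRED_FIELDS if _empty(finding.get(f))]
    if not _empty(finding.get("cvss")):
        try:
            severity(float(finding["cvss"]))
        except (TypeError, ValueError):
            problems.append("cvss (not a score between 0.0 and 10.0)")
    return problems


def group_findings(findings: list) -> dict:
    """Group related findings; an optional 'group' key names the group,
    ungrouped findings stand alone.  Each group is ordered by descending
    CVSS so the most urgent item leads."""
    groups = defaultdict(list)
    for f in findings:
        groups[f.get("group") or f["name"]].append(f)
    return {g: sorted(items, key=lambda f: f["cvss"], reverse=True)
            for g, items in groups.items()}


def severity_counts(findings: list) -> dict:
    """Per-band counts feeding the executive summary's severity chart."""
    counts = Counter(severity(f["cvss"]) for f in findings)
    return {label: counts.get(label, 0) for label, _ in SEVERITY_BANDS}


def fix_immediately(findings: list, min_score: float = 9.0) -> list:
    """Names the executive summary should flag as urgent (Critical by default)."""
    urgent = [f for f in findings if f["cvss"] >= min_score]
    return [f["name"] for f in sorted(urgent, key=lambda f: f["cvss"], reverse=True)]


def render_markdown(findings: list) -> str:
    """Render the Vulnerabilities and Recommendations section as Markdown,
    refusing to render a finding that fails the checklist."""
    lines = ["## Vulnerabilities and Recommendations", ""]
    for group, items in group_findings(findings).items():
        lines.append(f"### {group}")
        for f in items:
            missing = validate(f)
            if missing:
                raise ValueError(f"{f.get('name')!r} is missing: {missing}")
            lines += [
                f"#### {f['name']} ({severity(f['cvss'])}, CVSS {f['cvss']})",
                f"- CVE: {f['cve']}",
                f"- Affected systems: {', '.join(f['affected_systems'])}",
                f"- Description: {f['description']}",
                f"- Proof of concept: {f['poc']}",
                f"- Remediation: {f['remediation']}",
                "- References: " + ", ".join(f["references"]),
                "",
            ]
    return "\n".join(lines)


SAMPLE_FINDINGS = [  # constructed sample data; identifiers are placeholders
    {"name": "Unsupported web server version", "group": "Patch management",
     "cve": "CVE-XXXX-XXXXX (placeholder)", "cvss": 9.8,
     "description": "The web tier runs a release that no longer receives security fixes.",
     "references": ["https://vendor.example/advisory-placeholder"],
     "remediation": "Upgrade to a supported release and enable automatic updates.",
     "poc": "Version reported in the Server response header.",
     "affected_systems": ["web-01", "web-02"]},
    {"name": "Missing security patches on database host", "group": "Patch management",
     "cve": "CVE-XXXX-XXXXX (placeholder)", "cvss": 7.5,
     "description": "The database host is several patch levels behind.",
     "references": ["https://vendor.example/bulletin-placeholder"],
     "remediation": "Apply vendor patches and schedule a regular patch window.",
     "poc": "Patch level confirmed from package inventory.",
     "affected_systems": ["db-01"]},
    {"name": "Verbose error pages", "cve": "N/A (configuration issue)", "cvss": 3.1,
     "description": "Stack traces are returned to users on application errors.",
     "references": ["https://example.invalid/error-handling-guidance"],
     "remediation": "Return generic error pages and log details server-side.",
     "poc": "Stack trace observed in an error response.",
     "affected_systems": ["web-01"]},
]

if __name__ == "__main__":
    print("Fix immediately:", fix_immediately(SAMPLE_FINDINGS))
    print("Severity breakdown:", severity_counts(SAMPLE_FINDINGS))
    print(render_markdown(SAMPLE_FINDINGS))
```

`severity_counts` is what the executive summary's severity graphic is built from, and `fix_immediately` gives the "fix now" list; `render_markdown` raises rather than silently emitting an incomplete finding, which is the behaviour you want from a report pipeline.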

Always make sure reports are written to cater for all audiences (high-level explanations for non-technical readers alongside the technical detail).

Keep it concise and clear!
