What is a Pentest?
This article will cover a few key areas of a quality pentest report, but first we should outline what a pentest is. A penetration test (often called ethical hacking or a pen test) is a simulated, authorized cyberattack against a company’s systems, carried out the way a real attacker would but under agreed rules of engagement. Its purpose is twofold: to determine what the business impact of a successful attack would be, and to help the company close the gaps in its security posture. Do not confuse a penetration test with a vulnerability assessment. A vulnerability assessment identifies weaknesses but doesn’t exploit them, so it can’t tell you the real business impact of a given vulnerability. A penetration test identifies the same weaknesses and vulnerabilities but then goes on to exploit them, chaining them where possible, to determine what an attacker could actually accomplish.
Why is a Pentest Report Important?
In our opinion, the pentest report is the most important aspect of a penetration test, because at the end of the day the report is what the customer is left with. If that report doesn’t help the customer take action to improve their security posture, then the overall value of the pentest should, and will, come under scrutiny.
If you’re part of the channel community and are evaluating partners for pentesting, then the report is also crucial to you and your business. A pentest report can be used for both sales and marketing. We’ve seen large enterprise customers switch pentest firms because of the quality of the report. Executives are also likely to review the reports as they make strategic decisions about technology and budgets, which is an opportunity to make a good impression with a well-structured pentest report.
One last consideration, for both customers and partners, is what other use cases a business will leverage the report for. In addition to being used internally to improve security posture, penetration testing reports might also be given to 3rd parties for a variety of reasons. If that third party deems that the report is inadequate, it can delay the business in accomplishing goals that were set or can even require additional assessments to be performed.
Overall, the pentest report is the tangible item a client receives after a penetration test, so it leaves a lasting impression that can be positive or negative. Providing a document that isn’t actionable, or that looks like it was hastily thrown together in Word, should be frowned upon. Now that we’ve established what a penetration test is and why the pentest report is critical, let’s move on to a few key aspects that we believe must be included in pentest reports.
1. Executive Summary
An executive summary should be tailored to leadership members who might not be technical but are essential to the strategy and direction of the company. Penetration testing companies are often composed of highly technical team members. While that in and of itself isn’t an issue, we’ve seen many reports that have great technical content but fail to translate that information for non-technical readers. This can leave leadership teams frustrated at both the time and the financial investment required for a pentest.
In general, a good executive summary should be succinct while focusing on the business impact of a cyber-attack. The use of graphs and charts may help make information easily digestible where appropriate. There are a few critical pieces that the executive summary should have, which we have outlined below:
- Overall Security Posture: Leadership and executives want to be able to understand the state of their security posture from a mile high view. That means providing a single rating and providing context as to why that rating was given. Technical-minded team members on both sides of the equation (trust us – the testing team often argues over this) might pick this overall rating apart but it’s important to remember that this is meant for leadership teams. It’s important that the pentest team emphasizes to leadership that this isn’t a pass/fail grade, but just a general rating.
- Industry Comparison: While no official methodology or strategy exists for comparing the pentest results to other companies in the same industry, pentesting companies that have a large database of pentesting projects should have the data to provide a high-level comparison. This can help executives understand how they compare to others in their industry without providing sensitive or detailed information.
- General Strengths & Weaknesses: While the purpose of a pentest is to help identify technical weaknesses in a company’s security posture, it’s also helpful for leadership to understand overall strengths and weaknesses. By highlighting strengths, you can help non-technical team members see the benefits of having a security conscious culture company wide. An example of a general strength might be the use of MFA on all critical services. By highlighting weaknesses, you provide leadership with items that they can help push forward without being highly technical. An example of a general weakness is if a company has a poor password policy across the organization.
- Business Impact and Attack Narrative: A critical piece of the executive summary, and ultimately the entire pentest report, is the ability to point to the business impact of each finding. We’ll go into more detail later in this post, as we want to keep the focus on the executive summary section here. A good way to show the overall business impact is to incorporate an attack narrative into the executive summary when possible. An attack narrative highlights the most likely attack path a cybercriminal would take to reach the most valuable information. It avoids the technical weeds and instead focuses on what the assessor was able to do and, ultimately, what an attacker could have walked away with: employee SSNs, customer credit card information, or critical intellectual property. This helps leadership teams grasp just how severe the findings are without having to understand the technical nuts and bolts.
- Prioritized Next Steps: One detail that technically falls outside of the executive summary section but is worth emphasizing is providing actionable and prioritized next steps. Non-technical leadership will want to see that the output of the assessment is actionable and helpful. That means that you help their team understand what their first action item is after the test, how to fix it, and what to do next. The report should serve as a guide for improving their security posture after the penetration test.
There are a lot of details that go into the executive summary of a good pentest report but this is often overlooked by highly technical pentest firms. We believe that pentest reports must consider all audiences, including executive leadership, to ultimately ensure that the technical team is aligned with the business.
2. Technical Findings
When looking at pentest reports, the technical findings are often what one would consider the ‘meat and potatoes’ of the report. It’s where an assessor can show their work & how they were able to do it. There are a few important details that every pentest report should have in their section containing technical findings. While basic and obvious for someone familiar with pentest reports, it’s still important to cover in this post.
- Vulnerability Details: All reports will have information about the vulnerability, but look out for reports that simply pull this info from a template database. While great for efficiency, vulnerability information pulled from a template can be outdated or irrelevant to your assessment; the description should reflect the specific instance found in your environment (affected host, parameter, or endpoint) rather than a generic CVE or scanner write-up.
- Business Impact: One of the largest indicators of a quality pentest compared to a poor one is the ability to identify and report the business impact. An automated vulnerability scanner may alert you to a vulnerability, but without exploiting it you won’t know how it affects the company or how severe it really is. We’ll cover this in more depth below, but it’s important that the technical findings highlight the business impact.
- Steps to recreate: A pentest should not only document the vulnerabilities found throughout the assessment, it should also show the exact steps taken to exploit each one, with the specific requests, payloads, and evidence (for example, a redacted screenshot or response excerpt), so that the company’s technical team can recreate it. This matters because it lets the team confirm that a fix has actually removed the vulnerability, rather than merely hidden it from a scanner.
3. Business Impact
If you haven’t noticed a theme, business impact is a critical piece of a good pentest report. While we might sound like a broken record at this point, it’s the hill we’re willing to die on! In all seriousness, it’s important that the pentest report ties everything back to the business impact. Consider the below comparison:
- Report A claims you have a critical SQL Injection vulnerability in your web application, which would allow an attacker to modify or interfere with a SQL query and could reveal information from the database.
- Report B claims you have a critical SQL Injection vulnerability in your web application that enabled our assessor to submit a UNION input. This allowed us to retrieve the full contents of the table titled ‘California Patients’ with four columns titled ‘First’ ‘Last’ ‘Address’ and ‘SSN’.
An application security architect likely understands how severe a SQL Injection vulnerability can be, but their direct manager, let alone the company’s executives, might not understand how important it is to fix that vulnerability ASAP. As you can see, outlining the impact to the business provides context for every audience on the customer’s side.
4. Remediation Recommendations
A good remediation step for each vulnerability is a must have in pentest reports. Circling back to our point about executives wanting clear next steps – remediation steps must be clear, prioritized, and actionable. Pentest reports should use business impact to determine what the highest priorities are. Additionally, a good pentest firm will provide multiple options for each vulnerability when applicable. The reason for multiple options is that every business has different abilities and needs; so what might work for customer A might not be the best choice, or even possible, for customer B.
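To make the Report A versus Report B comparison and the remediation point concrete, here is an added example (not code from the original article) that reproduces the kind of finding Report B describes against a constructed, in-memory SQLite database. The table and column names, the two sample patient rows, and the product search endpoint are all assumptions made for the illustration. The vulnerable function concatenates user input into the query; the UNION payload returns every row of the sensitive table through what is supposed to be a product search; the fixed function shows the primary remediation option (a parameterised query) and returns nothing for the same payload.

```python
import sqlite3

# Constructed sample data for this example only; not from any real engagement.
PATIENTS = [
    ("Ada", "Lovelace", "1 Analytical Way", "000-00-0001"),
    ("Alan", "Turing", "2 Enigma Road", "000-00-0002"),
]
PRODUCTS = [(1, "Widget", 9.99), (2, "Gadget", 19.99)]


def build_db():
    """Build an in-memory database with a public product table and a sensitive patient table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.execute(
        "CREATE TABLE california_patients (first TEXT, last TEXT, address TEXT, ssn TEXT)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.executemany("INSERT INTO california_patients VALUES (?, ?, ?, ?)", PATIENTS)
    return conn


def search_products_vulnerable(conn, term):
    """The 'before' state: user input is pasted straight into the SQL text."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_products_fixed(conn, term):
    """Remediation option: a parameterised query. The driver sends `term` as data,
    so quote characters and SQL keywords inside it are never parsed as SQL."""
    return conn.execute(
        "SELECT name, price FROM products WHERE name LIKE ?", (f"%{term}%",)
    ).fetchall()


# UNION payload as an assessor would submit it in the search box. It closes the
# open string literal, appends a SELECT with the same column count (2) against the
# sensitive table, and uses a trailing comment to discard the leftover %' from the
# original query.
UNION_PAYLOAD = (
    "zzz' UNION SELECT first || ' ' || last || ', ' || address, ssn "
    "FROM california_patients -- "
)


def demonstrate():
    """Run the same payload against the vulnerable and fixed code paths.

    Returns (leaked_rows, rows_after_fix). The first list is the evidence a
    Report B style finding would cite: every patient record, SSN included.
    """
    conn = build_db()
    leaked = search_products_vulnerable(conn, UNION_PAYLOAD)
    after_fix = search_products_fixed(conn, UNION_PAYLOAD)
    return leaked, after_fix


if __name__ == "__main__":
    leaked, after_fix = demonstrate()
    print(f"vulnerable endpoint returned {len(leaked)} patient rows:")
    for row in leaked:
        print("  ", row)
    print(f"fixed endpoint returned {len(after_fix)} rows for the same payload")
```

The leaked list is exactly what turns "a SQL Injection vulnerability" into "the full contents of the patient table including SSNs" in the report. Note that the fixed function still answers ordinary searches correctly, which is the check the customer’s team should run when verifying the remediation: the legitimate use case keeps working while the reproduction steps from the finding no longer do. Where the customer cannot change the query immediately, a second option to list alongside it is restricting the application’s database account so it has no read access to tables the endpoint does not need; that limits what a UNION can reach but does not remove the injection itself.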
5. Third Party Summary Report
While not technically part of the pentest report, a separate third-party summary report (sometimes called an attestation letter) should also be available. The reason is simple: penetration testing reports contain highly sensitive information, including working reproduction steps for live vulnerabilities, that can be abused and therefore should only be shared with trusted parties within the company. A third-party summary report should provide high-level information such as who performed the pentest, what the scope was, when it was performed, and the number of findings broken down by severity. For companies that need to prove they perform regular pentesting, this gives them a way to demonstrate it without sharing any sensitive detail.
Below are example business cases where a 3rd party summary report would be useful.
- SOC 2 Type II Audit: A common attestation report (SOC 2 is an auditor’s attestation rather than a certificate) that service providers such as SaaS companies pursue to send a powerful message to customers that they take data security seriously. SOC 2 Type II audits don’t strictly require penetration testing, but the Trust Services Criteria that map to COSO Principle 16 do require ongoing and/or separate evaluations to confirm that internal controls are present and functioning, and the points of focus name penetration testing and independent certifications as examples of such evaluations. In other words, while a pentest might not be mandatory for your report, the auditor is looking for ongoing evaluations of this kind to determine that the security controls are working. Instead of handing the auditor a pentest report full of your company’s vulnerabilities, it’s best to provide an attestation letter.
- Customer Requirement: Third-party cyber risk management is a growing area of concern for many large enterprises. If you want to read more about why, here’s a good article that goes into depth about the topic. Now that enterprises are trying to better manage their third-party cyber risk, they are raising the security requirements to be onboarded and to remain an approved vendor. One common requirement is regular (typically annual) penetration testing. Again, you don’t want to hand a detailed pentest report to a third party, so it’s best to be able to provide them with a high-level attestation letter instead.
Bonus – Option to White Label the Pentest Report
If you’ve made it this far, thank you. We’d give you a badge of honor but instead we’ll add in a bonus. Admittedly, this bonus is primarily for the channel community & is more of a thinly veiled sales pitch – but nonetheless – here we go.
If you’re an MSP or part of the channel community then you might be thinking about selling pentest services. There are a lot of reputable pentest firms out there that might allow you to resell their services, but we’re confident that none of them have been built with the channel at their core like we have. While you’re evaluating their services and reports, we think it’s important to ask if you can white label their pentest reports. Since X Security was built to only sell our pentest services via the channel – we can get you quality reports that are branded with your company’s information. Our services become your services, and our quality reports become your quality reports. If you’re interested in learning about us, feel free to reach out below or check out more about us on our site.
At the end of a penetration test, the client is left with one tangible item: the pentest report. For pentest firms, the report is a key way to stand out from the competition and build long-lasting trust with customers. For clients, the pentest report not only helps improve their security posture and guide strategic direction, it also helps win deals with enterprise customers and satisfy audit and certification requirements.
If you’d like to read more about pentest reporting, PTES (Penetration Testing Execution Standard) provides good info on the pentest reporting standards.
Most importantly, a pentest report needs to provide actionable next steps for both non-technical and technical clients.