DOs and DON’Ts of Pentest Report Writing

Melisa Wachs

The first day of school is starting soon for your school-age kiddos. What better time to run through some of our basic reporting guidelines with y’all? Here is a short list of points I’ve learned after ten years of reading and editing pentest reports here at Black Hills Information Security.

  • DO: Set up a shared place where your team can agree on conventions. If a report has more than one author, it should still read in one “voice.” At BHIS the testers write in third person, past tense, and so on.
  • DON’T: Be a lone wolf. If you work as a team, you will all improve.
  • DO: Remember that the report is the deliverable for all the awesome testing you’ve done, but it’s of no value unless it communicates with the customer. You can make the report educational, informative, and fun for your readers.
  • DON’T: Offend your customer. Take your ego out of the equation. The report is not a personal platform for you to show off how great you are, or to boast about how weak a customer’s environment may be.

A Solid Report is a Key to Earning Returning Customers

  • DO: Remember that it is your role to help improve the entire industry by educating each customer you have. Our goal is returning customers, and that happens by approaching every customer with an educator’s attitude and some charity.
  • DON’T: Have a condemning or demeaning attitude in your reports. Your customers came to you for a reason. What does this look like, and how do you watch for it? Look at your descriptive adjectives and adverbs. Are you over-emphasizing with emotion? If so, you’re likely delivering a report with a tone.
  • DO: Start with a fresh reporting document each time.
  • DON’T: Copy/paste from an old report. This is not acceptable, and it easily leads to including information from a previous customer. Identifying other customers in a report is bad. Very, very bad.
  • DO: Remember your audience. Executives need a section that speaks to them, and the technical personnel need a section of their own that covers the methodology.
  • DON’T: Speak only to the tech people, or only to the execs. Simply put, make sure you’re bringing value to all facets of the company.
  • DO: Take ratings seriously. You’re the expert, after all. Be sure to give your reasons for each rating.
  • DON’T: Take ratings too seriously. If a customer feels a rating should shift because of some political or environment-specific situation, let them, and note the reason in the report. They’re the experts on their environment, after all.
  • DO: If you haven’t already done so, consider implementing a technical review and a grammatical review before delivering a report to the customer. This gives you two lines of defense before a report goes out.
  • DON’T: Treat reviewers as a threat; they are an asset. Don’t be combative within your team over having a report edited. If you’re new to pentesting (or even new to a company), they are likely going to want to have your reports edited and watched closely at first.
  • DO: Take notes and screenshots while you test. I promise this will make your life so much easier when you sit down to write the report.
  • DON’T: Procrastinate. Write the report as soon as you can, preferably as you actually test. If you’re unclear or sloppy, the customer will likely call you out to explain further. Also, the fresher the information is in your mind, the better the report will be. Imagine you have to defend your test to lawyers via only the report. That line of thinking is a solid way of ensuring a detailed and swift reporting process.

[Photo from the archives, 199-: Strand’s last day of summer, first day of school picture]

Here’s to another school year beginning, and a continuation of lifelong learning!