5 Items You Should Find in a Penetration Testing Report

What Items Should You Find in a Penetration Testing Report?

Before committing to a penetration test, companies should ensure that the services delivered to them will provide actionable results for a sound return on their investment. Here are 5 elements you should find in a penetration testing report to ensure success:

1. The executive summary

The executive summary provides an easy-to-understand description of identified risks and their potential impact (financial and otherwise) on the business being tested. Among other things, the summary should provide a description that is comprehensive, incisive and accessible to all stakeholders, including those who are not technically proficient. Upon reading the summary, all stakeholders should have a basic grasp of the extent of the problem and the best solutions to address it.

Your attempt to make your business more secure from cyberattacks will have failed if the results of testing are understood only by your IT team, mainly because they are not in a position to make some of the decisions required to move forward with solutions. In other words, if your leadership team comes out of your penetration testing process confused, with more questions than answers, they will not be able to decide if the proposed solutions are worth the investment of time and money.

Look for an executive summary written in clear and concise language, without the use of insider, technical jargon. Any technical terms used should be clearly defined in ways C-suite executives can understand. Finally, a strong summary typically includes summary charts and graphs which are useful to all readers.

2. Technical details of the vulnerabilities

The description of security vulnerabilities necessarily includes technical details without which IT staffers would have insufficient direction to create effective solutions—but those details must be contextualized and clearly explained so that all readers can understand the nature of risks. Often, this section of a penetration testing report will accurately describe risks in technical terms, including evidence of the vulnerabilities and a walk-through to allow the team to replicate and better understand the vulnerabilities.

Vulnerabilities are often broken down by a few criteria, such as:

  • Category of the vulnerability
  • Severity and level of priority
  • CVSS Score (Common Vulnerability Scoring System)

For example, if a healthcare company is vulnerable through the files uploaded via its portal, it’s not enough to describe the technical process by which the attack could take place, with reference to things like the execution of “arbitrary code remotely.” The report must also include language that clearly spells out what that means for the business, using concrete examples such as “this means hackers, operating as administrators, will be able to view the medical records of any user.” In other words, the description of business impact is critically important to the usefulness of the report.

3. The potential impact of the vulnerabilities and their associated risk level

This section of the report should describe both the likelihood of the several risks your business faces and the possible impact of each vulnerability on your company (as noted above, the level of risk should be clearly contextualized and presented in concise language). Regarding the level of risk, each vulnerability should be presented with its respective level of priority so that vulnerabilities can be mitigated according to the risk they represent—in other words, some risks are more serious and impactful than others.

4. Solutions to fix the vulnerabilities

The penetration test report should, of course, present a general description of how best to remediate (in other words, fix) each vulnerability. But it’s also important that this description be tailored to the unique needs of your business.

For example, if your business relies on a given web server, it’s not reasonable for the report to suggest that you simply get rid of it and essentially start from scratch. The presented solutions must consider what is realistic for your business—and what isn’t. An effective penetration test report, for this reason, will present multiple remediation solutions, each of which includes sufficient detail for your IT team to resolve the problem quickly and efficiently, using external resources, according to every risk identified.

5. Methodologies used

It’s important, particularly for your IT staff, to understand the methodologies employed in conducting penetration testing. To begin, testing can be either manual or automated.

As its name suggests, manual penetration testing is performed by a human being, specifically an expert engineer. Manual testing generally entails methodologies including data collection, vulnerability assessment, actual exploitation (in which the tester launches an attack to reveal vulnerabilities) and the presentation of the report. Manual testing can be either focused—testing for specific (limited) vulnerabilities—or comprehensive.

Automated penetration testing is faster, more efficient, less time-consuming and generally more reliable. Automated testing can be done using several renowned standards or internally developed standards. Among the available standards are:

  • OWASP (the Open Web Application Security Project)
  • OSSTMM (the Open Source Security Testing Methodology Manual)
  • NIST (the National Institute of Standards and Technology)

In conclusion

When these 5 items are clearly presented and logically organized, the penetration testing report can effectively accomplish its objectives: inform executives on whether their company is secure, advise IT managers about risks to mitigate, and guide IT staff members towards actionable solutions. Any reputable company that specializes in penetration testing should provide its clients with a complete report that enables them to repair any security gaps for peace of mind and prevention of potentially damaging attacks.

To learn more about the ways our cutting-edge penetration testing, security audits and cybersecurity services can protect your company from cyberattacks, request a consultation with a certified specialist today.

A penetration test is a simulated hacking attempt that identifies opportunities for real hackers to break through your defences and perform various malicious acts. It generally leverages tools used by hackers and various professional methodologies to replicate the steps that modern hackers would take to intrude into your IT systems.

A pentest attempts to exploit your vulnerabilities to determine their potential impact, should they be used in a real hacking scenario. They provide a list of vulnerabilities with their respective level of severity, as well as technical recommendations to help your team apply corrective measures and focus on the most critical vulnerabilities.

These services allow your organization to answer the following questions, among several others:

  • Can a hacker gain access to any sensitive information?
  • Can a hacker hijack my technologies for any malicious acts?
  • Could a malware infection spread through the network?
  • Can an attacker escalate access to an administrative user?

There are many contexts in which a penetration test should be performed.

Here are some common use cases for a pentest:

  • As part of the development cycle of an application. (To test the security of a new feature/app)
  • To comply with security requirements. (3rd-parties, PCI, ISO27001, etc.)
  • To secure sensitive data from exfiltration.
  • To prevent infections by malware. (Ransomware, spyware, etc.)
  • To prevent disruptive cyberattacks. (Such as denial of service)
  • As part of a cybersecurity risk management strategy.

All businesses are advised to conduct a penetration test at least once a year, as well as after any significant upgrades or modifications to the company network. Given the rapid rate at which new exploits are discovered, we generally recommend that quarterly tests are performed.

Various steps are taken over the course of the project to prevent the potential impact of our tests on the stability of your technological environment and the continuity of your business operations.

For this reason, a communication plan will be put in place at the beginning of the project to prevent and mitigate any potential impact. A representative of your organization will be identified to act as the main point of contact to ensure rapid communication in the event of a situation directly impacting the conduct of your daily operations, or if any critical vulnerabilities are identified for which corrective measures need to be implemented quickly.

While we use a simple four-level risk rating approach (Critical, High, Moderate, Low), our risk assessment is actually based on the Common Vulnerability Scoring System (CVSS) standard. Two main criteria are considered when assessing the risk level of each vulnerability:

  • Potential impact: The potential impact of an attack based on a vulnerability, combined with its potential effect on the availability of the system, as well as the confidentiality and integrity of the data.
  • Exploitability: The potential exploitability of a vulnerability; a vulnerability that is easier to exploit increases the number of potential attackers and thus the likelihood of an attack. Different factors are considered when evaluating the exploitability potential of a vulnerability (e.g., access vector, authentication, operational complexity, etc.)
