5 Items You Should Find in a Penetration Testing Report | Vumetric

5 Items You Should Find in a Penetration Testing Report

Penetration Testing Report
Share on linkedin
Share on facebook
Share on twitter

Table of Contents

What Items Should You Find in a Penetration Testing Report?

Before committing to a penetration test, companies should ensure that the services will provide actionable results for a sound return on investment. Here are 5 elements you should find in a penetration testing report to ensure success:

1. The executive summary

The executive summary provides an easy-to-understand description of identified risks and their potential impact (financial and otherwise) on the business being tested.  Among other things, the summary should provide a description which is comprehensive, incisive and accessible to all stakeholders, including those who are not technically proficient.  Upon reading the summary, all stakeholders should have a basic grasp on the extent of the problem and the best solutions to address it.

Your attempt to make your business more secure from cyberattacks will have failed if the results of testing are understood only by your IT team, principally because they are not in a position to make the some of the decisions necessary to move forward with solutions. Said differently, if your leadership team comes away from your penetration testing report confused, with more questions than answers, they will not be able to decide if proposed solutions are worth the investment of time and money suggested.

Look for an executive summary written in clear and concise language, without the use of insider, technical jargon.  Any technical terms which are used should be clearly defined in ways C-suite executives can understand.  Finally, a strong summary typically includes summary charts and graphs which are useful to all readers.

2. Technical vulnerability details

The description of security vulnerabilities necessarily includes technical details without which IT staffers would have insufficient direction to create effective solutions—but those details must be contextualized and clearly explained so that all readers can understand the nature of risks.  Often, in other words, this section of a penetration testing report will accurately describe risks in technical terms, including evidence of the vulnerabilities and a walk-through to allow the team to replicate and better understand the vulnerabilities.

Vulnerabilities are often broken-down in a few categories, such as:

  • Category of the vulnerability
  • Severity and level of priority
  • CVSS Score(Common Vulnerability Scoring System)

For example, if a healthcare company is vulnerable to files being uploaded through its portal, it’s not enough to describe the technical process by which the attack could take place, with reference to things like the execution of “arbitrary code remotely.”  It must also include language which clearly spells out what that means to the business (using concrete examples, such as “this means hackers, operating as administrators, will be able to view your medical records of any user.”)  In other words, the description of business impact is critically important to the usefulness of the report.

3. The potential impact of the vulnerabilities and the associated risk level

This section of the report should describe both the likelihood of the several risks your business faces and the possible impact of each vulnerability on your company (as noted above, the level of risk should be clearly contextualized and presented in a concise language). Regarding the level of risk, each vulnerability should be presented with its respective level of priority so they can be mitigated according to the risk they represent — in other words, some risks are more serious and impactful than others.

4. Solutions to fix the vulnerabilities

The penetration test report should, of course, present a general description of how best to remediate (in other words, fix) each vulnerability. But it’s also important that this description is tailored to the unique needs of your business.

For example, if your business relies on a given web server, it’s not reasonable for the report to suggest that you simply get rid of it and essentially start from scratch.  The presented solutions must consider what is realistic for your business—and what isn’t.  An effective penetration test report, for this reason, will present multiple remediation solutions, each of which includes sufficient detail for your IT team to resolve the problem, quickly and efficiently using external resources according to every risk that was identified.

5. Methodologies used

It’s important, particularly for your IT staff, to understand the methodologies employed in conducting penetration testing.  To begin, testing can be either manual or automated.

As its name suggests, manual penetration testing is performed by a human being, specifically an expert engineer.  Manual testing generally entails methodologies including data collection, vulnerability assessment, actual exploit (in which the tester launches an attack to reveal vulnerabilities) and the presentation of the report.  Manual testing can be either focused, testing for specific (limited) vulnerabilities or comprehensive.

Automated penetration testing is faster, more efficient, less time-consuming and generally more reliable.  Automated testing can be done using several renowned standards or internally developed standards.  Among the available standards are:

  • OWASP (the Open Web Application Security Project);
  • OSSTMM (the Open Source Security Testing Methodology Manual); and
  • NIST (the National Institute of Standards and Technology)

In conclusion

When these 5 items are clearly presented and logically organized, then the penetration testing report can effectively accomplish its objectives: to inform executives about whether their company is secure, to advise IT managers about risks to mitigate, and to guide IT staff members towards actionable solutions. Any reputable company who specializes in penetration testing should provide their clients with a complete report which enables each of them to repair any security gaps so they can gain peace of mind and prevent potentially damaging attacks.

To learn more about the ways our cutting-edge penetration testing, security audits and cybersecurity services can protect your company from cyberattacks, get a consultation with a certified specialist today.

A penetration test is a simulated hacking attempt that identifies opportunities for real hackers to break through your defences and perform various malicious acts. It generally leverages tools used by hackers and various professional methodologies to replicate the steps that modern hackers would take to intrude into your IT systems.


A pentest attempts to exploit your vulnerabilities to determine their potential impact, should they be used in a real hacking scenario. They provide a list of vulnerabilities with their respective level of severity, as well as technical recommendations to help your team apply corrective measures and focus on the most critical vulnerabilities.


These services allow your organization to answer the following questions, among several others:

  • Can a hacker gain access to any sensitive information?
  • Can a hacker hijack my technologies for any malicious acts?
  • Could a malware infection spread through the network?
  • Can an attacker escalate access to an administrative user?

Learn more about penetration testing →

There are many contexts in which a penetration test should be performed.

Here are some common use cases for a pentest:
  • As part of the development cycle of an application. (To test the security of a new feature/app)
  • To comply with security requirements. (3rd-parties, PCI, ISO27001, etc.)
  • To secure sensitive data from exfiltration.
  • To prevent infections by malware. (Ransomware, spyware, etc.)
  • To prevent disruptive cyberattacks. (Such as denial of service)
  • As part of a cybersecurity risk management strategy.
All businesses are advised to conduct a penetration test at least once a year, as well as after any significant upgrades or modifications to the company network. Given the rapid rate at which new exploits are discovered, we generally recommend that quarterly tests are performed.

The time required to successfully execute a penetration test depends on the scope and type of test. Most penetration tests can be performed within a couple of days, but some can span over several weeks, sometimes even months depending on the complexity of the project.

Various steps are taken over the course of the project to prevent the potential impact of our tests on the stability of your technological environment and the continuity of your business operations.

For this reason, a communication plan will be put in place at the beginning of the project to prevent and mitigate any potential impact. A representative of your organization will be identified to act as the main point of contact to ensure rapid communication in the event of a situation directly impacting the conduct of your daily operations, or if any critical vulnerabilities are identified, for which  corrective measures need to be implemented quickly.

While we use a simple 4 levels risk rating approach (Critical, High, Moderate, Low), our risk assessment is actually based on the Common Vulnerability Scoring System (CVSS) standard. Two main criteria are considered when  assessing the risk level of each vulnerability:

  • Potential impact: The potential impact of an attack based on a vulnerability, combined with its  potential effect on the availability of the system, as well as the confidentiality and integrity of  the data.
  • Exploitability: The potential exploitability of a vulnerability; a vulnerability that is easier to  exploit increases the number of potential attackers and thus the likelihood of an attack.  Different factors are considered when evaluating the exploitability potential of a vulnerability  (e.g.: access vector, authentication, operational complexity, etc.)

Need a Penetration Test?

or give us a call directly at:

Recent Vumetric Blog Posts

Top 5 Cyber Threats in 2020

What’s a Cyber Threat? Cyber threats can be defined as any type of offensive action that targets computer information...

What is Penetration Testing?

Penetration testing is an authorized simulation of a cyberattack on a company’s technologies. You may have also heard it...

Assess Your Cybersecurity Risks

A specialist will reach out in order to:

Mailbox Icon
stay informed!
Subscribe to stay on top of the latest trends, threats, news and statistics in the cybersecurity industry.