- Hands-On Web Penetration Testing with Metasploit
- Harpreet Singh, Himanshu Sharma
- 2021-06-24 16:18:46
Reporting
The reporting stage is the final stage of the penetration testing process and involves reporting each and every vulnerability found on the in-scope target. The reported vulnerabilities are listed according to the severity level defined by the Common Vulnerability Scoring System (CVSS), a free and open standard used to assess the severity of vulnerabilities.
As pen testers, we need to understand how important this stage really is for the client. All the work that has been done by the testers on the client system should be reported in a structured format. The report should include a short introduction to the test, the scope of work, the rules of engagement, a short and crisp summary, the vulnerabilities found, and the proof of concept for each vulnerability, along with some recommendations and patching techniques from the reference links.
There are some publicly available tools, such as Serpico, MagicTree, Burp Suite, and Acunetix, that can be used to ease the process of reporting. As this is an important stage of pen testing, all the details that were found during the test should be included in the report.
We can provide two different kinds of report: an executive report for management and a technical report for the technical team in place. This could help both the management and the technical team of an organization to understand and fix the vulnerabilities found by the penetration testers.