You are viewing a free preview of this lesson.
Subscribe to unlock all 10 lessons in this course and every other course on LearningBro.
A penetration test is only as valuable as its report. The report translates technical findings into business risk, provides actionable remediation guidance, and serves as a permanent record of the engagement. This lesson covers professional report writing, risk rating systems, and remediation best practices.
Without a good report:
✗ Technical findings are lost or forgotten
✗ Management cannot understand the risk
✗ Development teams do not know what to fix
✗ There is no baseline for retesting
✗ The engagement has no lasting value
With a good report:
✓ Findings are clear, actionable, and prioritised
✓ Executives understand business risk
✓ Developers have step-by-step remediation guidance
✓ Progress can be tracked through retesting
✓ The report serves as evidence of due diligence
┌─────────────────────────────────────────────┐
│ Penetration Test Report │
├─────────────────────────────────────────────┤
│ 1. Cover Page │
│ 2. Table of Contents │
│ 3. Executive Summary │
│ 4. Scope and Methodology │
│ 5. Summary of Findings │
│ 6. Detailed Technical Findings │
│ 7. Remediation Recommendations │
│ 8. Appendices (raw data, tool output) │
└─────────────────────────────────────────────┘
The executive summary is for non-technical stakeholders (CTO, CISO, board members). It should be 1-2 pages maximum.
| Section | Content |
|---|---|
| Engagement overview | Dates, scope, methodology used |
| Overall risk rating | Critical / High / Medium / Low |
| Key findings count | "5 Critical, 8 High, 12 Medium, 6 Low" |
| Business impact | What an attacker could achieve |
| Top recommendations | 3–5 highest-priority actions |
Executive Summary
─────────────────
Engagement: External Penetration Test
Client: Example Corp
Dates: 1–14 March 2026
Methodology: OWASP Testing Guide, PTES
Overall Risk: HIGH
During the authorised penetration test, the testing team
identified 31 vulnerabilities: 5 Critical, 8 High, 12 Medium,
and 6 Low severity.
The most significant finding was an SQL injection vulnerability
in the customer portal (Finding #1) that allowed extraction of
the entire customer database (200,000+ records). Combined with
weak password hashing (Finding #3), this represents a material
data breach risk.
Immediate actions recommended:
1. Remediate SQL injection in customer portal (Critical)
2. Implement parameterised queries across all applications
3. Upgrade password hashing to bcrypt/Argon2
4. Enable multi-factor authentication for admin accounts
5. Patch Apache servers to address CVE-2023-25690
The Common Vulnerability Scoring System (CVSS) provides a standardised way to rate vulnerability severity.
| Score | Rating | Description |
|---|---|---|
| 0.0 | None | Informational finding |
| 0.1–3.9 | Low | Minor risk, unlikely exploitation |
| 4.0–6.9 | Medium | Moderate risk, requires some conditions |
| 7.0–8.9 | High | Significant risk, readily exploitable |
| 9.0–10.0 | Critical | Severe risk, trivial to exploit, major impact |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
│ │ │ │ │ │ │ │
│ │ │ │ │ │ │ └─ Availability Impact
│ │ │ │ │ │ └────── Integrity Impact
│ │ │ │ │ └─────────── Confidentiality Impact
│ │ │ │ └──────────────── Scope
│ │ │ └───────────────────── User Interaction
│ │ └─────────────────────────── Privileges Required
│ └───────────────────────────────── Attack Complexity
└─────────────────────────────────────── Attack Vector
AV = Attack Vector: N(etwork), A(djacent), L(ocal), P(hysical)
AC = Attack Complexity: L(ow), H(igh)
PR = Privileges Req.: N(one), L(ow), H(igh)
UI = User Interaction: N(one), R(equired)
S = Scope: U(nchanged), C(hanged)
C/I/A = Impact: N(one), L(ow), H(igh)
Subscribe to continue reading
Get full access to this lesson and all 10 lessons in this course.