Reporting & Remediation

A penetration test is only as valuable as its report. The report translates technical findings into business risk, provides actionable remediation guidance, and serves as a permanent record of the engagement. This lesson covers professional report writing, risk rating systems, and remediation best practices.

---

Why Reporting Matters

Without a good report:

• Technical findings are lost or forgotten
• Management cannot understand the risk
• Development teams do not know what to fix
• There is no baseline for retesting
• The engagement has no lasting value

With a good report:

• Findings are clear, actionable, and prioritised
• Executives understand business risk
• Developers have step-by-step remediation guidance
• Progress can be tracked through retesting
• The report serves as evidence of due diligence

---

Professional Pentest Report Structure

Penetration Test Report

1. Cover Page
2. Table of Contents
3. Executive Summary
4. Scope and Methodology
5. Summary of Findings
6. Detailed Technical Findings
7. Remediation Recommendations
8. Appendices (raw data, tool output)

---

Executive Summary

The executive summary is for non-technical stakeholders (CTO, CISO, board members). It should be 1-2 pages maximum.

What to Include

Section	Content
Engagement overview	Dates, scope, methodology used
Overall risk rating	Critical / High / Medium / Low
Key findings count	"5 Critical, 8 High, 12 Medium, 6 Low"
Business impact	What an attacker could achieve
Top recommendations	3–5 highest-priority actions

Example Executive Summary

Executive Summary

Field	Value
Engagement	External Penetration Test
Client	Example Corp
Dates	1–14 March 2026
Methodology	OWASP Testing Guide, PTES
Overall Risk	HIGH

During the authorised penetration test, the testing team identified 31 vulnerabilities: 5 Critical, 8 High, 12 Medium, and 6 Low severity.

The most significant finding was an SQL injection vulnerability in the customer portal (Finding #1) that allowed extraction of the entire customer database (200,000+ records). Combined with weak password hashing (Finding #3), this represents a material data breach risk.

Immediate actions recommended:

1. Remediate SQL injection in customer portal (Critical)
2. Implement parameterised queries across all applications
3. Upgrade password hashing to bcrypt/Argon2
4. Enable multi-factor authentication for admin accounts
5. Patch Apache servers to address CVE-2023-25690

---

CVSS Risk Ratings

The Common Vulnerability Scoring System (CVSS) provides a standardised way to rate vulnerability severity.

CVSS v3.1 Severity Ratings

Score	Rating	Description
0.0	None	Informational finding
0.1–3.9	Low	Minor risk, unlikely exploitation
4.0–6.9	Medium	Moderate risk, requires some conditions
7.0–8.9	High	Significant risk, readily exploitable
9.0–10.0	Critical	Severe risk, trivial to exploit, major impact

CVSS Vector Components

CVSS:3.1 Vector — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Metric	Code	Meaning / Values
Attack Vector	AV	N(etwork), A(djacent), L(ocal), P(hysical)
Attack Complexity	AC	L(ow), H(igh)
Privileges Required	PR	N(one), L(ow), H(igh)
User Interaction	UI	N(one), R(equired)
Scope	S	U(nchanged), C(hanged)
Confidentiality / Integrity / Availability Impact	C/I/A	N(one), L(ow), H(igh)

---