December 16, 2014

Penetration Testing for the Executive


Deciphering the Code: How to Get Real Value from Your Pentest Report

Whether you are a veteran security executive who has received hundreds of penetration testing reports, or a part-time security manager whose primary roles lie in traditional business management, it can be difficult to decipher the encrypted text held within some reports.

The problem exists because there is no standard for penetration testing reporting within the industry. I’ve seen literary works that range anywhere from Dr. Seuss to William Shakespeare. I have peer-reviewed reports for associates whose bad grammar could make a first grader wince. The goal here is to identify what makes a penetration test report good, how to interpret the results, and finally how to put them to use in your strategic planning to improve organizational security.

Understanding Business Impact

There are many frameworks for the penetration testing report, and this is not a discussion of which ones are best. However, an important conversation to have is what elements make a report valuable to the people reading it.

As penetration testers, we have to remember we could potentially have every level of an organization reading our reports—from the tactical level where technicians will fix our findings, to the leadership level where they need to take responsibility for the security of their organization.

First and foremost, the report you receive should tell you the impact a breach on your network would cause. We, as penetration testers, must speak to the business impact. A well-conducted test should tell you exactly what data and information was successfully compromised. This information should be directly relevant to your business; for example, if you store payment card information, the report should indicate what card data was accessed and how many systems were compromised.

The "Kill Chain" and Visual Validation

A second, critical section of any penetration report should be a detailed “kill chain.” This explains how your organization was compromised, how the data was accessed, and how that information was used to perpetuate additional compromises.

This section can be more tactical and should speak to the technicians tasked with remediating the findings. Crucially, this section should be riddled with screenshots used as validation. We often joke about how executives only understand pictures, but there is a far more practical reason for including them: they illustrate the compromise so that technicians cannot “snowball” leadership with confusing jargon to hide the severity of a finding.

Identifying a "Good" Report

The two elements outlined above represent the “must-haves” of a good penetration testing report. While other elements may be included, you should weigh them based on how they directly help your organization.

It is also important to remember that a penetration test is a “demonstration of exploitability.” This means that if you receive a report that lists vulnerabilities but doesn’t have any demonstrative examples or validation, you should challenge those who conducted the test.

Turning Results into Strategy

Now that you have your report, you need to execute your strategic goals using those results as direction. Use the findings to show the immediate need for security changes.

Well-rounded organizations conducting regular vulnerability management and patching should consider those measures as “good hygiene.” The successful results of a penetration test should highlight security issues that fall outside the identification capabilities of your vulnerability scanner. This allows you to prioritize penetration test results ahead of your normally identified vulnerabilities.

Final Thoughts

Penetration testing can be an integral part of your security strategy when the results are presented in a way that helps your organization visualize and prioritize. Never be afraid to challenge the results of your vendor if you do not understand them or feel the information isn’t presented in a way that helps you strategically. You paid for this information, and you should be able to utilize it.
