Regular penetration testing is critical to finding and mitigating security vulnerabilities. Even more critical? Obtaining a clear and actionable understanding of your penetration testing results. In this blog, we’ll lay out a step-by-step approach to reading a penetration testing report.
Penetration testing, sometimes referred to as “white hat hacking” or “ethical hacking,” has become an important – and popular – aspect of cybersecurity. This type of testing lets an authorized cybersecurity firm try to break into your systems, under agreed rules of engagement, to find vulnerabilities before a real attacker does. It’s a more proactive approach to cybersecurity. When they’re done, your cyber team will deliver a detailed penetration testing report that breaks down everything from what type of testing they did, to what needs fixing first, to suggestions about how to fix it.
The report can be complex and technical, potentially confusing those who aren’t in technical roles or don’t know how to read the report.
Senior management, IT teams, and risk and compliance team members need to understand the key components of your penetration testing report. Once you grasp the results, or at least know where to look for what matters for your team, you can analyze and mitigate risks to keep your organization and your customers safer in the long run.
In this blog, we’ll break down the core components of a penetration testing report and how to determine the appropriate steps to take.
How to Understand the Scope and Methodology of Your Penetration Testing Report
Your penetration testing report will likely be hefty, but it will include several components explaining the findings. Your cyber team should write the results clearly so your nontechnical executives know where to start and what changes to make without getting lost in technical jargon. There will also be a technical section for your administrators and IT teams so they can make the recommended changes.
It’s tempting to flip straight to that technical section, or to the recommendations and risk assessment, when you first receive your penetration testing report. However, that would be a mistake. You can’t start making changes without knowing what was actually tested, how it was tested, and what was left out. For that, you need to read the overall summary, the scope, and the testing methods employed.
Executive Summary
In most penetration testing report templates, you’ll see a section for an executive summary. This summary:
- Shares the findings.
- Gives an overview of the direst vulnerabilities.
- Informs you of what security measures failed to stop their simulated attack.
- Provides recommendations to resolve any issues.
It should be short and written so your nontechnical team members can understand it and move forward without confusion.
Scope of Work
The scope of work outlines what systems the team tested and information about the methods – which we cover more below – used to test those systems. It should include things like the particular domains, software or hardware they tested. This section helps you determine if the testing met your needs, if they excluded any resources that you should know about, and whether certain areas they tested need immediate remediation or can wait.
Testing Methodology and Techniques Employed
Your firm should outline the exact testing methodology, approach, tools, and techniques that they used to determine your vulnerabilities. Here are a few of the common testing methods some companies use in a penetration test:
- White box testing: Penetration testers receive extensive information up front, such as credentials, system and network documentation, and often access to source code, so they can review each component thoroughly rather than spending their time discovering how it works.
- Grey box testing: The “attackers” receive partial knowledge, typically an ordinary user-level account and some infrastructure information, rather than full administrative access. This simulates an insider or an attacker who has already compromised a low-privileged user.
- Black box testing: Rounding out the color-coded testing, black box testing gives the attackers almost no information about the IT infrastructure. The testers then simulate an external cyberattack, discovering your systems the way an outside attacker would.
- Hardware testing: Pen testers most often apply hardware testing to Internet of Things (IoT) devices, but it also covers physical equipment you need to secure on site, such as an on-site kiosk, a credit card machine, or similar devices.
- Web application testing: This type of testing focuses on finding weaknesses within the application itself, typically through authenticated, role-based testing that checks what each user role can reach, in addition to what an unauthenticated visitor can reach.
Limitations and Assumptions
Within this section of the report, you should answer the following two questions:
- What expectations did you share with the pen tester before or during testing? How did these inform the report?
- What was the pen tester unable to do? What restrictions did they face during testing?
Along with the assumptions and limitations, you must also understand the test frequency. Is this the first time you’re doing a penetration test? Or do you conduct one annually or biannually? A first pen test usually produces more findings, and more critical or high-risk ones, than a test of an environment that is assessed regularly, because nothing has been remediated yet.
When the pen tester clearly states the testing scope and methodology alongside the limitations and assumptions made, you can better interpret the findings and recommendations presented in their report. But before you can start making changes, you need to know the actual results.
Key Narratives Your Penetration Testing Report Should Include
The overall testing report should also include several narratives, which all tell the story of how your pen-tester engaged with your systems. These narratives provide a high-level overview of what your attackers did within each scenario, provide context, and help you absorb what makes their findings significant.
Here are a few common narratives you should find in your report:
- Attack Narrative – Describes, end to end, how the test was conducted and how individual findings chain together.
- Reconnaissance Narrative – Covers the preparatory work: what the testers learned about your systems before attempting any exploitation.
- Port and Vulnerabilities Narrative – Summarizes the port scanning and vulnerability scanning the firm performed, and what those scans exposed.
- Exploitation Narrative – Shows you which exploitation attempts the team made, which succeeded, and what access each one gained.
- Open-Source Intelligence Gathering Narrative – Tells you what publicly available information about your organization could leave you open to attack.
- Social Engineering Narrative – Analyzes email phishing and other people-focused weaknesses, such as how many team members clicked or entered credentials.
Breaking up the results in this way helps your security team understand exactly where the highest risks occur. If there’s a pattern with, say, social engineering, then you know that your team might need more frequent security training. And once you know these narratives, you can also gain a deeper understanding of what is coming next: the vulnerability assessment.
Analyzing the Results: Vulnerabilities and Risk Assessment
With the vulnerability or security risk assessment, you should receive a breakdown of which vulnerabilities will impact your system the most. Your pen tester will likely use the Common Vulnerability Scoring System (CVSS). This system assigns each vulnerability a numeric severity score from 0 to 10, which is commonly used as the starting point for deciding what to fix first.
However, a CVSS base score describes the intrinsic severity of a flaw, not how important the affected system is to your business; the same vulnerability scores identically on a throwaway test box and on the server holding your customer data. A good pen tester will have a multifaceted risk-scoring system that layers that context on top of CVSS (the standard itself provides environmental metrics for this). They might also use if-then scenarios to capture dependencies between findings. For example, an if-then scenario might say, “If you fix this security problem, then you’ll also wind up fixing these other four problems.”
By thoroughly analyzing the findings and providing a risk assessment or ranking, the pen tester can help your organization prioritize the most critical vulnerabilities first, maximizing the effectiveness of your remediation efforts.
Implementing Recommendations and Remediation Steps
After reviewing your vulnerability assessment, you can move on to the recommendations portion of the penetration testing report.
Here, you will find suggestions for resolving each security issue, broken into short-, medium-, and long-term changes. Recommendations could include applying a patch, reconfiguring a system, or, where the tester found a zero day – a vulnerability the vendor does not yet know about or has not yet patched – outlining compensating controls to use until a fix is available.
Much of your penetration testing results so far have focused on maintaining a balance between being clear for a nontechnical team member and providing information to your technical teams. Two additional reports highlight this balance the most: The nontechnical, risk-based report and the technical report, which is meant for your operational team. The technical section identifies all of the security risks, penetration points, vulnerabilities, concerns, and threats your pen tester ran into alongside the technical aspects of each finding.
Nontechnical, Risk-Based Report
While not all firms do, several firms will provide a detailed nontechnical, risk-based report so that your nontechnical team members can quickly understand what poses the most risk to your organization and what can wait until later. While the assessment listed above will provide a high-level overview, this report should be more detailed while avoiding the trappings of becoming too technical. When accompanied by the technical report, your company gains a holistic view of your security vulnerabilities.
Technical Report
Your firm might provide much of the technical section in a table format and break down unique and specific advice for each vulnerability. For example, suppose your pen tester broke through a specific router’s security or exposed a weak login in your customer relationship management (CRM) platform that could expose customer’s data. In that case, they should list that in the technical section alongside how to resolve these issues.
The details provided within the technical section not only help your technical teams resolve these issues, but they also help them discover additional vulnerabilities that may have been out of scope for the test. For example, the project’s scope might have been to check single sign-on vulnerabilities, but it might not have been to dive into vendors’ security measures. By discovering potential problems with the CRM login, technical teams might also reevaluate their vendors’ security measures.
When the pen tester clearly explains their recommendations for remediation, you can develop a comprehensive plan to strengthen your security posture and mitigate identified risks effectively.
Your Organization’s Future Security Depends on the Pen Test
Penetration testing reports provide invaluable insight into your organization’s security posture by identifying vulnerabilities, assessing risks, and offering recommendations for remediation. They also play a major role in demonstrating compliance with HIPAA, PCI DSS, SOC 2, and more.
Understanding the key components of these reports will better equip you and your team to make informed decisions, prioritize remediation efforts, and implement effective strategies to enhance your organization’s overall cybersecurity resilience.
If you haven’t done a penetration test or you’d like additional cybersecurity guidance, reach out to our Cybersecurity Consulting Services team. Let’s talk