Security · Topic 22 of 23 · Part IV — From findings to value

Reporting: structure & fundamentals

The report is the engagement — not the testing. What gets fixed is determined by what gets written.

Syllabus: § Reporting (6.4) — Developing a catalog of vulnerabilities and potential remediations + Standard structure of a report
Topic 22 · Report craft

The document that changes things

By the end of this topic you can:
  • State why the report is the engagement's primary deliverable and what that implies for the effort it deserves
  • Describe the standard report structure and the purpose of each section
  • Write each section for its intended audience — executive, technical, regulatory
  • Compose individual findings to a consistent standard: severity, evidence, impact, remediation
  • Build a finding catalogue that supports prioritization and remediation tracking

Why the report is the deliverable

Clients pay testers to change what gets fixed — the report is the artefact that produces the change.

PurposeAudience
Operational inputEngineering teams doing the fixing
Decision inputManagement allocating resources, accepting residual risk
Evidence of workClient showing they commissioned and received a test
Compliance artefactAuditors and regulators
Legal / contractual artefactWhat was done, found, and recommended
Historical recordFuture retests, next year's engagement, incident review

A well-structured report routes different content to different sections — serving all audiences simultaneously.

The standard report structure

  1. Cover page and metadata
  2. Document control / versioning
  3. Executive summary
  4. Scope and methodology
  5. Key findings overview
  1. Detailed findings
  2. Attack narrative
  3. Recommendations summary and prioritization
  4. Appendices
  5. Signatures / approvals
Conventional, not mandated Variations exist. A small engagement may produce 15 pages; a large red team 80+. Length is not a virtue — quality is.

Executive summary — the most important section

Read by everyone, including readers who will read nothing else. Typically 1–2 pages. Strict.

Belongs here

  • What was tested — one paragraph, non-technical
  • What was found — headline numbers and narrative
  • What it means — business interpretation, not restatement
  • What should be done — top 3–5 priorities, one sentence each
  • Overall risk posture — a defensible assessment

Anti-patterns

  • Restating the contract scope as findings
  • Listing every finding (that is the detailed section's job)
  • Filler phrases ("as is standard industry practice…")
  • Jargon executives need a glossary for
  • Hedging beyond what the evidence requires

The executive summary often determines whether action follows. Treat it as the most important writing of the engagement.

Scope & methodology — the legal anchor

  • In-scope assets, explicit exclusions
  • Test types performed; methodology references (PTES, OWASP WSTG, NIST 800-115)
  • Engagement window, tester identification, tools used
  • Limitations and caveats — explicitly stating what was not covered
Auditors read this The scope statement here is what regulators scrutinize. Make it precise and conservative.

Key findings overview: a bridge before detailed findings — typically a table of title, severity, one-line summary, affected asset. Lets a technical reader skim the landscape first.

Detailed findings — per-finding structure

  • Title — conveys location and impact, not just technique
  • Severity — CVSS vector + score + qualitative band
  • Affected asset(s) — specific
  • Description — what the vulnerability is in this system; not a CWE paste
  • Evidence — curated request/response, screenshots, command output
  • Impact — technical capability translated to business meaning
  • Likelihood — ease and reliability of exploitation
  • Remediation — specific and actionable
  • References — CVE, CWE, OWASP, ATT&CK
  • Reproduction steps — a developer can follow and confirm
Grouping By severity (dominant) · by component · by theme. Pick one; apply consistently. The TOC should reflect the choice.

Attack narrative & recommendations summary

Attack narrative

For chained findings — tells the end-to-end story:

  1. Initial access path
  2. Escalation and movement sequence
  3. Objective reached
  4. Detection / response observations

Each step references a finding ID. ATT&CK tags enable direct blue-team coverage analysis. Many engagements live or die in the perceived quality of this section.

Recommendations summary

Consolidated, prioritized view:

  • Top priorities (with effort estimates)
  • Medium priorities
  • Longer-term and architectural
  • Things accepted or out of scope to fix

A table or matrix is typically most usable. Each entry references underlying finding(s).

Per-finding writing principles

  • Lead with impact — don't make the reader work to understand what's at stake
  • Be specific — real URLs, real parameters; "the /checkout endpoint", not "the application"
  • Distinguish observation from inference — "server returned DB error" (obs.) vs. "indicates SQL injection" (inference)
  • Sanitize sensitive data — redact real credentials and personal data; use synthetic placeholders
  • Avoid CWE definition dump — reference CWE; don't paste CWE text
  • Be defensible — write to the bar of an independent reviewer
Reproducibility test Read the finding, open the system, follow the steps, observe the same result. If this fails — the finding is incomplete.

Common gaps: pre-state not stated, implicit configuration, timing dependence, required tools not listed.

Severity and impact discipline

Inconsistent severity — Criticals that don't justify the rating, Lows that should be Highs — erodes trust with every reader.

Inflation Not how to make findings look valuable. Thorough analysis is.
Deflation under pressure Rarely justified. Honest framing is.
  • The CVSS vector is in the finding — justify each metric choice explicitly
  • The impact statement must match the severity; a Critical claim needs Critical-level local impact
  • When compensating controls reduce local impact, adjust and document — don't leave a base 9.8 unexplained

Style, audience & confidentiality

Style

  • Plain language; jargon only when precise
  • Active voice: "the application accepts", not "it is accepted"
  • Consistent terminology throughout
  • Numbered findings (F-001, F-002)
  • Tables for repeated structure; code blocks for code

Audience routing

  • Layered: exec summary → key findings → detailed → appendices
  • Impact field translates technical for management
  • Some engagements produce both a technical report and a separate executive briefing

Confidentiality

  • Classification on the cover
  • Distribution list — who may receive
  • Watermarking for high-sensitivity reports
  • Secure delivery channel
  • Retention policy after delivery

Catalogue, tooling & retest reports

Vulnerability catalogue

Findings from the report become entries in the client's tracker: status (open / in-progress / fixed / accepted), owner, due date, remediation evidence. A well-formed finding transfers cleanly into a ticket. Some engagements deliver findings directly into the tracker; the report is then a summary over those tickets.

Tooling

Document generators (Word, LaTeX, Markdown-to-PDF); engagement platforms (Plextrac, Faraday, AttackForge, Dradis, Serpico). Tooling decisions are organizational — the principles apply regardless.

Retest report

A delta document over the original:

  • Original finding (referenced) + original severity
  • Remediation observed
  • Result: fixed / partially fixed / unfixed / regressed
  • Updated severity if relevant; new evidence
Self-contained Should not require the original report alongside it — but should be much shorter than the original.

Check — finding title critique

Critique & rewrite

A finding's title is "XSS". What is wrong with this, and what makes a good title? Propose two improvements.

Reveal answer

Bad: names only the technique. The client cannot assess priority from the title alone. Better (1): "Reflected XSS in product-search parameter" — adds location. Better (2): "Reflected XSS enables session hijacking" — adds impact. Best: "Reflected XSS in product-search parameter enables session hijacking of authenticated users" — combines location and impact; the client can decide priority without opening the body.

What you take home

  • The report is the deliverable — a brilliant compromise written up badly produces no change
  • Standard structure routes content to each audience; all readers are served simultaneously
  • The executive summary is the highest-leverage writing in the engagement — 1–2 pages, jargon-free, business-framed
  • Each finding needs: specific title (location + impact), CVSS vector, impact statement, evidence, reproducible steps
  • Severity must be consistent and defensible — inflation and deflation both erode trust
  • The attack narrative makes chains readable for executives; detailed findings provide the technical depth
  • Well-formed findings transfer cleanly into the client's vulnerability tracker after the engagement closes

Next: Topic 23 — Bad vs. good reporting. What separates a report that produces change from one that doesn't.

END · TOPIC 22

Write what changes things

Review a public pentest report before Topic 23 — note structure, executive summary, and the completeness of one finding.