4.1 Reporting and Communication

Question 1

At then end of a PenTest, what does the report audience usually consist of?

Answer 1

-C-Suite
-Third-party Stakeholders
-Technical Staff
-Developers

Question 2

In a PenTest report, what is an Executive Summary?

Answer 2

An Executive summary is a high-level and concise overview of the penetration test, its findings and their impact.

Question 3

In a PenTest report, what is the Methodology?

Answer 3

The Methodology is a high-level description of the standards or frameworks that were followed to conduct the penetration test.

Question 4

In a PenTest report, what is the Attack Narrative?

Answer 4

The Attack Narrative is a detailed explanation of the steps taken while performing the activities.

Question 5

What is important to include in the findings of a PenTest report?

Answer 5

-Risk Rating: the process of assigning quantitative values to the identified risks(likelihood vs impact)
-Risk Prioritization: the process of adjusting the final rating of vulnerabilities to the client needs
-Business Impact Analysis: estimating the possible effects to the client if the identified issues were to be targeted by a malicious actor.

Question 6

In a PenTest report, what are Metrics & Measures?

Answer 6

-Metrics are quantifiable measurements of the status of results or processes.
-Measures are the specific data points that contribute to a metric.

Question 7

In a PenTest report, what is Remediation?

Answer 7

Remediation is the possible solution to the issue identified during the penetration test.

Question 8

In a PenTest report, what is in the Appendix?

Answer 8

Any supporting evidence or attestation of findings, such as test results, screenshots and other evidence. Sometimes the full vulnerability details are also included in the appendix.