Deliverables of pen-testing

What is this blog about?

This blog explores the world of penetration testing, providing insights, techniques, and trends in cybersecurity. You’ll find information on identifying vulnerabilities, understanding security protocols, and implementing defense strategies. We cover case studies, tool reviews, and guides to enhance your penetration testing skills and protect digital landscapes.

Structure and content of a pen-testing progress status update

The pen-testing project is initiated, the requirements including the testing-environment are agreed and the pen-testing team has started the actual testing.

The actual pen-testing can take from 7 up to 20 days to be concluded depending on the selected scope and its complexity in combination with the system(s) to be tested.

Business users would like to get some insight also during the pen-testing and not wait till the results report is delivered. There are 2 major methods to keep the business informed:

1. Weekly status emails (push)

For this an email is sent out at the end of every week outlining the overall agreed scope of testing, information which particular pen-tests were completed and which of those are still due. The picture below captures the possible format and content of such an email.

2. Online status internet page (pull)

Additionally to weekly status updates via email there is a possibility to review the information and details via an internet site which is updated daily, as the pen-testing progresses.

For this, business users get access information to enter a webpage, protected by very strong authentication and access control so only the defined users can access those pages. The information they find there outlines:

  • agreed testing environment
  • agreed scope
  • particular pen-tests according to that scope
  • Whether a particular pen-test is completed or in work
  • How many open vulnerabilities were found per pen-testing category and their severity categorisation
  • status update timestamp

Structure and content of a pen-testing results document

The final pen-testing results document created after completing the pen-testing is delivered to business users in the most secure way possible as it can contain very sensitive information about open vulnerabilities to be absolutely avoided to get public.

The results document is encrypted and can only be accessed by the authorized users by business responsibles.

The document contains 3 major chapters:

1. Pen-testing summary

The pen-testing summary section contains a consolidated overview of the results and can also be considered as a management summary. It outlines on a single page which open vulnerabilities categories were detected, what are the  severities of the particular open vulnerabilities per category and how many of them are existing per severity. Following table displays an example of such a summary one-pager.

Additionally the general information is provided in this section about the timeframe of the pen-testing, its environment, utilized prioritization methodology as well as the used risk assessment system description.

2. Open vulnerability details

Each detected open vulnerability is described in detail in this chapter, providing information about

  • Categorization
  • Severity
  • Risk assessment / CVSS Score
  • Impact / Proof of concept
  • How to reproduce / Attacking Scenario
  • Remediation recommendations.

Following screenshot provides an example of one of the detected open vulnerabilities in a real life results report delivered to a customer.

3. Pen-testing methodology description

This section provides information about the overall flow of the executed and completed pen-testing project, from initiation to completion and outlining the utilized frameworks, tools and methods in detail, for business users as a reference.

You may also like...

Top Ten Security Insights: OWASP’s Essential Guide

Using a cybersecurity framework as a basis for pentesting ensures standardized, comprehensive and efficient security assessments by leveraging industry best practices and guidelines. It helps in managing risks effectively, ensuring regulatory compliance, and...

Your Security, Our Priority: Hear What Our Clients Say!

Trusting your pen-testing team is the key component of successful and effective cooperation as well as getting best results to improve your cybersecurity environment. One of the aspects to fostering trust in the cooperation is the feedback of customers working...

In ethical hackers for pen-tests we trust

When it comes to improving the IT security environment, pen-testing serves as a major tool to identify possible threats and vulnerabilities without an immediate negative impact on the business. Ethical hackers, also known as white-hat hackers, are cybersecurity...