The reason most companies conduct a penetration test is to uncover vulnerabilities so that they can remediate or mitigate them, ultimately improving security posture. But in order to do that, one of the key components following any penetration test is the transfer of knowledge from the penetration test team to the organization’s defenders. And taking this a step further, the reports you receive following a penetration test that contain all of the findings and information uncovered during an assessment are key to the effective transfer of this knowledge. So knowing what reports you will get following a penetration test is crucial to improving your security and maturing your program.
The types of reports you will get from a penetration test can also influence your organization’s decision on which penetration testing company you decide to use for your assessments. Some firms provide all testing results in a single document. Others will split results into different documents depending on the intended audiences. And still others will present the reports verbally following an assessment, either in person or via conference call, while some will just hand over the reports and step away. We’re going to cover how Triaxiom delivers assessment findings to make sure you know what to expect and the results of an assessment are going to meet your organization’s needs.
Technical Findings Report
The first document you’ll receive is a full listing of all the vulnerabilities discovered in your environment, broken out line-by-line with the criticality of the issue, a detailed description of the issue (how to recreate the problem and what the risk is), our suggested remediation for the issue, and any helpful reference links that either help describe the issue or provide more information on a fix. This document is extremely detailed and intended for the folks who need to fix these issues. It is also great for tracking remediation progress, as you can update and mark it up as you accomplish fixes.
Executive Summary Report
Besides the Technical Findings Report, the other main document in the report set is the Executive Summary. This document is designed for management-level consumption, acting as an overview or summary of the assessment at “30,000 ft.” In this document, you’ll find the background of the assessment, the scope, an overview of the risk scored on a 1 to 5 scale, a summary of the security strengths observed, any particularly critical or thematic security issues, and technical walkthroughs for important vulnerabilities that include screenshots. This document is much more like a narrative that walks you through and highlights the important parts of an assessment.
Certification Letter
The third document you’ll get is a certification letter or certification memo. This document is an even higher-level review of the assessment that is meant to summarize the assessment in a one-page format that can be provided to compliance bodies or third parties. By using this document, you can prove that your organization has had a penetration test or security assessment performed without disclosing any specific information or weaknesses associated with your environment. While you may be OK providing the full Executive Summary to some organizations or partners, this gives you another option to help protect your privacy and security.
Findings Presentation
Finally, and maybe most importantly, is the Findings Presentation. After every assessment, Triaxiom will sit down with you and anyone on your team who needs to be involved to present the findings of our assessment, review the formats of all provided documentation, and answer any questions that you or your team may have. This ensures that everything was reported accurately, that your team understands each of the findings and the test team’s perspective on the issues, and that you can take actionable steps to fix the problems following the review. Additionally, it gives us another chance to identify and fix any mistakes or misrepresentations in the report after a collaborative conversation about the findings, and to add important information that we may not have known or been able to identify during the original assessment.