Communicating Penetration Testing Results to Third-Parties

Many of our clients are getting penetration tests not only to improve their security posture, but also to use the results to satisfy a client’s requirements or integrate the results into their sales materials. We get asked quite often how other organizations handle communicating penetration testing results, while avoiding divulging sensitive information. Below, we highlight how to effectively communicate your penetration testing results.

Communicating Penetration Testing Results To Outside Organizations

All business-to-business relationships are different, and it is ultimately a business decision what level of detail you ultimately share with your clients. At Triaxiom, we provide a couple different documents following the completion of an assessment, including a Technical Findings Report, an Executive Overview, and upon request, a Certification Letter.

  • Technical Findings Report – This is the most granular report that lists out any vulnerabilities discovered line by line. This document is primarily aimed at assisting the team(s) that will be working on remediation of the findings, and includes things like a detailed breakdown of how to recreate the issue, the risk associated, remediation steps, helpful reference links, priority/severity, applicable standards requirements, and much more. Generally, we would recommend this not be shared with anyone outside of your organization, or even anyone without an explicit need-to-know within your organization.
  • Executive Overview – This report is tailored towards an audience that needs a high-level overview of the assessment and includes important findings, thematic/widespread issues, key risks, and any noted security strengths. Oftentimes, this is leveraged internally to discuss results of a penetration test with senior leadership teams. This document can be shared with third-parties depending on the results of the test and your relationship with the outside party, however in many cases, this is still too much detail.
  • Certification Letter – This letter is a high-level memo that details the type of testing performed, the scope of the assessment, and an overview of how your organization performed. This document is specifically designed to be provided to an external organization or client, and discloses no sensitive internal information or specifics on vulnerabilities discovered.

What Should I Use To Show Security Posture In Sales Materials?

The approaches we’ve seen here vary drastically. Some firms provide our certification letter as evidence of security assessments being performed, others simply state that they have done testing, and others offer full Executive Overviews from our tests, if requested. All businesses are different, so ultimately it should be an internal decision on what your firm deems acceptable to provide to outsiders and how you want to show your dedication to security.

As a partner to our clients, Triaxiom is happy to assist your firm at every step along the way, from the initial testing, analysis of the results, remediation, and even communicating those results outside of your organization. If you want to get started, reach out today!