CHAPTER 14 Reporting
Recently, I was handed a penetration testing report prepared by a third‐party company. This company had hired some consultants to pentest one of the newly deployed web applications in the production environment. The report was a copy‐and‐paste of the output of a security scanner (e.g., Burp Suite, Nessus, etc.) and was full of misestimated severities. I'm telling you this story because even if you're the best penetration tester in the world, if you don't know how to write a report, then all your efforts will be for nothing. A report is your reputation, and it shows your level of professionalism.
In this chapter, you will mainly learn how to do the following:
- Present reports to your clients/employers
- Score the severity of your findings
Overview of Reports in Penetration Testing
A report is not just about the look and feel. Some people think an excellent report is one packed with words. A good report will meet the following criteria:
- Accurate vulnerability severity scoring (not exaggerating the severity of a vulnerability)
- No false positives
- Evidence (e.g., screenshots, or PoC) and not just links or definitions
- Instructions for how to remediate the flaw. This is where a security professional will shine. A clear definition of how to fix the issue is a turning point in your reports. (I've seen a lot of reports where the remediation part is just a link to OWASP, a CVE reference, etc.)
- Be clear and not too wordy
- Must be divided into two reports:
- A technical ...