Writing penetration testing reports is a critical skill. Reporting occupies a considerable portion of your time on an assessment, it's a required skill on your career path, and reports are the primary deliverable to a customer on every engagement. In this course, Writing Penetration Testing Reports, you'll learn how to write penetration testing report. First, you'll discover how to report on the results from a penetration test. Next, you'll explore tips to become more effective at the reporting process. Finally, you'll learn how to save time while reporting. By the end of this course, you'll have a better understanding on how to write penetration testing reports.
Will is a Principal penetration tester at a small consulting firm. He enjoys Web Application Security and external attack vectors. Will has previously spoken at a number of security conferences including Blackhat, DEFCON, and TROOPERS.
Course Overview Hi everyone. My name is Will Vandevanter, and welcome to my course, Writing Penetration Testing Reports. Writing penetration testing reports is a critical skill. Reporting occupies a considerable portion of your time on an assessment, it's a required skill on your career path, and reports are the primary deliverable to a customer on every engagement. In this course, you'll learn how to report on the results from a penetration test, learn tips to become more effective at the reporting process, I'll discuss required and optional components you can add into the report, and my ultimate goal is to save you time while reporting. When finished with this course, you should feel more confident with your report writing skills. Before beginning the course, you should have at least one year of experience of penetration testing or vulnerability assessments. I hope that you'll join me in this Pluralsight course on writing penetration testing reports.
Scaffolding to Create Better Reports In this module, you will learn about building the initial structure of the report. This module is very important because at this point I start to write the report for this engagement. I'll introduce two major topics, the report template and the findings. Both of these are partially written before the assessment even begins. The first topic is the report template which is the foundation of every report. Every report begins with a report template. Second, you'll learn about the report findings. These are issues you discovered and exploited during the assessment. They are critically important to the story you're telling. Last, I'll show demos from two different reporting tools that illustrate using a report template and adding findings. Both of these should help you speed up your reporting process. At the end of this section, you should be comfortable and ready to write the rest of the report. Let's get started.
Building on to the Scaffold In the previous module, you learned about putting together the structure of the report, that is creating or choosing a report template and adding the findings into it. At this point, you should have a partially completed report with the stock language and most, if not all, of your findings. But our report is far from complete. In this section, you'll learn about building the executive summary and the attack narrative. These two sections are critically important because they're custom written for every assessment and they're targeted at different levels of management. My goal is to prepare the report such that educated decisions can be made at the business level and my customer's security in maturity is improving over time. Finally, we'll also cover building a great proof of concept and adding an appendices.
Optional Components of the Deliverable In this module, you will learn about some optional components of the report. My goal from this module is to distill aspects of different reports that I really like that are somewhat unique and that add value. These don't need to go into every report, but I hope they give you ideas for things you could add into your reports. I'll cover three topics, positive findings, graphing and charts, and comparative analysis.
After the Draft Is Written In this module, I'll focus on the steps after the report draft has been written. This starts with verifying that the draft you've written is complete and meets the standards for your organization. Next, your draft needs to go through a peer review process. I'll talk about what's involved in that process. After the peer review cycle is complete, the report is delivered to the customer. Finally, I want to talk about some recommendations I have to improve your reporting process. This should hopefully give you a step up in your career. Congratulations, you're almost done with the report. Now I want to finish strong.