
Week 11: Reporting and Client Communication


"Writing a good pentest report is an art that takes practice to master. You'll need to convey your findings clearly to everyone from the IT staff charged with fixing vulnerabilities to upper management who signs off on the changes to external auditors." -- Georgia Weidman, Penetration Testing Primer


Reading (~1.5 hr)

Required:

  • Weidman, Penetration Testing, "Penetration Testing Primer" chapter, the Reporting section (Executive Summary and Technical Report subsections). ~8 pages. This is the week's primary template; read it before lecture.
  • PTES, Reporting section (pentest-standard.org/Reporting). Read the full section: executive summary, technical report, and findings format.

Supplementary:

  • OffSec PEN-200 Report Writing guidance (offensive-security.com; the public-facing materials on the OSCP report format). The OSCP report format is the industry's most-referenced student-level template.
  • WritersHQ: "How to Write a Penetration Test Report" (any current practitioner blog with a sample report structure). Read for a second perspective on the executive summary format.

Lecture outline (~1 hr)

Part 1: The report's two audiences (20 min)

A penetration test report serves two audiences simultaneously. This is the most common failure mode in student reports: writing for one audience and calling it done.

Audience 1: The technical team -- the people who will fix the findings. They need:

  • Which system is vulnerable (IP, hostname, service, version)
  • Exactly what the vulnerability is (CVE if applicable, the specific misconfiguration)
  • Exactly how to reproduce the finding (to verify after remediation)
  • Specific, actionable remediation guidance (not "apply security patches")

Audience 2: The executive decision-maker -- the person who authorizes the remediation budget. They need:

  • What the risk is in business terms (not "CVSS 9.8 unauthenticated RCE"; instead "an attacker on your network can take full control of your file server and read or delete any customer file")
  • How bad it is relative to peers (are you in normal territory or is this unusual?)
  • What fixing it costs (rough order of magnitude; "patch the software" vs. "replace the architecture")
  • What to fix first

The executive summary is written for Audience 2. The findings sections are written for Audience 1. The two cannot be the same text.

The Weidman test for executive summary quality: "A statement like 'I was able to read your email,' will resonate with almost anyone." If your executive summary requires the reader to know what a Meterpreter shell is, rewrite it.

Part 2: Finding format in depth (25 min)

Every finding follows the same structure. This structure is not optional; it is what separates a finding from a note.

The five-part finding structure:

## Finding [N]: [Title]

**CVSS v3.1:** [Score] / [Severity] / [Vector string]
**Affected system:** [hostname]:[port]/[service]
**CVE:** [CVE-YYYY-NNNNN if applicable, or "N/A (misconfiguration)"]

### Description

[What the vulnerability is and why it exists. 2-4 sentences. No jargon the reader
cannot look up. Do not describe the exploit steps here -- that is Evidence.]

### Evidence

[Numbered reproduction steps. Each step includes the exact command run and the key
output or screenshot. A second tester must be able to reproduce this finding
from this section alone.]

1. Authenticate to Kali and connect to the lab VPN.
2. Run: `python3 psexec.py -hashes :<hash> Administrator@192.168.100.30`
3. The resulting prompt shows `C:\Windows\system32>` with `whoami` confirming
   `nt authority\system`.

[Screenshot: whoami output showing SYSTEM]

### Business Impact

[What an attacker gains. In terms the client executive can evaluate. One paragraph.
Map the technical capability to a business consequence: "access all employee email,"
"modify or delete any customer record," "move money out of any account."]

### Remediation

[Specific. Actionable. Prioritized. Not "apply security patches" but "apply Microsoft
Security Update KB5007186 (November 2021 Patch Tuesday) or later, which addresses
this specific vulnerability. After patching, verify by re-running the exploit test
procedure in the Evidence section above; you should receive a connection refused."]

CVSS vector derivation in the report: Show your work. A score without the vector is unverifiable. A score with the vector is auditable.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = 9.8 (Critical)
AV:N = Network (accessible from the Internet)
AC:L = Low complexity (no special conditions)
PR:N = No prior authentication required
UI:N = No user interaction required
S:U = Scope unchanged (vulnerability stays within the target's security authority)
C:H / I:H / A:H = High impact on all three CIA properties
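The two checks a peer reviewer makes by hand in the lab (all parts of the finding present, stated CVSS score consistent with its vector) can be automated. The following is an added example, not course or Weidman material: it recomputes the CVSS v3.1 base score from the vector string using the weights published in the FIRST v3.1 specification, compares it to the score stated on the finding's CVSS line, and reports any missing section. The sample finding text and the hostname fileserver.lab.example are constructed.

```python
import math
import re

# CVSS v3.1 base-metric weights from the FIRST specification (section 7.4).
W = {"AV": {"N": .85, "A": .62, "L": .55, "P": .2}, "AC": {"L": .77, "H": .44},
     "PR": {"N": .85, "L": .62, "H": .27}, "UI": {"N": .85, "R": .62},
     "C": {"H": .56, "L": .22, "N": 0}, "I": {"H": .56, "L": .22, "N": 0},
     "A": {"H": .56, "L": .22, "N": 0}}
PR_CHANGED = {"L": .68, "H": .5}  # PR weighs more when scope is changed (S:C)

def roundup(x):
    """CVSS v3.1 Roundup: one decimal place, always rounded toward 10."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def base_score(vector):
    """Recompute the base score from a 'CVSS:3.1/AV:../AC:../...' vector string."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    changed = m["S"] == "C"
    iss = 1 - (1 - W["C"][m["C"]]) * (1 - W["I"][m["I"]]) * (1 - W["A"][m["A"]])
    impact = (7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15) if changed else 6.42 * iss
    pr = PR_CHANGED.get(m["PR"], W["PR"][m["PR"]]) if changed else W["PR"][m["PR"]]
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * pr * W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    return roundup(min(1.08 * (impact + expl) if changed else impact + expl, 10))

SECTIONS = ("### Description", "### Evidence", "### Business Impact", "### Remediation")
CVSS_LINE = re.compile(r"\*\*CVSS v3\.1:\*\*\s*([\d.]+)\s*/\s*\w+\s*/\s*(CVSS:3\.1/\S+)")

def audit_finding(md):
    """Return a list of problems found in one Markdown finding (empty list = passes)."""
    problems = [f"missing section {s}" for s in SECTIONS if s not in md]
    hit = CVSS_LINE.search(md)
    if not hit:
        return problems + ["CVSS line must give score / severity / vector"]
    stated, vector = float(hit.group(1)), hit.group(2)
    computed = base_score(vector)
    if computed != stated:
        problems.append(f"stated score {stated} but vector recomputes to {computed}")
    return problems

# Constructed sample finding (hypothetical host, not from any real engagement).
SAMPLE = """## Finding 1: Unauthenticated RCE on legacy file server
**CVSS v3.1:** 9.8 / Critical / CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
**Affected system:** fileserver.lab.example:445/smb
### Description
### Evidence
### Business Impact
### Remediation"""
```

`audit_finding(SAMPLE)` returns an empty list; change the stated score or delete a heading and the returned list names the defect, which is exactly what the peer-review form in Phase 3 asks for.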

Part 3: Disclosure ethics and professional responsibility (15 min)

Penetration test findings are sensitive assets. You have found real vulnerabilities in a client's systems. The engagement report is the evidence that:

  • You found the vulnerabilities within an authorized scope
  • The client was informed
  • The client has a remediation path

Three responsibilities follow from the engagement:

1. Report timeliness: A finding that is not communicated to the client promptly is a risk the client cannot mitigate. For critical or exploitable-in-the-wild findings, notify the client verbally or in writing within 24 hours of discovery, even before the full report is complete. This is not standard in all engagements but is professional practice when the risk is immediate.

2. Data handling: Your evidence archive -- screenshots, terminal logs, captured hashes -- contains real sensitive data from the client's systems. Handle it accordingly: encrypted storage, no cloud sync to personal accounts, destroyed per the contract terms (typically 30 days after final report delivery).

3. Post-engagement secrecy: The findings you documented are confidential. The NDA in the SOW is a legal obligation. Discussing client findings in public -- even anonymized -- requires careful judgment. The standard is: if you would not want the client to read this, do not write it.


Lab 11: Report Workshop (~3 hr, graded)

See labs/lab-11-report-workshop.md for the full lab.

No new technical work this week. The lab input is the finding output from Labs 7-10 and the midterm.

Phase 1: Draft the findings (2 hr)

From your Lab 7-10 output and the midterm, select your five best findings (highest CVSS + most clearly documented evidence). Write each finding in the five-part format from Part 2 of the lecture.

At least one finding must be from each of:

  • Infrastructure exploitation (Week 7)
  • Web application exploitation (Week 8)
  • Post-exploitation / privilege escalation (Week 9 or 10)

Phase 2: Draft the executive summary (30 min)

Write a one-page executive summary covering:

  • Engagement purpose (one sentence)
  • Overall risk posture (High / Medium / Low with rationale)
  • The three most significant findings in plain English
  • A recommended remediation priority order

Test your executive summary against the Weidman test: can a non-technical reader understand the risk without knowing what a CVE or a Meterpreter session is?

Phase 3: Peer review (30 min, in-class)

Exchange your five findings and executive summary with a peer. Each reviewer answers three questions:

  1. For each finding: can you reproduce this from the Evidence section alone? If not, what is missing?
  2. For the executive summary: as a non-technical business owner, do you understand what you need to fix and why? If not, what is unclear?
  3. Does any language in the document require security background to understand without explanation? List the terms.

Return the feedback before the end of lab. Revise after receiving it.

Deliverable: The revised five-finding set + executive summary (PDF or well-formatted Markdown).


Independent practice (~3.5 hr)

  • Sample report review (1.5 hr): Search for "penetration test report sample" and find one publicly available sample report (several consulting firms publish anonymized templates). Read it against the Week 11 criteria: Does the executive summary pass the Weidman test? Does each finding have all five parts? Are CVSS scores shown with vector strings?
  • Remediation roadmap draft (1 hr): Using your five Lab 11 findings, draft a two-page remediation roadmap in the three-tier format from CAPSTONE.md: immediate (Days 1-7), short-term (Weeks 1-4), long-term (Quarter+). Sequence the findings and estimate remediation effort (Low / Medium / High level of effort, LoE).
  • Reflection (1 hr): Write the reflection prompts below.

Reflection prompts

  1. You found a Critical finding (CVSS 9.8) in the lab: unauthenticated remote code execution on a legacy host. You also found a Medium finding (CVSS 5.3): default credentials on a web admin panel that provides full configuration access to the same host. In the remediation roadmap, which do you place in the "Immediate (Days 1-7)" tier, and why? Does your answer change if the legacy host is running an end-of-life operating system that cannot receive the patch for the Critical CVE?

  2. Your peer reviewer told you that the Evidence section for one finding was not reproducible from your notes alone -- you had the screenshot but not the exact command that produced it. You did not save the terminal session log for that exploit run. What is your obligation in the professional context? Can this finding go in a client report? What is the lesson for your evidence-preservation workflow?

  3. A client receives the final report and asks you to remove one finding -- a high-severity misconfiguration -- because fixing it would require replacing a system that is "politically difficult" to replace. What do you do? What language does the final report use if the finding is removed? What is your professional obligation?


Toolchain Diary: Week 11 additions

  • Pandoc -- Command-line document conversion tool. Converts Markdown + LaTeX + HTML to PDF. `pandoc report.md -o report.pdf --pdf-engine=xelatex` produces a professionally typeset report from Markdown source. The capstone requires a PDF; Pandoc is the recommended path.
  • The five-part finding structure -- Not a software tool but a practitioner framework. Header (CVSS vector, affected system, CVE) + description + evidence + business impact + remediation, as laid out in Part 2 of the lecture. Used in every professional engagement report; used in the capstone rubric.
  • PTES Reporting section -- pentest-standard.org/Reporting. The public standard against which professional reports are measured.

What's next

Weeks 12-13 are the capstone: a five-day simulated engagement against an instructor-built network with a client-style report and 20-minute oral debrief. Everything in the course -- ROE drafting, OSINT, active recon, vuln analysis, exploitation, post-exploitation, and reporting -- is exercised in a single sustained engagement. Read CAPSTONE.md in full before Day 1.