Reporting

Reporting & Documentation

A professional penetration test report communicates findings, demonstrates risk, and provides actionable remediation guidance. Documentation throughout the engagement ensures comprehensive and accurate reporting.

Tip

Start documenting from day one. Collecting evidence and notes during testing is far easier than trying to reconstruct steps after the fact.
flowchart TD A[Reporting] --> B[Evidence Collection] A --> C[Finding Templates] A --> D[Executive Reports] A --> E[Technical Reports] B --> B1[Screenshots / Logs / Notes] C --> C1[CVSS Scoring / Templates] D --> D1[Business Language / Risk] E --> E1[Attack Chains / Remediation] style A fill:#22c55e,stroke:#000,color:#000 style B fill:#10b981,stroke:#000,color:#000 style C fill:#10b981,stroke:#000,color:#000 style D fill:#10b981,stroke:#000,color:#000 style E fill:#10b981,stroke:#000,color:#000

Reporting Components

📸

Evidence Collection

Screenshot tools, terminal logging, note-taking workflows, and evidence organization systems.

Screenshots Logging Obsidian tmux
📋

Finding Templates & CVSS

Standardized finding documentation, CVSS 3.1 scoring guide, and severity rating consistency.

CVSS 3.1 Templates Severity CWE
👔

Executive Reports

Writing effective executive summaries using business language and risk quantification.

Executive Summary Business Impact Risk $$$ Priorities
"
🔧

Technical Reports

Detailed attack chains, step-by-step reproduction, remediation guidance, and appendices.

Attack Chains Reproduction Remediation Appendices

Report Structure Overview

Section Audience Focus Length
Executive Summary C-Suite, Management Business risk, priorities, costs 1-2 pages
Findings Summary Security Leaders All findings by severity 2-5 pages
Technical Details Security Engineers Reproduction, attack chains 10-50+ pages
Remediation IT/DevOps Teams Fix steps, validation Per finding
Appendices Deep Dives Raw data, tool output As needed

Severity Ratings Quick Reference

Critical

CVSS 9.0-10.0

Immediate action

High

CVSS 7.0-8.9

1-2 weeks

Medium

CVSS 4.0-6.9

1-3 months

Low

CVSS 0.1-3.9

3-6 months

Info

CVSS 0.0

Best practice

Quick Reference

Documentation Tools

  • • Obsidian / Notion
  • • Flameshot / ShareX
  • • tmux logging

Key Standards

  • • CVSS 3.1
  • • MITRE ATT&CK
  • • CWE/OWASP

Report Components

  • • Executive Summary
  • • Technical Details
  • • Remediation Plan

📚 Recommended Reading

The Pentester BluePrint

The Pentester BluePrint

Phillip Wylie & Kim Crawley

Covers the full pentesting lifecycle including how to write effective reports that communicate risk to technical and non-technical audiences.

 PTFM: Purple Team Field Manual

PTFM: Purple Team Field Manual

Tim Bryant (2020)

Bridges red and blue team perspectives — invaluable for writing reports that map attacks to detection and remediation.

Related Topics

Post-Exploitation

Privilege escalation and lateral movement

Red Team Operations

Advanced adversary simulation

Reporting Templates

Report templates and examples

As an Amazon Associate I earn from qualifying purchases.