Report Delivery Guide

The delivery phase is critical to the success of a penetration test. A well-delivered report drives action, while poor delivery can undermine even the most thorough assessment. This guide covers delivery best practices, presentation tips, and handling client feedback.

Pre-Delivery Quality Checklist

Report Quality Checklist

Ensure your report meets professional standards before delivery


Document Structure

  • CRITICAL: Report includes title page with client name, dates, and classification
  • HIGH: Table of contents is accurate and page numbers match
  • CRITICAL: Executive summary is present and self-contained
  • MEDIUM: Version control/document history included
  • HIGH: Confidentiality/distribution markings on all pages

Scope & Methodology

  • CRITICAL: All in-scope assets are clearly listed
  • HIGH: Out-of-scope items are documented
  • CRITICAL: Testing dates and times are accurate
  • MEDIUM: Testing methodology is described
  • HIGH: Testing limitations/constraints documented
  • MEDIUM: Tester credentials and certifications listed

Findings Quality

  • HIGH: Each finding has a unique identifier
  • CRITICAL: Severity ratings are consistent and justified
  • HIGH: CVSS scores calculated correctly (if used)
  • MEDIUM: CWE/CVE references included where applicable
  • CRITICAL: Affected assets clearly identified per finding
  • CRITICAL: Business impact described (not just technical)
  • CRITICAL: Reproduction steps are clear and complete
  • CRITICAL: Evidence supports each finding

Evidence Quality

  • HIGH: Screenshots are high resolution and readable
  • MEDIUM: Key elements in screenshots are highlighted
  • CRITICAL: Sensitive data is properly redacted
  • HIGH: Request/response pairs included where relevant
  • MEDIUM: Timestamps visible in evidence where relevant
  • HIGH: No personal/irrelevant information visible

Remediation

  • CRITICAL: Each finding has specific remediation guidance
  • CRITICAL: Remediation is actionable (not vague)
  • MEDIUM: Code samples provided where applicable
  • MEDIUM: References to documentation included
  • HIGH: Prioritized recommendations in executive summary

Writing Quality

  • HIGH: Spell check completed
  • HIGH: Grammar and punctuation reviewed
  • MEDIUM: Technical terms defined or explained
  • MEDIUM: Consistent terminology throughout
  • HIGH: Professional tone maintained
  • HIGH: No blame or judgmental language

Final Checks

  • CRITICAL: Client name spelled correctly throughout
  • CRITICAL: No references to other clients
  • CRITICAL: All placeholder text replaced
  • HIGH: Page numbers correct
  • MEDIUM: Links and references work
  • HIGH: PDF renders correctly
  • LOW: File size appropriate for delivery
  • HIGH: Peer review completed

📋 Pre-Delivery Preparation

Internal Review Process

  1. Self-review: Re-read entire report after 24 hours
  2. Technical review: Senior tester validates findings
  3. QA review: Editor checks grammar and formatting
  4. Final review: Project lead sign-off

Pre-Delivery Checklist

  • Client name correct throughout
  • No references to other clients
  • Sensitive data properly redacted
  • All findings verified reproducible
  • PDF renders correctly
  • File encrypted for transport unless it goes through a secure portal (see Delivery Methods)

Critical: Client Name Check

The most embarrassing mistake is delivering a report with another client's name in it. Before delivery, search the whole document for every previous client name, domain, hostname and IP range you have used: body text, headers and footers, screenshot captions, and the PDF metadata fields (Title, Author, Subject), which frequently carry over from the template. Use find-and-replace carefully and re-read the result; a blind replace can mangle possessives and proper nouns, and it cannot catch a name that is embedded in a screenshot.
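The checks above are mechanical, so they should be scripted rather than eyeballed. The following is an added example (not code from the original page) that scans the plain text of a report, extracted beforehand with a tool such as `pdftotext report.pdf -`, for three of the critical checklist items at once: names of other clients, leftover template placeholders, and unredacted secrets. The sample report text, the client names and the secret patterns are constructed for illustration; extend the pattern list with whatever your evidence usually contains.

```python
"""Pre-delivery leak scan for a report's extracted text.

Added example, not code from the original page. Assumes the report has
already been converted to plain text; checks for other clients' names,
template placeholders and unredacted secrets.
"""
import re
import sys

# Leftover template text: bracketed placeholders such as [X], [Client Name]
# or [Date] (but not [REDACTED]), plus the usual TODO/TBD/lorem ipsum markers.
PLACEHOLDER = re.compile(
    r"\[(?!REDACTED\])[A-Z][A-Za-z0-9 /&._-]*\]|\bTODO\b|\bTBD\b|[Ll]orem ipsum"
)

# Secrets that must never leave the lab unredacted. Deliberately narrow
# patterns; add your own (JWTs, session cookies, API tokens) as needed.
SECRET_PATTERNS = [
    ("aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    # "password: value" unless the value is masked ([REDACTED], ****)
    ("password", re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*(?![\[*]|REDACTED)\S+", re.I)),
]


def scan_report(text, previous_clients):
    """Return (kind, line_number, excerpt) tuples for every problem found.

    `previous_clients` is an iterable of names that must not appear anywhere
    (other clients, template company names, internal project code names).
    """
    client_patterns = [
        re.compile(r"\b" + re.escape(name) + r"\b", re.I) for name in previous_clients
    ]
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pat in client_patterns:
            m = pat.search(line)
            if m:
                findings.append(("other-client", line_no, m.group(0)))
        for m in PLACEHOLDER.finditer(line):
            findings.append(("placeholder", line_no, m.group(0)))
        for label, pat in SECRET_PATTERNS:
            for m in pat.finditer(line):
                findings.append(("secret:" + label, line_no, m.group(0)))
    return findings


# Constructed sample report text (not a real report) for a dry run.
SAMPLE_REPORT = """\
Penetration Test Report - Acme Corp
Prepared for: Acme Corp, March 2024
1. Executive Summary
Testing of the Globex Industries web portal identified 4 findings.
Finding F-01: Hardcoded credentials in config.php
  username: svc_backup  password: Summer2024!
Finding F-02: Exposed AWS key in repository
  aws_access_key_id = AKIAIOSFODNN7EXAMPLE
Finding F-03: Default admin credentials
  username: admin  password: [REDACTED]
Finding F-04: [Finding title TODO]
Retest: see section [X].
"""
SAMPLE_PREVIOUS_CLIENTS = ["Globex Industries", "Initech"]   # constructed denylist


def main(argv):
    # Usage: python scan.py report.txt previous-clients.txt
    # With no arguments the constructed sample above is scanned instead.
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
        with open(argv[2], encoding="utf-8") as f:
            clients = [line.strip() for line in f if line.strip()]
    else:
        text, clients = SAMPLE_REPORT, SAMPLE_PREVIOUS_CLIENTS
    findings = scan_report(text, clients)
    for kind, line_no, excerpt in findings:
        print(f"{kind:<22} line {line_no:>4}: {excerpt}")
    return 1 if findings else 0   # non-zero exit blocks delivery in a pipeline


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample text the scan reports the other client on line 4, the live password on line 6, the AWS key ID on line 8 and the two placeholders on lines 11 and 12, while the masked `[REDACTED]` value on line 10 passes. Run it as the last step before the PDF is generated, and again on the text extracted from the final PDF, since the PDF pipeline can pull in metadata the source document never showed.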

📤 Delivery Methods

🔒 Secure Portal

Preferred method for most engagements

  • ✅ Access logging and auditing
  • ✅ Time-limited access
  • ✅ Download tracking
  • ✅ Version control
  • ✅ Professional appearance
📧 Encrypted Email

Acceptable with proper encryption

  • ✅ PGP/GPG encryption
  • ✅ S/MIME if available
  • ⚠️ Password-protected ZIP (AES-256 only; legacy ZipCrypto is not real protection)
  • ⚠️ Send password separately
  • ❌ Never send unencrypted
🌐 Client System

Upload to client's preferred platform

  • ✅ Client controls access
  • ✅ Integrates with their workflow
  • ⚠️ Verify security of platform
  • ⚠️ Confirm upload successful
  • ⚠️ Keep your own backup

Encryption Commands

encryption-commands.sh

# PGP/GPG encryption (preferred). Signing as well lets the client verify who produced the file.
gpg --sign --encrypt --recipient client@example.com report.pdf
# Output: report.pdf.gpg. The client runs `gpg --decrypt report.pdf.gpg > report.pdf`,
# which also reports whether the signature verifies.

# Password-protected ZIP (7-Zip, AES-256). A bare -p prompts for the password
# instead of leaving it in shell history and process listings.
7z a -tzip -p -mem=AES256 report.zip report.pdf

# Password-protected PDF (qpdf, AES-256)
qpdf --encrypt "userpass" "ownerpass" 256 -- input.pdf encrypted.pdf

# Checking what you are about to send
file report.pdf.gpg                    # should report a PGP encrypted session key
gpg --list-packets report.pdf.gpg      # shows the recipient key ID the file was encrypted to
qpdf --show-encryption encrypted.pdf   # plain `file` does not flag encrypted PDFs
7z l -slt report.zip | grep -E 'Encrypted|Method'   # expect "Encrypted = +" and an AES-256 method

# Share the password via a separate channel (Signal, phone call), never in the same email as the file
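The "never send unencrypted" rule and the delivery record (see "What to Document" below) can be enforced by the same small tool. The following is an added example, not code from the original page: it inspects a deliverable's header to decide whether it is actually encrypted (OpenPGP, PDF with an /Encrypt trailer entry, ZIP with WinZip AES versus legacy ZipCrypto), refuses to record a delivery otherwise, and appends a manifest entry with the SHA-256 hash, size, time, recipient and method so a later "which version did we receive?" dispute can be settled. File names, the JSON-lines manifest format and the sample files are assumptions for illustration; the sample files are constructed headers, not real ciphertext.

```python
"""Deliverable guard: refuse to record a delivery unless the file is
encrypted, then log a manifest entry for the post-delivery records.

Added example, not code from the original page. Header checks are
heuristics on the leading bytes; the 7z container is reported as unknown.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# OpenPGP packet header bytes that begin an encrypted message: tag 1 (public-key
# encrypted session key) and tag 3 (symmetric-key encrypted session key), old and
# new packet formats. Heuristic: only the first byte is examined.
OPENPGP_ENC_FIRST_BYTES = {0x84, 0x85, 0x86, 0x8C, 0x8D, 0x8E, 0xC1, 0xC3}


def classify(data):
    """Return (format, encrypted) for the leading bytes of a deliverable.

    encrypted is True/False, or None when the header alone cannot tell
    (7z archives: check with `7z l -slt` instead).
    """
    if data.startswith(b"-----BEGIN PGP MESSAGE-----"):
        return ("pgp-armored", True)
    if data and data[0] in OPENPGP_ENC_FIRST_BYTES:
        return ("pgp-binary", True)
    if data.startswith(b"%PDF"):
        return ("pdf", b"/Encrypt" in data)        # encrypted PDFs carry /Encrypt in the trailer
    if data.startswith(b"PK\x03\x04"):
        flags = int.from_bytes(data[6:8], "little")    # general-purpose bit 0 = encrypted entry
        method = int.from_bytes(data[8:10], "little")  # 99 = WinZip AES (what 7z -mem=AES256 writes)
        if flags & 1 and method == 99:
            return ("zip-aes", True)
        if flags & 1:
            return ("zip-zipcrypto", False)            # legacy ZipCrypto: treat as unprotected
        return ("zip-plain", False)
    if data.startswith(b"7z\xbc\xaf\x27\x1c"):
        return ("7z", None)
    return ("unknown", False)


def classify_file(path):
    with open(path, "rb") as f:
        return classify(f.read())


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def record_delivery(path, recipient, method, manifest_path):
    """Append a manifest entry for `path`; raise if it is not verifiably encrypted."""
    fmt, encrypted = classify_file(path)
    if encrypted is not True:
        raise ValueError(f"refusing to record {os.path.basename(path)}: {fmt} is not verifiably encrypted")
    entry = {
        "time": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "file": os.path.basename(path), "format": fmt,
        "sha256": sha256_file(path), "size": os.path.getsize(path),
        "recipient": recipient, "method": method,
    }
    with open(manifest_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_delivery(path, manifest_path):
    """True if `path` still hashes to its most recent manifest entry."""
    if not os.path.exists(manifest_path):
        return False
    with open(manifest_path, encoding="utf-8") as f:
        entries = [json.loads(line) for line in f if line.strip()]
    entries = [e for e in entries if e["file"] == os.path.basename(path)]
    return bool(entries) and entries[-1]["sha256"] == sha256_file(path)


def _zip_header(flags, method, name=b"report.pdf"):
    # Constructed 30-byte ZIP local file header with no entry data behind it.
    return (b"PK\x03\x04" + (51).to_bytes(2, "little") + flags.to_bytes(2, "little")
            + method.to_bytes(2, "little") + b"\x00" * 16
            + len(name).to_bytes(2, "little") + b"\x00\x00" + name)


def build_samples(directory=None):
    """Write constructed sample deliverables to a temp dir; returns name -> path."""
    directory = directory or tempfile.mkdtemp(prefix="delivery-")
    samples = {   # constructed headers only, not real ciphertext
        "report.pdf.asc": b"-----BEGIN PGP MESSAGE-----\n\nhQEMAexample\n-----END PGP MESSAGE-----\n",
        "report.pdf.gpg": b"\x85\x01\x0c\x03" + b"\x00" * 20,
        "plain.pdf": b"%PDF-1.7\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n",
        "encrypted.pdf": b"%PDF-1.7\ntrailer\n<< /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n",
        "aes.zip": _zip_header(flags=1, method=99),
        "legacy.zip": _zip_header(flags=1, method=8),
        "plain.zip": _zip_header(flags=0, method=8),
    }
    paths = {}
    for name, data in samples.items():
        paths[name] = os.path.join(directory, name)
        with open(paths[name], "wb") as f:
            f.write(data)
    paths["manifest"] = os.path.join(directory, "delivery-manifest.jsonl")
    return paths


if __name__ == "__main__":
    s = build_samples()
    for name in sorted(n for n in s if n != "manifest"):
        print(f"{name:<16} {classify_file(s[name])}")
    print(record_delivery(s["encrypted.pdf"], "client@example.com", "secure-portal", s["manifest"]))
```

The ZIP check only reads the first local file header, so an archive whose first entry is encrypted but later entries are not would pass; for real deliverables keep the archive to the single report file, or list every entry with `7z l -slt`. Put the recorded SHA-256 in the delivery email so the client can confirm they hold the same bytes you logged.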

Delivery Timing

Best Times

  • Tuesday-Thursday: Maximum attention
  • Mid-morning: After email triage
  • Beginning of week: For critical findings
  • 48 hours before presentation: If scheduled

Avoid

  • Friday afternoon: Gets buried over weekend
  • Holiday weeks: Key people unavailable
  • End of business day: Less immediate attention
  • Same day as presentation: No review time

Delivery Email Template

Subject: [CONFIDENTIAL] Penetration Test Report - [Client Name] - [Date]

Dear [Client Contact],

Please find attached the penetration test report for the [Project Name] engagement 
conducted [Date Range].

**Report Summary:**
- Total Findings: [X]
- Critical: [X]
- High: [X]
- Medium: [X]
- Low: [X]

**Key Observations:**
[2-3 sentence high-level summary of most significant findings]

**Access Information:**
[Include portal link, password instructions, or encryption details]

**Next Steps:**
1. Review the executive summary (pages X-Y) for high-level findings
2. Share technical findings (section X) with relevant IT teams
3. Schedule a debrief call to discuss findings and remediation priorities
4. [If retest included] Submit remediation completion notification when ready

Please confirm receipt of this report at your earliest convenience.

We are available to discuss findings and answer questions. Please don't hesitate 
to reach out.

Best regards,

[Your Name]
[Title]
[Company]
[Contact Information]

---
CONFIDENTIALITY NOTICE: This report contains sensitive security information 
intended only for the named recipient. Do not forward or share without authorization.

🎤 Presentation Best Practices

Know Your Audience

Tailor your presentation to the room. If executives are present, lead with business impact. If it's all technical staff, you can go deeper into technical details. Ask who will attend beforehand.

Recommended Structure (60 min)

  1. 5 min Introduction: Scope, methodology, timeline
  2. 10 min Executive Summary: Key risks, business impact
  3. 25 min Key Findings: Top 5-7 findings with demos
  4. 10 min Recommendations: Prioritized action items
  5. 10 min Q&A: Discussion and clarification

Presentation Tips

  • Start with the "so what" - business impact first
  • Use visuals: attack path diagrams, charts
  • Demonstrate 2-3 key findings live (if possible)
  • Have remediation details ready for tech questions
  • End with clear next steps and timeline
  • Don't read the report verbatim
  • Don't be condescending about findings

Handling Difficult Questions

❓ "Is this really exploitable in the real world?"
Response: "Yes, this attack pattern is actively used. [Reference specific threat intelligence, CVE, or real-world breach]. The proof-of-concept demonstrates the technical feasibility, and the CVSS base score captures exploitability and impact. If there are environmental factors we have not accounted for, we can walk through the environmental metrics together."
❓ "We think this is a false positive"
Response: "I understand your concern. Let me walk through the evidence again. [Show reproduction steps]. If you'd like, we can attempt reproduction together to confirm. If it turns out to be a false positive, we'll update the report accordingly."
❓ "Why didn't you find [specific vulnerability]?"
Response: "The absence of a finding doesn't guarantee the absence of vulnerability. Our assessment covered [scope] within [time constraints]. We tested for [categories], but [specific area] may benefit from additional focused testing."
❓ "How does this compare to other companies?"
Response: "While I can't discuss specific clients, I can say that the [findings] are [common/uncommon] in organizations of similar size and industry. The important focus is addressing these findings to improve your specific security posture."

💬 Handling Client Feedback

Severity Disputes

Clients may push back on severity ratings. Handle professionally:

  1. Listen to their perspective fully
  2. Explain your rating methodology (CVSS, etc.)
  3. Discuss specific environmental factors
  4. Consider documented mitigating controls
  5. If appropriate, adjust and document reasoning
  6. If disagreement persists, note it in the report

Pushback Responses

"This is too severe"
→ Review with CVSS calculator together, discuss environmental score
"We have compensating controls"
→ Document controls, adjust if they demonstrably reduce risk
"We accept the risk"
→ Document in report, recommend formal risk acceptance process
"Can you remove this finding?"
→ Findings are factual; can adjust wording but not remove valid findings

Post-Delivery Process

  • 📬 Day 1: Confirm receipt, schedule debrief
  • 🎤 Week 1: Present findings, answer questions
  • 📝 Week 2-4: Support remediation questions
  • 🔄 Week 4+: Retest if included in scope

What to Document

Keep Records Of

  • Delivery date and method
  • Receipt confirmation
  • Presentation attendees
  • Questions raised and answers given
  • Disputed findings and resolutions
  • Client feedback
  • Version history
  • Retest requests and results

Data Retention

  • Report: Per contract (typically 1-3 years)
  • Evidence: Same as report
  • Raw data (scan output, captured traffic, tool logs): Delete after the final report and any retest, unless the contract requires retention
  • Credentials found: Delete immediately after report delivery; the client should rotate them regardless
  • Client data: Per data handling agreement
  • Verify destruction: Document disposal

Evidence Disposal

After delivering the final report and any retest, securely delete all client data, credentials, and sensitive evidence according to your data handling agreement. Document the destruction for compliance purposes.

Follow-up Email Template

Subject: Re: Penetration Test Report - [Client Name] - Follow-up

Dear [Client Contact],

Thank you for meeting with us to discuss the penetration test findings on [date].

**Action Items from the Meeting:**
1. [Item 1 - Owner - Due Date]
2. [Item 2 - Owner - Due Date]
3. [Item 3 - Owner - Due Date]

**Report Updates:**
[If any changes were agreed upon]

**Retest Information:**
[If applicable: process for requesting retest, timeline, etc.]

**Questions/Clarifications:**
[If any questions came up that need follow-up answers]

Please don't hesitate to reach out if additional questions arise during 
your remediation efforts.

Best regards,

[Your Name]