Reporting is an essential piece of the penetration testing puzzle. It’s the product your client will be reviewing within their organization, representing you and your company to those you may not have worked with directly. With that in mind, it’s important that your product, the report, strikes a balance between professional tone and cold facts.
Obviously, you don’t want to irritate any client; still, it’s important to tailor the report to their needs. If a client is specifically looking for a deliverable that will be a catalyst for change within their organization, it’s okay to be blunter in your presentation. For other clients, sticking to the cold facts with a more empathetic delivery might be best, provided the result is that the client fully understands the risks in the environment and responds appropriately to the findings.
Include a Narrative or Walkthrough
When the findings include more serious issues, a narrative walkthrough of the testing process gives a full, realistic picture of the environment and helps establish rapport with your reader. Individual findings rated in isolation rarely convey how they combine; the narrative shows how one foothold led to the next and what the attacker could ultimately reach. It also documents the work performed, which is especially valuable with a new client.
Be Clear and Concise
Short, declarative sentences in a finding description are the best way to make sure your point gets across to a client. This part of the report should be limited to facts, unlike an executive summary, where one could customize the tone to fit the client. By sticking with definitive statements, you can avoid muddling the tone and coming off as too aggressive when outlining an opportunity for improvement.
Know Your Client
Establish the client’s expectations and goals at the very beginning of the engagement. Additionally, understand who the audience is within the client organization. If the report is limited to the technical team, the style of reporting may be different from what is appropriate when the report, or specific pieces of it, will be presented to executive leadership within the organization.
At the end of the day, the report is what represents you and your work, so make sure you are speaking a language the audience understands. Knowing how the report will be used makes the reporting process easier and lets you deliver the most appropriate product possible.