12 Writing a solid pentest deliverable


This chapter covers

  • The eight components of a pentest deliverable
  • Closing thoughts

The final piece of the puzzle that you need to create is your engagement report, or, as it’s more commonly referred to in the industry, your deliverable. In this chapter, I go over all the components that make up a solid pentest deliverable. There are eight of them, and I explain the purpose of each section and what it should contain. Appendix D is an example of a complete standalone INTP deliverable, which I would present to Capsulecorp if it had been a real company that hired me to perform a pentest engagement. You can and should feel free to use this example report as a template or framework when creating your own deliverables.

After you’ve produced a few, you’ll start to develop your own style and adjust things to your liking. I don’t cover the style or look and feel of a deliverable because that’s entirely up to the company you work for and its corporate branding guidelines. It’s important to point out that a pentest deliverable is the work product of an individual company that sells pentesting services. For that reason, deliverables differ in size, structure, color, fonts, charts and graphs, and so on from company to company.

12.1 Eight components of a solid pentest deliverable

12.2 Executive summary

12.3 Engagement methodology

12.4 Attack narrative

12.5 Technical observations

12.5.1 Finding recommendations

12.6 Appendices

12.6.1 Severity definitions

12.6.2 Hosts and services

12.6.3 Tools list

12.6.4 Additional references

12.7 Wrapping it up

12.8 What now?

Summary