What to Expect From a Penetration Test Report

Let’s face it. There are a lot of bad actors out there, and they are working to breach yet another organization’s infrastructure every day. That’s why you can no longer operate your system without routine penetration tests.

Last month, the media reported that hackers used phishing emails to break into a Virginia bank via two separate cyber intrusions over eight months. The thieves stole more than $2.4 million.

Once you have identified a penetration test provider, consider your expectations for a penetration test report. Here’s a brief look at the information you can expect following a penetration test. Information security providers who perform penetration testing typically provide a detailed technical report on the nature of the vulnerabilities found on your system. Some even provide an executive summary as a management tool for understanding the vulnerabilities, risks, and recommended actions.

Critical outcomes that you can typically expect from a penetration testing provider:

  • Vulnerabilities should be explained in layman’s terms so senior management can easily understand them.
  • The test’s outcome should be explained in business risk terms, not just the associated technical risks and how to address them.
  • Short-term (tactical) recommendations should be identified.
  • The findings should define the ‘root cause’ and long-term recommendations (strategic).
  • A security improvement action plan should be recommended.
  • The provider should be able to offer help with remediation.
  • The penetration test findings should be explained in technical terms that can be acted upon and non-technical terms relevant to the business context. Corrective actions and their justifications must be understood by a range of people, not just the IT team.
  • The report should describe the vulnerabilities found and include the test narrative, which details the tester’s process to achieve specific results, and the test evidence, including the results of automated testing tools and screenshots of successful exploits.

Penetration testing evaluates the effectiveness of information security controls and assures customers, clients, and management about their efficacy. The information provided by a properly conducted penetration test can better prepare your business against the threat of cyber attacks.

Security and compliance have been our core business for decades. Let us help you with your next penetration test. Contact us for a free estimate.

Laurie Head is a co-owner of AIS Network.