Exercises: Writing Effective Pentest Reports

Exercise 39.1: Executive Summary Writing

Write a two-page executive summary for a penetration test of ShopStack's e-commerce platform. The test discovered the following findings:

  • Critical: IDOR vulnerability allowing access to any customer's order details (including payment info)
  • Critical: Hardcoded AWS access keys in the public GitHub repository
  • High: Admin panel accessible without authentication from internal network
  • High: Redis instance exposed without authentication
  • Medium: JWT tokens with excessively long expiration (30 days)
  • Medium: Missing rate limiting on login endpoint
  • Low: Verbose error messages exposing stack traces
  • Low: Missing Content-Security-Policy header

Write for a non-technical audience (the CEO and board). Include overall risk assessment, key risks in business terms, and strategic recommendations with timelines.

Exercise 39.2: Technical Finding Write-Up

Using the finding template from Section 39.3.1, write a complete technical finding for the following vulnerability:

During testing of the ShopStack API, you discovered that the endpoint GET /api/v1/orders/{order_id} does not validate that the authenticated user owns the requested order. By changing the order_id parameter, any authenticated user can retrieve any other user's order details, including:

  • Customer name and email
  • Shipping address
  • Order items and prices
  • Last four digits of payment card

Include: description, business impact, technical detail with request/response examples, steps to reproduce, remediation (with code examples for Node.js/Express), and references.
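To make the remediation section concrete, here is an added example (not code from the chapter or from ShopStack) of the Express-style handler for GET /api/v1/orders/:order_id in two forms: the vulnerable version the exercise describes, which never checks ownership, and a fixed version that does. The ORDERS store, the user ids, the req/res stand-ins and the denial counter are constructed for this demo, so the file runs under plain Node without installing Express.

```javascript
// Added example, not from the chapter or ShopStack: an Express-style handler
// for GET /api/v1/orders/:order_id, first without an ownership check (the
// IDOR described in Exercise 39.2) and then with the check in place.

// Constructed sample data: two customers, each owning one order.
const ORDERS = new Map([
  ['1001', { id: '1001', ownerId: 'u-alice', customer: 'Alice', total: 49.99, cardLast4: '4242' }],
  ['1002', { id: '1002', ownerId: 'u-bob', customer: 'Bob', total: 15.0, cardLast4: '1111' }],
]);

// Per-user count of requests for orders the user does not own. A real service
// would emit this as a structured log or metric so that a burst of denials
// from one account shows up in monitoring.
const ownershipDenials = new Map();

// Minimal stand-in for Express's res object: records status code and JSON body.
function makeRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Vulnerable handler: looks up whatever order_id the client supplied and
// returns it. Any authenticated user can read any order.
function getOrderVulnerable(req, res) {
  const order = ORDERS.get(req.params.order_id);
  if (!order) return res.status(404).json({ error: 'not found' });
  return res.json(order);
}

// Fixed handler: the order must belong to the authenticated principal
// (req.user, assumed to be set by upstream auth middleware). A non-owner gets
// the same 404 as a missing order, so the response does not confirm that the
// requested id exists, and the denial is counted for detection.
function getOrderFixed(req, res) {
  if (!req.user || !req.user.id) return res.status(401).json({ error: 'unauthenticated' });
  const order = ORDERS.get(req.params.order_id);
  if (!order || order.ownerId !== req.user.id) {
    if (order) ownershipDenials.set(req.user.id, (ownershipDenials.get(req.user.id) || 0) + 1);
    return res.status(404).json({ error: 'not found' });
  }
  return res.json(order);
}

// Drive a handler as a given user requesting a given order id; returns the
// status and body so the two handlers can be compared side by side.
function callAs(handler, userId, orderId) {
  const req = { params: { order_id: orderId }, user: userId ? { id: userId } : undefined };
  const res = makeRes();
  handler(req, res);
  return { status: res.statusCode, body: res.body };
}

// Bob requests Alice's order against each handler.
console.log('vulnerable:', callAs(getOrderVulnerable, 'u-bob', '1001'));
console.log('fixed:', callAs(getOrderFixed, 'u-bob', '1001'));
console.log('denials by u-bob:', ownershipDenials.get('u-bob'));
```

In a real Express application the ownership constraint belongs in the data-access query (for example, selecting by both order id and owner id) rather than in a post-fetch comparison in every handler, so that the rule is enforced in one place; the handler above shows the check at the point where the exercise's finding is located.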

Exercise 39.3: Risk Rating Calibration

Rate the following ten vulnerabilities using both CVSS 3.1 and a business impact risk matrix. For each, provide the CVSS vector string and a brief justification for your business impact assessment:

  1. SQL injection in a public-facing login form (healthcare application)
  2. Cross-site scripting (stored) in an internal wiki used by 50 employees
  3. Default credentials on a network printer
  4. Missing patches (CVE with CVSS 7.8) on an internet-facing web server
  5. Open S3 bucket containing marketing materials (no sensitive data)
  6. Open S3 bucket containing database backups with customer PII
  7. Weak password on a domain administrator account
  8. TLS 1.0 enabled on a legacy internal application
  9. CSRF vulnerability on an account settings page
  10. Unrestricted file upload allowing web shell deployment

After rating all ten, rank them by overall priority and explain any cases where CVSS and business impact ratings diverge.

Exercise 39.4: Evidence Documentation Practice

Set up DVWA (Damn Vulnerable Web Application) in your lab and find three vulnerabilities. For each vulnerability, create professional evidence documentation including:

  1. An annotated screenshot showing the vulnerability
  2. The full HTTP request/response (captured from Burp Suite or browser developer tools)
  3. Steps to reproduce (numbered, detailed enough for someone else to follow)
  4. Proof of impact (demonstrate what an attacker could achieve)

Focus on evidence quality: clear screenshots, proper annotation, consistent formatting.

Exercise 39.5: Report Rewrite Exercise

The following is a poorly written finding from a real (anonymized) penetration test report. Rewrite it to meet the professional standards described in this chapter:

"We found SQL injection on the website. The login page is vulnerable. We used sqlmap and got the database. This is critical and should be fixed immediately. Use prepared statements."

Your rewrite should include all sections of the finding template (description, business impact, technical detail, steps to reproduce, evidence placeholders, remediation, references).

Exercise 39.6: Writing for Different Audiences

Take the MedSecure F-005 finding (Inadequate Network Segmentation between Medical Device Network and Payment Processing Network) and write three versions:

  1. Executive version (2-3 sentences): For the CEO, explaining business risk without technical jargon
  2. Management version (1 paragraph): For the CISO, connecting the finding to compliance and risk
  3. Technical version (full finding): For the network engineering team, with specific firewall rules and remediation steps

Exercise 39.7: Report Template Creation

Create a complete penetration testing report template in Markdown format. Include:

  • Cover page layout
  • Document control section
  • Table of contents structure
  • Executive summary template with placeholder prompts
  • Scope and methodology section template
  • Finding template (reusable for each finding)
  • Remediation roadmap table
  • Appendix sections

The template should include instructional comments (e.g., "[Replace with client name]") to guide a tester in filling it out.

Exercise 39.8: CVSS Scoring Practice

Calculate the CVSS 3.1 Base Score for each of the following vulnerabilities. Provide the full vector string and explain your reasoning for each metric:

  1. A buffer overflow in a network service that allows remote code execution without authentication
  2. A reflected XSS vulnerability that requires user interaction (clicking a link)
  3. An IDOR vulnerability in an API that allows reading other users' data (requires authentication)
  4. A privilege escalation from local user to SYSTEM on a Windows server
  5. A denial-of-service vulnerability in a web application's search function

Use the FIRST CVSS calculator (https://www.first.org/cvss/calculator/3.1) to verify your scores.

Exercise 39.9: Remediation Recommendation Writing

Write detailed remediation recommendations for each of the following findings. Each recommendation must include the primary fix, defense-in-depth measures, and detection/monitoring suggestions:

  1. Kerberoastable service account with a weak password in Active Directory
  2. Server-Side Request Forgery (SSRF) in a web application's URL preview feature
  3. Exposed .git directory on a production web server
  4. Unrestricted outbound network access from the DMZ

For each, specify the team responsible (development, operations, security) and estimated effort.

Exercise 39.10: Report QA Checklist

Create a comprehensive report quality assurance checklist with at least 25 items organized into the following categories:

  1. Technical accuracy (at least 5 items)
  2. Evidence quality (at least 5 items)
  3. Writing quality (at least 5 items)
  4. Formatting and consistency (at least 5 items)
  5. Completeness (at least 5 items)

For each item, write a brief description of what the reviewer should check and what constitutes a pass/fail.

Exercise 39.11: Report Delivery Presentation

Create an outline for a 30-minute report delivery presentation for MedSecure. The presentation should include:

  1. Executive overview (5 minutes) --- suitable for C-suite attendees
  2. Key findings walkthrough (15 minutes) --- demonstrate the most critical findings
  3. Remediation roadmap (5 minutes) --- prioritized action plan
  4. Q&A (5 minutes) --- anticipated questions and prepared answers

For each section, list the key points, the visual aids you would use (charts, screenshots, diagrams), and the target audience in the room.

Exercise 39.12: Comparative Report Analysis

Find two publicly available penetration testing report examples (several are available from public repositories and security firms' sample reports). For each report:

  1. Evaluate the executive summary against the best practices in Section 39.2.1
  2. Assess the finding template quality against Section 39.3.1
  3. Review the evidence quality against Section 39.4
  4. Evaluate the remediation recommendations against Section 39.5
  5. Identify three strengths and three weaknesses of each report
  6. Explain which report you consider more effective and why

Exercise 39.13: Machine-Readable Output Design

Design a JSON schema for machine-readable penetration testing findings that could be imported into a vulnerability management platform. Your schema should include:

  • Finding metadata (ID, title, severity, CVSS, dates)
  • Affected systems (IP, hostname, URL, port)
  • Description fields (technical and business)
  • Evidence references (file paths, hashes)
  • Remediation recommendations
  • Status tracking (open, remediated, accepted, retested)

Write the schema definition and provide a sample JSON object for the MedSecure F-001 finding.
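As an added example of what such a schema and its consumer might look like (not the chapter's own schema, and not the MedSecure F-001 data), the block below defines a finding schema as a JSON Schema draft-07 style object and a small validator covering the keywords the schema uses (type, required, properties, enum, pattern, items). The sample finding is constructed for this demo: its ids, hostnames, dates and evidence hash are placeholders.

```javascript
// Added example, not from the chapter: a JSON Schema for one pentest finding
// and a minimal validator for the keyword subset it uses.

const FINDING_SCHEMA = {
  type: 'object',
  required: ['id', 'title', 'severity', 'cvss', 'dates', 'affected',
             'description', 'evidence', 'remediation', 'status'],
  properties: {
    id: { type: 'string', pattern: '^F-[0-9]{3}$' },
    title: { type: 'string' },
    severity: { type: 'string', enum: ['Critical', 'High', 'Medium', 'Low', 'Informational'] },
    cvss: {
      type: 'object',
      required: ['version', 'vector', 'score'],
      properties: {
        version: { type: 'string', enum: ['3.1'] },
        vector: { type: 'string',
          pattern: '^CVSS:3\\.1/AV:[NALP]/AC:[LH]/PR:[NLH]/UI:[NR]/S:[UC]/C:[HLN]/I:[HLN]/A:[HLN]$' },
        score: { type: 'number' },
      },
    },
    dates: {
      type: 'object',
      required: ['discovered', 'reported'],
      properties: {
        discovered: { type: 'string', pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}$' },
        reported: { type: 'string', pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}$' },
      },
    },
    affected: {
      type: 'array',
      items: {
        type: 'object',
        required: ['hostname'],
        properties: { ip: { type: 'string' }, hostname: { type: 'string' },
                      url: { type: 'string' }, port: { type: 'integer' } },
      },
    },
    description: {
      type: 'object',
      required: ['technical', 'business'],
      properties: { technical: { type: 'string' }, business: { type: 'string' } },
    },
    evidence: {
      type: 'array',
      items: {
        type: 'object',
        required: ['path', 'sha256'],
        properties: { path: { type: 'string' }, sha256: { type: 'string', pattern: '^[0-9a-f]{64}$' } },
      },
    },
    remediation: { type: 'array', items: { type: 'string' } },
    status: { type: 'string', enum: ['open', 'remediated', 'accepted', 'retested'] },
  },
};

// JSON type name of a value, distinguishing arrays and null from objects.
function jsonType(v) {
  if (Array.isArray(v)) return 'array';
  if (v === null) return 'null';
  return typeof v;
}

// Recursive validator: returns a list of "path: problem" strings, empty when valid.
function validate(schema, value, path = '$', errors = []) {
  if (schema.type) {
    const ok = schema.type === 'integer' ? Number.isInteger(value) : jsonType(value) === schema.type;
    if (!ok) { errors.push(`${path}: expected ${schema.type}`); return errors; }
  }
  if (schema.enum && !schema.enum.includes(value)) errors.push(`${path}: must be one of ${schema.enum.join(', ')}`);
  if (schema.pattern && !new RegExp(schema.pattern).test(value)) errors.push(`${path}: does not match ${schema.pattern}`);
  if (schema.required) for (const k of schema.required) if (!(k in value)) errors.push(`${path}.${k}: required`);
  if (schema.properties) for (const [k, sub] of Object.entries(schema.properties)) if (k in value) validate(sub, value[k], `${path}.${k}`, errors);
  if (schema.items) value.forEach((item, i) => validate(schema.items, item, `${path}[${i}]`, errors));
  return errors;
}

// Constructed sample finding with placeholder values (not MedSecure's real F-001).
const SAMPLE_FINDING = {
  id: 'F-001',
  title: 'Placeholder finding title',
  severity: 'Critical',
  cvss: { version: '3.1', vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H', score: 9.8 },
  dates: { discovered: '2024-01-15', reported: '2024-01-20' },
  affected: [{ ip: '10.0.0.10', hostname: 'placeholder-host.example', url: 'https://placeholder-host.example/', port: 443 }],
  description: { technical: 'Placeholder technical description.', business: 'Placeholder business impact.' },
  evidence: [{ path: 'evidence/F-001/request.txt', sha256: 'a'.repeat(64) }],
  remediation: ['Placeholder primary fix', 'Placeholder defense-in-depth measure'],
  status: 'open',
};

console.log('sample finding errors:', validate(FINDING_SCHEMA, SAMPLE_FINDING));
```

The sha256 field on each evidence entry is what lets a vulnerability management platform detect a screenshot or capture that was altered after delivery; the CVSS vector pattern rejects malformed vectors before they reach the importer rather than after.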

Exercise 39.14: Report Anti-Pattern Identification

Identify the problems in each of the following report excerpts and rewrite them:

  1. "The server was pwned using a well-known exploit. The admin should have patched this months ago."
  2. "Multiple critical vulnerabilities were discovered across the environment."
  3. "CVSS: 10.0. This is the worst possible score and the organization is at extreme risk of a catastrophic breach."
  4. "Remediation: Implement better security."
  5. "As shown in the attached screenshot [screenshot not included]."

Exercise 39.15: Trend Analysis Report

You are conducting MedSecure's third annual penetration test. Previous results were:

  • Year 1: 3 Critical, 5 High, 8 Medium, 12 Low (28 total)
  • Year 2: 1 Critical, 4 High, 10 Medium, 8 Low (23 total)
  • Year 3 (current): 2 Critical, 3 High, 3 Medium, 2 Low (10 total)

Write a trend analysis section for the report that:

  1. Presents the data visually (describe the chart you would create)
  2. Identifies positive trends
  3. Identifies areas of concern (the increase in Critical from Year 2 to Year 3)
  4. Provides context for the changes
  5. Makes recommendations based on the trend

Exercise 39.16: Collaborative Report Writing

This exercise is designed for pairs or teams. Each person independently writes up the same finding (choose a vulnerability from your lab environment). Then exchange reports and conduct a peer review using the QA process from Section 39.6.1. Document:

  1. Differences in how each person described the same vulnerability
  2. Which version is more effective and why
  3. Specific feedback items for improvement
  4. A final "best of both" merged version

Exercise 39.17: Report Generator Tool Design

Design (but do not code) a penetration testing report generation tool. Specify:

  1. Input format (how findings are entered --- CLI, YAML/JSON, web form)
  2. Template system (how the report layout is defined)
  3. Output formats (PDF, DOCX, Markdown, HTML)
  4. Features: CVSS auto-calculation, screenshot embedding, finding sorting, executive summary generation
  5. Integration points: vulnerability scanners, Burp Suite, Nmap

Draw a high-level architecture diagram and list the key functions/modules the tool would need.

Exercise 39.18: Sensitive Data Handling Protocol

Draft a protocol for handling sensitive data encountered during penetration testing. Address:

  1. Types of sensitive data that may be encountered (PII, PHI, PCI, credentials, trade secrets)
  2. What to document vs. what to redact
  3. How to store sensitive evidence securely during the engagement
  4. Data retention and destruction policies
  5. Client notification procedures for sensitive data discovery
  6. Legal considerations (HIPAA, GDPR, state breach notification)

Your protocol should be suitable for adoption by a penetration testing firm.