Quiz: Writing Effective Pentest Reports
Test your understanding of report structure, finding documentation, risk ratings, and professional communication.
Question 1. What is considered the most important section of a penetration testing report for senior leadership?
A) Detailed Technical Findings B) Executive Summary C) Scope and Methodology D) Appendices
Question 2. According to the standard finding template, which of the following is NOT a required component of a technical finding?
A) Steps to Reproduce B) Business Impact C) Source Code Patch D) CVSS Score
Question 3. A CVSS 3.1 base score of 7.2 falls into which severity category?
A) Medium B) High C) Critical D) Low
Question 4. When documenting evidence for a SQL injection finding, which approach is most appropriate?
A) Dump the entire database and include it as an appendix B) Extract a small sample of records to prove access, then redact sensitive data C) Include only the vulnerability scanner output showing "SQL Injection Detected" D) Describe the vulnerability theoretically without testing it
Question 5. What is the recommended maximum length for an executive summary in a standard penetration testing report?
A) Half a page B) 1-2 pages C) 5 pages D) 10% of the total report length
Question 6. Which of the following is an example of poor remediation advice?
A) "Implement parameterized queries using the pg library's prepared statement syntax" B) "Apply security patch KB5028185 to address CVE-2023-XXXXX" C) "Implement better security" D) "Configure the firewall to deny traffic from 10.10.50.0/24 to 10.10.30.0/24 on all ports except TCP/443"
Question 7. In the four-stage report QA process, who should review the report for technical accuracy and reproducibility?
A) The author (self-review) B) A peer tester (peer review) C) The technical lead D) A non-technical editor
Question 8. When a client disagrees with a finding's risk rating and asks you to lower it, what should you do?
A) Lower the rating to maintain the client relationship B) Remove the finding from the report entirely C) Maintain your professional assessment and document their risk acceptance decision separately D) Change the rating but add a footnote explaining the original assessment
Question 9. What is the primary purpose of including a remediation roadmap in a penetration testing report?
A) To increase the report page count B) To help the client prioritize and plan their remediation efforts C) To demonstrate the tester's knowledge of defensive security D) To justify the cost of the penetration testing engagement
Question 10. Which risk rating approach best accounts for client-specific business context?
A) CVSS base score only B) DREAD model C) A risk matrix combining technical severity with business impact D) Number of affected systems
Question 11. When delivering a penetration testing report, what is the recommended approach for transmitting the document?
A) Send as an unencrypted email attachment B) Upload to a public file sharing service with a download link C) Encrypt the report and send the decryption password via a separate channel D) Mail a printed copy via standard postal service
Question 12. Which of the following is a common report deficiency identified by CREST assessors?
A) Reports that are too long B) Findings with missing business impact analysis C) Using too many screenshots D) Including remediation recommendations that are too detailed
Question 13. How should a penetration tester handle the situation where they discover a vulnerability but do not have time to fully exploit it?
A) Omit it from the report since it was not proven B) Document it as a confirmed vulnerability with full exploitation evidence C) Document the vulnerability with the evidence gathered and note that full exploitation was not performed D) Mark it as a false positive
Question 14. A debrief presentation for MedSecure is best structured with which sequence?
A) Technical deep-dive first, then executive summary B) Executive overview first for C-suite attendees, then technical deep-dive for the operations team C) Remediation roadmap first, then findings D) Appendix review first, then executive summary
Question 15. What information should a finding's "Steps to Reproduce" section contain?
A) The CVSS vector string and score B) Numbered, sequential instructions detailed enough for someone else to independently verify the finding C) A list of automated tools that detected the vulnerability D) The remediation steps in reverse order
Question 16. Why should penetration testing reports include both positive observations (controls that worked) and negative findings (vulnerabilities)?
A) To make the report longer and more impressive B) To provide a balanced view and acknowledge effective security controls C) Because compliance frameworks require positive observations D) To make the client feel better about paying for the engagement
Question 17. When writing findings for a report, which tone is most appropriate?
A) "The client failed to implement even the most basic security measures" B) "We absolutely destroyed their network --- game over" C) "The testing team identified a SQL injection vulnerability in the patient portal search function that allows unauthenticated data access" D) "It is shocking and inexcusable that this vulnerability has been present for years"
Question 18. What is the recommended approach when a penetration test reveals zero critical or high-severity findings?
A) Artificially inflate medium findings to high severity to justify the engagement cost B) Report the results honestly, noting the positive security posture and focusing on areas for improvement C) Recommend that the client never needs to test again D) Suggest that the testing was not thorough enough and recommend a longer engagement
Answer Key
1. B) Executive Summary. The executive summary is often the only section that senior leadership reads and must communicate the overall security posture and key risks.
2. C) Source Code Patch. While code-level remediation examples are helpful, a full source code patch is not a required finding component. Required components include description, business impact, technical detail, steps to reproduce, evidence, remediation guidance, and references.
3. B) High. CVSS 3.1 scores of 7.0-8.9 are classified as High severity.
4. B) Extract a small sample of records to prove access, then redact sensitive data. This demonstrates the vulnerability's impact while respecting data minimization principles and protecting sensitive information.
5. B) 1-2 pages. The executive summary should be concise enough for busy executives to read completely, typically one to two pages.
6. C) "Implement better security." This is vague, non-actionable, and provides no guidance for the remediation team. Good remediation advice is specific, actionable, and realistic.
7. B) A peer tester (peer review). The peer review stage focuses on technical accuracy, reproducibility, and completeness from another tester's perspective.
8. C) Maintain your professional assessment and document their risk acceptance decision separately. Your risk rating is your professional assessment. The client may choose to accept the risk, but your report should reflect the actual risk.
9. B) To help the client prioritize and plan their remediation efforts. The roadmap provides prioritized, actionable guidance that maps findings to teams, timelines, and effort estimates.
10. C) A risk matrix combining technical severity with business impact. CVSS measures technical severity but does not account for business context. A combined matrix provides the most appropriate risk assessment for the specific client.
11. C) Encrypt the report and send the decryption password via a separate channel. This ensures confidentiality of the sensitive report contents during transmission.
12. B) Findings with missing business impact analysis. Technical findings without business impact analysis are useless to executive decision-makers and are a frequently cited report deficiency.
13. C) Document the vulnerability with the evidence gathered and note that full exploitation was not performed. Transparency about the extent of testing is important. Omitting a finding because exploitation was incomplete would leave the client unaware of a risk.
14. B) Executive overview first for C-suite attendees, then technical deep-dive for the operations team. This structure allows executives to attend only the first portion and the technical team to get the detailed information they need.
15. B) Numbered, sequential instructions detailed enough for someone else to independently verify the finding. Steps to reproduce must be clear, complete, and independently verifiable.
16. B) To provide a balanced view and acknowledge effective security controls. Positive observations demonstrate thoroughness and give credit where security controls are working effectively.
17. C) "The testing team identified a SQL injection vulnerability in the patient portal search function that allows unauthenticated data access." This is professional, objective, specific, and factual --- the appropriate tone for a professional report.
18. B) Report the results honestly, noting the positive security posture and focusing on areas for improvement. Honest reporting maintains credibility. Focus on medium/low findings, areas for defense hardening, and recommendations for maintaining the strong security posture.