So, you've decided to run a penetration test against your organization. But now... what do you do with the results?
With so many vulnerabilities exposed, where should you even start? As a matter of fact, how do you even read this technical report?
Here's some advice straight from the pentesting experts at Mitnick Security on how to prioritize your pentesting results:
What You'll Receive in a Pentesting Report
First things first. What type of pentest did you get?
There are six main penetration tests:
- External network
- Internal network
- Social engineering
Although the content in the report may vary depending on which type of penetration test your organization opts to have performed, the basic structure of the pentesting report will stay the same.
The structure of the pentesting report will include an executive summary, a breakdown of the attack, and recommendations for mitigating risk.
The executive summary provides a high-level review of the pentester's findings. The breakdown of the attack goes into far more detail, including the technical aspects of how the testing is conducted. Finally, the report outlines what steps the organization can take to mitigate the risks found during the pen test.
Start with Your Highest Risk Ratings
Upon receiving and reviewing the pentest report, the number of risks and vulnerabilities may seem overwhelming. However, it's important to remember that not all risks are created equal, and tackling the higher-severity threats first can make the list of vulnerabilities seem less daunting.
The pentesters label every risk as critical, high, medium, or low in priority, and these severity levels are displayed in the report.
But why are some risks more important than others? The severity levels are determined by the ease with which an attacker could exploit the threat and the likelihood of an attacker doing so. For example, vulnerabilities are marked as critical when an attacker could potentially abuse the vulnerability to instantly obtain code execution or compromise highly sensitive assets and information within the organization. On the other hand, a low-risk vulnerability is highly unlikely to be exploited individually and is generally used in conjunction with medium or higher risks to gain access to highly sensitive information.
You can learn more about all of the severity levels by reading this Anatomy of a Penetration Testing Report blog.
Creating Your Strategy for Mitigation
Once you've received your penetration testing report and reviewed all of the risks and their risk ratings, it is time to create a strategy for mitigating those risks. We know that organizations can't fix/mitigate every single vulnerability immediately, which is why Mitnick Security provides short-term, medium-term, and long-term goals in every pentesting report we provide.
Short-term goals should be completed within three months of receiving the report, while medium-term goals should be completed within six months of the report. Long-term goals are intended to bring your organization in line with industry expectations and should be completed within six months to two years of receiving the report.
By focusing on the goals first, rather than trying to dig directly into each vulnerability, the workload seems more manageable and cost-effective. Review the short-term and medium-term goals with the technical staff and stakeholders to find the best course forward.
Each vulnerability listed in the pentesting report comes with a comprehensive and easy-to-follow remedial action. This way, you know exactly what steps you’ll need to take to mitigate the risk. Although Mitnick Security doesn't remediate the vulnerabilities for your organization, we provide your team with enough information to mitigate the risks.
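As an added example (not part of the original post or of Mitnick Security's reports), here is a small Python tracker that applies the prioritization described above: findings are ordered from critical to low and grouped into short-, medium- and long-term goals with target dates counted from the day the report was received. The finding titles are constructed, and the 90-, 180- and 730-day windows are this example's reading of the three-month, six-month and two-year horizons.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Severity levels as labelled in the report, most urgent first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Goal horizons: short-term within three months, medium-term within six,
# long-term within six months to two years (assumed day counts for this example).
HORIZON_DAYS = {"short": 90, "medium": 180, "long": 730}


@dataclass
class Finding:
    title: str
    severity: str        # critical | high | medium | low
    horizon: str         # short | medium | long
    remediated: bool = False


def order_findings(findings):
    """Sort findings by severity (critical first), then by the nearest goal horizon."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], HORIZON_DAYS[f.horizon]))


def due_date(report_received_iso, horizon):
    """Target date for a goal horizon, counted from the day the report was received (ISO string)."""
    received = date.fromisoformat(report_received_iso)
    return (received + timedelta(days=HORIZON_DAYS[horizon])).isoformat()


def remediation_plan(findings, report_received_iso):
    """Group open findings by horizon; each group is already sorted by severity."""
    plan = {h: [] for h in HORIZON_DAYS}
    for f in order_findings(findings):
        if not f.remediated:
            plan[f.horizon].append((f.title, f.severity, due_date(report_received_iso, f.horizon)))
    return plan


def overdue(findings, report_received_iso, today_iso):
    """Titles of open findings whose target date has passed (ISO dates compare correctly as strings)."""
    return [f.title for f in findings
            if not f.remediated and due_date(report_received_iso, f.horizon) < today_iso]


def retest_due(findings):
    """The follow-up pentest is scheduled once every finding is marked remediated."""
    return all(f.remediated for f in findings)


# Constructed sample findings for illustration only; not taken from any real report.
SAMPLE = [
    Finding("Default credentials on management interface", "critical", "short"),
    Finding("Missing security headers on public site", "low", "long"),
    Finding("Outdated TLS configuration", "medium", "medium"),
    Finding("Unpatched internal file server", "high", "short", remediated=True),
]
```

Running `remediation_plan(SAMPLE, "2024-01-01")` yields one open short-term item due 2024-03-31, one medium-term item due 2024-06-29 and one long-term item, while `retest_due(SAMPLE)` stays false until the remaining three are closed.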
One Pentest, One Time is Not Enough
Once your team and organization feel that all of the issues found in the penetration test have been remediated, you should schedule a follow-up penetration test. The follow-up test will confirm that all of the previously identified vulnerabilities have indeed been remediated and that no new vulnerabilities were introduced in the process.
A penetration test on its own is useful for determining what security holes lie within your organization's infrastructure, but ultimately, penetration tests should be scheduled regularly, at least annually, and be a permanent part of your organization's security plan and risk management plan. Additionally, it is best practice to perform a penetration test any time significant changes are made to the infrastructure, such as when new applications are developed or new network equipment is installed.
Attackers are always learning new techniques to target organizations and their users, and new vulnerabilities are discovered every day. Routine pentests, and the reports developed from them, help keep organizations a step ahead of attackers.
Real Pentesting Results in Action
A pentesting report can seem like a long list of recommendations with no real context, especially if you've never had to mitigate any risks before.
It can help to see the results of a real penetration testing report in action, used by an organization just like yours to make highly impactful security changes.
See how our team helped the World Surf League strengthen its security posture after a penetration test, and use it to guide your own remediation plan today.