Penetration tests are an extremely useful exercise to mitigate risks and patch your security gaps. However, some businesses get the report just to meet compliance standards, then forget about it.
These companies usually neglect their pentest results not because they lack the time or resources to make changes, but because they aren't sure how to turn the report into actionable work.
With a better understanding of what’s included in a penetration test report, you can apply its key takeaways to improve your security posture. Here is what’s typically found in a pen test report and a few ways to use its contents to your advantage, beyond compliance:
An executive summary.
Penetration test reports typically begin with a high-level summary of the pentester's findings. This executive summary is a concise overview of the results written for company executives, who want actionable takeaways without reading the entire report.
This summary reveals where the pentesters bypassed your security controls and what they were able to uncover within your systems. The best part? It’s all explained without deep technical language, accessible to any reader.
It also spells out recommendations for security improvements, including what they advise you secure first, followed by short-, medium- and long-term goals for strengthening your defenses.
A breakdown of what happened throughout the attack.
This part of your penetration test report details a walkthrough of the pentester’s engagement. It describes each phase of their attack process and how the pentester went about compromising your system.
The section will explain how the pentester was able to perform each of their activities. For instance, if they employed social engineering tactics, the report will reveal where they acquired the information they used (say, from your website and from employees' LinkedIn pages) to trick someone on your team. Pentesters also share exactly how they got into your system (say, through a series of phishing emails that built rapport and trust before delivering a malicious link). The full narrative is there, so you can understand how the attack was devised and which gaps in your security it exposed.
The breakdown in your report will also explain the full scope of the outcome. It may show, for instance, that the pentester was able to deliver simulated malware to an employee's computer disguised as a routine software update. From there, the pentester will reveal the path they took to acquire login credentials, access data, or reach whatever other information or systems they obtained after gaining a foothold in your environment.
Recommendations for mitigating the risks.
After walking through the details of the attack, you reach the real value of the report. This section clearly defines the vulnerabilities the pentesters uncovered and the threats each one exposes you to.
Every risk will be labeled by the pentesters as critical, high, medium, or low priority, ranked by impact and by the risk threshold it falls into. Recommendations will vary and should be customized to the findings of your test. For example, you may find that some critical technical changes are needed to resolve glaring issues now, while increased investment in security awareness training is a long-term strategy for improving security.
Your pentesting partner should provide a road forward, but should not push specific products or software, since the technology (and the threat) landscape is always changing; be wary of a company that does.
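One concrete way to use the severity ratings beyond compliance is to turn the findings list into a tracked remediation backlog. The following Python script is an added example, not code from the original post or from Mitnick Security: it orders findings by severity, assigns each a due date from a per-severity remediation window, and reports which open items are overdue. The window lengths in SLA_DAYS, the Finding fields and the sample findings are all assumptions constructed for illustration; set the windows from your own policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows per severity, in days. Assumed values for illustration;
# replace them with the targets your own policy or pentest partner sets.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Sort order: most severe first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    """One entry from the report's findings section (field names assumed)."""
    ident: str        # report-assigned identifier, e.g. "PT-003"
    title: str
    severity: str     # critical / high / medium / low, as rated in the report
    owner: str        # who is accountable for the fix
    status: str = "open"


def remediation_plan(findings, report_date):
    """Return rows sorted by severity, due date and id, each with a due date."""
    plan = []
    for f in findings:
        sev = f.severity.strip().lower()
        if sev not in SLA_DAYS:
            # Fail loudly: an unrated finding must not silently drop to the bottom.
            raise ValueError(f"{f.ident}: unknown severity {f.severity!r}")
        plan.append({
            "id": f.ident,
            "title": f.title,
            "severity": sev,
            "owner": f.owner,
            "status": f.status,
            "due": report_date + timedelta(days=SLA_DAYS[sev]),
        })
    plan.sort(key=lambda row: (SEVERITY_RANK[row["severity"]], row["due"], row["id"]))
    return plan


def overdue(plan, today):
    """Ids of findings still open whose due date has passed, in plan order."""
    return [row["id"] for row in plan
            if row["status"] == "open" and row["due"] < today]


def summary(plan):
    """Count of findings per severity, including closed ones."""
    counts = {sev: 0 for sev in SEVERITY_RANK}
    for row in plan:
        counts[row["severity"]] += 1
    return counts


# Constructed sample findings, standing in for a real report's findings list.
SAMPLE_FINDINGS = [
    Finding("PT-001", "Password spraying succeeded against VPN portal", "High", "IT Ops"),
    Finding("PT-002", "Outdated TLS configuration on intranet host", "Medium", "Platform"),
    Finding("PT-003", "Phishing lure led to workstation compromise", "Critical", "Security"),
    Finding("PT-004", "Verbose server banner disclosure", "Low", "Platform"),
    Finding("PT-005", "Shared local admin password reuse", "High", "IT Ops", status="closed"),
]
SAMPLE_REPORT_DATE = date(2024, 1, 15)


if __name__ == "__main__":
    plan = remediation_plan(SAMPLE_FINDINGS, SAMPLE_REPORT_DATE)
    for row in plan:
        print(f"{row['id']}  {row['severity']:<8} due {row['due']}  "
              f"[{row['status']}] {row['owner']}: {row['title']}")
    print("overdue as of 2024-03-01:", overdue(plan, date(2024, 3, 1)))
    print("summary:", summary(plan))
```

The important design choice is that an unrecognized severity raises rather than defaulting to "low": a finding the tracker cannot classify should block the import until someone looks at it, not quietly end up last in the queue.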
Finding a trusted partner
It's important to note that pentesting partners are not created equal and will not all deliver the same results. Too many pentesting companies leave the hands-on work of security testing to entry-level employees and interns. Mitnick Security employs only senior-level pentesters with expert skills and a broader depth of experience than other cyber security teams.
A great pentesting company will fully engineer a test customized to your employees and organization. This level of detail and dedication in test design and planning makes the engagement more realistic than one that starts with generic phishing emails, which are a poor stand-in for a targeted attacker. Remember, pentesting isn't just a process; it's an in-depth service that should be built around your needs. It goes much deeper than a vulnerability scan or assessment.
Curious to learn more about how we do this at Mitnick Security? Explore our pentesting services for an introduction to Kevin Mitnick and his Global Ghost Team.