How to Create a Penetration Test Report

Share this post:

In the realm of cybersecurity, one of the more exciting jobs is that of a Penetration Tester. You get to legally hack real production networks looking for vulnerabilities and hopefully gaining rootsystem/nt authority, or DomainAdmin(DA) access.  

This can conjure up images of firing off your latest exploits to pop a reverse shell, then running your best privesc scripts, and finally issuing that whoami command to reveal your admin level access. What a job! But… 

The job isn’t over yet, now you need to write up your findings into a professional-looking report for the client. This, after all, is ultimately the final product you sold them when bidding on the job.  I’m going to show you what many clients are looking for in reports and give you a sample report that I created.

The importance of penetration test reports

A quick job posting search reveals the importance of being able to write a professional report. Here are a few excerpts from the “required skills” portion of real job posts for a “Penetration Tester”.  

  • “Creating detailed, professional documentation/reports that clearly communicate vulnerabilities, mitigation strategies, and remediation steps.” 
  • “Ability to support technical analysis and documenting and presenting reports” 
  •  “Prepare technical reports containing information security test results and analysis.” 
  • “Develop comprehensive and accurate reports and presentations for both technical and executive audiences.”  

Seeing the importance of being a skilled report writer, I realized that it is a skill where experience may be the best teacher, but unless you’re performing pentests regularly, you’re probably not getting much experience with them. It’s the same old paradox for people trying to break into the biz. Job A requires Skill X, but the only way to get Skill X is to have worked in Job A  

How I created my pentest report

When faced with this type of dilemma, you have to get creative to gain useful experience in the skill(s) you need. With that in mind, I thought a good idea would be to take one of the vulnerable virtual machines found on Vulnhubtreat it as if I had been hired to perform a pentest for a company, and then write a professional-looking report for the “client”.  

I found it to be quite the challenge as you have to write the report for C-levels as well as IT support staff. You also need to lead the client in the right direction as to why they were vulnerable and what they can do to mitigate those vulnerabilities. You will also need to effectively communicate the steps that were taken to compromise their system(s) so that they can verify and better understand your findings. I’ve put a link at the end of this blog so you can download my sample report for free.

Download my sample report

You can download my sample report here for free

I explain how I created this report and breakdown what’s included in this video.

Resources for creating your own report

A great way to showcase this skill for potential employers is through GitHubYou can display your report writing skills by uploading PDFs of your “example reports” giving said employers a real idea of your abilities in that area.  

There are tons of report templates and examples for you to see what a professional report should look like and the good news is that office productivity suites like Microsoft Word, have all the necessary tools to give them that professional look and feel. 

Here are a few reports that I took queues from… 

Red Siege Sample Report 

OSCP/PWK Sample Pentest Report 

The cybersecurity community is also attempting to put forward a standard for pentest reports. 

I hope these resources help to inspire you to create and share your own sample reports with the cybersecurity community.  

If you’re looking for security training, check out my courses on ITProTV.