
How to write a report for VAPT / penetration testing exercise? What are the common aspects of a report?

Once all the test cases have been executed and the evidence collected, it is time to prepare the report. The report should serve the following purposes:

  • All the findings should be detailed, backed by evidence and easy to understand.

  • Navigating the report should be easy.


A VAPT report should contain the following components:

  • Table of Contents – An index of the report with links to its sections and subsections, along with page numbers, so that the reader can move through the document easily.

  • Introduction and Background – A brief description of the client and of the engagement, including the scope agreed upon for the VAPT.

  • Scope – The scope of testing, i.e. the list of all the assets (hosts, IP ranges, applications, URLs) that the client has agreed to have tested. Anything not on this list is out of scope and must not be touched during the assessment.

  • Executive Summary – Since not all the people reading the report are security professionals, it must include an executive summary written for management. It avoids technical detail and terminology and instead gives an overview of the major findings in plain terms. It should be well formatted, short and crisp, and contains the following subsections:

    • Summary of Findings – The count of vulnerabilities found, broken down by severity. This gives a quick overview of the assessment and is easily turned into a chart for visualisation.

    • Key Findings – The most severe findings, explained in simple language for readers without an information security background, with emphasis on how each vulnerability affects the business.

    • Recommendations – High-level recommendations, in plain terms, that the client should implement to improve its security posture.

  • Approach and Methodology – The approach and methodology, listed as steps and appropriate to the type of asset tested (web application, network, mobile, and so on), explaining how the assessment was carried out from start to finish.

  • Tools Used – A list of all the tools used during the assessment, e.g. Burp Suite, Nessus and OWASP ZAP for a web application.

  • List of Test Cases and Outcomes – All the test cases performed, with the outcome of each (vulnerable or not vulnerable) and a comment explaining why that conclusion was reached.

  • Limitations – A VAPT does not always take place under ideal conditions, so the report must list every limitation that may have affected coverage, whether it arose from the environment, deadlines, scope restrictions or anything else.

  • Detailed Findings – Full details of each vulnerability found: description, impact, severity, solution, steps to reproduce and proof of concept (PoC).

  • Automated Scan Results – The output of the automated scanners used. This shows the client which tools were run, and the tools themselves save a lot of time by finding the vulnerabilities that can be detected automatically. Raw scanner output should still be reviewed for false positives before an item is promoted to the Detailed Findings section.

  • Risk Severity Criteria – The categorisation of severity levels and the reasoning for why a given vulnerability falls into a particular severity.
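Most of the sections above are derived from the same findings data: the Summary of Findings is a count per severity, the Detailed Findings entries must each carry the same set of fields, and both should follow the severity scale defined in the Risk Severity Criteria. The following script is an added example, not part of the original post and not any vendor's report template: it validates that every finding has the required fields and a known severity, counts findings per severity for the executive summary, orders them most severe first, and renders each one as a Markdown section with a stable ID for the table of contents. The host names and issues in the sample findings are constructed for illustration.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Severity scale used for sorting, for the "Summary of Findings" counts and
# for validation. Adjust it to match the report's "Risk Severity Criteria".
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Informational"]

# Every "Detailed Findings" entry must carry these before the report is issued.
REQUIRED_FIELDS = ("title", "description", "impact", "severity",
                   "solution", "steps_to_reproduce", "poc")


@dataclass
class Finding:
    title: str
    description: str
    impact: str
    severity: str
    solution: str
    steps_to_reproduce: list[str]
    poc: str                       # reference to the evidence (screenshot, request log)
    affected_assets: list[str] = field(default_factory=list)


def validate(finding: Finding) -> list[str]:
    """Return the problems with a finding; an empty list means it is report-ready."""
    problems = []
    label = finding.title or "<untitled>"
    for name in REQUIRED_FIELDS:
        if not getattr(finding, name):
            problems.append(f"{label}: missing {name}")
    if finding.severity and finding.severity not in SEVERITY_ORDER:
        problems.append(f"{label}: unknown severity {finding.severity!r}")
    return problems


def summary_of_findings(findings: list[Finding]) -> dict[str, int]:
    """Count per severity, in severity order, with zeros for unused levels."""
    counts = Counter(f.severity for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def sort_by_severity(findings: list[Finding]) -> list[Finding]:
    """Most severe first; sorted() is stable, so author order within a level survives."""
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f.severity))


def render_summary_table(findings: list[Finding]) -> str:
    rows = ["| Severity | Count |", "|---|---|"]
    rows += [f"| {sev} | {n} |" for sev, n in summary_of_findings(findings).items()]
    return "\n".join(rows)


def render_finding(number: int, f: Finding) -> str:
    """One Detailed Findings entry in Markdown; F-NN gives the TOC a stable anchor."""
    steps = "\n".join(f"{i}. {s}" for i, s in enumerate(f.steps_to_reproduce, 1))
    assets = ", ".join(f.affected_assets) or "n/a"
    return (
        f"### F-{number:02d}: {f.title} ({f.severity})\n\n"
        f"**Affected assets:** {assets}\n\n"
        f"**Description:** {f.description}\n\n"
        f"**Impact:** {f.impact}\n\n"
        f"**Steps to reproduce:**\n{steps}\n\n"
        f"**Proof of concept:** {f.poc}\n\n"
        f"**Solution:** {f.solution}\n"
    )


def build_report_sections(findings: list[Finding]) -> dict[str, str]:
    """Refuse to build the report if any finding is incomplete."""
    problems = [p for f in findings for p in validate(f)]
    if problems:
        raise ValueError("report not ready:\n" + "\n".join(problems))
    ordered = sort_by_severity(findings)
    detailed = "\n".join(render_finding(i, f) for i, f in enumerate(ordered, 1))
    return {"summary": render_summary_table(ordered), "detailed": detailed}


# Constructed sample findings (hypothetical host and issues, for illustration only).
SAMPLE_FINDINGS = [
    Finding("Verbose server banner", "The HTTP Server header discloses the exact version.",
            "Helps an attacker pick version-specific exploits.", "Informational",
            "Suppress or genericise the Server header.",
            ["Send GET / to the host", "Inspect the Server response header"],
            "evidence/f03-banner.png", ["app.example.test"]),
    Finding("Reflected XSS in search", "The q parameter is reflected unencoded into the page.",
            "Session hijacking of any user who follows a crafted link.", "High",
            "Context-aware output encoding of q; add a Content-Security-Policy.",
            ["Open /search?q=<script>alert(1)</script>", "Observe the script executing"],
            "evidence/f01-xss.png", ["app.example.test"]),
    Finding("Missing rate limiting on login", "Unlimited password attempts are accepted.",
            "Enables credential stuffing and brute force.", "Medium",
            "Throttle by account and source IP; add lockout or MFA.",
            ["Send 500 login attempts with Burp Intruder", "Observe that none are throttled"],
            "evidence/f02-login.txt", ["app.example.test/login"]),
]

if __name__ == "__main__":
    sections = build_report_sections(SAMPLE_FINDINGS)
    print(sections["summary"])
    print()
    print(sections["detailed"])
```

Running the script prints the severity table for the executive summary followed by the three findings in severity order (F-01 is the High, F-03 the Informational). The point of `validate` failing loudly is that a finding with no PoC or no solution should never reach the client: missing evidence is what turns a report from a deliverable into an argument.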



To get a better understanding of what a finished VAPT report looks like, see the sample VAPT report published by TCM Security.

