Penetration Test Report

The findings from our penetration test form the core of the report you’ll receive. Key elements include:

  • Risk Assessment: The overall risk of the vulnerability, categorized from Low to Critical based on its impact and probability.
  • Vulnerability Description: A comprehensive overview of each identified vulnerability, written in a clear and accessible manner for a broad audience.
  • Business Impact Analysis: A brief assessment of the potential consequences of a malicious exploit on the business.
  • Steps to Reproduce: Detailed instructions for engineers on how to replicate the vulnerability, including the use of publicly available tools whenever feasible.
  • Recommendations: Specific guidance on how to address the vulnerability, varying in detail depending on the type of finding. These recommendations can range from granular to high-level.

Before looking at the remediation process for the vulnerabilities discovered during the penetration test, it’s important to understand concepts such as Finding States, Characteristics, and Overall Risk.

Finding States

| Finding State | Description |
|---|---|
| Open | The initial state of every vulnerability once it becomes visible to you. While it’s open, you can transition it to one of the other states. |
| Ready for Review | You have mitigated the vulnerability and it is ready for retesting. If the penetration tester cannot reproduce the steps that led to the initial vulnerability, the finding is marked as resolved. However, if the penetration tester manages to reproduce the steps or discovers a similar way to find the vulnerability, the finding is marked as open. |
| Risk Accepted | You are prepared to accept the risk that comes with the vulnerability. |
| Rejected/Closed | If you deem it appropriate for any reason, the finding will be closed, and further discussions will be held. |

Finding Characteristics

| Characteristic | Description |
|---|---|
| Probability | The probability of the vulnerability being exploited. There are three levels of probability (Low, Medium, or High), based on: ease of vulnerability exploitation; attack vectors; business criticality of the affected asset; system and network complexity. |
| Impact | The severity of the vulnerability’s effect. The impact of a vulnerability can range from little to no damage to system compromise. There are three levels of impact: Low, Medium, or High. |

Risk Levels

| Risk Level | Description |
|---|---|
| Informational | The finding doesn’t directly impact security. However, it could be an opportunity to enhance security, a deviation from best practices, or a security-relevant observation that may lead to exploitable vulnerabilities in the future. For instance, it could involve missing HTTP security headers or documentation that encourages poor security practices. |
| Low | Low-risk vulnerabilities are more of a nuisance than a genuine threat. These vulnerabilities are usually those where exploitation wouldn’t cause substantial damage, or where the likelihood of exploitation is very low. |
| Medium | Medium-risk vulnerabilities are those that could potentially lead to damage if exploited, or where the likelihood of exploitation is moderate. |
| High | High-risk vulnerabilities are those that pose a significant risk of causing substantial damage if exploited, or where the likelihood of exploitation is high. |
| Critical | Critical-risk vulnerabilities are those that have a high potential for exploitation and could lead to data loss or total system compromise. |

Note: Once all remediation efforts have been completed or risks have been deemed acceptable for certain findings, a second report will be generated to reflect the updated status of each individual finding.

⚠️ For clients conducting a penetration test for compliance purposes, it’s important to address vulnerabilities in line with your organization’s vulnerability management policy. Failure to do so may lead to concerns raised by auditors.

If your organization lacks a vulnerability management policy, don’t hesitate to reach out to us, and we’ll gladly help you establish a reasonable timeline for remediating the identified vulnerabilities.