Some pentesters struggle to effectively write about pentest results, causing findings and reports to end up in the bin. To create a healthy ecosystem we should share knowledge on what makes a pentest report work. Over the years I have developed my own methods for quickly producing high-quality deliverables. By sharing this knowledge I hope you can improve your writing as well.
Most of this guide's content comes from first-hand experience. Little research has been done on the effectiveness of pentest reports, because pentests are performed behind closed doors. Please let me know if parts of this guide have been helpful.
The entire guide is designed to take about an hour or two to work through. The goal is to make it digestible, extensible and fun. Questions and improvements are welcome as GitLab issues or pull requests.
Part 1 - Writing
Humans are story-telling creatures, so we'll first look at basic story structure. Order and symbols weave that structure into shape. Shakespeare serves as the high point of symbolism, and from him we learn what makes text tick.
The exercises are on creative writing and text aesthetics.
- Story structure
- Logical order
- Archetypes
- Sound and rhythm
- Lazy wording
- Playful proof
- Finding inspiration
Part 2 - Content
Part 2 discusses the essential elements that make up a good pentest report and what each of them should contain.
- Title page
- Assessment details
- Conclusion
- The order of findings
- A Finding
- Dos and don'ts
Part 3 - Communication
We'll see how communication acts as input to our writing, and how we can use that communication to meet the expectations of our clients.
- The intake call
- Report while you pentest
- Asking the devs
- The findings meeting
- Expectation management
- Being proactive
- Positivity
Part 4 - Examples
In these two examples we write a finding and a report conclusion from start to finish.
- Writing a finding
- Writing a conclusion
Part 5 - Exercises
Let's develop our writing with some exercises. Every chapter has exercises to help you get better.
- Chapter 1 - Writing
- Chapter 2 - Content
- Chapter 3 - Communication
- Misc - Self-study