After the end of a Hybrid Pentest, you will be asked to submit a report for the customer, detailing at a high level the work done throughout the test window. This should be a short summary of the main findings, as well as the methods used to achieve these and any outstanding observations that you did not submit during this window.
Do's and don'ts
Here are some general do's and don'ts to help you write the report:
Make the most of markdown formatting! A few formatting changes to the headers and text could really make the report pop.
Use this as an opportunity to highlight any underlying issues that have led to several vulnerabilities.
Provide a high-level summary of the more important findings, without delving too deep into the details.
Explain how you tackled the specific focus areas of the program.
Be concise. Remember that this is a high-level summary, so there is no need for you to extend it unnecessarily.
List all the different vulnerabilities found. The customer will get a more detailed Letter of Attestation, so don't feel like you need to explain every single finding in detail.
Use this section to provide feedback about the program (save it for the feedback form!)
Repeat unnecessary information already listed on the program details such as exact scope.
Make any assumptions regarding the security posture of the assets in scope. Remember, there could be other underlying vulnerabilities that have not been discovered!
Below is a short template to help you structure this section. Please remember that the suggestions below are just a template. If there is something you need to add/remove, such as some advice or nice words, feel free to add those in this section too!
Provide an executive summary with a small overview of what the main findings were.
Were there particular assets that proved more vulnerable?
Were all assets vulnerable to a particular technique?
Are there any underlying security issues in how the assets are configured?
A summary of all the vulnerability classes and categories you have tested for, and what user roles have been used for the testing.
A summary of all the assets covered. Where did you invest most of your time during the testing period? Where did you not spend as much?
Explain the overall investigation process. What areas did you tackle first? Did you use any automated tools?
Additional observations or leads that did not generate submissions
Use this section to detail any additional findings that did not warrant a submission, but are notable enough to mention or findings that could have potentially led to more severe issues.
Were there any avenues you'd have liked to explore?
Is there any additional attack surface that should be in the scope of future programs run by this customer?