What are the different types of reports available?
Overview
In vPenTest, we try to present as many reports as possible to help our partners dissect the information that's necessary for them to take action. The deliverables that are available depend on the type of assessment you've run. The following list provides information as to what kinds of reports are available for which type of assessment:
Consolidated Report
- All reports
Executive Summary/Technical Report/Remediation Report
- External Network Penetration Test
- External Network Security Assessment
- Internal Network Penetration Test
- Internal Network Security Assessment
Prospecting Report (for MSPs only)
- Internal Network Prospecting Test
- External Network Prospecting Test
Supporting Evidence
- All reports
Each report is explained in brief below.
Consolidated Report
The consolidated report is essentially all of the reports combined into one. Rather than downloading separate PDF documents, it may be more useful for your team to review everything in a single consolidated document.
One thing that you should note, however, is that when using the consolidated report, the number of pages can grow significantly due to the vulnerability assessment results.
Executive Summary
The executive summary is a high-level report that covers the penetration test findings without getting too technical. Using the executive summary, you can find information about the following:
- Overall scope of work
- Engagement statistics (e.g. number of compromised users, overall severity rating, number of activities, etc.)
- Overall number of penetration test and vulnerability assessment findings by severity rating
- Summaries of the penetration test findings
- A remediation roadmap
Technical Report
The technical report contains significantly more detail than the executive summary. The technical report is broken up into the following components:
- Penetration Test Narrative: Details about each step of the penetration test, from start to finish.
- MITRE ATT&CK: A list of cross-referenced MITRE TTPs that were executed as part of the penetration test.
- Findings: A breakdown of each finding, including its description, recommendations, references, supporting evidence, etc.
- Activity Log: A detailed breakdown of every activity performed during the penetration test, organized by timestamp.
Remediation Report
A remediation test is a follow-up assessment conducted after an internal or external network penetration test to verify that vulnerabilities identified during the original test have been properly addressed and mitigated. During a remediation test, vPenTest will attempt to exploit the same vulnerabilities found previously, ensuring they are no longer exploitable after remediation efforts. Sometimes, fixing vulnerabilities can introduce new weaknesses. A remediation test also checks that no new vulnerabilities have emerged as a result of the changes made. The following is included in the remediation report:
- List of recently remediated findings
- List of findings still present
- New findings
Prospecting Report
This report evaluates an organization’s network security using our pentest methodology. It includes a Pentest Evaluation Summary report with pentest findings listed by criticality, their business impact, and remediation steps. It is not a full penetration test and cannot be used to meet compliance or cyber insurance requirements.
Supporting Evidence
We try to include as much supporting evidence as possible along with all the assessments that we deliver. This includes vulnerability output files, any outputs from all the tools that we've discovered, and more. This is especially helpful for teams that are interested in diving deeper into the results to understand how we were able to discover some of the findings that we identified.
For more information on the deliverable formats, please visit this topic: What formats are the deliverables in?