• Conclusion:

    This section wraps up the report. It should contain a general summary of what the test succeeded and failed to achieve, with each claim backed by supporting evidence that can be stated in a sentence or two.

    It should also restate the goals of the penetration test and whether each goal was met. This is the place to be specific about realistic attack paths and the assets an attacker could reach through them. Identify the areas most likely to be compromised and recommend that those be remediated first.

  • Appendix:

    Any supporting evidence, or attestation of findings, should be attached to the report. This might include tool output and test results, screenshots of network activity, and other evidence obtained during testing.

    It can also include the full version of material that the report body only summarizes, or a reference to a file delivered as a separate attachment.

    As an example, the full analysis of findings can be delivered as a spreadsheet listing every vulnerability with its risk rating and other details, while the report body covers only the prioritized findings. This keeps the report focused on the most important information without the client losing sight of any issue identified during the penetration test.
