Summary  
This chapter covers organizing and formatting a professional technical report by defining key sections—executive summary, scope, findings with risk levels, recommendations, and appendices—and using clear, non-technical language to communicate vulnerabilities and remediation steps effectively.  

General domain of usage  
Penetration testing documentation

## Why Reporting Matters

A penetration test is only valuable if you clearly communicate what you discovered. A professional report helps your audience—often non-technical stakeholders—understand the risks and how to fix them. Your report bridges the gap between technical details and business decisions.

## Key Sections of a Penetration Test Report

- **Executive summary**: Gives a high-level overview of what was tested, the main findings, and the overall security posture;
- **Scope and methodology**: Explains what systems were tested, what was out of scope, and the approach used;
- **Findings**: Lists each vulnerability or issue found, its risk level, and supporting details;
- **Recommendations**: Provides clear, actionable steps for fixing or mitigating each finding;
- **Appendices**: Includes technical evidence, such as screenshots or logs, supporting your findings.

## Communicating Findings Effectively

Use simple, direct language. Avoid jargon unless you define it. For each finding, answer three questions:

1. **What is the issue?**
   - Example: "The login page does not enforce strong passwords."
2. **Why does it matter?**
   - Example: "Weak passwords make it easier for attackers to gain unauthorized access."
3. **How can it be fixed?**
   - Example: "Require passwords to be at least 12 characters and include a mix of letters, numbers, and symbols."

## Presenting Risks and Recommendations

Assign a risk level to each finding, such as **High**, **Medium**, or **Low**. Support your assessment with clear reasoning. For instance:

- **High risk**: "Sensitive customer data is accessible without authentication. Immediate action is required."
- **Medium risk**: "Outdated software may allow attackers to exploit known vulnerabilities. Plan to update as soon as possible."
- **Low risk**: "Error messages reveal minor information about the server. Consider adjusting settings when time allows."

Always pair each risk with a specific recommendation. Use bullet points for clarity.

## Practical Example: Reporting a SQL Injection

**Finding:** The search feature allows SQL injection.

**Risk:** High. Attackers could access or modify the database.

**Recommendation:** Use parameterized queries in all database calls to prevent injection.

**Evidence:** Screenshot showing a successful injection and the returned database information.

Which statement best describes a key best practice when writing a professional penetration test report?

A hands-on course guiding learners through the essentials of web application and API penetration testing, from foundational concepts to exploitation techniques and professional reporting. Includes real-world scenarios, practical tasks, and review questions to reinforce learning.

Covers the foundational knowledge required for web application and API penetration testing, including methodologies, ethics, and reconnaissance.

Focuses on identifying and exploiting common vulnerabilities in web applications and APIs through practical, hands-on tasks.

Covers the process of documenting findings, creating professional reports, and recommending remediation steps.

Writing a Professional Penetration Test Report

Why Reporting Matters

Key Sections of a Penetration Test Report

Communicating Findings Effectively

Presenting Risks and Recommendations

Practical Example: Reporting a SQL Injection