What's in a Pentest Report

Here’s what you can expect in a Pentest Report.

Our pentest reports include what you need to further secure your systems.

We provide the following types of pentest reports:

  • For Agile pentests:
    • Automated Report
  • For Comprehensive and In-House pentests:
    • Customer Letter
    • Attestation Report
    • Attestation Letter
    • Full Report
    • Full Report + Finding Details

The report type determines its contents. If you’ve purchased an appropriate PtaaS tier, you can customize the contents of some reports.

The sections below describe each part of a report. Which sections appear depends on the report type.

Report sections

Target

The Pentest Target, which indicates the location of your asset.

Test Period

The dates of the pentest engagement.

Test Performed By

Pentesters who tested your asset. Each pentester name includes a link to their Cobalt profile.

Executive Summary

The executive summary includes:

  • A high-level summary of the tests that pentesters performed
  • A table with the number of findings that pentesters identified, categorized by different severity levels
  • Highlights of any significant findings

Scope of Work

The scope shown in the following subsections varies depending on the asset type.

Target Description

The report includes information on the asset that pentesters tested, along with the environment you specified when planning the pentest:

  • Production (for end users)
  • Staging (proposed future production environment)
  • Development (asset in work)

In-Scope Testing Methodologies

In this section, we get into more specifics on the tests that pentesters performed. In general, we test to standards such as:

In this section we include a checklist of the tests that we performed on your assets. Depending on your asset, it may also include manual and automated steps that we use with black box and grammar-based fuzzing. For more information, see:

Test Cases that Thwarted Exploitation Attempts

This section lists the tests that did not find vulnerabilities while testing your asset.

Methodology

This section includes basic methodologies that pentesters used before, during, and after the test.

Pre-Engagement

  • Scoping
  • Customer documentation
  • Information discovery

Penetration Testing

  • Tool-assisted assessment
  • Manual assessment
  • Exploitation
  • Risk Analysis
  • Reporting

Post Engagement

  • Prioritized remediation
  • Best practice support
  • Retesting

Risk Factors

We use a modified version of the OWASP Risk Rating Methodology, which rates each finding on its business impact and its likelihood. We measure each factor on a scale from 1 (very low) to 5 (very high).

Severity Definitions

Based on the Risk Factors, we assign a rating to each finding, using the following equation:

Risk = Impact * Likelihood

For more information, see our documentation on Severity Levels.

Summary of Findings

When feasible, this section includes graphs that categorize vulnerabilities by:

  • Type
  • Severity

Analysis

A short summary of each vulnerability. If you have a Full Report + Finding Details, you can find more information about each vulnerability in the appendix on Finding Details.

Where applicable, this section also includes a list of open ports and services.

General Risk Profile

We include a color-coded chart based on impact and likelihood of each vulnerability.

Recommendations

This section includes pentesters’ recommendations for what you can do to mitigate and remediate each finding.

Post-Test Remediation

This section includes the type, severity, and state of each finding, as well as whether the finding has been resolved.

For findings that you have marked Fixed or Accepted Risk, the report also shows the date on which each was resolved.

Terms

This section includes a disclaimer. Terms don’t appear in reports for In-House Pentests.

Appendix A - Finding Details

In this section, you can see details for each finding. This includes the following:

  • Vulnerability Type
  • Description
  • Affected URLs
  • Proof of Concept of the vulnerability
  • Severity
  • Suggested Fix

Last modified December 18, 2024