Black Hat | Def Con 2024
Are you attending Black Hat? Meet the Cobalt team and Core at booth #2913!
Black Hat | Def Con 2024
Are you attending Black Hat? Meet the Cobalt team and Core at booth #2913!

4 Tips for Making the Most of a Pen Test Report

In traditional pen testing models, the final report consists of a pdf summary of the findings emailed to you at the end of a testing…

In traditional pen testing models, the final report consists of a pdf summary of the findings emailed to you at the end of a testing period. All communication around individual vulnerabilities usually happens in a one-hour readout call, then you’re on your own. This old-fashioned way of reporting works for compliance purposes, but for the developers who actually need to fix the findings, it’s not the best delivery method.

With Cobalt’s Pen Testing as a Service model, reporting is an interactive and ongoing process. Individual findings are posted on the platform as they are found, and at the end of a test the pen test lead reviews all the findings and produces a final summary report. Once complete, the lead passes it on to the customer. The final report that is sent over at the end of a test isn’t static, it’s a living document and reflects the changes and input made. For example, when vulnerabilities are marked ready for re-test on the platform, the researcher will verify the fix and update the state which is then automatically reflected on the full report.

Here are 4 tips to get the most out of a pen test report:

1. Get Involved in the Risk Assessment

The Cobalt researchers are experts in pen testing and have strong experience in assessing risk from a technical standpoint — but they don’t know your business as well as you, and sometimes it can be challenging for a third party to assess the actual business impact of a vulnerability. The pen test lead will always have the final say in the risk assessment, but relevant information is key for good decisions. Therefore, we encourage business teams to get involved in the risk assessment process by providing business related insights to the pen test lead so the assigned risk is aligned with the real world. You can do this by providing comments directly in the platform for each individual finding as it is reported.

2. Show Progress to Stakeholders

During a pen test there are many stakeholders that may be interested in the findings and success of a test. This may be members of your security team, engineering, product, etc. You want to show stakeholders that the test was successful, that you are fixing vulnerabilities, and that you are more secure. You can do this by providing them with most up-to-date information. With traditional pen testing this would mean you are updating the final report you were given. With Cobalt, the status of findings are automatically updated as they are fixed. This gives you the ability to download the most up-to-date report at anytime. The pen testing is a point in time, but the final report is a living document that shows the fixes overall.

3. Use Different Report Views

After testing is done, you want to be able to share the results with key stakeholders. However, the amount of information you want to share with each individual can differ. This is where having different versions of you full report can help summarize only certain information to different stakeholders. With Cobalt, we make this easy by offering three different levels: Attestation, Full Report, and Full Report + Findings Details. No need to go in cut, copy, and paste. Have it ready with a click of a button.

4. Facilitate Direct Communication with Developers

While a full pen test summary report is great for compliance and stakeholder management, reporting to the developers needs to be more detailed. It’s important that the communication channel between security and Development teams is as seamless as possible. The easier it is to communicate, the more likely it is that findings will get fixed. Traditionally, this finding communication is done via email, but with Cobalt this can be done by either inviting the developers into the platform for direct communication and/or setting up integrations enabling you to push the findings over to your JIRA or GitHub project with the click of a button.

Hope these tips offer some guidance as you manage your pen test reports. Feel free to comment or reach out with feedback or additional tips.

In case you missed the previous step in the pen testing process. Here are a few great articles to explore next:

Back to Blog
About Jakob Storm
Jakob Storm is Co-founder and Chief Product Architect at Cobalt. In his current role, Jakob helps guide the development of the Cobalt platform, working closely with product teams and business stakeholders to drive Cobalt’s architectural roadmap and ensure strong business/technology alignment. More By Jakob Storm
Man-In-The-Middle Attacks: How to Detect and Prevent
This article covers the steps cybercriminals commonly take to execute different MITM attacks, and how security teams can detect and prevent them.
Jan 24, 2023