Reporting

In the final phase of penetration testing, findings need to be provided to the business in a meaningful way. Here, you would define everything from how you entered their environment to what you found. It's important to provide the business with recommendations on how to fix the gaps that you have exposed in your penetration test.

Your report should have an executive summary and a technical report. Each section needs to be tailored to the audience that you are presenting it to. For example, you would not say that you used the MS17-010 EternalBlue exploit to compromise a system in the executive summary, but you would say this in the technical report.