Pentest reporting is the deliverable for most pentests – even if you’re primarily testing for teams that want to remediate. Your report is the client’s key to remediation, to compliance, and to ensuring they have the means to understand what the cybersecurity environment looks like in their organization. Yet, for many pentest teams, reporting eats up a considerable share of the time spent on a pentest. It’s not unusual for pentesters to spend 20-60% of the time spent testing on the report.
For many pentesters, that also means lost productivity and less time for testing. After all, if you need skilled pentesters to write up reports, those pentesters are losing 20-60% of their productivity on new pentests just writing reports. Of course, that varies depending on the pentest team and how you structure pentest reports, but reporting is always a large part of the overhead.
Time Spent Reporting Depends on the Complexity of the Pentest
The first and most important point is that pentest reporting timelines vary a great deal depending on the complexity of the pentest. For example, web app and similar pentests are often very straightforward and easy to report on. However, many teams also do more complex testing. You might report on red team exercises, crown jewel scenarios, etc., where you don’t know what the outcome of the pentest will be when you start. Therefore, you’ll have to write up custom content based on what was found, the decisions made around exploiting it, and what was behind it. Your methodology and research may have to be written up again and again for each new finding. For that reason, pentesters can spend anywhere from a few hours to multiple days on reporting, regardless of tools.
- Red Teaming – about 2 hours on reporting per 6-8 hours of pentesting
- Complex Pentests – 2+ hours per 6-8 hours of pentesting
- Web app/Network pentests – 1+ hour per 6-8 hours of pentesting
- Scan – 1-2 hours
Where Pentesters Spend Their Time
Reporting on pentests means:
- Writing or copy/pasting generic information such as recommendations, CVE, exploits, descriptions, etc.
- Importing findings from tooling via copy/paste/etc.
- Writing unique report content (executive summaries, client-specific data, etc.)
- Formatting the report
- Client communication (Collecting information, updating the client, delivering the pentest report)
If you’re using a tool, you’ll also have to consider:
- Troubleshooting when things go wrong
- Using the tooling/learning the tooling
- Working with assets in the tooling
This task list changes significantly depending on what kind of tooling you’re using. However, our pentester survey showed that pentesters spend:
- 20-70% of time on writing unique content
- 10-20% of time on importing from tools
- 50-75% of time on copy/paste
- 20-50% of time on formatting the report
- 20-50% of time on client communication
How Tooling Impacts How Long Pentesters Spend Reporting
If you’re using tooling, the amount of time you spend on each aspect of report writing changes. In addition, the amount of time you spend depends on what kind of tool you’re using.
- Word – Time to report is measured in days, typically 2-3
- Report Generation Tool (e.g., Dradis) – Typical report timelines are 6-14 hours
- Pentest Management/Collaboration Platform (e.g., Cyver) – Typical report timelines are 4-6 hours
Tooling also changes where you have to spend time. For example, in our survey of pentesters working without a pentest management platform:
- 40% of survey respondents reported writing unique content as the biggest time-sink in writing pentest reports
- 40% of survey respondents reported copy-pasting pre-prepared content like CVEs and descriptions as the biggest time sink
- 20% listed client communication as the biggest time-sink
After using a pentest management platform for 6+ months, those same respondents changed answers to:
- 16.7% writing or copy/pasting generic report content such as recommendations
- 33.3% writing unique report content
- 16.7% formatting the report
- 16.7% client communication
- 16.7% troubleshooting the reporting tool
Essentially, tooling changes where you have to invest time and may introduce new tasks like troubleshooting and formatting.
Streamlining Pentest Reporting
Most pentest teams spend 2-14 hours on pentest reporting, with 20-60% of the total time to pentest dedicated to reporting. Here, the average pentest report takes about 8-14 hours without a pentest management or reporting platform and about 5-6 hours with one. Cyver Core’s clients report an average of 6 hours spent on pentest reporting, compared with an average of 2 days spent on pentest reporting before using the tool.
If you’d like to learn more, download our whitepaper for an in-depth look at how Cyver Core saves time on pentest reporting.
Or, contact us to schedule a demo to get started right away.