Writing pentest reports is an art form for many pentesters. The pentest report is your primary deliverable, the result the client is actually paying for, and getting it right makes the difference between a happy client and an unhappy one. If you follow Cyver Core’s blog, you know we recently wrote a piece about writing better pentest reports.
In this follow-up, we’re going to discuss what’s different when your pentest report is intended to help the client meet compliance needs. Normally, this means the compliance report is shared with an auditor, possibly verified by a third party, and is primarily intended to satisfy a very specific checklist. The goal is not to help the client harden their environment, but to prove that their environment meets the minimum cybersecurity requirements of the compliance norm in question. For example, if the client has to meet PCI-DSS compliance, they need an annual pentest to verify that the security perimeter meets, at minimum, those standards.
Writing Pentest Reports for the Auditor
In most cases, the pentest report is intended for the auditor. However, you still want to ensure devs and compliance officers in the company can use the report to actually remediate any issues you find. This normally means using your standard report template with a managerial-level introduction at the top, an in-depth section for findings, and then adding new sections specifically for the auditor.
At Cyver Core, we recommend adding the following new sections:
Include the Compliance Norms Used
It’s always a good idea to include the compliance norms used for the pentest, because most compliance standards come with a list of items to check and the standard each must meet. Including that checklist and marking those checks off in the report makes it much easier for the auditor to see a) whether the pentest meets the requirements of the audit and b) whether the client passed.
This should include:
- The compliance norm used for the pentest
- An overview of the pentest performed and how it maps to the compliance norm in question
- An overview of the tools and methodology and how they map to the compliance norm in question
- The pentest checklist delivered by the compliance norm and findings per section. In some cases, you might want to detail checks completed per section.
This data is also relatively easy to add. Chances are, you already have it in the normal findings overview and upload. Adding it to a new section is then a matter of moving it and mapping it to those compliance norms. You can do that manually, or you can use a pentest management platform like Cyver Core to automate the process.
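To make the mapping described above concrete, here is an added example of how the "findings per section" checklist can be built from the findings you already have. This is illustration code written for this post, not Cyver Core's own tooling; the norm, its check IDs (N-1 to N-4), the findings and the assets are all constructed sample data, not a real compliance standard.

```python
"""Build the per-section compliance checklist for a pentest report.

Added example, not Cyver Core's code. The norm, its checklist IDs and the
findings below are constructed sample data, not a real compliance standard.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    title: str
    severity: str
    asset: str
    checks: list  # checklist IDs this finding is mapped to


@dataclass
class SectionStatus:
    check_id: str
    description: str
    status: str  # "pass", "fail" or "not tested"
    findings: list = field(default_factory=list)


# Constructed checklist standing in for the compliance norm's own list.
CHECKLIST = [
    ("N-1", "Network perimeter restricts inbound traffic to approved services"),
    ("N-2", "Authentication enforces strong credentials"),
    ("N-3", "Transport encryption is enforced for sensitive data"),
    ("N-4", "Security patches are applied within the required window"),
]

# Constructed findings, as they would come out of the normal findings upload.
FINDINGS = [
    Finding("Default admin credentials on management portal", "high",
            "mgmt.example.internal", ["N-2"]),
    Finding("TLS 1.0 still accepted on customer API", "medium",
            "api.example.internal", ["N-3"]),
    Finding("Verbose server banner", "info", "www.example.internal", ["N-4"]),
]

# Checks the pentester marked as completed during the engagement.
COMPLETED_CHECKS = {"N-1", "N-2", "N-3"}


def build_checklist_section(checklist, findings, completed, fail_at="medium"):
    """Return one SectionStatus per checklist item, in checklist order.

    A completed check fails when a mapped finding is at or above `fail_at`;
    lower-severity findings are still listed so remediation owners see them,
    but they do not fail the check. A check that was never performed is
    reported as "not tested" rather than silently passing.
    """
    threshold = SEVERITY_RANK[fail_at]
    by_check = {}
    for f in findings:
        for check_id in f.checks:
            by_check.setdefault(check_id, []).append(f)

    sections = []
    for check_id, description in checklist:
        mapped = by_check.get(check_id, [])
        if check_id not in completed:
            status = "not tested"
        elif any(SEVERITY_RANK[f.severity] >= threshold for f in mapped):
            status = "fail"
        else:
            status = "pass"
        sections.append(SectionStatus(check_id, description, status, mapped))
    return sections


def unmapped_findings(checklist, findings):
    """Findings that reference no known check ID; they would otherwise be
    invisible in the auditor's section of the report."""
    known = {check_id for check_id, _ in checklist}
    return [f for f in findings if not any(c in known for c in f.checks)]


def render(sections):
    """Plain-text table in the shape a report template section would take."""
    lines = [f"{'Check':<6} {'Status':<11} Description / mapped findings"]
    for s in sections:
        lines.append(f"{s.check_id:<6} {s.status:<11} {s.description}")
        for f in s.findings:
            lines.append(f"{'':<18}  - [{f.severity}] {f.title} ({f.asset})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_checklist_section(CHECKLIST, FINDINGS, COMPLETED_CHECKS)))
    for f in unmapped_findings(CHECKLIST, FINDINGS):
        print(f"WARNING: finding not mapped to any check: {f.title}")
```

Two choices matter for the auditor: a check with no findings only passes if it was actually performed, so skipped checks surface as "not tested", and any finding whose check IDs are unknown is flagged rather than dropped, so nothing in the findings overview goes missing from the compliance section.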
Automating the Process with Cyver Core
Cyver Core uses an automated reporting process to pull vulnerability findings into tickets. Tickets can then be imported directly into a pentest report template, based on the pentest performed. Cyver also allows you to set up pentest templates, where you set norms, configure pentest checklists, and use compliance frameworks to establish task lists per pentest, per pentester on the project. Once you’ve marked those off, you can import all of it directly into the pentest report. You can automatically map your findings per asset, per check to the relevant sections of the compliance framework requirements – because you did that as part of pentest setup and work management.
While that makes it easier to deliver higher quality reports, it also gives the client quality assurance and a visual record of the items checked. That, alone, can be a USP.
If you’d like to learn more, check our pentest reports page here.