As a penetration tester, you have been contracted to perform a security assessment for a major corporation. The corporation has also hired a third-party security firm to oversee the testing process and evaluate the comprehensive security posture. In your written report, which of the following components would be MOST important to include to address the interests of the third-party security firm?
Comprehensive appendices including raw output from security tools and unfiltered test data
An executive summary highlighting the overarching security posture without delving into technical specifics
An extensive section on common themes and root causes without specific references to individual findings
Detailed findings with risk rating using a reference framework and proposed remediation strategies
An executive summary is generally used to provide a high-level overview of findings for stakeholders who may not require deep technical details, such as C-suite executives. However, third-party security firms typically have the expertise necessary to understand and analyze technical findings in depth, so they would be more interested in detailed findings, risk ratings based on a reference framework, and the proposed remediation strategies. This will enable them to critically assess and validate the penetration testing methodology, findings, and recommendations.