The appendix of a report is the appropriate place to include ancillary information such as raw output from security tools and extensive logs. This data supports the findings in the main report but is too detailed and technical to include within the body. The appendix allows for technical stakeholders to review the raw data if needed. Risk prioritization is part of the main findings and should be included in the main body of the report, not in the appendix. Contact information for the penetration testing team should be present in the initial sections of the report or within a defined communications section, not the appendix. Personal data of the penetration testers is not relevant to the report and could raise privacy concerns.