February 2

Webinar takeaway – Things NOT to Do in Pentest Reports: Tips, Tricks, and Traps in Report Writing

My key takeaways

  • The report in a pentest IS the product
  • An adequate hacker who writes well is more useful to a customer than a l33t hacker who writes poorly. — Bronwen Aker

  • Vulnerability scans sold as pentest reports have soured businesses on infosec
  • Writing good reports is a skill that can be learned
  • 7 deadly sins of report writing
    1. Bad Writing: typos and misspellings, poor grammar, or no clear narrative
    2. Condescending Tone
    3. Bad Screenshots
    4. Inconsistent Formatting
    5. Randomized Lists
    6. Irrelevant Guidance
    7. Info from Another Customer
  • Good report writing
    • Tells a story
    • Is easy to follow
    • Explains why things matter
    • Is accessible to the reader
  • Improved public speaking helps with writing skills
  • Improve screenshots
    • Screenshots supplement the narrative; they do not replace it
    • Crop screenshots tightly to the relevant area and make them big
    • Use light mode, avoid dark mode
      • On Linux, keep a separate terminal profile for screenshots
    • Avoid transparency (e.g. when screenshotting shells)
    • Include highlights, callouts and captions
    • Include the exact command string used wherever possible
    • Avoid drop shadows
  • Avoid fancy fonts
  • use styles to have consistent designs
  • If you have lists in your report, sort ’em
    • sort -V list.txt | uniq, or simply sort -uV list.txt (version sort orders 10.0.0.2 before 10.0.0.10; -u drops duplicates)
  • The report writer must be the subject matter expert, so they have to give relevant guidance in the report
  • Avoid copy and paste from other reports
    • The risk of contaminating the report with another client’s info is too high
  • If the client does something well, mention it
  • make time for revisions
  • use print preview
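The sorting tip above is worth seeing on real input. The following is an added example, not part of the webinar or this post: it takes a constructed host list of the kind that ends up in a pentest appendix and shows why plain lexical sorting puts 10.0.0.10 ahead of 10.0.0.2 while version sort (-V) orders it the way a reader expects. It assumes GNU coreutils sort (BSD sort also accepts -V) and pins the locale to C so the result is reproducible.

```shell
# Added example, not from the webinar or the post.
# Assumes GNU/BSD sort with -V; the host list below is constructed.

# Version-aware sort: numeric components compare numerically, -u dedups.
sort_findings_list() {
  LC_ALL=C sort -uV
}

# Plain lexical sort for comparison: "10" sorts before "2" because '1' < '2'.
plain_sort_list() {
  LC_ALL=C sort -u
}

# Constructed sample: unsorted, with one duplicate, as it might be pasted
# into a report appendix.
sample_list() {
  printf '%s\n' \
    '10.0.0.10' \
    '10.0.0.2' \
    'web-10.example.test' \
    'web-2.example.test' \
    '10.0.0.2' \
    '10.0.0.1'
}

# Join the sorted output on commas so the result is a single comparable string.
version_sorted() { sample_list | sort_findings_list | paste -s -d ','; }
plain_sorted()   { sample_list | plain_sort_list   | paste -s -d ','; }

# Run stand-alone to see both orderings side by side.
if [ "${1:-}" = "--demo" ]; then
  echo "sort -uV : $(version_sorted)"
  echo "sort -u  : $(plain_sorted)"
fi
```

Run it with `sh example.sh --demo`; the version-sorted line lists the IPs in address order and web-2 before web-10, while the plain sort interleaves them by character value. For a report list you would replace `sample_list` with `< list.txt`.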

Video

Things NOT to Do in Pentest Reports: Tips, Tricks, and Traps in Report Writing

User comments

  • N3m1sys — today at 19:17
    Use the sandwich method…
    What was done well
    What was bad
    What they will continue to do well

  • whitecyberduck — today at 19:23
    I like using Word’s Text-To-Speech while reviewing

  • c0rndogs — today at 19:40
    Styles are the most unappreciated and overlooked feature in Word that can make your life one million percent easier

  • michaels — today at 19:49
    I can’t stress this "relevant and accurate" point strongly enough – I wanted to burn a pentest firm WITH FIRE when they wasted my time arguing about vulnerability scanner false positives.

  • Nick Barker — today at 19:56
    Has anyone ever used “Steps Recorder”? It’s magic for tutorials


Tags

copywriting, report, writing
