My key takeaways
- The report in a pentest IS the product
- "An adequate hacker who writes well is more useful to a customer than a l33t hacker who writes poorly." — Bronwen Aker
- Vulnerability scans sold as pentest reports have soured businesses on infosec
- Writing good reports is a skill that can be learned
- 7 deadly sins of report writing
- Bad Writing: typos and misspellings, poor grammar, or no clear narrative
- Condescending Tone
- Bad Screenshots
- Inconsistent Formatting
- Randomized Lists
- Irrelevant Guidance
- Info from Another Customer
- good report writing
- Tells a story
- Is easy to follow
- Explains why things matter
- Is accessible to the reader
- Improved public speaking helps with writing skills
- improve screenshots
- screenshots supplement the narrative, they don't replace it
- crop screenshots to the relevant region and make them large
- use light mode, avoid dark mode
- use a separate, screenshot-friendly profile on Linux (e.g. a light-background terminal profile)
- avoid transparency (e.g. when screenshotting shells)
- include highlights, callouts and captions
- include the exact command string used wherever possible
- avoid dropshadows
- Avoid fancy fonts
- use styles to have consistent designs
- if you have lists in your report (hosts, ports, findings), sort them; version-sort and de-duplicate in one pass:
    sort -V list.txt | uniq
  or, equivalently:
    sort -uV list.txt
- The report writer is the subject matter expert, so the guidance in the report has to be relevant to this client
- Avoid copy and paste from other reports
- the risk of contaminating the report with another client's info is too high
- If the client does something well, mention it
- make time for revisions
- use print preview
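The "sort your lists" tip above is worth seeing on real-looking input, because the difference between a plain `sort` and `sort -V` is exactly the kind of thing a reader notices in an appendix (10.0.0.10 listed before 10.0.0.2). The script below is an added example, not code from the talk or from Bronwen Aker's post; the host list is constructed sample data, and `assert_sorted_unique` is a helper name of my own, meant for a report build script that refuses an appendix list that is not already version-sorted and de-duplicated.

```shell
#!/usr/bin/env bash
# Added example (not from the talk): why the "sort your lists" tip uses -V.
# A plain sort is lexical, so 10.0.0.10 lands before 10.0.0.2; -V (version
# sort) compares digit runs numerically, and -u drops the duplicates that a
# scanner export or a hand-pasted appendix tends to carry.
set -eu
export LC_ALL=C   # stable, locale-independent ordering

# Constructed sample input (not real data): a messy host list as it might
# be pasted into a report appendix, with duplicates and mixed IP/hostnames.
hosts_unsorted() {
  printf '%s\n' \
    10.0.0.10 10.0.0.2 web-10.example.com 10.0.0.1 \
    web-2.example.com 10.0.0.2 web-1.example.com 10.0.0.10
}

# The naive approach: de-duplicated, but 10.0.0.10 sorts before 10.0.0.2.
lexical_sorted() { hosts_unsorted | sort -u; }

# The tip from the talk: version sort plus de-duplication in one pass.
# On a file this is simply:  sort -uV list.txt > list.sorted.txt
version_sorted() { hosts_unsorted | sort -uV; }

# Hypothetical helper for a report build script: fail if an appendix list
# is not already in version-sorted, de-duplicated form, and say how to fix it.
assert_sorted_unique() {
  file=$1
  if ! sort -uV "$file" | cmp -s - "$file"; then
    echo "ERROR: $file is not version-sorted/unique; run: sort -uV $file" >&2
    return 1
  fi
}

# Demo: show both orderings, then check a properly sorted copy.
echo "== sort -u (lexical) =="
lexical_sorted
echo "== sort -uV (version sort) =="
version_sorted
tmp=$(mktemp)
version_sorted > "$tmp"
assert_sorted_unique "$tmp" && echo "appendix list OK"
rm -f "$tmp"
```

Note the ordering `sort -uV` produces: the IPs come out numerically by octet and the hostnames by their embedded number, with the IPs ahead of the hostnames because a digit run sorts before a non-digit run. `sort -V` is a GNU coreutils extension, so on a minimal BSD or BusyBox box check that the flag exists before relying on the build check.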
Env
- Provided by BHIS
Speaker
additional links
- https://br0nw3n.com/2022/08/sort-your-lists-penetration-test-reporting-tips/
- https://www.noredink.com/
- Purdue OWL (Online Writing Lab)
- https://twp.duke.edu/beyond-students-faculty/twpws-student-resources
Video
User comments
- N3m1sys — today at 19:17
  Use the sandwich method…
  - What was done well
  - What was bad
  - What they will continue to do well
- whitecyberduck — today at 19:23
  I like using Word's Text-To-Speech while reviewing
- c0rndogs — today at 19:40
  Styles are the most unappreciated and overlooked feature in Word that can make your life one million percent easier
- michaels — today at 19:49
  I can't stress this "relevant and accurate" point strongly enough – I wanted to burn a pentest firm WITH FIRE when they wasted my time arguing about vulnerability scanner false positives.
- Nick Barker — today at 19:56
  Has anyone ever used "Steps Recorder"? It's magic for tutorials