Approach
Sample Report
A high-quality report is essential for every penetration test. Comprehensive descriptions at both the technical and the management level give a clear understanding of all identified vulnerabilities.
Management Summary
Our final report includes a non-technical summary of the project and all identified findings for the management level. All findings are summarized concisely.
Approach, Scope and Tools
In addition, our final report includes a comprehensive description of the testing methods used, the system analyzed, and the scope of the test, as well as the tools and scripts employed during the penetration test.
Findings and Recommendations
Our final report also contains a detailed technical description of every identified finding, together with a specific remediation recommendation for each vulnerability. This is aimed at technical personnel such as administrators and developers.
Standardized Risk Rating
We adhere to recognized standards like the OWASP risk rating procedure for the scoring of identified vulnerabilities. The risk of a vulnerability is based on its likelihood and impact.
OWASP Risk Rating Procedure
The risk rating is assigned following the OWASP risk rating procedure, which combines the two factors likelihood and impact. The severity levels of our risk rating matrix, in descending order of severity, are described below:
Vulnerabilities that can be abused by attackers with little technical knowledge using publicly available exploits.
Vulnerabilities that can be exploited manually by an attacker; no publicly known exploits exist.
Vulnerabilities that allow an attacker to access sensitive functions or information; the privileges an attacker can obtain through exploitation are limited.
Vulnerabilities that do not pose an immediate risk but may serve as a platform for further attacks.
Useful information that might indicate potential errors. These findings do not constitute a security risk but should be evaluated.
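The OWASP procedure referred to above is fully specified in the OWASP Risk Rating Methodology: eight likelihood factors and eight impact factors are each scored 0-9, each group is averaged and bucketed into LOW / MEDIUM / HIGH, and the two buckets are combined through a fixed likelihood-by-impact matrix. The following Python is an added worked example of that calculation; it is not code from this page or from the testing provider, and the two scored findings (a login SQL injection and an internal race condition) are constructed for illustration, with scores that are not taken from any real test.

```python
"""OWASP Risk Rating Methodology worked through in code (added example).

Factor names and thresholds follow the OWASP Risk Rating Methodology;
the two sample findings at the bottom are constructed, not real results.
"""
from statistics import mean

LIKELIHOOD_FACTORS = (
    # threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
IMPACT_FACTORS = (
    # technical impact
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    # business impact
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# OWASP overall severity matrix, indexed as [impact_level][likelihood_level].
SEVERITY_MATRIX = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}


def bucket(score: float) -> str:
    """OWASP thresholds: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"factor average out of range: {score}")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def _average(factors: dict, names: tuple) -> float:
    """Average one factor group, rejecting missing or out-of-range scores."""
    missing = set(names) - factors.keys()
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    for name in names:
        if not 0 <= factors[name] <= 9:
            raise ValueError(f"{name} must be scored 0-9, got {factors[name]}")
    return mean(factors[n] for n in names)


def rate(factors: dict) -> dict:
    """Return likelihood, impact, their buckets and the overall severity."""
    likelihood = _average(factors, LIKELIHOOD_FACTORS)
    impact = _average(factors, IMPACT_FACTORS)
    l_level, i_level = bucket(likelihood), bucket(impact)
    return {
        "likelihood": round(likelihood, 3), "likelihood_level": l_level,
        "impact": round(impact, 3), "impact_level": i_level,
        "severity": SEVERITY_MATRIX[i_level][l_level],
    }


# Constructed finding 1: unauthenticated SQL injection in an internet-facing
# login form with a public exploit (maps to the top tier described above).
SQLI_LOGIN = {
    "skill_level": 9, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 9,
    "intrusion_detection": 9,
    "loss_of_confidentiality": 7, "loss_of_integrity": 7,
    "loss_of_availability": 5, "loss_of_accountability": 7,
    "financial_damage": 7, "reputation_damage": 5,
    "non_compliance": 7, "privacy_violation": 7,
}

# Constructed finding 2: hard-to-trigger race condition on an internal-only
# service with negligible impact (maps to the informational tier).
INTERNAL_RACE = {
    "skill_level": 1, "motive": 4, "opportunity": 4, "size": 2,
    "ease_of_discovery": 1, "ease_of_exploit": 1, "awareness": 1,
    "intrusion_detection": 3,
    "loss_of_confidentiality": 2, "loss_of_integrity": 3,
    "loss_of_availability": 1, "loss_of_accountability": 1,
    "financial_damage": 1, "reputation_damage": 1,
    "non_compliance": 2, "privacy_violation": 3,
}

if __name__ == "__main__":
    for name, finding in (("SQLi in login", SQLI_LOGIN), ("internal race", INTERNAL_RACE)):
        print(name, rate(finding))
```

A point worth keeping in mind when using the matrix: because likelihood and impact are averaged independently, a trivially discoverable finding with negligible impact still lands in the Medium row of the matrix if its likelihood average reaches 6, which is why the impact factors should be scored conservatively rather than defaulting to mid-range values.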
Alternatively, we offer a risk assessment based on CVSS. More information can be found in the CVSS specification.
Frequent questions regarding penetration tests (FAQ)
When can we expect the final report?
Our reports are generally delivered within 1-2 weeks after the penetration test has ended. Should you require test results earlier, please raise this at the joint kick-off meeting. For time-critical projects we gladly share preliminary results earlier where possible.
More information, as well as a sample report can be found here.
How is the final report transmitted?
All sensitive documents and credentials are provided via our encrypted file exchange platform. Data is encrypted on the transport layer (TLS) and additionally at the file level (AES-256). We host the platform ourselves on German servers. Every retrieval is logged, and download links are automatically deactivated after 30 days, followed by complete erasure of the data.
Via this platform you receive an e-mail with a secure link for retrieving the final report (PDF). Optionally, log data or proof-of-concept exploits are provided as a ZIP archive.
What report languages are available?
We provide German and English versions of all tests and final documents you receive from us. Our staff are fluent in both languages.
The report language can be selected in the configurator and is confirmed again at the joint kick-off meeting.
Do you offer any other risk assessment methods?
If you need a customized method for assessing the criticality of identified vulnerabilities, please feel free to discuss this with us. Provided your method follows a recognized standard and is transparent, we will generally accommodate your request.