Practise the vocabulary and structure of professional penetration testing reports: findings, severity ratings, and recommendations.
1 / 6
In a penetration test report, the 'executive summary' section is intended for:
The executive summary is written for senior management and other non-technical decision-makers, so it translates technical findings into business risk and avoids jargon: 'We identified 3 critical vulnerabilities that could allow a full system compromise. We recommend prioritising the authentication fixes before the planned product launch.'
2 / 6
A finding described as 'Critical' in a pentest report typically means:
Critical findings (CVSS 9.0–10.0) typically require immediate remediation, ahead of everything else in the report: they are usually exploitable over the network, need no privileges or user interaction (CVSS PR:N and UI:N), and lead to full compromise of the system or its data. Example language: 'An unauthenticated attacker can execute arbitrary commands on the server by exploiting this SQL injection vulnerability; this requires no special privileges or user interaction.'
3 / 6
The 'reproduction steps' section of a pentest finding serves to:
Precise reproduction steps (exact URLs, parameters, payloads and the expected observation) are essential, so that someone without the tester's context can repeat the result: 'Step 1: Log in as any user. Step 2: Navigate to /profile?id=1. Step 3: Change the ID parameter to another user's ID. Observe: you can view and edit the other user's profile.' Developers use these to reproduce the issue, fix it, and verify that the remediation works.
4 / 6
Which phrase best describes an 'informational' finding in a pentest report?
Informational findings are not vulnerabilities in themselves but observations that could assist an attacker or that fall short of good practice: server banners revealing software versions, missing security headers, or HTTP methods enabled unnecessarily. They are reported so the client can tidy them up, but they carry no direct risk on their own.
5 / 6
A pentest report recommendation section should include:
Effective recommendations are specific and actionable: 'Implement parameterised queries (prepared statements) for all SQL database interactions. Example in Python: cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))', not just 'fix the SQL injection'. Note that the %s here is a DB-API placeholder that the database driver fills in (psycopg2 and the MySQL drivers use %s, sqlite3 uses ?); it is not Python string formatting, and building the query with the % operator or an f-string would reintroduce the vulnerability.
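A recommendation is most convincing when the report shows the vulnerable pattern next to the fixed one and the same payload failing against the fix. The block below is an added example for this page, not code from the original quiz; it uses the standard-library sqlite3 module so it runs offline, which means the placeholder is ? rather than the %s shown above (the technique is identical). The users table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample data for the demonstration (not real accounts).
SAMPLE_USERS = [
    (1, "alice", "hash-alice"),
    (2, "bob", "hash-bob"),
    (3, "carol", "hash-carol"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """The 'before' of the finding: the caller-controlled value is pasted into the
    SQL text, so whatever the attacker types becomes part of the query."""
    query = f"SELECT id, username FROM users WHERE id = {user_id}"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """The recommended fix: a parameterised query. The driver sends the value
    separately from the SQL text, so it can never alter the query's structure.
    sqlite3 uses '?' as its placeholder; psycopg2 and MySQL drivers use '%s'."""
    return conn.execute(
        "SELECT id, username FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def demo():
    """Run a legitimate value and two injection payloads against both versions and
    return the row counts, the evidence a report would show for 'before' and 'after'."""
    conn = make_db()
    payloads = {
        "legitimate": "1",
        "tautology": "1 OR 1=1",                                   # returns every user
        "union_exfil": "0 UNION SELECT id, password_hash FROM users",  # leaks hashes
    }
    results = {}
    for name, payload in payloads.items():
        results[name] = {
            "vulnerable_rows": len(lookup_vulnerable(conn, payload)),
            "safe_rows": len(lookup_safe(conn, payload)),
        }
    return results


if __name__ == "__main__":
    for name, counts in demo().items():
        print(f"{name:12s} vulnerable={counts['vulnerable_rows']} safe={counts['safe_rows']}")
```

Against the parameterised version the tautology and UNION payloads are compared with the id column as a single opaque value and match nothing, which is exactly the 'verify remediation' step the reproduction-steps section asks developers to perform. The same harness, with the payload swapped for the one documented in the finding, doubles as a regression test.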
6 / 6
The phrase 'the vulnerability was exploited to achieve privilege escalation' means:
It means the tester used the vulnerability to gain access beyond what the account they started from was permitted. Privilege escalation is a high-impact finding class with two forms: horizontal escalation, accessing other users' resources at the same privilege level (the profile IDOR in the reproduction-steps example above is horizontal), and vertical escalation, gaining higher privileges such as admin, root or SYSTEM.