Phase 7
Reporting
Reporting is the final phase and one of the most critical. It turns the operation into a usable record of what happened, what worked, what failed, and what the client should do next. The resulting report should be one that can be presented to leadership, used by defenders, and relied on for remediation and retesting.
Report Structure
- Executive Summary
- Introduction
- Positive observations
- Negative observations
- Conclusion
Scope
- Description of scope
- Exclusions and limitations
Attack Narrative
Include a full walkthrough from reconnaissance to the achieved objective so the customer can understand the chain, not just the isolated findings.
Findings
- Finding details: Each finding should include a clear description, proof of concept, impact, and mitigation guidance.
- Severity model: Use a consistent scoring approach for physical security findings. PSVSS is a lightweight model for doing that in a repeatable way.
Evidence Note
Never underestimate the value of photos. During the assignment, photograph everything. It is better to have too many photos than too few.
Phase Output
A complete report suitable for delivery and presentation to the customer.