Back to all activities

Report Creation


This component consists of an auditor compiling their audit notes and recommendations into a comprehensive set of documents the shows the current state of security, the process by which the auditor came to that assessment, and recommendations that will guide the hosts progression to meet their security goals.


    • Treat the report with the utmost security. It should only be shared as a complete work between the auditor(s) and the identified leadership and points of contact of the organization.

Walk Through

    • Create charts and visuals for roadmap, risk-matrix, implementation matrix, and critical processes.
    • Compile approaches, impact, risk, recommendations and resources for each vulnerability.
    • Prepare narrative components.
    • Write explanations for why any adversaries or threats that the auditor identifies as "un-addressable" with the organizations current capacity.
    • Collect agreements & scope.
    • Document tools used for testing where needed.
    • Update glossary where needed.
    • Compile full report contents.
    • Send the report to client. [1]
    • Document updates to activities to submit back to SAFETAG.


  • 1 "When a pilot lands an airliner, their job isn’t over. They still have to navigate the myriad of taxiways and park at the gate safely. The same is true of you and your pen test reports, just because its finished doesn't mean you can switch off entirely. You still have to get the report out to the client, and you have to do so securely. Electronic distribution using public key cryptography is probably the best option, but not always possible. If symmetric encryption is to be used, a strong key should be used and must be transmitted out of band. Under no circumstances should a report be transmitted unencrypted. It all sounds like common sense, but all too often people fall down at the final hurdle." - The Art of Writing Penetration Test Reports