Ask any pentester what the best part of their job is, and surely, you will not receive an enthusiastic “Reporting!” as your answer. Regardless of how monotonous the process may be, a great report is one of the most important pieces of an offensive security assessment. The final report is where critical information is communicated to show the reader the security state of the systems in scope. Putting together such a deliverable can be challenging, especially when you have two very distinct audiences reading the same report.
This talk primarily focuses on how pentesters can use narrative framing to tell a story that conveys critical information to both technical and non-technical readers. Attendees will learn how this technique should be applied not just to executive summaries, but to the technical findings themselves. Other ways to improve reporting will also be explored, including what constitutes a great finding, strong practices that can be incorporated into the reporting process, and various other tips and tricks.
Ultimately, the goal of this presentation is to help pentesters to better frame information in a way that lands with their intended audience, creating better deliverables overall. For non-pentesters, from engineers to executives, this presentation will illustrate what to expect in a good report when having security assessments conducted on their systems.