Element | Description |
---|---|
Executive summary | - Date range of the assessment - Purpose and scope of the assessment - General status of the assessment and summary of your findings regarding risk to the client - Disclaimer |
Scan results | - Explanation of the scan results, such as how you’ve categorized and ordered vulnerabilities - Overview of the types of reports provided |
Methodology | - Tools and tests you used for vulnerability scanning, such as penetration testing or cloud-based scans - Specific purpose of each scan, tool, and test - Testing environments for each tool used in the assessment |
Findings | - Which systems identified by the client you successfully scanned and which you did not - Whether any systems were not scanned and, if so, the reasons why |
Risk assessment | - Index of all vulnerabilities identified, categorized as critical, high, medium, or low severity - Explanation of the above risk categories - List of all vulnerabilities with details on the plugin name, description, solution, and count information |
Recommendations | - Full list of actions the client should take - Recommendations of other security tools the client can use to assess the network’s security posture - Security policy and configuration recommendations |

- Sample Technical Report: RootKid - GitHub
- Hack The Box Sample Report
- My First VA Report