Sample Penetration Report

Here is an outline that has been used by several different organizations over the years and that, in some cases, is still in use by some of the larger security consulting practices:

Executive Summary
    Findings
    Recommendations
Introduction
    Purpose and Scope
    Network Map
    Remote Dial-in Map
Findings and Recommendations
    Organizational and Procedural Issues
        Network Security Responsibility
        Internal Restrictions
    Network-Wide Vulnerabilities
        Firewall
        Intrusion Detection and Security Monitoring
    Host Vulnerabilities
    Dial-in Vulnerabilities
    Password Issues
    Network Vulnerabilities
Recommendations
    Industry Best Practices
    Network Considerations
        Network Addressing
        Firewalls
        Automated Systems
            Intrusion Detection and Security Monitoring
            Vulnerability Scanning
    Host Considerations
        System Banners
        Dial-in Access
        Remote Management of Network Infrastructure Devices
        Centralized Security Authority
        Informational Services
    User Authentication
        Passwords
            Password Administration
            Password Structure and Policy
Appendix
    Appendices usually contain specific information, such as network sweeps, notes from testing, and other types of documentation. This information is usually too large to fit in the body of the report itself.
    Assessment Process Overview
        Background
            Security as an Operational Process
            Security Posture Defined
        Assessment Process
            Network Discovery
            Target System and Vulnerability Identification
            Data Analysis and Security Design Review


shrdlu AT deaddrop DOT org

Last modified: Sat Oct 30 23:00:57 PDT 2004