# Findings Report

## Overview

A **Findings Report e**ntails everything that you did and found on a high and low level. This section will have very quick and short notes on each section of the **Findings Report,** highlighting the importance of each one and what they're about

**TCM Security Sample Report**

{% embed url="<https://github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report>" %}

## Disclaimer

* A Disclaimer saying that the test is a snapshot in time meaning that after the week of engagement if someone opens up a port or puts up an new vulnerable application, we are not responsible for that.
* The engagement is time limited meaning that we can only target what we can in that period of time. When limited on time not going to find everything)

{% hint style="info" %}
Some clients will be cheap and pay for a week instead of two not giving a good in depth engagement
{% endhint %}

## Assessment Overview

* High level overview
* State that all testing is performed based on the NIST XXXXX&#x20;
* Show the phases of the pentest life cycle

<figure><img src="/files/KS6lcEaJwqwbsHIhOYNT" alt=""><figcaption><p>Penetration testing life cycle</p></figcaption></figure>

## Assessment Components

* State what an external penetration test is (or whatever kind of pentest you're doing)
* Multiple components = multiple statements

## Findings Severity Summary

* Must rate findings based off severity
* Use the CVSS V3 score rating chart
* The severity rating is based off of **Likelihood** and **Impact** which can be subjective
* Example: You find a XSS vulnerability in one of their web applications but they had it accessible through a whitelist only. This would make the **Likelihood** of the attack go down along with the severity rating (High or Moderate).

<figure><img src="/files/Y6pHrzW0gnAzZ8HMTUU9" alt=""><figcaption><p>CVSS V3 rating chart</p></figcaption></figure>

## Scope

* Each assessment will be paired with details stating which IP addresses are in scope
* Scope exclusions will be stated, usually **DoS a**nd **Social Engineering**
* **Client allowances** ; did the client assist you in any way?
  * Provide a password or access to an account

## Executive Summary

* This summary is for someone who is a **C Level Executive**
* They probably won't come from a technical background so dumbing down the concepts is important
* Scoping and Time Limitations
  * State what the timeline and scope were
* Testing Summary:
  * This is a quick summary of what attacks were preformed and what they findings were
  * Don't get into too much of the technical details (tools, crazy techniques, etc.)
  * Include what was compromised and what you could see
  * Should only be **High** or **Critical** findings
* Security Strengths
  * Provide summary of what their strengths were (SIEM alerts/prevention, firewall alerts, etc.)
* Security Weaknesses
  * Summary of where their securty holes are (MFA, Weak password policies, Unrestricted logon attempts, etc)
* Vulnerabilities by impact

  * Add a pretty chart with the severity rating scores

  <figure><img src="/files/u2VY2FRf8vselSw3eFRz" alt=""><figcaption><p>Pretty chart example</p></figcaption></figure>

## Technical Findings

* Technical summary for the more technical people (network engineers, security analysts etc.)
* Each finding will be it's own section ranked from most **Critical** to **Least Critical**
  * Includes Description, impact, system(IP), references (NIST doc) and a PoC
  * Have pictures to help explain everything as well
  * Don't have a picture for everything so it's step by step. That can be too much

<figure><img src="/files/dcnQhfGBdnbSM0f9MizT" alt=""><figcaption><p>Findings Example</p></figcaption></figure>

* Next should be a **Remediation** section for that finding
  * Who should fix it?
  * Attack vector (remote, internal etc.)
  * Actions that should be taken to remediate
* Informational Findings
  * This can include credentials from breached dumps
  * Blur out passwords on the report but leave the Users visible

<figure><img src="/files/1hvUon1leOKgthgcKt25" alt=""><figcaption><p>Informational finding example</p></figcaption></figure>

* Additional reports and scans
  * Provide all of the outputs (**Nmap** scans summary, **Nmap** scan by host, **Nessus** scans)
  * Use excel or PDF documents

{% hint style="info" %}
It's important to include scans because if there's a lot of critical/high vulnerabilities and a few medium ones, the report will only have critical and high but there's more things going on in the scans a lot of the times
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://pnpt.adot8.com/report-writing/findings-report.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.