PENTEST REPORT WRITING & VULN CHAINING
EXPERT PENTESTING — PROFESSIONAL METHODOLOGY LAB
FINDINGS · CHAINING · CVSS · RISK MATRIX · REPORT

OBJECTIVES

Review all raw findings from the engagement
Identify the critical severity finding
Build the correct vulnerability chain
Calculate CVSS scores for 2 findings
Write the executive summary
Document findings with remediation steps
Complete the risk matrix
Submit the final report
PHASE 1 — FINDINGS REVIEW
MISSION BRIEF
CLIENT: NovaTech Inc — External Network Assessment

SCENARIO

You have completed a two-week external network penetration test against NovaTech Inc. Your raw notes and tool output are loaded. Now do the work that actually matters: analyse the findings, identify how they chain together, calculate risk scores, and write a professional report the client can act on.

ENGAGEMENT DETAILS

Item        Detail
Client      NovaTech Inc
Scope       External network, 45.77.12.0/28
Dates       2026-04-21 to 2026-05-02
Type        Black box external assessment
Tester      You (lead assessor)
Findings    9 total (review all before chaining)

WORKFLOW

  • Raw Findings — read all 9 findings carefully
  • Vuln Chain — identify which findings chain into a critical attack path, in the correct order
  • CVSS Calc — calculate risk scores for your two most critical findings
  • Risk Matrix — plot all findings by likelihood × impact
  • Write Report — executive summary, detailed findings, remediation

WHAT MAKES A GOOD PENTEST REPORT

  • Executive summary written for non-technical business stakeholders
  • Every finding has: description, evidence, impact, remediation
  • CVSS scores justify the severity rating
  • Remediation is specific and actionable — not "apply patches"
  • Chained findings are documented as a single attack narrative
RAW FINDINGS — NovaTech Inc External Assessment
VULNERABILITY CHAIN BUILDER
ATTACK PATH — DRAG FINDINGS INTO ORDER
Add findings from the Raw Findings panel in the order an attacker would exploit them — from initial access through to the maximum impact.
CVSS v3.1 CALCULATOR
BASE SCORE METRICS
RISK MATRIX — Likelihood × Impact
REFERENCE — PENTEST REPORTING
EXECUTIVE SUMMARY STRUCTURE
Written for a CTO or board — no technical jargon. Cover: what was tested, the single most important finding, the overall risk posture, and the top 3 recommended actions. Should be readable in 2 minutes.
FINDING STRUCTURE (per finding)
Title: Short, plain-English name
Severity: Critical/High/Medium/Low
CVSS Score: e.g. 9.8 (Critical)
Description: What the vulnerability is
Evidence: What you observed/captured
Impact: Business impact if exploited
Remediation: Specific actionable fix
CVSS v3.1 BASE METRICS
AV — Attack Vector: Network(N) Adjacent(A) Local(L) Physical(P)
AC — Attack Complexity: Low(L) High(H)
PR — Privileges Required: None(N) Low(L) High(H)
UI — User Interaction: None(N) Required(R)
S — Scope: Unchanged(U) Changed(C)
C/I/A — Confidentiality/Integrity/Availability impact: None(N) Low(L) High(H)
VULNERABILITY CHAINING
A chain is when exploiting one finding enables or amplifies the exploitation of another. The combined chain often has higher impact than any individual finding. Always ask: "what does this access enable next?"

Classic chain: Recon → Initial Access → Privilege Escalation → Lateral Movement → Impact
REMEDIATION QUALITY
Bad: "Apply security patches"
Good: "Apply Apache 2.4.57 or later, available at apache.org/downloads — patch within 30 days per your patching SLA"

Bad: "Improve password policy"
Good: "Enforce minimum 14-character passwords with complexity requirements in Group Policy (Computer Configuration → Windows Settings → Security Settings → Account Policies)"
PENETRATION TEST REPORT — NovaTech Inc
Executive Summary
Finding 1 (Critical)
Finding 2 (High)
Remediation Plan
Score & Submit
Based on the highest-severity finding and overall attack chain.
CRITICAL FINDING — Unauthenticated Remote Code Execution
Use the CVSS Calculator tool
HIGH FINDING — Weak Credential Policy / Password Reuse
Good: "Upgrade Apache to 2.4.57+ within 7 days. Disable the vulnerable module X in httpd.conf."
Bad: "Patch the server."
REPORT SCORE
Complete all sections of the report, then submit.
Scoring is based on: completeness of each section, quality indicators (specificity of remediation, chain narrative logic, appropriate technical depth), and correct identification of the attack chain order.

A score of 70+ passes. 85+ is professional quality. 95+ is client-ready.