During a penetration testing engagement, a tester discovered a series of vulnerabilities that were documented with extensive logs, raw output from security tools, and configuration files. Which of the following types of information should most appropriately be included in the appendix of the final report?
Raw output from security tools and extensive logs
Risk prioritization based on the findings
Personal data of the penetration testers involved
Contact information for the penetration testing team
The appendix of a report is the appropriate place for ancillary information such as raw output from security tools and extensive logs. This data supports the findings in the main report but is too detailed and technical to include within the body. The appendix lets technical stakeholders review the raw data if needed. Risk prioritization is part of the main findings and should be included in the main body of the report, not in the appendix. Contact information for the penetration testing team should be present in the initial sections of the report or within a defined communications section, not the appendix. Personal data of the penetration testers is not relevant to the report and could raise privacy concerns.