Procedure

Sample Report

A high-quality report is essential for every penetration test. Comprehensive descriptions at both the technical and the management level give a clear understanding of all vulnerabilities.

Management Summary

Our final report includes a non-technical summary of the project and all identified findings for the management level. All findings are summarized concisely.

Approach, Scope and Tools

Furthermore, our final report includes a detailed description of our testing methodology, the analysed test target, the scope and the tooling used.

Findings and Recommendations

In addition, our final report contains a detailed, technical description of all identified findings. You receive a detailed recommendation for the remediation of every vulnerability. This aids technical personnel, such as administrators or developers.

Standardized Risk Rating

We adhere to recognized standards like the OWASP risk rating procedure for the scoring of identified vulnerabilities. The risk of a vulnerability is based on its likelihood and impact.

OWASP Risk Rating Procedure

The risk rating is assigned following the OWASP risk rating procedure, which is based on two factors: probability and impact. Our risk rating matrix is shown below:

[Figure: risk rating matrix]

These vulnerabilities can be abused by attackers with low technical knowledge using publicly available exploits.

Vulnerabilities that can be exploited manually by an attacker. No publicly known exploits exist.

Vulnerabilities that allow an attacker to access sensitive functions or information. The privileges an attacker can obtain through exploitation of these vulnerabilities are limited.

Vulnerabilities that do not pose an immediate risk, but may serve as a platform for further attacks.

Useful information that might indicate potential errors. These findings do not constitute a security risk, but should be evaluated.

Optionally, we offer a risk rating procedure using CVSS v3. More information can be found in the CVSS specification.