
Reporting Levels

One of the deliverables for the majority of PEN Consultants’ services is a customized Findings and Recommendations Report, in addition to a variety of raw tool outputs, vulnerability scan reports, etc., for nearly every service. However, we understand that in some cases our default, full, premium-level reporting may not be needed; a lighter level allows us to focus more time on actual testing, or perhaps even reduce engagement time (and costs) overall.

The following are a few reporting options we provide:

    • Option #1 (Standard Reporting)
      • Scenario: The consumers of the report will range from Auditors, IT staff, technical managers, C-level, etc.
      • Summary: Our default, premium report that has been highly customized, polished, and QA’d
      • Example report:
      • Cost: This level of reporting represents 15% - 50% of the testing time/cost (Avg: 25-30%). Smaller-scoped engagements with a large number of findings use a higher percentage, while larger-scoped engagements with fewer findings use a smaller percentage. Example: A $10,000 engagement would include ~$3,000 in reporting costs.
    • Option #2
      • Scenario: The consumers of the report would generally be the same as for the Standard Reporting option (option #1), at the cost of a less polished write-up of the findings.
      • Summary:
        • The Executive/Overview report would be similar to the Standard Reporting option (option #1), up to and including the section "Summary of Recommendations". This document would NOT have the list of individual findings and recommendations.
        • A second report, known as a Raw Report, would include the individual findings and recommendations, lightly customized to your environment, but with much of the QA process on our end cut out, making it more closely aligned with a rough draft. There is minimal effort put into customizing our boilerplate content, so, in some cases, due to time constraints, the reporting may require the client to track down certain details.
      • Example report: See Summary description above
      • Cost: This level of reporting represents 10-25% of the testing time/cost.
    • Option #3
      • Scenario: The consumers of the report would primarily be limited to IT staff. It is NOT written with C-level/executives or Auditors in mind. However, it is possible this report, along with a single-page attestation letter, could satisfy most audit requirements.
      • Summary: This would be only the "Raw Report" from Option #2 (above).
      • Example report: See Summary description above
      • Cost: This level of reporting represents 5-15% of the testing time/cost.
    • Option #4
      • Scenario: The consumers of the report will primarily be IT staff with a deep understanding of system and network administration, information and cybersecurity, web development (if applicable), common vulnerabilities, attacks, and risks, etc.
      • Summary: This is included with most testing and would not be a report at all, but rather the testers' raw notes taken during each test of the engagement. These could range from just a few brief statements and screenshots to a copy/paste of some of our raw boilerplate content. There will likely be no recommendations, nothing has been QA’d, it is far less formal, and it assumes a highly technical reader who understands the risks for most vulnerabilities and what needs to be done to mitigate those risks.
      • Example findings and notes:
      • Cost: $0 - Included with most vulnerability assessments and penetration tests
    • Alternatively, we could provide:
      • Something midway between two of these options
      • One of the less formal levels of reporting, sent to you for review, with the reporting level then increased as desired
      • Another format altogether