Reporting Levels

The following are a few reporting options we provide:

1. STANDARD REPORT
   • Scenario: The consumers of the report will range from Auditors, IT staff, developers, technical managers, C-level, etc.
   • Summary: Our default, premium report that has been highly customized, polished, and QA’d
   • Example report: https://penconsultants.com/report
   • Cost: This level of reporting represents 15% - 50% of the testing time/cost (Avg: 25-30%). Smaller-scoped engagements with a large number of findings use a higher percentage, while larger-scoped engagements with fewer findings use a smaller percentage. Example: A $10,000 engagement would include ~$3,000 in reporting costs.
2. RAW REPORT + EXECUTIVE/OVERVIEW
   • Scenario: The consumers of the report would generally be the same as the Standard Reporting option (option #1), at the loss of a less polished write-up of the findings.
   • Summary:
     • The Executive/Overview report would be similar to the Standard Reporting option (option #1), up to and including the section "Summary of Recommendations". This document would NOT have the list of individual findings and recommendations.
     • A second report, known as a Raw Report, would include the individual findings and recommendations that have been lightly customized to your environment, but much of the QA process on our end is cut out, making this closer aligned to a rough draft. There is minimal effort put into customizing our boilerplate content, so, in some cases, due to time constraints, the reporting may require the client to track down certain details. 
   • Example report: See Summary description above
   • Cost: This level of reporting represents 10-25% of the testing time/cost.
3. RAW REPORT
   • Scenario: The consumers of the report would primarily be limited to IT staff/developers. It is NOT written with C-level/executives or Auditors in mind. However, it is possible this report, along with a single-page attestation letter, could satisfy most audit requirements.
   • Summary: This would be the "Raw Report" only from Option #2 (above)
   • Example report: See Summary description above
   • Cost: This level of reporting represents 5-15% of the testing time/cost.
4. RAW FINDINGS
   • Scenario: The consumers of the report will primarily be IT staff/developers with a deep understanding of system and network administration, information and cybersecurity, web development (if applicable), common vulnerabilities, attacks, and risks, etc.
   • Summary: This is included with most testing, and would not be a report at all, but rather, the testers' raw notes from each test that were taken during the engagement. These could range from just a few brief statements and screenshots, to a copy/paste of some of our raw boilerplate content. There will likely be no recommendations, nothing has been QA’d, it is far less formal, and assumes a highly technical reader that understands the risks for most vulnerabilities and what needs to be done to mitigate those risks.
   • Example findings and notes: https://penconsultants.com/informed
   • Cost: $0 - Included with most vulnerability assessments and penetration tests
5. CUSTOM
   • Alternatively, we could provide:
     • Something midway between two of these options
     • One of the less formal levels of reporting, send it to you for review, and then increase the reporting level as desired
     • Another format altogether