Skip to content

Module 17 — Reporting & Remediation

Type 14 · Adversarial Review — let AI draft the pentest report, then verify every finding, number, and CVE you can't reproduce before you sign it; deliver a report modeled on real public ones. (Secondary: Judgment-as-Code/Gate — a structural validator checks the 11 sections and reference URLs.) Go to the hands-on lab →

Last reviewed: 2026-06

Offensive Securitythe report is the product; a shell nobody can act on is worthless.

Difficulty: Intermediate  ·  Estimated time: ~5–7 hrs (study + lab)  ·  Prerequisites: Foundations

In 60 seconds

The uncomfortable truth that separates a professional from a tool-runner: nobody buys shells — they buy the report. A brilliant exploit that produces a finding the defender can't understand, reproduce, or act on is worth nothing. The same engagement is told twice: the executive summary answers "how exposed are we, in business terms?" and the technical findings answer "exactly what, where, proven how, fixed how?" This is the single most career-defining offensive skill — and the place AI is both most useful and most dangerous.

Why this matters

Clients and defenders don't buy shells — they buy a clear, prioritised, reproducible account of what's wrong and how to fix it. Reporting is the single most career-defining offensive skill: it separates a "tool runner" from a professional, and it's the deliverable that gets you hired and re-hired. This module turns everything you found across the track into a report a defender can act on.

Objective

Write a professional penetration-test report — executive summary, technical findings with risk ratings and evidence, and prioritised remediation — modeled on real public reports.

The core idea

The uncomfortable truth that separates a professional from a tool-runner: nobody buys shells — they buy the report. A client or a defender pays for a clear, prioritised, reproducible account of what's wrong and how to fix it. A brilliant exploit that produces a finding the defender can't understand, reproduce, or act on is worth nothing. This is the single most career-defining offensive skill and the deliverable that gets you re-hired — which is why the track ends here, turning everything you found into something actionable.

The mental model

The report is audience-driven: the same engagement is told twice. The executive summary answers "how exposed are we, in business terms, and what do we do Monday?" — no jargon, just risk and money. The technical findings answer "exactly what, where, proven how, fixed how?" — each with a clear title, evidence, reproduction steps, impact, and a risk rating that blends CVSS with business context (the KEV/EPSS prioritisation from module 03, applied to this client's reality).

The gotcha

A finding you can't reproduce is not a finding. A brilliant exploit that produces something the defender can't understand, reproduce, or act on is worth nothing — reproducibility and clarity, not cleverness, are what the client actually pays for.

AI caveat

Reporting is where AI shines and is most dangerous. A model drafts clean report prose from your notes in seconds, but it will smooth over a finding you can't actually reproduce or invent an impact that merely sounds right. AI authors the prose; you verify every finding, number, and CVE. You sign it; you own it — your name is on a document the client makes real decisions from.

Learn (~4 hrs)

The standard & real examples - PTES — Reporting — the structure a professional report follows. - Public Pentesting Reports (curated collection) — read two or three real reports from reputable firms to model tone, structure, and risk framing.

Tooling - Ghostwriter (GhostManager) — open-source reporting / engagement management; optional, but see how teams operationalise it.

Key concepts

  • Audience: executive summary vs technical detail
  • Findings: clear title, evidence, reproduction, impact, risk rating (CVSS + business context)
  • Prioritisation by real risk (callback to KEV/EPSS, module 03)
  • Actionable remediation a defender can actually implement
  • Reproducibility — a finding that can't be reproduced isn't one

AI acceleration

This is where AI shines and where it's most dangerous: a model drafts clean report prose from your notes in seconds — but it will also smooth over a finding you can't reproduce or invent an impact. AI authors the prose; you verify every finding, number, and CVE. You sign it; you own it.

Check yourself

  • Why is the report — not the shell — the actual product of an engagement?
  • How does the story you tell in the executive summary differ from the technical findings, and who reads each?
  • Why isn't a finding you can't reproduce a finding, and where is AI most likely to betray you here?

Comments

Sign in with GitHub to comment. Choose the type: Feedback (errors or suggestions on this page) · Hints (help for fellow learners — no spoilers) · General (anything else).