- Before testing begins, there's a lot of preparation work, and after completing the testing (like scanning, exploiting, and moving through the system), several important tasks need to be done to officially finish the project. These tasks may vary depending on the specific engagement, but they are generally necessary to properly close out the project and fulfill contractual obligations.
Cleanup
- Once testing is complete, we should perform any necessary cleanup, such as deleting tools/scripts uploaded to target systems, reverting any (minor) configuration changes we may have made, etc.
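The cleanup step is easy to get wrong when artifacts are only remembered rather than recorded. The following added example (not code from the original notes) keeps a ledger of every file dropped and every setting changed on a client host at the moment it happens, then reconciles that ledger against a post-cleanup inventory so anything left behind is flagged. Hostnames, paths, settings and file contents are constructed sample values.

```python
"""Artifact ledger for the post-engagement cleanup step (added example)."""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from typing import Dict, List, Optional, Set


@dataclass
class Artifact:
    host: str
    path: str                             # file path, or "file:setting" for a config change
    kind: str                             # "file" or "config"
    sha256: Optional[str] = None          # hash of the file as dropped (files only)
    original_value: Optional[str] = None  # pre-test value to restore (config changes only)


@dataclass
class Ledger:
    entries: List[Artifact] = field(default_factory=list)

    def record_file(self, host: str, path: str, content: bytes) -> str:
        """Log a file placed on a host; the hash documents exactly what was later removed."""
        digest = hashlib.sha256(content).hexdigest()
        self.entries.append(Artifact(host, path, "file", sha256=digest))
        return digest

    def record_config(self, host: str, setting: str, original_value: str) -> None:
        """Log a configuration change together with the value that must be restored."""
        self.entries.append(Artifact(host, setting, "config", original_value=original_value))

    def reconcile(self, files_present: Dict[str, Set[str]],
                  config_now: Dict[str, Dict[str, str]]) -> List[Artifact]:
        """Return every ledger entry that is not yet cleaned up.

        files_present: {host: {paths still on disk after cleanup}}
        config_now:    {host: {setting: current value}}
        A config entry counts as cleaned only when the current value equals
        the recorded original; a file entry counts as cleaned when it is absent.
        """
        leftovers = []
        for a in self.entries:
            if a.kind == "file":
                if a.path in files_present.get(a.host, set()):
                    leftovers.append(a)
            else:
                current = config_now.get(a.host, {}).get(a.path)
                if current != a.original_value:
                    leftovers.append(a)
        return leftovers

    def to_json(self) -> str:
        """Serialise the ledger so it can be filed with the engagement evidence."""
        return json.dumps([asdict(a) for a in self.entries], indent=2)


def cleanup_demo() -> List[Artifact]:
    """Constructed scenario: three artifacts logged, cleanup only partly done."""
    ledger = Ledger()
    ledger.record_file("web01.corp.example", "/tmp/enum.sh", b"#!/bin/sh\nid\n")
    ledger.record_file("ws05.corp.example", r"C:\Windows\Temp\portscan.exe", b"MZ...")
    ledger.record_config("web01.corp.example", "sshd_config:PasswordAuthentication", "no")

    # Constructed post-cleanup inventory: the shell script was removed, the
    # Windows binary was not, and the SSH setting was never reverted.
    files_present = {"web01.corp.example": {"/var/log/auth.log"},
                     "ws05.corp.example": {r"C:\Windows\Temp\portscan.exe"}}
    config_now = {"web01.corp.example": {"sshd_config:PasswordAuthentication": "yes"}}
    return ledger.reconcile(files_present, config_now)


if __name__ == "__main__":
    for left in cleanup_demo():
        print(f"STILL PRESENT: {left.host} {left.kind} {left.path}")
```

The ledger is deliberately append-only and records the original value of each changed setting, because "reverting" a change is only verifiable if the pre-test state was captured; the JSON export belongs in the same evidence folder as the scan output.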
Documentation and Reporting
- Make sure all evidence needed to support the report has been collected: command output, screenshots, a listing of affected hosts, and anything else specific to the client environment or to a finding. If the client hosted a VM in their infrastructure for an internal penetration test, also retrieve all scan and log output from it, along with any other data that will be included in the report or as supplementary documentation.
Report Review Meeting
- Depending on the types of findings, the client may bring in additional technical subject matter experts if the finding is related to a system or application they are responsible for.
- The client will have the opportunity to ask questions about anything in the report, ask for clarifications, or point out issues that need to be corrected. Often the client will come with a list of questions about specific findings and will not want to cover every finding in detail (such as low-risk ones).
Deliverable Acceptance
- The Scope of Work should outline how project deliverables, like reports, will be accepted. In penetration tests, the report is first sent to the client as a DRAFT for review and feedback. After the client provides input, we update the report and send it back as FINAL. Some clients may not accept a DRAFT report, so it's important to have a consistent process for all customers.
Post-Remediation Testing
- We will review any documentation provided by the client showing evidence of remediation, or simply a list of remediated findings. We will need to regain access to the target environment and retest each issue to confirm it was appropriately remediated. We will then issue a post-remediation report that clearly shows the state of the environment before and after post-remediation testing.
For example, we may include a table such as:
| # | Finding Severity | Finding Title | Status |
|---|---|---|---|
| 1 | High | SQL Injection | Remediated |
| 2 | High | Broken Authentication | Remediated |
| 3 | High | Unrestricted File Upload | Remediated |
| 4 | High | Inadequate Web and Egress Filtering | Not Remediated |
| 5 | Medium | SMB Signing Not Enabled | Not Remediated |
| 6 | Low | Directory Listing Enabled | Not Remediated |
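A table like the one above is best generated from data rather than typed by hand, so that the draft-report findings and the retest results stay consistent. The following added example (not code from the original notes) joins the two and renders the table, ordered by severity, with a per-severity summary. The six findings are the ones from the table; the seventh finding, the finding ids and the retest outcomes are constructed sample values. A finding with no retest result is reported as "Not Retested" rather than silently assumed fixed.

```python
"""Post-remediation status table built from draft findings plus retest results (added example)."""
from typing import Dict, List, Tuple

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}
VALID_STATUSES = {"Remediated", "Partially Remediated", "Not Remediated"}

Row = Tuple[str, str, str, str]  # (finding id, severity, title, status)


def build_status_rows(original: List[dict], retest: Dict[str, str]) -> List[Row]:
    """Join the draft-report findings with retest outcomes, highest severity first.

    Anything missing from the retest results is marked "Not Retested" so the
    gap is visible in the report; an unknown status string is an error.
    """
    rows = []
    for f in sorted(original, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["id"])):
        status = retest.get(f["id"], "Not Retested")
        if status != "Not Retested" and status not in VALID_STATUSES:
            raise ValueError(f"unknown retest status {status!r} for {f['id']}")
        rows.append((f["id"], f["severity"], f["title"], status))
    return rows


def summarize(rows: List[Row]) -> Dict[str, Dict[str, int]]:
    """Count statuses per severity, e.g. {'High': {'Remediated': 3, 'Not Remediated': 1}}."""
    summary: Dict[str, Dict[str, int]] = {}
    for _, severity, _, status in rows:
        summary.setdefault(severity, {})
        summary[severity][status] = summary[severity].get(status, 0) + 1
    return summary


def render_markdown(rows: List[Row]) -> str:
    """Render the rows in the same layout as the report table."""
    lines = ["| # | Finding Severity | Finding Title | Status |", "|---|---|---|---|"]
    for n, (_, severity, title, status) in enumerate(rows, 1):
        lines.append(f"| {n} | {severity} | {title} | {status} |")
    return "\n".join(lines)


# Findings as they appeared in the draft report (ids and the seventh entry are constructed).
ORIGINAL_FINDINGS = [
    {"id": "F-001", "severity": "High", "title": "SQL Injection"},
    {"id": "F-002", "severity": "High", "title": "Broken Authentication"},
    {"id": "F-003", "severity": "High", "title": "Unrestricted File Upload"},
    {"id": "F-004", "severity": "High", "title": "Inadequate Web and Egress Filtering"},
    {"id": "F-005", "severity": "Medium", "title": "SMB Signing Not Enabled"},
    {"id": "F-006", "severity": "Low", "title": "Directory Listing Enabled"},
    {"id": "F-007", "severity": "Low", "title": "Verbose Server Version Headers"},
]

# Constructed retest outcomes; F-007 had no evidence and was not retested.
RETEST_RESULTS = {
    "F-001": "Remediated", "F-002": "Remediated", "F-003": "Remediated",
    "F-004": "Not Remediated", "F-005": "Not Remediated", "F-006": "Not Remediated",
}

if __name__ == "__main__":
    status_rows = build_status_rows(ORIGINAL_FINDINGS, RETEST_RESULTS)
    print(render_markdown(status_rows))
    print(summarize(status_rows))
```

Keeping the finding id separate from the table's row number matters: the "#" column is just report position, while the id is what ties a row back to the original finding and its evidence across the draft, final and post-remediation reports.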