CompTIA PenTest+

Reporting & Communication

28 free practice questions with explanations

PassNova has 28 free CompTIA PenTest+ practice questions on Reporting & Communication, each with a clear explanation. Practise them in the browser with instant feedback — 100% free, no sign-up, on any device. Updated for 2026.

Sample questions

Reporting & Communication: example questions & answers

Here are 6 example questions from this topic. Practise the full set of 28 free in the browser.

  1. When prioritising findings in a penetration test report, which scoring system is most commonly used to communicate a standardised severity rating to the client?

    • A CPU benchmark score
    • B CVSS (Common Vulnerability Scoring System)
    • C CRC checksum
    • D MD5 hash value

    Answer: CVSS provides a standardised numeric severity score for vulnerabilities, giving clients a consistent way to understand and prioritise the risk of each reported finding.

  2. During an engagement a tester discovers an actively exploited critical vulnerability that places the client at immediate risk. According to good practice, what should the tester do?

    • A. Post the finding on social media for visibility
    • B. Delay disclosure until the final report is delivered
    • C. Immediately notify the client's designated contact out-of-band before continuing
    • D. Keep it secret to avoid alarming the client

    Answer: Critical findings, signs of a prior breach, or imminent risk require immediate out-of-band communication to the client's point of contact rather than holding the information until the formal report, so they can act quickly.

  3. Which section of a penetration test report is written for non-technical leadership and summarises overall risk and business impact in plain language?

    • A. The list of CVE identifiers
    • B. The packet capture logs
    • C. The raw Nmap output appendix
    • D. The executive summary

    Answer: The executive summary distils the engagement's key risks, overall posture, and business impact into concise, non-technical language aimed at senior leadership and decision makers.

  4. For each finding in a penetration test report, what is the MOST useful element to include so the client can fix the underlying issue?

    • A. A specific, actionable remediation recommendation
    • B. The tester's favourite operating system
    • C. The price of the assessment
    • D. A list of unrelated industry news

    Answer: Effective reports pair each finding with clear, actionable remediation guidance so the client knows exactly what steps to take to resolve the issue and reduce risk.

  5. After delivering the final report and confirming remediation, what should the tester do with sensitive engagement data such as captured credentials and findings?

    • A. Publish it in a public repository
    • B. Securely destroy or archive it per the agreed data-handling terms
    • C. Keep copies indefinitely on a personal laptop
    • D. Email it to the whole company unencrypted

    Answer: Post-engagement cleanup requires securely destroying or archiving sensitive data according to the contract, because retaining client credentials and findings carelessly creates serious confidentiality risk.

  6. A penetration tester is presenting findings to a mixed audience of executives and system administrators. What is the BEST communication approach?

    • A. Tailor the depth and language to each audience, business-level for executives and technical detail for administrators
    • B. Refuse to answer any questions
    • C. Read the raw scanner output aloud line by line
    • D. Use only deep technical jargon throughout

    Answer: Good reporting and communication adapts to the audience: executives need business risk framed plainly, while technical staff need the detail required to reproduce and remediate findings.
