IoT pentest process - Reporting

3. Reporting

When the penetration testing is completed, the results are gathered in a report. The report should use a standardized structure in order to facilitate comprehension, analysis and comparison with other pentest projects. The hacking thesis guidelines describes how the thesis report should be structured. Please remember to document all tests, not just the successful ones. If no test is successful, it is still possible to write a valuable report (stating we could not find a weakness in the product). The ideal outcome is that each test (successful and unsuccessful) can be expressed as an attack graph with explanatory metrics such as TTC (Time To Compromise). In addition to this, if a previously unknown vulnerability is identified and exploited additional steps should be taken for responsible disclosure.