Threat traceability matrix
A threat traceability matrix is an excellent structure for presenting your threat analysis together with the results of your penetration testing. Ideally, the matrix records the following for each threat:
- the threat agent,
- the affected asset,
- the attack surface,
- the attack goal,
- the attack,
- the attack impact, if successful (here, you may use the impact metrics of CVSS),
- references to related work, e.g. to vulnerabilities in similar products, or to descriptions of the kind of vulnerability and/or exploit,
- estimated exploitability (here, you may use the exploitability metrics of CVSS),
- whether you have attempted this attack (if so, refer the reader to the section that reports the test; if not, refer the reader to the place in the report where you justify leaving it out of scope),
- the results of any penetration tests you performed.
The threat traceability matrix should allow the reader of your report to easily find answers to the following questions:
- Have you considered all relevant attacks? Thorough references to related work strengthen the case that you have.
- Have you penetration-tested the most important attacks? Here, a well-justified estimate of how likely each attack is to succeed (your exploitability rating) is what convinces the reader that your focus was correct.
- Did your penetration tests succeed?
Risk matrix
If you like, you can also plot your threats in a risk matrix (likelihood of success against impact), which shows at a glance which threats merit penetration testing.
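As an added example (not part of the original text), the script below builds the traceability matrix described above and the risk matrix from the same data. Each threat carries a CVSS v3.1 base vector; the impact and exploitability subscores are computed with the published CVSS v3.1 formulas, then banded into the rows and columns of a risk matrix. The threat entries, the band cut-offs, the "risk >= 4" threshold and the section references are constructed assumptions for illustration, as are the CWE references. The helper `untested_priorities` lists threats that land in a high cell but have no penetration test recorded, which is exactly the gap a reader will look for.

```python
"""Threat traceability matrix backed by CVSS v3.1 subscores, plus a risk-matrix view.

Added example, not part of the original page. The CVSS v3.1 arithmetic follows the
published specification; the threat entries, band cut-offs and the "test anything
with risk >= 4" rule are constructed assumptions.
"""
from dataclasses import dataclass, field
import math

# CVSS v3.1 base-metric weights, as published by FIRST.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def roundup(x):
    """CVSS v3.1 Roundup (spec section 7.5); integer arithmetic avoids float drift."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0


def cvss_subscores(vector):
    """Return (impact subscore, exploitability subscore, base score) for a v3.1 vector."""
    parts = vector.split("/")
    if parts[0] != "CVSS:3.1":
        raise ValueError("only CVSS:3.1 base vectors are supported")
    m = dict(p.split(":") for p in parts[1:])
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    if m["S"] == "C":
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[m["S"]][m["PR"]] * UI[m["UI"]]
    if impact <= 0:
        return impact, exploitability, 0.0
    total = (1.08 if m["S"] == "C" else 1.0) * (impact + exploitability)
    return impact, exploitability, roundup(min(total, 10))


@dataclass
class Threat:
    """One row of the traceability matrix (the columns listed in the text)."""
    tid: str
    agent: str
    asset: str
    surface: str
    goal: str
    attack: str
    vector: str                 # CVSS v3.1 vector: impact + exploitability metrics
    references: list = field(default_factory=list)
    tested_in: str = ""         # report section with the pentest, "" if not attempted
    delimitation: str = ""      # report section motivating why it was not attempted
    result: str = ""            # outcome of the pentest, if any


# Assumed cut-offs on the CVSS subscores (impact ranges 0..6.42, exploitability 0..3.89).
IMPACT_BANDS = ((4.0, "High"), (2.0, "Medium"), (0.0, "Low"))
LIKELIHOOD_BANDS = ((3.0, "High"), (1.5, "Medium"), (0.0, "Low"))
LEVEL = {"Low": 1, "Medium": 2, "High": 3}
LEVELS = ("Low", "Medium", "High")


def band(value, bands):
    return next((name for cutoff, name in bands if value >= cutoff), bands[-1][1])


def assess(t):
    """Traceability-matrix row: CVSS numbers, risk-matrix cell and test status."""
    impact, expl, base = cvss_subscores(t.vector)
    ib, lb = band(impact, IMPACT_BANDS), band(expl, LIKELIHOOD_BANDS)
    status = f"tested in {t.tested_in}: {t.result}" if t.tested_in else f"not attempted, see {t.delimitation}"
    return {"tid": t.tid, "agent": t.agent, "asset": t.asset, "surface": t.surface, "goal": t.goal,
            "attack": t.attack, "impact": round(impact, 2), "exploitability": round(expl, 2),
            "base": base, "impact_band": ib, "likelihood_band": lb, "risk": LEVEL[ib] * LEVEL[lb],
            "references": t.references, "status": status}


def risk_matrix(threats):
    """Map (impact band, likelihood band) -> ids of the threats in that cell."""
    cells = {}
    for t in threats:
        a = assess(t)
        cells.setdefault((a["impact_band"], a["likelihood_band"]), []).append(t.tid)
    return cells


def render_matrix(threats):
    cells = risk_matrix(threats)
    head = "impact \\ likelihood | " + " | ".join(f"{l:<8}" for l in LEVELS)
    rows = [f"{imp:<19} | " + " | ".join(f"{', '.join(cells.get((imp, lk), [])) or '-':<8}" for lk in LEVELS)
            for imp in reversed(LEVELS)]
    return "\n".join([head] + rows)


def untested_priorities(threats, threshold=4):
    """Threats in a cell at or above `threshold` that have no penetration test recorded."""
    rows = [assess(t) for t in threats if not t.tested_in]
    return [r["tid"] for r in sorted(rows, key=lambda r: -r["risk"]) if r["risk"] >= threshold]


# Constructed sample threats for a fictitious web application with a managed edge device.
THREATS = [
    Threat("T1", "Unauthenticated Internet attacker", "Customer database", "Public admin REST API",
           "Take over the application server", "Command injection in an unauthenticated admin endpoint",
           "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", ["CWE-78"], tested_in="Section 5.1", result="succeeded"),
    Threat("T2", "Authenticated customer", "Other customers' sessions", "Customer portal (browser)",
           "Hijack another customer's session", "Stored cross-site scripting in the support-ticket form",
           "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", ["CWE-79"], delimitation="Section 3.4"),
    Threat("T3", "Unauthenticated Internet attacker", "Internal hostnames", "Public login page",
           "Map internal infrastructure", "Verbose error messages leaking internal hostnames",
           "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", ["CWE-209"], tested_in="Section 5.2", result="failed"),
    Threat("T4", "Attacker with physical access to a device", "Device firmware", "Debug header on the PCB",
           "Recover embedded credentials", "Firmware extraction over an exposed debug interface",
           "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", ["CWE-1191"], delimitation="Section 3.5"),
]

if __name__ == "__main__":
    for t in THREATS:
        a = assess(t)
        print(f"{a['tid']} base={a['base']} impact={a['impact']} exploitability={a['exploitability']} "
              f"cell={a['impact_band']}/{a['likelihood_band']} risk={a['risk']} ({a['status']})")
    print(render_matrix(THREATS))
    print("Pentest these next:", untested_priorities(THREATS))
```

Running the script prints one traceability row per threat, the 3x3 risk matrix with threat ids in the cells, and the untested threats in high cells (here T2, which was delimited in the sample "Section 3.4"). That last list is the one to check against your delimitation arguments before the report goes out: a threat sitting in a high cell with no test and a weak justification is precisely what a reviewer will ask about.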