DURATION: 18 hours

CPE POINTS: On completion you get a certificate granting you 18 CPE points. 

Course available on demand

Penetration Testing deliverables include a final report showing services provided, methodology, findings, and recommendations to remediate or correct issues discovered during the test. This course will show you how to use tools in Kali to help with reporting and to learn about methodologies. A penetration testing methodology is required to conduct the pen test in a consistent and standardized way for repeatable results.

One of the main questions a client will ask a pentester is what methodology is used for testing their assets. It is important to learn this to help clients understand how testing is conducted and to provide them with a deliverable that supports the findings. It is important to understand the basics of reporting prior to starting a pentest because findings need to be conveyed to a client in a way they can understand and then correct the issues.

By the end of the course, you will have materials that can be used on pen testing engagements. This includes a report template, reading materials for reference, and an understanding of various methodologies and ways to fit a methodology to a client’s requirement for a pentest.

Why this course? 

This course will guide you step by step to ensure you not only understand the process of writing a report, but also the structure and methodology that is behind it. In easy to follow, structured modules, you will see what goes into creating an excellent report, starting when you first engage your client and ending when you hand in the effects of your hard work. The workshop will show you how to seamlessly integrate automated reporting tools as well, so that you are able to streamline your work without compromising the quality of your report. During this course you will be able to practice all those skills and apply them confidently in your pentesting engagements. 

Who is this course for? 

  • Penetration testers and security teams who want to ensure their reports are delivered according to the best practices in the field
  • Beginners in the field who want to make sure they have this crucial skill down to a science right away on their first assignments
  • Experienced penetration testers looking to level up their report writing skills or fill in the gaps in their knowledge
  • Red Team managers and leaders searching for reporting frameworks to implement in their day-to-day activities
  • Pentesting company owners, CEOs, and client-facing executives who want to be able to  communicate effectively with their clients while understanding the technical background  gbhind a penetration test report

Why now? 

Because it's a crucial skill to any penetration tester at any point of their career. Whether you want to learn how to build a report from the ground up, or you're looking to step up your game and improve your existing reports, now is the best time - why wait? 

Course benefits:

What skills will you gain?

  • You will be able to deliver a professional penetration test report.
  • Learn to use reporting tools, such as Faraday and Dradis, for issues discovered during testing.
  • After taking the course, you will be able to communicate about how you test a client’s assets, will know what deliverables are expected between the client and tester, and will be able to describe the testing methodology and what is included in a final report.

What will you learn about?

  • You will understand what documents need to be exchanged between clients and testers., such as NDAs. 
  • Distinguishing between vulnerability assessment, compliance reporting and pentest reporting.
  • Learn a reporting format, use a reporting template, and understand how to choose the best pentest methodology for the client.

What tools will you use?

OWASP ZAP, Burp, Kali Linux, Dradis, Magic Tree, and Nmap.

Course general information: 

Course format: 

  • Self-paced
  • Pre-recorded
  • Accessible even after you finish the course
  • No preset deadlines
  • Materials are video, labs, and text
  • All videos captioned

What will you need?

Laptop or desktop. For the operating system, use Kali Linux as a virtual machine, or installed on the HDD, SD card, or USB flash drive. It’s preferred to use a recent Kali Linux distro (2018.4). We will use free tools included in the Kali Linux distribution. We will need MS Word or another free documentation tool, such as LibreOffice or OpenOffice to make a report.

What should you know before you join?

  • You should already know how to install and configure Kali.
  • Have familiarity with setup and configuration of Burp and Zap and have a basic understanding of penetration testing.
  • Define the different report types (vulnerability, compliance and pentesting reporting) and explain best practices in reporting. Define methodologies. APA guidelines and format for reporting.

These materials will help put your expertise in a written format so that people without the same knowledge can understand what you are trying to communicate. The goal is to use effective communication to help organizations grow and to keep them safe from unwanted intrusions.

Get the intro:

In Module 0 for the course you can build the solid foundation needed to really master report writing. During the lecture you will learn: 

  • What kind of tasks or contracts you can encounter while working in security that will require a formal report? 
  • What methodologies are there when it comes to reporting? How to choose the best one? 
  • What's the difference between standards, best practices, and methodologies? 
  • How should you structure your report writing process?
  • How to best format your report? 
  • What parts should your report contain? 
  • What are the most common mistakes when writing a report? 

Remember, that's just the introduction, more awaits in the course! 

Your instructor: Chrissa Constantine

Chrissa is a web application pentester and has a Master of Science in Information Security, CISSP and CE|H certifications. She held positions as a consultant at Apple and for a Silicon Valley start-up as a penetration tester. Chrissa enjoys hacking competitions, meeting new people, and learning new things.






Course Syllabus

Module 1: Methodologies and Best Practices

This module defines a methodology and introduces the foundation of reporting including best practices. A primary question asked by a client is what methodology will be used during the pentest.

Methodologies define rules and practices that the tester implements during the course of the test. The methodology is a roadmap that helps the tester assess the security posture of the web application.

After this module, you'll be able to:

  • Customize a methodology from one of the industry-accepted standards.
  • Overview of OWASP Testing Guide, PCI Pentest Guide, Penetration Testing Execution Standard and NIST 800-115.
  • Introduction to the typical documents exchanged between clients and testers

Module 1 Exercises:

  • You will pick a methodology based upon the testing scenario
    • Evaluate relevant standards
    • Pick a methodology
    • Create the report outline
  • The initial module provides information about the various standards and helps a student pick a methodology to use in testing.
  • The paper will be checked for complete sections of the outline, grammar, and spelling, along with use of a methodology discussed in class.

Workload: 4 hours 30 minutes

Module 2: Introduction of tools

This module introduces the tools used to create reports. Learn about Dradis, Faraday and other reporting tools that are part of Kali. Start the process of adding the other tool results (Burp, Nmap, etc.) to the report. Have a methodology in place to help with writing.

After this module, you'll be able to:

  • Use and configuration of tools for generating a report.
  • Integrate the methodology into a suitable report format.
  • Use of a template for report format in either Word or a free reporting tool.

Module 2 exercises:

  • Scan a host from a vulnerable app
    • Requires configuration of tools, and launching a scan
  • Scan data is used to populate vulnerabilities in the report
  • The next phase of the outline will be provided for review
  • The report will be checked to ensure it conforms with the methodology and contains test data in the form of vulnerabilities
  • Grammar, spelling and formatting will be checked to ensure they are consistent across the report

Workload: 4 hours 30 minutes

Module 3: Pentesting vs. Vulnerability Scanning

Learn how to break down testing into phases to aid in documentation.

After this module, you'll be able to:

  • Understand the differences between pentesting and vulnerability scanning.
  • Document and verify results
  • Differentiate between pentesting and vulnerability scanning.
  • Learn results verification. Learn how to document findings.

Module 3 exercises:

  • You will document additional findings and write up a conclusion
  • Findings will be checked to ensure they are accurate (verification)
  • Short quiz to test validation skills

Workload: 4 hours 30 minutes

Module 4: Report Types and Final Reporting

This module will go over how to combine tool results into a systematic and structured report.

We will learn about Executive, Managerial and Technical Reporting. The final report will be compiled and generated by the end of this module.

After this module, you'll be skilled in:

  • Executive Reporting
  • Managerial Reporting
  • Technical Reporting
  • Final Report
  • Risk Matrix, Vulnerability and Exploit Mapping, Testing Methodology and how to use them in reporting

Module 4 exercises:

  • You will have the opportunity to provide the final report based up earlier modules.
  • The executive, managerial and technical reporting aspects will be rolled up into the front matter of the final report. This will give you an opportunity to understand the various styles of writing used for various client needs.

Workload: 4 hours 30 minutes

Final Exam:

  • Thirty question exam on the theoretical aspects of report writing for penetration testing


If you have any questions, please contact our eLearning Manager at [email protected].

Course Reviews


1 ratings
  • 5 stars1
  • 4 stars0
  • 3 stars0
  • 2 stars0
  • 1 stars0
  1. Report Writing Takes More Training Then You Think


    I have been interested in the topic of security for quite a few years now. I started off interested solely on wireless and then moved onto forensics. However one day I came across the topic of Bug Bounty’s and again was immediately hooked. I have always considered myself a web guy since I love all things internet but this was new for me. I spent all my time learning to look for bugs and never realized that a proper report should be written when something is found. When I saw this course offered it seemed like something I needed to take over just wanting to take.

    One I began the course I was shocked to see just how much goes into writing a report correctly. Chrissa explains all the information very well, some of the modules are long but are well worth the time. She walks you through the entire report writing process starting with pre-engagement, covers a myriad of tools that you have at your disposal and also includes templates for you to reference. Risk, responsibility and liability? Ha! Who even knew there was such a thing?

    I am glad I took the time to take this course, after going through this I feel that I was not properly prepared as a pen tester or even a bounty hunter prior. If you want to take this seriously than you need to be more professional than your competition. To do that you need to deliver something stellar at the end of your work, Chrissa teaches you just how to do that.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023
What certifications or qualifications do you hold?
Max. file size: 150 MB.
What level of experience should the ideal candidate have?
What certifications or qualifications are preferred?

Download Free eBook

Step 1 of 4


We’re committed to your privacy. Hakin9 uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.