The Penetration Test Report: Showcase or Garbage? An Homage to the Discus Thrower

Growing up, I played football and it was all that mattered to me. I thought I could never enjoy another sport as much as I did the game of football. A friend on my football team in high school invited me out to join the track team to compete in the shot put, but I eventually fell in love with the discus throw. I loved the way the discus flew through the air. I loved the way it felt when everything seemed to connect perfectly sending a tight stretch through my core and sending all of that energy through the discus like a perfectly calibrated trebuchet. The perfect throw yields a feeling you hope to experience again and again.

I spent thousands upon thousands of hours practicing the discus throw, as well as the shot put and hammer throw. For all of the hours that are put in, there is really only a handful of chances to showcase your skills. In a given practice, I would often throw for hours straight, sometimes eclipsing 100 throws in a session. In a track meet, you get, at most, six attempts. If I were to take 300 throws in a week, including six in a meet, I would find only 2% of those throws actually mattered. Everything had to align in order to get my best throw, out of 300, to happen in one of those six attempts. Sometimes I would hit a great throw in a meet, sometimes I wouldn’t.

It wasn’t until I got to college where I learned how important it was to be consistent and systematic in my approach and to trust my routines. My coach, Dan Haakenson, taught me to be mindful in practice of each throw I take. He said that throwers generally have their best throw of the day around the same attempt, so I began to mark each throw with a flag and count each throw as I went through my series of throws for the day. Slowly, I began to identify a pattern and I found my best throw to usually fall somewhere between my 8th and my 10th throw of the day. Why would this be important to know? It was the difference between having a “showcase” performance or a “garbage” performance come meet day.

Here is how a meet works. Throwers are organized in groups called “flights” and each group of usually eight throwers would warm up taking practice throws together before they took their three attempts in the prelims with hopes of getting three more attempts in finals. Every thrower has a different approach to warm-ups, some calculated and routine-like, others without much of a care. To a calculated thrower like myself, it was always entertaining watching my competitors toss their warm-up throws. I generally kept the same routine once I learned how to be calculated: two standing throws, two half-turns, and three full attempts. Why? My best throws generally happened between throws eight and ten, so I would always take seven warm-up throws, knowing that I would generally have my best throw of the day in my next three attempts.

Clockwork.

Not every thrower was taught the importance of consistency and having a system on meet day. Most throwers that I observed threw warm-up throws until, finally, they hit “a good one” or, even more painful to see, several “good ones”. I call this phenomenon “Winning the Warm-ups”. To the throwers who win warm-ups, it is important to see themselves have a good throw to feel confident they will throw well during competition. This seems reasonable, as throwing well in warm-ups can be an indication of good throws to come during competition, but more often than not, the throwers that have to see to believe have their best throws take place before the competition even begins.

It was hard to watch, as I always liked to see people at their best and set personal records. I loved the competitions, and often someone having a good throw would get my juices flowing and would get me throwing farther as well. Track and field is a unique sport in that a competitor could have a huge personal record, but it has no impact on my ability to live up to my own potential. Maybe I wouldn’t win a meet if someone had the day of their life, but I couldn’t control that. What I could control was myself and my approach. I knew that if I could develop a routine and system that made my performance predictable, and followed through with it, then I would have a great chance of having a showcase performance versus a garbage performance.

Time to tie this into a penetration test, specifically the reporting aspect of a pen test.

A penetration test report is the way that the findings (vulnerabilities, exploits, risk classifications, etc.) are communicated to the end user of the report, in our case, a client. Our customers hire us to test their applications and networks to help them identify security weaknesses and exploit those vulnerable areas to see what sort of sensitive information we can access or privileges we can gain. This is supposed to simulate the efforts of a malicious party trying to steal valuable information for a profit or to damage the client.

There are many approaches, techniques, and tools used in a penetration test, and each tester has a varying approach, much like each discus thrower has a different approach to their routines and form. Some throwers are what we call “country strong” and lack athleticism, but can muscle the discus out a ways. Other throwers can be unassuming physically, but their quickness, flexibility, and explosiveness yield equally impressive throws. Different approaches, similar results. Both can fall victim to “Winning Warm-ups” and deliver a lackluster performance. A well-trained penetration tester can approach an engagement from a few perspectives, but if they lack the discipline or systems to effectively communicate findings, the value of the test is lost and the client receives a garbage report.

The report is the ultimate judgement on the test. Many testers love digging around in networks and applications, but hate note-taking and reporting. If the reporting is delayed or pushed off, it is likely that the full findings of the test will not be communicated to the client, leaving the client less than satisfied. The tester might feel like their performance was great, much like a thrower might point to that bomb they dropped in warm-ups after a bad day in the ring, but when it comes time for the test, the results are ultimately what matter.

We have developed a system for our testers to use that gives our clients consistent, clear, and actionable reports. The key in our reporting process is a tool that we developed called Test Manager. Test Manager allows our penetration testers to report findings with ease, collaborate during engagements, and cross-train other testers with vulnerability data and test findings readily available. It also gives more visibility to our clients with the ability to see what tests are being performed, view progress of testing, and easily generate reports as critical issues are found.

Through Test Manager, our reporting process allows for our testers to have the best chance to showcase their findings with consistency and clarity. I can remember one of our managers telling me he was unsure about using Test Manager at first when he came on board, but found it difficult to perform engagements without it after a while. We use it internally and it is a differentiator for us when we perform our tests.

If you want penetration testing that consistently delivers clear, useful reports paired with the skill of our security team, then just contact us to learn more.