Reporting for Pentesters
June 7 @ 12:00 pm – 4:00 pm EDT
Instructor: BB King
Course Length: 4 Hours
This class is a distillation of what I’ve learned in my pentesting career about how to create a report that is both easy to read and hard to misunderstand. I will help you develop habits and support materials that simplify the work of reporting so you can get better results with less effort.
Ask anyone who signs the checks which is worth more: a clear and actionable report from a tester with average technical skills, detailing how vulnerabilities were found and exploited, showing the impact of those exploits, and making concrete recommendations for improvement? Or a hastily-assembled list of compromised systems, thrown together by an elite hacker in the last hour of the contract after running a rampage through your networks?
If you want to set yourself apart, work on your reporting skills. The hacks are ephemeral. The report lives forever. The hacks are fun – and they require your constant effort to keep current. The reporting is what makes this all a viable career – and once you know how to produce a good one, you can apply that skill endlessly as the computing world changes around you.
This course helps you know what makes a good report good. It discusses the reporting mindset, and the foundational principles that always lead to a report you can be proud of, regardless of the tools you use for the test or for writing the report. We will look at some real reports as examples, and work together on ways to improve in the areas that are most important, as well as those that are most commonly neglected.
- A clear understanding of what makes a good report good.
- Concrete examples of good and bad reporting, and how to tell the difference.
- A sample report template you can use to build your own custom reports.
- How to safely re-use content over time without the risk of spilling one customer’s information into another customer’s report.
- How to make Microsoft Word do some of this work for you when you report as you go.
Who Should Take This Course
- Anyone who has to write pentest reports. You’ll learn how to do it better and with less work.
- Anyone who has to read pentest reports. You’ll see that helpful and actionable reports are possible, and find some specific things to look for in writing samples from prospective pentesters, be they consultants or potential employees.
Audience Skill Level
Ability to follow spoken English and the ability to create and save a document in Microsoft Word on Windows or macOS. The course is focused on pentest reports, and the hands-on parts apply to Microsoft Word, but the same principles apply to anyone who needs to report details of how computer systems work.
Bring a laptop with access to a recent version of Microsoft Word. We’ll cover both winword.exe on Windows and “Microsoft Word.app” on macOS. The in-browser “WebWord” editor doesn’t support the automation* and content-reuse features we use in class.
What Students Will Be Provided With
- Slide deck and links to all the materials used in class.
- A sample report template you can use after class for whatever you want.
* Sample macros and automation suites in Word that simplify repetitive pentest reporting tasks
Pay-What-You-Can and Cyber Range Access
Cyber Range access varies depending on payment level.
|Tuition Paid|Cyber Range Access|
|---|---|
|Less than $295|No Cyber Range Access|
|$295+|Six Months Cyber Range Access|
|Full Price – $575|Twelve Months Cyber Range Access|
Pricing tiers for this class are: $25, $50, $95, $150
Trainer & Author
BB King has been pentesting webapps since 2008. He was the second hire into his employer’s application security team at a time when “PCI” was brand new and long before bug bounty programs – when experienced webapp pentesters had to be made, not found. His internal training and coaching efforts built a successful team of 30 testers, few of whom had significant experience pentesting before joining the team.
BB believes that webapps are the best targets for pentesting because although they all look familiar on the surface, they’re all different, often in surprising ways. Each webapp is a collection of puzzles for a pentester and the first puzzle is figuring out where the other puzzles are! Once you get started, each test can be an engaging chance to practice your problem-solving skills and dive into new technologies.