3.4
The Evidence Package
The testing window has closed — April 3rd, end of day. TadiSec’s authorized access to DC01 is done. You have a pile of raw findings: Nmap scans, BloodHound output, Kerberoasting results, privilege escalation evidence, and some enumeration output that turned out to be noise.
This is the evidence package — everything you collected during the engagement. It’s messy. It’s not organized by finding. Some of it is critical, some of it is informational, and some of it isn’t even reportable.
Before you can write a report, you need to triage this evidence:
Identify distinct findings. A Kerberoasting result and the subsequent lateral movement might be one finding or two, depending on how you frame it: if both trace to the same root cause (for example, one service account with a weak password) they are usually one finding with a chain of evidence; if each needs its own remediation, they are two. Group related evidence together.
Separate findings from noise. Not everything you discovered is a reportable finding. An open port that’s expected and documented is noise. A misconfigured GPO that exposes credentials is a finding.
Identify the severity. Which findings have the highest business impact? That determines report priority and presentation order.
The evidence package below is TadiSec's raw output from the Navigating Security Corp engagement. You'll use this same evidence in Module 4 when you evaluate the report. For now, triage it.
Review the evidence package and answer the triage questions. How many findings can you identify? What's noise?
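The "separate findings from noise" step can be made mechanical for scan output: parse each port line and compare it against the services the client's scoping documentation says the host is expected to expose. Everything on the baseline is noise for reporting purposes; everything else needs a human decision before it can become a finding. The example below is added here and is not TadiSec's code or part of the original module. It parses the DC01 Nmap lines from the evidence package on this page, and the DC_BASELINE table is an assumption standing in for a client-supplied list of documented domain-controller services. Note the 636/tcp line: Nmap reports "tcpwrapped" when the TCP handshake completes but the connection is closed without any banner, so the scan itself does not prove that LDAPS is what is listening there.

```python
import re
from dataclasses import dataclass

# Nmap output copied from the evidence package on this page (DC01, 10.1.1.10).
NMAP_DC01 = """\
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Microsoft DNS 6.1
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows AD LDAP
445/tcp  open  microsoft-ds  Microsoft Windows Server 2019
636/tcp  open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
"""

# ASSUMPTION: a hypothetical baseline of services the client's scoping document
# says a domain controller is expected to expose. Not from the original page.
DC_BASELINE = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB",
    636: "LDAPS",
}

# Matches one Nmap "normal output" port line: PORT/PROTO STATE SERVICE [VERSION]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str  # empty when Nmap printed no version column


def parse_nmap(text):
    """Turn Nmap normal-output port lines into PortRecord objects.
    Header lines and anything that is not a port line are skipped."""
    records = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        records.append(PortRecord(int(port), proto, state, service, (version or "").strip()))
    return records


def triage_ports(records, baseline):
    """Split open ports into documented baseline services (noise for the report)
    and ports that need an analyst's decision before they can become a finding.
    Returns (noise, review) as two lists of human-readable notes."""
    noise, review = [], []
    for r in records:
        if r.state != "open":
            continue
        if r.port in baseline:
            note = f"{r.port}/{r.proto} {baseline[r.port]}: expected on a DC per baseline"
            if r.service == "tcpwrapped":
                # Handshake completed but no banner: the baseline says LDAPS,
                # the scan does not confirm it. Flag for verification, not as a finding.
                note += " (tcpwrapped: no banner seen, verify the listener is really LDAPS)"
            noise.append(note)
        else:
            review.append(f"{r.port}/{r.proto} {r.service} ({r.version}): not in baseline, needs review")
    return noise, review


if __name__ == "__main__":
    noise, review = triage_ports(parse_nmap(NMAP_DC01), DC_BASELINE)
    print("Noise (documented baseline):")
    for n in noise:
        print("  " + n)
    print("Needs review before it can be a finding:")
    for r in review:
        print("  " + r)
```

The "needs review" bucket is deliberately not called "findings": a port outside the baseline is only a finding once you have confirmed what is listening, whether the exposure is intended, and what the business impact is, which is the severity step that follows. Keep the baseline under version control with the engagement's scoping documents so the "expected and documented" decision is auditable when the client questions a triage call.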
Triage the Evidence Package
Review TadiSec's raw evidence from the Navigating Security Corp engagement. Answer the triage questions below.
Nmap Scan — DC01 (10.1.1.10)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Microsoft DNS 6.1
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows AD LDAP
445/tcp  open  microsoft-ds  Microsoft Windows Server 2019
636/tcp  open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Question 1 of 2
How many distinct reportable findings are in this evidence package?
Question 2 of 2
Which evidence item is NOT a reportable finding?