4.2 Report Structure
A professional pentest report has a predictable structure. Clients expect it. Auditors expect it. Your future employers expect it. Here are the sections, in order:
Cover page. Client name, engagement type, date, your firm’s branding. Sets the tone.
Table of contents. Non-negotiable for any report over five pages.
Executive summary. Written for the CISO and the board, not for engineers. One to two pages. Business risk, not technical details.
Scope and methodology. What was tested, how it was tested, what was excluded. This protects you and sets context for the findings.
Findings. The core of the report. Each finding includes a description, severity rating, evidence (screenshots, command output), business impact, and remediation guidance.
Risk summary. A high-level view of all findings by severity. Often a table or chart. Gives the client a quick snapshot.
Appendices. Supporting data, full scan output, raw evidence that’s too detailed for the main body.
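A small report-QA check built from the structure above, added here as an example (it is not TadiSec's tooling): it verifies a report's section order, checks that each finding carries the five required elements, and tallies findings by severity the way a risk summary table does. The section names, field names and sample findings are constructed for this example.

```python
from collections import Counter

# Canonical section order from the page; a report is expected to follow it.
REPORT_SECTIONS = [
    "cover page", "table of contents", "executive summary",
    "scope and methodology", "findings", "risk summary", "appendices",
]
# Fields every finding must carry, per the Findings section above.
FINDING_FIELDS = ("description", "severity", "evidence", "business_impact", "remediation")
SEVERITIES = ("Critical", "High", "Medium", "Low", "Informational")


def check_section_order(sections):
    """Return problems found: missing sections, or present sections out of order."""
    names = [s.strip().lower() for s in sections]
    problems = [f"missing section: {s}" for s in REPORT_SECTIONS if s not in names]
    present = [s for s in names if s in REPORT_SECTIONS]
    if present != [s for s in REPORT_SECTIONS if s in present]:
        problems.append("sections are out of order")
    return problems


def check_finding(finding):
    """Return problems for one finding dict: missing fields or an unknown severity."""
    problems = [f"missing field: {f}" for f in FINDING_FIELDS if not finding.get(f)]
    if finding.get("severity") not in SEVERITIES:
        problems.append(f"unknown severity: {finding.get('severity')!r}")
    return problems


def risk_summary(findings):
    """Count findings per severity, in rating order, as the Risk summary table shows them."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def _finding(description, severity):
    # Constructed sample finding; evidence, impact and remediation are placeholders.
    return {"description": description, "severity": severity, "evidence": "(screenshot)",
            "business_impact": "(placeholder)", "remediation": "(placeholder)"}


# Constructed sample with the same severity mix as the excerpt: 2 Critical, 2 High, 1 Medium.
SAMPLE_FINDINGS = [
    _finding("Weak svc_adbackup password with DCSync rights", "Critical"),
    _finding("Second critical finding", "Critical"),
    _finding("First high finding", "High"), _finding("Second high finding", "High"),
    _finding("Medium finding", "Medium"),
]
```

Running `check_section_order` over the headings extracted from a draft and `check_finding` over each finding before delivery catches the most common omissions (no evidence, no remediation, a severity label outside the agreed scale).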
TadiSec’s completed report for Navigating Security Corp is available in the Artifact tab. Study it — this is the standard you’re working toward.
On the right, report excerpts have been stripped of their section labels. Identify which section each excerpt belongs to.
Identify Report Sections
Each excerpt is from TadiSec's Navigating Security Corp report. Identify which report section it belongs to.
TadiSec identified a complete attack path from a standard domain user account to Domain Administrator in two steps, leveraging a weak service account password and misconfigured replication rights. If exploited by a malicious insider or an attacker who gains initial access, this path would grant unrestricted control over the entire Active Directory environment — including the ability to forge credentials for any account in the domain.
Testing was conducted between March 24 and April 3, 2026 (excluding the March 30–31 blackout) against DC01 (10.1.1.10, Windows Server 2019) at Navigating Security Corp. The assessment simulated an insider threat scenario using a low-privilege domain user account (t.chigubhu, Domain Users) provided by the client. Testing followed the PTES framework and was limited to the targets defined in the scope of work (TDSC-SOW-2026-001).
The service account svc_adbackup (SPN: WINSRV/svc-backup.navigatingsecurity.corp) was configured with a weak password that was cracked within 6 minutes using a standard wordlist. This account holds DS-Replication-Get-Changes-All rights on the navigatingsecurity.corp domain root, enabling a DCSync attack to extract all domain credential hashes — including krbtgt — without requiring interactive access to DC01.
Rotate the svc_adbackup password to a 25+ character randomly generated string immediately and revoke its DS-Replication-Get-Changes-All rights from the domain root naming context. Long-term, implement Group Managed Service Accounts (gMSA) for all service accounts to eliminate human-managed credentials. Priority: CRITICAL — address within 48 hours.
Of the 5 findings identified, 2 were rated Critical, 2 were rated High, and 1 was rated Medium. No Low or Informational findings were reported. The overall security posture of the internal AD environment is assessed as HIGH RISK due to the presence of a confirmed two-step path to full domain compromise from a standard domain user account.