6 Things Every Security Assessment Report Should Include

Report writing is a critical component of a cyber security assessment. The technical report communicates a point-in-time collection of the security vulnerabilities/findings in an assessment so that the discovered risks can be recreated and properly mitigated. To effectively communicate the assessment results, there are 6 things a solid report should include: each finding discovered during the assessment, what risk each finding presents to the customer, an assigned level of risk for each finding, where/how each risk was discovered, and a recommendation to resolve each risk.


  • Presenting the Discovered Findings

Each finding discovered during the assessment should be included in the report. In order to properly present each finding, a high-level description of each finding should be included as well as a description of why the finding poses risk to the customer. If a finding isn’t included, it cannot be resolved.

  • Presenting the Risk of Each Finding

It is important to show the impact of not resolving each risk so that the business can better understand each finding and develop a remediation plan.

  • Assigning Each Finding a Risk Level

Each finding should be associated with a risk level. Typical risk levels range from critical to informational. This helps the business unit prioritize risk remediation efforts.

  • Demonstrating Where/How Each Finding was Detected

When remediating an issue, it is important to know where a finding was discovered. Demonstrating the discovery in the report ensures that each finding can be recreated so that proper remediation, whether the issue occurs in one or multiple instances, can be carried out. This can be demonstrated, for example, with screen captures of the step-by-step attack vector.

  • Providing a Remediation Recommendation for Each Finding

Providing a remediation recommendation or best practice gives a head start on determining the best path forward. This can save time searching for a solution and provides an understanding of what a resolution should accomplish.


Before hiring a third party to perform a cyber security assessment, ask for a sample report to ensure the report has the elements listed above. These reporting elements ensure that when risks are found in a security assessment, an organization’s remediation team can effectively recreate the finding and craft a strategy to resolve and mitigate the risk. If an element is missing, remediation efforts could result in an incomplete resolution, leaving open other avenues of attack for a vulnerability that was thought to be fixed.
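One way to turn the checklist above into a repeatable check, as an added example that is not part of the original post: each finding is a record that must carry every element listed here, and findings that pass are ordered from critical to informational for the remediation plan. The field names, the risk scale wording and the sample findings are assumptions constructed for illustration.

```python
"""Checklist validator for findings in a security assessment report (added example)."""
from typing import Dict, List

# Report elements from the post, mapped to assumed field names in a finding record.
REQUIRED_ELEMENTS = {
    "title": "high-level description of the finding",
    "risk_to_customer": "why the finding poses risk to the customer",
    "risk_level": "assigned risk level",
    "discovery": "where/how it was detected, so it can be recreated",
    "remediation": "recommendation to resolve the finding",
}

# Typical scale named in the post, highest severity first; list index doubles as sort key.
RISK_LEVELS = ["Critical", "High", "Medium", "Low", "Informational"]


def missing_elements(finding: Dict[str, str]) -> List[str]:
    """Return the required elements that are absent or blank, plus an invalid risk level."""
    gaps = [key for key in REQUIRED_ELEMENTS if not str(finding.get(key, "")).strip()]
    level = str(finding.get("risk_level", "")).strip()
    if level and level not in RISK_LEVELS:
        gaps.append("risk_level (unknown value: %s)" % level)
    return gaps


def prioritize(findings: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only complete findings and order them Critical -> Informational."""
    complete = [f for f in findings if not missing_elements(f)]
    return sorted(complete, key=lambda f: RISK_LEVELS.index(f["risk_level"]))


# Constructed sample findings; the second one lacks the risk description.
SAMPLE_FINDINGS = [
    {"title": "Outdated TLS configuration on web portal", "risk_level": "Medium",
     "risk_to_customer": "Weak cipher suites expose sessions to downgrade.",
     "discovery": "Scanner output and screen captures, Appendix A, host <PLACEHOLDER>.",
     "remediation": "Disable legacy protocols; follow vendor hardening guide."},
    {"title": "Missing security headers", "risk_level": "Low", "risk_to_customer": "",
     "discovery": "Response headers captured in Appendix B.",
     "remediation": "Add recommended headers at the reverse proxy."},
    {"title": "Default credentials on management console", "risk_level": "Critical",
     "risk_to_customer": "Anyone reaching the console gains full administrative control.",
     "discovery": "Step-by-step screen captures in Appendix C.",
     "remediation": "Change credentials, enforce MFA, restrict network access."},
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f["title"], "->", missing_elements(f) or "complete")
    print([f["title"] for f in prioritize(SAMPLE_FINDINGS)])
```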


Fabrice Mouret