An attack narrative is a crucial component of a final penetration test report. It provides a chronological, step-by-step description of the actions the tester performed to compromise the target systems. This narrative contextualizes the findings, demonstrating how individual vulnerabilities can be chained together to create a significant security risk. It effectively communicates the practical impact of the security flaws to both technical and non-technical stakeholders, illustrating the path a real-world attacker could follow.

A. User activities: The report focuses on the tester's actions and resulting system vulnerabilities, not a general log of all user activities, which is out of scope.

B. Customer remediation plan: The tester provides remediation recommendations. The customer is responsible for creating and implementing the actual remediation plan based on those recommendations.

C. Key management: This is a specific technical control. It would be included as a finding if a vulnerability was discovered, but it is not a standard, mandatory section of every report.

1. National Institute of Standards and Technology (NIST). (2008). Special Publication 800-115

Technical Guide to Information Security Testing and Assessment. Section 6.2

"Security Assessment Report

" details the contents of a final report. It emphasizes including a narrative that describes the attack path and the steps taken

stating the report should "describe the process and procedures used in the assessment" (p. 6-2).

2. The Penetration Testing Execution Standard (PTES). (2012). Technical Guidelines. The "Reporting" section explicitly requires a "Narrative" that provides a chronological account of the engagement. It states

"The narrative of the attack path taken by the penetration testing team is the core of the technical findings" (Reporting Section

para. 2).

3. Allen

J.

& Hunker

J. (2013). A Survey of Penetration Testing. Carnegie Mellon University

Software Engineering Institute. CMU/SEI-2013-TN-006. This technical note discusses the penetration testing process and reporting. It highlights that the report must detail the "sequence of actions taken by the test team" to provide a clear picture of the attack

which is synonymous with an attack narrative (p. 14).