Q: 5
[Reporting and Communication]
Which of the following components should a penetration tester include in the final assessment report?
Options
Discussion
D. The attack narrative connects the technical findings to real-world risks, showing how vulnerabilities were chained during the pentest. That’s pretty much standard for a complete final report. Customer remediation plan (B) might show up as an extra, but it’s not core in every assessment.
I don’t think it’s B. D fits since the attack narrative is always standard, while remediation plans are more variable.
Option D. Similar question came up on official practice; always look for the attack narrative as a must-have in reporting.
B tbh. I figured a customer remediation plan should be part of the final assessment since clients need to know what to fix, not just what got exploited. Maybe I'm missing why the attack narrative is prioritized. Anyone think B makes more sense for client value?
Probably D. The attack narrative gives a clear, step-by-step path of how the pentest was performed and what was compromised, which is what clients want to see in the report. It ties together findings and shows real-world impact. Pretty sure that's what they're after here.
Yeah, D makes sense. The attack narrative is essential in pentest reports to show the chain of exploits and risk impact. I think B (remediation plan) is useful but not always included by the tester.
Why not B here? Had something like this in a mock and remediation plan was part of the reporting section. Aren't testers supposed to suggest fixes, or is that out of scope for most pentest reports?
It's D
D
D tbh, but if they asked about recommendations B might fit depending how you interpret "components".