Reporting
External review: Formal findings report with severity ratings, reproduction steps, remediation guidance, and executive summary
Dependencies
Hat Sequence
Remediation Advisor
Focus: Develop actionable remediation guidance for each finding. Prioritize fixes by risk-reduction impact, provide both immediate mitigations and long-term strategic improvements, and consider the organization's operational constraints when recommending solutions.
Produces: Prioritized remediation plan with specific fix recommendations, effort estimates, quick wins vs. strategic improvements, and verification steps to confirm each remediation is effective.
Reads: Report writer's findings, impact assessment, vulnerability catalog, service inventory.
Anti-patterns:
- Recommending "patch everything" without prioritization or specificity
- Ignoring operational constraints that make certain remediations impractical
- Providing only strategic recommendations without actionable immediate steps
- Not including verification steps to confirm remediation effectiveness
- Recommending solutions that introduce new security risks
- Failing to consider the dependencies between findings when prioritizing fixes
Report Writer
Focus: Compile all findings into a structured, professional security assessment report. Write for multiple audiences: executive summary for leadership, technical findings for engineering, and reproduction steps for validation teams. Ensure every claim is backed by evidence from earlier stages.
Produces: Complete security assessment report with executive summary, methodology section, detailed findings (severity-rated with evidence and reproduction steps), and appendices with raw data.
Reads: Impact assessment, access log, vulnerability catalog, target profile, rules of engagement.
Anti-patterns:
- Including reproduction steps detailed enough for malicious use without proper classification
- Omitting findings because they seem minor — all findings belong in the report
- Writing technical jargon in the executive summary
- Not including evidence artifacts (screenshots, logs, hashes) for each finding
- Failing to document the methodology and tools used throughout the assessment
- Reporting unverified scanner output as confirmed findings
Reporting
Criteria Guidance
Good criteria examples:
- "Each finding includes severity rating (CVSS), affected asset, reproduction steps, evidence artifacts, and specific remediation guidance"
- "Executive summary communicates overall risk posture in business terms understandable by non-technical stakeholders"
- "Remediation plan prioritizes fixes by risk-reduction impact and includes both quick wins and strategic improvements"
Bad criteria examples:
- "Report is written"
- "Findings are documented"
- "Remediation is suggested"
Completion Signal
Final report exists with executive summary, detailed technical findings, and remediation plan. Each finding has a severity rating, reproduction steps, evidence, and specific remediation guidance. Executive summary communicates risk posture in business terms. Remediation plan is prioritized by impact with clear ownership suggestions. Report has been reviewed for accuracy, completeness, and appropriate classification of sensitive details.
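The Report Writer completeness criteria and the Remediation Advisor's prioritization rules above can be made mechanical. The following Python script is an added example, not part of this workflow definition or any tool it refers to: it checks a constructed set of findings for the fields the "good criteria" require (severity, asset, reproduction steps, evidence, remediation, verification), maps CVSS scores to the v3.x qualitative scale, and orders remediation by severity with cheaper fixes breaking ties, never placing a fix ahead of the findings it depends on. The field names, the three-step effort scale and the quick-win rule are assumptions made for the example.

```python
"""Added example: findings completeness check plus a prioritized remediation plan.
Hypothetical helper code; field names, effort scale and sample findings are constructed."""

# Fields every finding must carry before the report is considered complete (assumed names).
REQUIRED_FIELDS = ("title", "cvss", "asset", "repro_steps", "evidence", "remediation", "verification")

# Assumed relative effort of a fix; lower rank breaks ties between equally severe findings.
EFFORT_RANK = {"low": 0, "medium": 1, "high": 2}


def cvss_rating(score: float) -> str:
    """CVSS v3.x qualitative severity scale."""
    if score <= 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def missing_fields(finding: dict) -> list:
    """Report Writer check: list the required fields a finding lacks (empty counts as missing)."""
    return [f for f in REQUIRED_FIELDS if finding.get(f) in (None, "", [])]


def incomplete_findings(findings: list) -> dict:
    """Map finding id -> missing fields, for every finding that is not report-ready."""
    return {f["id"]: missing_fields(f) for f in findings if missing_fields(f)}


def prioritize(findings: list) -> list:
    """Remediation Advisor ordering: highest CVSS first, cheaper fixes break ties,
    and a finding is never scheduled before the findings its fix depends on."""
    pending = sorted(findings, key=lambda f: (-f["cvss"], EFFORT_RANK[f["effort"]]))
    planned, plan = set(), []
    while pending:
        for f in pending:                      # first schedulable finding in priority order
            if set(f.get("depends_on", ())) <= planned:
                break
        else:
            raise ValueError("circular dependency among findings: "
                             + ", ".join(f["id"] for f in pending))
        pending.remove(f)
        planned.add(f["id"])
        # Quick win: cheap and independent. Anything else needs planning or a prerequisite.
        bucket = "quick win" if f["effort"] == "low" and not f.get("depends_on") else "strategic"
        plan.append({"id": f["id"], "severity": cvss_rating(f["cvss"]),
                     "bucket": bucket, "verify": f["verification"]})
    return plan


# Constructed sample findings (not from any real assessment).
FINDINGS = [
    {"id": "F-1", "title": "SQL injection in order search", "cvss": 9.8, "asset": "api.example.test",
     "repro_steps": "see appendix A", "evidence": ["req-resp-01.txt"], "effort": "medium",
     "remediation": "parameterize the query", "verification": "re-run the request; expect 400, no DB error"},
    {"id": "F-2", "title": "Verbose stack traces", "cvss": 5.3, "asset": "api.example.test",
     "repro_steps": "see appendix B", "evidence": ["trace.png"], "effort": "low",
     "remediation": "generic error page in production", "verification": ""},   # missing verification
    {"id": "F-3", "title": "TLS 1.0 enabled", "cvss": 7.4, "asset": "lb.example.test",
     "repro_steps": "see appendix C", "evidence": ["tls-scan.txt"], "effort": "low",
     "remediation": "restrict to TLS 1.2+", "verification": "re-scan; TLS 1.0 handshake refused"},
    {"id": "F-4", "title": "Legacy auth endpoint exposed", "cvss": 8.1, "asset": "auth.example.test",
     "repro_steps": "see appendix D", "evidence": ["auth-log.txt"], "effort": "low", "depends_on": ["F-5"],
     "remediation": "disable /v1/login", "verification": "endpoint returns 404 for all clients"},
    {"id": "F-5", "title": "Clients still use legacy auth", "cvss": 8.1, "asset": "mobile apps",
     "repro_steps": "see appendix D", "evidence": ["client-inventory.csv"], "effort": "high",
     "remediation": "migrate clients to /v2/login", "verification": "no /v1 traffic for 30 days"},
]

if __name__ == "__main__":
    for fid, missing in incomplete_findings(FINDINGS).items():
        print(f"{fid}: not report-ready, missing {missing}")
    for item in prioritize(FINDINGS):
        print(f"{item['id']:4} {item['severity']:8} {item['bucket']:9} verify: {item['verify']}")
```

Running it flags F-2 as not report-ready and schedules F-5 (a high-effort migration) before F-4 even though F-4 is the cheaper fix, which is the "dependencies between findings" point from the Remediation Advisor anti-patterns.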