Blackbox Intelligence Group

Cybersecurity II · Module 13

Cybersecurity II, Unit 13: Pen Test Reporting and Professional Communication

The work product clients pay for. Executive summaries, technical findings, evidence, remediation, debriefs, and the soft skills that determine whether you're rehired.

Length
240 min
Level
advanced
Track
Cyber II
Cadence
Semester 2


What's in the lesson pack

Everything you need to teach this period.

Built by an OSCP-certified instructor who teaches this material every week. Print-ready, classroom-tested, copy-paste-able.

Teacher Guide

Lesson at a glance, learning objectives, vocabulary, pacing, mini-lessons, and discussion notes.

In-browser presenter

Full themed slide deck you can run live from your laptop. Speaker notes built in. Works offline once loaded.

PowerPoint (.pptx) export

Editable slide deck for districts that mandate PowerPoint or want to customize for their LMS.

Module overview

The full lesson plan, public.

Read everything before you commit. The plan, objectives, vocabulary, standards alignment, and pacing are open. Only the print-ready deliverables are gated.

Unit 13: Pen Test Reporting and Professional Communication

Lesson at a glance

| Item | Detail |
| --- | --- |
| Suggested length | 4 × 60 minutes |
| Recommended placement | Week 19 |
| Prerequisite | Units 5–7 |
| Materials | Sample pen test report (good + bad), report template, presentation rubric |

Safety: Standard course safety; documentation focus.

Standards & credential alignment

  • OffSec PEN-200 (PWK) reporting requirements, mapped to the OSCP exam report format.
  • PTES Penetration Testing Execution Standard.

Learning objectives

By the end of this unit, students can:

  1. Produce a pen test report with sections required by industry standard.
  2. Write an executive summary that a non-technical CFO can act on.
  3. Write technical findings that give a developer everything needed to reproduce and fix the issue.
  4. Defend findings in a verbal debrief and accept pushback professionally.
  5. Distinguish finding from recommendation from opinion.

Vocabulary

  • Finding - A factual observation of a weakness with evidence.
  • Recommendation - A specific, actionable, prioritized fix.
  • Risk rating - Severity score (CVSS or org-defined).
  • Reproduction steps - Steps that allow client engineers to confirm and fix.
  • Debrief - Live read-out of report to client stakeholders.
  • Retest - Follow-up engagement to verify fixes.

Pacing

| Day | Focus | Deliverable |
| --- | --- | --- |
| 1 | Report anatomy + good vs. bad | Annotated good/bad report |
| 2 | Executive summary writing | 1 executive summary draft |
| 3 | Technical findings + remediation | 3 findings written to template |
| 4 | Debrief practice | Recorded 5-min debrief |

Day 1 - Report anatomy

Standard sections:

1. Executive Summary
2. Engagement Overview
   2.1 Scope
   2.2 Objectives
   2.3 Methodology
   2.4 Tools
   2.5 Timeline + Personnel
3. Risk Assessment Summary
   - Findings count by severity
   - Risk heat map
4. Findings (sorted by severity, descending)
   For each:
     - Title (specific, not generic)
     - Severity / CVSS
     - Affected systems
     - Description
     - Evidence (screenshots, request/response, command output)
     - Reproduction steps
     - Impact
     - Recommended remediation (specific, prioritized)
     - References (CVE, vendor advisory, OWASP)
5. Strategic Recommendations
6. Appendices
   - Tooling / methodology
   - Engagement notes index
   - Retest schedule

Compare-and-contrast exercise: students review a deliberately bad report (vague findings, screenshots without context, recommendations like "harden the system") and a strong report. Annotate differences in 5 specific places.

Day 2 - Executive summary

Land these rules:

  • Audience: CEO, CFO, board. They will spend 90 seconds.
  • Lead with business impact, not technical detail.
  • Use plain English. No acronyms without expansion.
  • Numbers matter: "3 critical, 7 high, 12 medium" beats "many."
  • End with the one thing leadership must decide this week.

Template (1–2 pages max):

ACME Corp engaged us between [dates] to assess [scope].
We identified [N] findings, including [N] critical and [N] high severity.
The most material risk is [plain-English description] which could result in [business impact].
Three actions, taken in the next 30 days, would close the most material risks: [1, 2, 3].
The detailed findings, evidence, and remediation guidance are in the body of this report.

Students draft an exec summary for the Unit 7 web assessment.

Day 3 - Technical findings

Quality bar:

  • Title: "SQL Injection in /api/search allows authentication bypass and DB read" - not "SQL Injection."
  • Reproduction steps: a junior engineer can paste them in and reproduce.
  • Evidence: screenshot plus raw request/response.
  • Remediation: "Migrate to parameterized queries; ban string-concatenated SQL via lint rule X" - not "fix the SQL injection."

Students rewrite three findings from earlier units to professional standard.

Day 4 - Debrief

In 5 minutes, students debrief one finding to a panel (teacher + two peers acting as client).

Structure:

  1. Title + severity (10s).
  2. What happened in plain English (60s).
  3. Live demo or screenshot evidence (60s).
  4. Business impact (45s).
  5. Recommended fix (45s).
  6. Q&A (60s).

Common pushback to handle:

  • "We have a WAF - isn't that enough?"
  • "Our developers don't have time."
  • "We didn't see this in our last audit."
  • "How sure are you?"

Rubric scored on: clarity, evidence presentation, professionalism, handling pushback, time management.

Soft skills landed

  • Don't blame. Describe.
  • Recommend; don't lecture.
  • "I don't know, I'll find out and follow up" is a strong answer.
  • Pushback is data. Listen first; respond second.
  • Always offer the next step (retest, follow-on).

Common misconceptions

  • "The technical work is the deliverable." - The report is the deliverable.
  • "More pages = more value." - Density and signal beat length. The reader's time is the constraint.
  • "My finding is correct, so no need to be diplomatic." - Diplomacy is how findings get fixed.

Assessment

  • Day 1 annotation.
  • Day 2 executive summary draft.
  • Day 3 three rewritten findings.
  • Day 4 debrief - rubric scored.

Career connection

The communication delta is what separates a $70K analyst from a $150K consultant. Write well, present clearly, listen, follow up.

Homework

Find one publicly published pen test report (CISA, public disclosures). Identify three things you'd lift for your own template and one thing you'd change.
