This content originally appeared on HackerNoon and was authored by Florian Henrion
If you are from the offensive security world, you might know that the most boring task for an ethical hacker is writing the report.
And that’s frustrating when you think about it — you could have the best hacker in the world on your team, but 80% of their work during a pentest remains invisible to the client. The remaining 20%, the report, is what makes up most of the actual delivery.
Sure, you could say, “Florian, there’s also communication, client relationships, support, and so on…” I agree, but here’s the thing: if the client doesn’t understand the report, doesn’t like it, or doesn’t see their quality expectations reflected in it… a big chunk of your work might not even be acknowledged.
This is the most important part of the delivery.
It shows your expertise, how you propose mitigations, outline next steps, and set priorities. It gives the client the visibility they were missing.
So if the most critical document is also the one your team enjoys the least… maybe it’s worth making the process more enjoyable. After all, would you craft a beautiful vase if you didn’t like pottery? Probably not.
The Context
Before I explain how I actually made this whole process more fun, you need to understand my role in the reporting process, as it might differ from what you are used to.
Initially in our team, we frequently had the following situation: the pentesters would always delay writing the report until the end of the mission. As a result, there was often a lot of frustration just before Delivery Day (for example, the following Monday).
So, we decided to try a new approach: do a little bit every day, even if there were only a few discoveries. The new rule was simple:
- Pentesters update the report daily
- The manager reviews it daily
How did we enforce this? One word: Discipline.
Each of us had a fixed one-hour slot in our calendars dedicated to writing or reviewing the report.
If you are curious to know how we managed our meetings, urgent matters, side quests, etc. while respecting this schedule, feel free to reach out to me on LinkedIn and let’s grab a ☕️
In our case, the manager (the role that I played) had to review the quality of the document, hunting for typos, unclear explanations or descriptions, and even challenging certain findings. But more importantly, they had to make sure the technical message was properly translated into language a C-level audience could understand (at least for the parts that concerned them).
This first change made us switch to this 👇
Already better, right? Did you expect to see happy faces all around? Nah, they’re engineers, what did you expect? You can’t just make them happy like that.
Let’s Get Creative
The first trick I used to spark a bit of positive emotion while they were doing something they didn’t enjoy was this, look carefully at the comment:
I’d leave a comment during the review, acting pretty serious about something they might have missed or phrased poorly. Then I’d drop a weird Reddit link that made them go 🧐 — “what the h*ck is this guy talking about?” And then:
Just dropped a random meme from the bushes🌳😁
In the open space, you could spot the one who had just fallen into the trap. It also came with a few unexpected benefits:
- A bit of fun,
- Sometimes a topic of discussion (a nice debate for lunchtime),
- Over time, they actually started hunting for my Easter eggs in the reviews, which also helped me confirm they were reading my comments 😈.
📝 Of course, I wouldn’t always make those look that obvious… it pushed me to be more creative when building my traps.
The second trick — Creating a Culture Where Mistakes Lighten the Mood
Since I was also stuck doing the not-so-fun part — reviewing — I figured I might as well find ways to lighten it up too. Now and then, we’d come across hilarious typos:
- “The application leaks sensible data…”
- “The serveur responded slowly”
- “A PET request” (not quite the same as GET 😅)
If you’re a French speaker, some of these probably hit home. Instead of nitpicking, I’d drop a light comment or private message with a joke. Nothing public, just something subtle to say, “I saw it, and I’m laughing with you.”
It became a small shared moment of fun, and it made the review phase feel a bit more human.
⭐️ By the way, for the managers/leaders out there, don’t forget the golden rule: good feedback in public, bad feedback in private. As the line might be thin here, go for private 👌.
The Third Trick — Make Great Discoveries Feel Great
Following the same logic as good feedback, I wanted to bring more value to their findings, and make them proud of their work. Something that would not only reward the effort, but also motivate them to keep digging for gems and giving their best.
So I started doing this: every time a strong discovery came up (especially critical vulnerabilities), I’d celebrate it in three ways:
- A direct comment in the report 👍, just for them
- A shoutout in our internal channel 🔥, in front of the team
- I’d also ask: “Can you walk me through how you found that? What made you go down that path?”
This turned small wins into proud moments — and encouraged a mindset of curiosity and shared learning.
We all enjoy talking about how we found something great. It’s satisfying — it reminds us that we’re actually good at what we do. It also breaks the routine when you’re stuck in back-to-back pentest engagements, the planning is full for weeks, and you feel like a pentesting machine.
BONUS 🎯: If you do penetration testing internally for your company, with multiple teams, locations, etc., I would simply reach out to the project director and ask for his feedback: Did he like our way of communicating? Did the vulnerability presentation meet his expectations? Was the information clear enough? And so on.
It’s an easy way to gather great input for your Lessons Learned — and it sends some well-deserved positive vibes back to your team.
With time this became what we called “The Wall Of Fame” — a collection of emails and messages praising our work, from clients or internal teams.
On tough days, when morale dipped, we’d scroll back through those notes and remember where we crushed it. A reminder that we’ve done great things — and more are coming. 🚀
At that stage, we had already started to reach this 👇
More Tricks
As we have already reached a critical size for this first article, I guess I will keep these points for the next one:
- How did we cut reporting time while doubling its impact?
- How did we build habits that support deep focus — without micromanaging anyone?
- How did we design processes that don’t collapse when someone’s offline?
- …

Florian Henrion | Sciencx (2025-07-30T05:32:08+00:00) Nobody Likes Writing Pentest Reports—So We Turned It Into a Game. Retrieved from https://www.scien.cx/2025/07/30/nobody-likes-writing-pentest-reports-so-we-turned-it-into-a-game/