5. Penetration Reports

Penetration testing (or “pen testing”) is the practice of simulating attacks on a system or application to uncover security weaknesses. Tests are categorized by how much the tester knows about the system beforehand:

  • Black Box: The tester has no prior knowledge of the system.
  • White Box: The tester has detailed knowledge of the system.
  • Gray Box: The tester has some knowledge of the system, but not full knowledge.

Use Cases

  • Black Box Testing
    External testers find a login vulnerability. The team patches the issue and retests for confirmation.
  • White Box Testing
    Full system knowledge reveals code injection risks. Developers implement code fixes and resolve the report.
  • Gray Box Testing
    Limited access tests expose endpoint vulnerabilities. Engineers secure the endpoints and log retesting results.
  • Retesting After Fixes
    Vulnerabilities are fixed post-penetration test. Follow-up tests are conducted to ensure no further risks remain.

Pen testers document discovered vulnerabilities and exploitation paths. In the system, you log each test (or each portion of a test) as a Penetration Report, recording the Name and any steps or results in the Description. Security teams typically use these reports to confirm that known vulnerabilities are patched and no new ones have appeared.

Typical Workflow

A security team or external vendor performs tests to “break” the system, exploit vulnerabilities, or stress‐test certain endpoints.

Each test is logged with a Name (e.g., the pen test campaign or date) and a Description of what was tested, which vulnerabilities were discovered, and so on.

Additional fields can be added as needed (e.g., recommended fixes or references to CVE entries).

Security engineers analyze the pen test findings.

If issues are found, they coordinate with developers or ops teams to fix them.

The pen test might be repeated to confirm the fix.