After a penetration test, the client requests a document that includes the methodology used, a list of all vulnerabilities found along with their CVSS scores, and detailed steps for remediation. Which type of report section is this?
This section contains detailed findings, CVSS scores, and remediation guidance for technical teams.
Why this answer
The client's request for methodology, vulnerability list with CVSS scores, and remediation steps describes the detailed, technical findings of the penetration test. This content is characteristic of the Technical Report section, which provides in-depth analysis and actionable data for technical stakeholders, as opposed to high-level summaries or contractual documents.
Exam trap
The trap is confusing the Executive Summary's high-level risk ratings with the Technical Report's detailed CVSS scores and remediation steps. Candidates then incorrectly select the Executive Summary even though the question explicitly lists granular technical details.
How to eliminate wrong answers
Option A is wrong because the Executive Summary provides a high-level overview for non-technical management, not the detailed methodology, CVSS scores, and step-by-step remediation instructions. Option C is wrong because the Rules of Engagement (RoE) is a pre-engagement document defining scope, boundaries, and legal terms, not a post-test deliverable containing findings and remediation.