Should You Be Sharing Penetration Test Reports?



If you're trying to land a large enterprise contract and you're in the middle of the vendor vetting process, you'll start getting security questionnaires, and your prospect's security team will ask for things like your penetration test report and your governance documentation. Just remember that, unfortunately, your prospects and clients are not always right. Just because they ask for those things doesn't mean you send them. Think about what you're sending: your penetration test reports and your governance documentation contain a lot of sensitive information. Sending it all can actually undermine your credibility a little, too. Put yourself in the shoes of the people vetting you, the security teams of these large organizations you're after: if you're willing to send everything over the moment they ask, they are not going to think, "Wow, they're pretty open with their information." They're going to question how well you protect sensitive data. A lot of what they need can be accomplished in a different way, and sometimes it takes a little pushback on your side. For example, instead of sending a full penetration test report, send a letter of attestation. Your pen testers should have provided one to you: an overview of the scope and activities of the penetration test, the high-level results, and so on.

If they need to get on the phone with your prospect and discuss the penetration test and how it went, or share a few screenshots of the report, that's fine as well. It's a lot better to do that than to send the full report. The same goes for governance documentation. Those discussions can usually be had over video conference: you screen-share and walk through the documentation, and they get enough to understand whether your security program meets their standards. Meanwhile, you're not spelling out a bunch of sensitive information. Because if you do start sending all of this out, think about what's going on: the tables have turned, and all of a sudden you should be vetting them from a security perspective. You should be having them fill out a security questionnaire for you, because now they're harboring your sensitive data in their environment. If a prospect truly won't move forward without a full copy, at minimum share it under an NDA, through a controlled channel rather than email, and only after you've asked how they store and who can access vendor documents. So just consider that when you're in the middle of the vendor vetting process.

Contact Silent Sector to speak with an expert about penetration testing considerations, requirements, and methods.

About the Author

Written by Zach Fuller

Zach Fuller is an entrepreneur who has built businesses in multiple industries. He served as a Green Beret in the U.S. Army, conducting highly sensitive combat operations in Afghanistan. Zach was awarded a Bronze Star Medal and other decorations for his actions overseas. He later built an investor relations team for a private equity company. Holding the role of Executive Vice President, he led the team to raising well over $300,000,000 in private capital to acquire real estate assets and to making the Inc. 500 list of Fastest Growing Private Companies. Zach is a Certified Ethical Hacker and founding partner of Silent Sector, where he is focused on mid-market and emerging companies, which he considers to be the backbone of the American economy and our way of life.