This short article defines the TODAY model, a 5-step guide to writing pen-test reports efficiently. The model applies only to the "Detailed observations" section, which is the hardest one to write. The executive summary, legal notes, and detailed steps to reproduce are out of scope for this model; there are more efficient models for those. The TODAY model can also be used to write emails, bug bounty reports, and technical articles.
Define (or recall) who will read your report and what action they should take right after reading it. For example, the goal of the posts in the "Lifehacks for hackers" section is to give hackers new mental tools, so that they can achieve their own goals at the workplace in a straightforward way.
The goal of this step is to write a list of vulnerabilities with their severities. Do this carefully, and use the result of the previous step (who reads the report, and what they must do) when choosing the appropriate names and severities.
Remember: the real goal of the drafting process is to become completely aware of what you are going to say. Before impacting the customer, impact yourself. Make sure that you logically understand what you are going to say.
Therefore: copy and paste everything you believe in, and mark what you have pasted so you can avoid plagiarism later. Fill the gaps by explicitly writing down the ideas you believe in; feel free to use your native language at this stage.
The goal of this step is to achieve clarity. Clarity means that each sentence leaves only one possible way for the readers you serve to understand it.
The only way to achieve this is to work at the level of individual words. Refactor your report as you would refactor code, keeping in mind that this code is going to be run in someone's mind. I know no other way to do this reliably and efficiently.
The goal of this step is to ensure that the report gives the customer a consistent, clear direction, so that the customer can act with as little doubt as possible.
Give your report to another team member and ask for feedback. Then don't fight: yield to them if they have any doubts. A good technical pen-test report should not raise questions, so if questions arise, the author has already lost the battle; there is no need to argue, just rewrite the sentence. Don't rely on yourself alone: everybody makes assumptions about what is known to everybody, and everybody instinctively tends to skip over the places in their own writing that they don't like.