May 22, 2015
Non-Aggressive Reporting
Written by TrustedSec Leadership
For those of you that have been on these here internets for a while, you may have come across sites such as passiveaggressivenotes.com. Although they can be a bit of a knee-slapper, they are clearly not how to present your case in a pentest report. Perhaps the overtly aggressive “LOL YOUR STUFF IS SO BROKE” style of reporting isn’t what many would consider to be professional, friendly, or even conducive to creating a long-term relationship with a client. Or is it? It seems that sometimes telling someone that their baby is ugly is exactly the correct thing to do. This may fly in the face of logic, as we tend to focus on non-aggressive reporting with facts to back up what we’re seeing.
Does this result in a customer understanding the risks at a level that is commensurate with what we’re seeing? Recently I had a customer say to us that we weren’t aggressive enough in our reporting. This was something that we struggled with internally and still do to this day as it’s just not our nature. Obviously, you don’t want to irritate any client. In this specific case, the deliverable that we composed was meant to be a catalyst for change within their organization in order to improve the overall security posture. The report absolutely needed to be straight-talk, harsh, yet presented in a professional format with the proper recommendations.
How would one determine that this style of reporting is right? Know your client. Establish their expectations and goals from the very beginning of the engagement. This way, handling the deliverable with the proper style is a piece of cake :)