Chapter 6. Reporting Your Findings

There is an old saying in the consulting business: "If you do not document it, it did not happen." Of course, the insinuation here is that because it did not happen, you cannot bill for it. Whether you are working as a consultant or as a full-time employee, failing to report the findings of your security assessment, in a format and style that results in improvements to security, will render your work academic. Too frequently, good work is dismissed because findings are reported in an unprofessional manner, without appropriate focus on their impact on core business operations, or without adequate justification. If you are running a vulnerability scanning project, penetration test, or IT security audit, this chapter ...
