Strong operators are judged on what they can prove. In professional assessments and in structured training, the report is the durable product. Activity logs disappear; screenshots without context mislead; narrative without timestamps wastes reviewer time.
Evidence-first reporting inverts the usual draft order: collect proof, then write conclusions.
The minimum viable report skeleton
Use a fixed skeleton so reviewers know where to look:
- Executive summary — three to five sentences, no jargon pile-up.
- Scope and constraints — what was in bounds and what was not tested.
- Timeline — ordered events with UTC timestamps where possible.
- Findings — each finding paired with evidence and impact.
- Limitations — what you could not verify and why.
- Recommendations — prioritized, tied to findings, not generic hardening lists.
If a finding has no evidence section, it is a hypothesis. Label it as such or cut it.
Write findings as testable claims
A finding should read like a claim a defender can validate:
Claim: Lab identity provider accepted legacy authentication for a service account used in the scenario chain.
Evidence: Timestamped log excerpt, account identifier (redacted), and the control that should have applied.
Impact: Establishes a lateral movement path under documented assumptions.
Recommendation: Enforce modern authentication for service accounts in the lab template and add detection for the observed pattern.
Avoid “critical vulnerability” language unless impact is demonstrated in scope.
Timelines beat tool output dumps
Paste bins of raw command output force reviewers to reconstruct intent. Instead:
- One row per meaningful decision point.
- Short rationale column (“why this step now”).
- Pointer to raw logs stored in the lab evidence bundle.
This mirrors how The Armory scenario reviews are structured: reviewers reward clarity, not volume.
Common reporting failures in training
| Failure | Why it hurts | Fix |
|---|---|---|
| Screenshot without caption | Reviewer cannot verify relevance | Caption + timestamp + scope note |
| Tool name as finding title | Hides actual risk | Rename to the exposed condition |
| Missing negative results | Implies full coverage | List paths attempted and blocked |
| Recommendations without owner | No one can act | Map to control, process, or detection |
Practice loop
Draft the timeline during the run, not after. Update the executive summary last. Compare your report against scoping discipline from the same week’s lab block.
For structured peer review of reporting habits—still within educational use—use the HackerForce Discord operator channels and keep sensitive lab material inside approved environments.
