Security Assessment Report — Baobab Bay Lodge
Client: Jean-Marc Rasoanaivo, Baobab Bay Lodge
Assessment date: [Date]
Assessor: [Your name]
Executive Summary
[Write 2-3 paragraphs for Jean-Marc, who runs a lodge, not a security team. Summarize what was found, what was fixed, and what he should know going forward. Explain the risk in terms of his guests and his business, not in technical terms or severity codes. If a guest's passport number could have been stolen, say that. If the booking form is now safe, say that and explain what changed.]
Assessment Scope
[Reference the scope document. Describe what was tested (the booking website and its database), what tools were used, and what was explicitly excluded. Note any constraints that applied during the assessment.]
Findings
| Finding | Severity | Description | Evidence | ATT&CK Mapping | Status |
|---|---|---|---|---|---|
| [Finding title] | [Critical / High / Medium / Low] | [What was found and why it matters for the lodge] | [Reference to tool output — sqlmap results, Nmap scan, log entries] | [ATT&CK ID if applicable] | [Fixed / Open / Mitigated] |
[Add a row for each finding. Include enough detail that Jean-Marc understands what was wrong, and enough evidence that a technical reviewer can verify the finding.]
Remediation Actions
[For each finding that was fixed, describe: what was changed, why this fix addresses the root cause, and evidence that the fix works. Include before/after test results — the sqlmap command that succeeded before the fix should fail after. Note whether the application still functions normally after the change.]
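As an added illustration of the before/after evidence this section asks for (example code, not part of the original template or the lodge's application), a booking lookup that pastes user input into the SQL text beside its parameterized replacement. The table, rows and booking references are constructed; sqlite3 stands in for MySQL so the example runs offline (MySQL connectors use `%s` as the parameter marker where sqlite3 uses `?`).

```python
import sqlite3

# Constructed sample data standing in for the lodge's bookings table.
SAMPLE_BOOKINGS = [
    ("BK-1001", "Ankamasoa", "P1234567"),
    ("BK-1002", "Marahita", "P7654321"),
]


def open_demo_db():
    """Create an in-memory bookings table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (ref TEXT, guest TEXT, passport TEXT)")
    conn.executemany("INSERT INTO bookings VALUES (?, ?, ?)", SAMPLE_BOOKINGS)
    return conn


def lookup_booking_vulnerable(conn, ref):
    """BEFORE: the booking reference is spliced into the query string,
    so a quote character in the input changes what the query means."""
    sql = f"SELECT ref, guest, passport FROM bookings WHERE ref = '{ref}'"
    return conn.execute(sql).fetchall()


def lookup_booking_fixed(conn, ref):
    """AFTER: the reference is bound as a parameter; the database treats
    it purely as a value and never as part of the SQL statement."""
    sql = "SELECT ref, guest, passport FROM bookings WHERE ref = ?"
    return conn.execute(sql, (ref,)).fetchall()


def before_after_check(ref):
    """Row counts returned by the vulnerable and the fixed lookup for one
    input: the kind of side-by-side result the remediation write-up needs."""
    conn = open_demo_db()
    return (
        len(lookup_booking_vulnerable(conn, ref)),
        len(lookup_booking_fixed(conn, ref)),
    )


if __name__ == "__main__":
    # A legitimate reference behaves identically before and after the fix.
    print(before_after_check("BK-1001"))         # (1, 1)
    # A quote-breaking input returns every guest's row before the fix
    # and nothing after it, because it no longer matches any reference.
    print(before_after_check("x' OR '1'='1"))    # (2, 0)
```

The second call is the functional regression check the section asks for: the fixed lookup still serves real references while refusing to be steered by the input.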
Hardening Actions
[For each hardening item applied, describe: what was changed, what risk it addresses, and verification that the change took effect. Include before/after Nmap results where applicable. Explain each change in terms Jean-Marc would understand — "we locked the database door that was left open to the street" rather than "removed host port binding for MySQL on 3306."]
Recommendations
[Items beyond this engagement's scope that matter for Jean-Marc's security posture. These are not findings from the assessment — they are professional guidance about what to consider next. This is where topics like regular security reviews, developer access management, and any questions Jean-Marc raised during the engagement can be addressed.]
Appendix: Raw Tool Output
[Optional. Include relevant sqlmap output, Nmap scans, LogQL queries, and log entries that support the findings above. This section is for the technical record — Jean-Marc does not need to read it, but it preserves the evidence chain.]