ANNEX VII
Details of the report summarizing the relevant findings of the TLPT referred to in Article 26(6) of Regulation (EU) 2022/2554
The test summary report shall contain information on at least all of the following:
|
(a) |
the parties involved; |
|
(b) |
the project plan; |
|
(c) |
the validated scope, including the rationale behind the inclusion or exclusion of critical or important functions and identified ICT systems, processes, and technologies supporting the critical or important functions covered by the TLPT; |
|
(d) |
selected scenarios and any significant deviation from the targeted threat intelligence report; |
|
(e) |
executed attack paths, and used tactics, techniques and procedures; |
|
(f) |
captured and non-captured flags; |
|
(g) |
deviations from the red team test plan, if any; |
|
(h) |
blue team detections, if any; |
|
(i) |
purple teaming in testing phase, where conducted and the related conditions; |
|
(j) |
leg-ups used, if any; |
|
(k) |
risk management measures taken; |
|
(l) |
identified vulnerabilities and other findings, including their criticality; |
|
(m) |
root cause analysis of successful attacks; |
|
(n) |
high level plan for remediation, linking the vulnerabilities and other findings, their root causes and remediation priority; |
|
(o) |
lessons derived from feedback received. |