- Cleanup
  - Delete tools, scripts, and files uploaded to target systems
  - Revert config changes
  - Make detailed notes of all activities
- Documentation and Reporting
  - Command output
  - Screenshots
  - Listing of affected hosts
  - Scan and log outputs
  - Do not keep PII or other sensitive data
- Report Deliverable:
  - Attack chain
  - Executive Summary
  - Detailed findings specific to the client's environment
  - Adequate steps to reproduce each finding
  - Near-, medium-, and long-term recommendations specific to the environment
  - Appendices with:
    - Target scope
    - OSINT data
    - Password cracking analysis
    - Discovered ports/services
    - Compromised hosts
    - Files transferred to client-owned systems
    - Any account creation and/or system modifications
    - AD security analysis
    - Relevant scan date/supplementary documentation
- Report review meeting
- Delivery acceptance
  - Typically defined in SoW
- Post-Remediation Testing
- Data retention and purge