The test summary report shall include information on at least of the following:
(a) the parties involved;
(b) the project plan;
(c) the validated scope, including the rationale behind the inclusion or exclusion of critical or important functions and identified ICT systems, processes and technologies supporting the critical or important functions covered by the TLPT;
(d) selected scenarios and any significant deviation from the threat intelligence;
(e) executed attack paths, and used tactics, techniques and procedures;
(f) captured and non-captured flags;
(g) deviations from the red team test plan, if any;
(h) blue team detections, if any;
(i) purple teaming in testing phase, where conducted and the related conditions;
(j) leg-ups used, if any;
(k) risk management measures taken;
(l) identified vulnerabilities and other findings, including their criticality;
(m) root cause analysis of successful attacks;
(n) high level plan for remediation, linking the vulnerabilities and other findings
…