This subsection of the report should contain the methodology the penetration tester followed during the security assessment. It's better to show this process using a diagram and explain each process to the client so that the technical team on the client side will know how their organizational assets are being tested. 

Whether the penetration tester follows the NIST-800 standard, the PTES standard, or their own company's standard, they have to explain the process in this subsection.