Documentation and results verification

A substantial amount of vulnerability verification will be necessary, in most cases, to ensure that your findings are actually exploitable. Mitigation efforts can be expensive and, as such, vulnerability verification is a critical task in terms of your reputation and integrity. In our experience, we have noticed several situations where people just run a tool, grab the results, and present them directly to their clients. This type of irresponsibility and lack of control over your assessment may result in serious consequences and lead to the downfall of your career. In situations where there are false negatives, it might even place the client at risk by selling a false sense of security. Thus, the integrity of test data should not be tainted with errors and inconsistencies.

The following are a few procedures that may help you in documenting and verifying the test results before transforming them into a final report:

  • Taking detailed notes: Take detailed notes of each step you take during the information gathering, discovery, enumeration, vulnerability mapping, social engineering, exploitation, privilege escalation, and persistent access phases of the penetration testing process.
  • Note-taking template: Make a note-taking template for every single tool you execute against your target from Kali. The template should clearly state its purpose, execution options, and the profiles aligned for the target assessment, and provide space for recording the respective test results. It is also essential to repeat the exercise at least twice before drawing a final conclusion from a particular tool. In this way, you certify and test-proof your results against any unforeseen conditions. For instance, when using Nmap for the purpose of port scanning, we should lay out our template with any necessary sections, such as usage purpose, target host, execution options, and profiles (service detection, OS type, MAC address, open ports, device type, and so on), and document the output results accordingly.
  • Reliability: Do not rely on a single tool. Relying on a single tool (for example, for information gathering) is absolutely impractical, and may introduce discrepancies to your penetration testing engagement. Thus, we highly encourage you to practice the same exercise with different tools made for a similar purpose. This will ensure the transparency of the verification process, increased productivity, and reduced false positives and false negatives. In other words, every tool has its own specialty for handling a particular situation. It is also worth testing certain conditions manually wherever applicable, and using your knowledge and experience to verify all the reported findings.
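The note-taking template and the repeat-the-exercise rule above can be combined in a small script. The following is an added example, not code from the book: it fills a note record from two Nmap XML (`-oX`) reports of the same host and separates ports seen open in every run from ports seen in only some. The `ToolNote` fields, the function names and the sample reports are assumptions made for illustration, and each report is assumed to contain a single host.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
# Constructed sample data: two Nmap XML (-oX) reports for one host, trimmed to
# the elements read below. 192.0.2.10 is a reserved documentation address.
RUN_1 = """<nmaprun args="nmap -sV -oX run1.xml 192.0.2.10">
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="8080"><state state="filtered"/></port>
</ports></host></nmaprun>"""
RUN_2 = """<nmaprun args="nmap -sV -oX run2.xml 192.0.2.10">
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
</ports></host></nmaprun>"""

@dataclass
class ToolNote:  # hypothetical template layout, one record per tool and target
    purpose: str
    target: str
    options: list = field(default_factory=list)      # command line of each run
    confirmed: dict = field(default_factory=dict)    # port -> service, open in every run
    unconfirmed: dict = field(default_factory=dict)  # port -> run numbers that saw it open

def open_ports(xml_text):
    """Return (command line, target address, {"proto/port": service}) for one report."""
    root = ET.fromstring(xml_text)
    host = root.find("host")  # assumption: a single host per report
    ports = {}
    for p in host.iter("port"):
        if p.find("state").get("state") == "open":
            svc = p.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            ports[f"{p.get('protocol')}/{p.get('portid')}"] = name
    return root.get("args"), host.find("address").get("addr"), ports

def build_note(purpose, reports):
    runs = [open_ports(r) for r in reports]
    targets = {target for _, target, _ in runs}
    if len(targets) != 1:  # refuse to merge notes taken against different hosts
        raise ValueError(f"reports cover different targets: {sorted(targets)}")
    note = ToolNote(purpose, targets.pop(), [args for args, _, _ in runs])
    for port in sorted(set().union(*(p for _, _, p in runs))):
        seen = [i + 1 for i, (_, _, p) in enumerate(runs) if port in p]
        if len(seen) == len(runs):
            note.confirmed[port] = runs[0][2][port]
        else:  # inconsistent between runs: verify manually or with another tool
            note.unconfirmed[port] = seen
    return note
```

Calling `build_note("TCP port scan with service detection", [RUN_1, RUN_2])` returns a record whose `unconfirmed` entries are the ones to re-test before they go into the report.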