EEssential SkillsGeneral
Learn to take structured, real-time engagement notes that support reporting, evidence review, and team collaboration. Covers what to capture, when to capture it, and how to keep notes useful without turning them into unstructured command dumps.
Take real-time engagement notes that are structured enough to support report writing, timestamped enough to reconstruct a timeline, and clear enough that a teammate who was not present could understand what happened and why.
Every downstream deliverable in a security engagement depends on the quality of your notes. Reports, debriefs, evidence packages, and timeline reconstructions are only as good as what you wrote down while the work was happening. Trying to reconstruct an engagement from memory — even a few hours later — introduces gaps, inaccuracies, and missing context that weaken every artifact built on top of it.
Note-taking is also the skill that scales the least intuitively. On a short engagement, you might get away with messy notes. On a two-week engagement with multiple testers, a pivoting attack chain, and a client expecting a detailed timeline, undisciplined notes become an expensive liability.
When asked about your engagement methodology or workflow, being able to describe your documentation practice signals professionalism.
The key differentiator is showing that you treat notes as a first-class work product, not an afterthought. A good response:I take timestamped notes in real time throughout the engagement. Every action gets a timestamp, the command or step, and a note on why I chose that approach and what the result was. I tag findings as I discover them and reference screenshots inline so nothing gets orphaned. At the end of each phase I write a brief status summary. The goal is that anyone on the team could pick up my notes and know exactly where the engagement stands without asking me.
Strong engagement notes read like a structured log of decisions. Each entry has a timestamp. Commands and their output are recorded alongside a brief note explaining intent: 14:32 — Ran BloodHound collection against acme.local. Looking for shortest path from current user to Domain Admins. Result: found a three-hop path through the ITSupport group via WriteDACL on the AdminSDHolder object. Findings are tagged. Screenshots are referenced with descriptive names. Status summaries appear at natural breakpoints. A teammate picking up these notes would know exactly where the engagement stands.
Weak engagement notes read like a terminal history pasted into a text file. Commands appear without timestamps, without context, and without results. There is no separation between what was run, what was observed, and what it means. When a significant finding appears, it is buried in a wall of undifferentiated text. Screenshots exist somewhere on the filesystem but are not referenced. The clearest sign of weak notes is that even the person who wrote them struggles to reconstruct what happened two days later.
The practical test: could you hand your notes to a teammate at the end of the day and have them write an accurate status report without calling you? If the answer is no, your notes are not structured enough.
crackmapexec tells the reader nothing; knowing that you chose it because SMB signing was disabled and you needed to verify local admin access tells them everythingA teammate who was not on the engagement should be able to read your notes, reconstruct the timeline, identify every finding, and understand why you made the decisions you made — without asking you a single question.
Engagement Notes — ACME Corp Internal Pentest — 2026-03-15
Phase: Internal Network — Initial Enumeration
09:15— Started from WS-JSMITH (10.10.14.22). Domain user context:jsmith@acme.local. Running initial domain enumeration to map attack surface before targeting specific systems.
09:18— Ran BloodHound collection (SharpHound, all collection methods). Looking for shortest paths to Domain Admins and high-value targets. Output saved:evidence/bloodhound/acme_collection_20260315.zip
09:31— BloodHound analysis complete. Key finding:svc_backup account has DCSync rights via membership in a nested group chain. The account also has an SPN registered, making it Kerberoastable. [FINDING-01: Kerberoastable service account with DCSync rights]
09:35— Requested TGS forsvc_backupSPN. Ticket saved toevidence/kerberoast/svc_backup.kirbi. Sending to offline cracking. Chose to target only this account rather than bulk-requesting all SPNs — environment has Kerberos logging enabled and bulk requests would likely trigger an alert.
09:42 — While waiting on crack results, checking domain password policy to evaluate spray viability. Policy: 5 attempts, 30-min lockout, 8-char minimum with complexity. Spray is viable at 1 attempt per 35 minutes.
10:15— Crack succeeded:svc_backuppassword isBackup2024!. Testing access.
10:18— Confirmed:svc_backuphas local admin onFS01(10.10.14.50) via SMB. Screenshot saved:evidence/screenshots/svc_backup_admin_fileserver.png
--- Status Summary — End of Morning Session
Completed: Initial enumeration, BloodHound analysis, Kerberoasting of svc_backup. Have local admin on FS01.
Open: Need to test DCSync rights for svc_backup. Password spray queued as fallback if DCSync path does not work.
Next: Attempt DCSync from FS01 using svc_backup credentials.
Run a short practice session in your lab — even fifteen minutes of enumeration is enough. Take notes using the structure from this lesson: timestamp every action, annotate every command with intent and result, tag anything significant, and reference any saved output. At the end, read your notes as if you were a teammate who was not there. Can you reconstruct what happened, what was found, and what the next steps are? If anything is unclear, that is the gap to close.
crackmapexec tells the reader nothing; knowing that you chose it because SMB signing was disabled and you needed to verify local admin access tells them everything