Reporting

Executive Reports

Executive summaries communicate security risks in business terms. Focus on impact, risk, and strategic recommendations—not technical details.

Tip

Executives want to know: What's at risk? How bad is it? What do we need to do? How much will it cost?

Executive Summary Structure

mermaid
flowchart TB
    A["Executive Summary<br/>1-2 pages max"] --> B[Overview]
    A --> C[Key Findings]
    A --> D[Risk Summary]
    A --> E[Recommendations]
    A --> F[Next Steps]
    B --> B1["Scope & Objectives"]
    B --> B2[Testing Dates]
    B --> B3[Assessment Type]
    C --> C1[Critical Issues]
    C --> C2[Business Impact]
    C --> C3[Attack Scenarios]
    D --> D1[Overall Risk Level]
    D --> D2[Trending Comparison]
    D --> D3[Industry Benchmark]
    E --> E1[Prioritized Actions]
    E --> E2[Resource Estimates]
    E --> E3[Timeline]
    style A fill:#00d4ff,stroke:#000,color:#000

Writing Guidelines

✓ DO

  • Use business language
  • Quantify risk in dollars when possible
  • Provide clear priorities
  • Include visual summaries
  • Focus on outcomes
  • Keep it under 2 pages
  • Lead with the most critical findings
  • Suggest resource allocation

✗ DON'T

  • Use jargon without explanation
  • Include command outputs
  • List every finding
  • Use fear tactics
  • Assume technical knowledge
  • Provide vague recommendations
  • Skip the business impact
  • Forget to mention positives

Executive Summary Template

text
================================================================================
                    PENETRATION TEST - EXECUTIVE SUMMARY
                         [CLIENT NAME] Assessment
================================================================================

ASSESSMENT OVERVIEW
-------------------
Assessment Type:    Internal Network Penetration Test
Testing Period:     November 11-15, 2024
Scope:              Corporate network (10.0.0.0/16)
Systems Tested:     500+ hosts across 3 locations
Methodology:        PTES, MITRE ATT&CK Framework

OBJECTIVE
---------
Evaluate the security posture of [CLIENT]'s internal network by simulating
a sophisticated attacker who has gained initial access to the corporate 
network, such as through a phishing attack or compromised employee device.

--------------------------------------------------------------------------------
                              OVERALL RISK: HIGH
--------------------------------------------------------------------------------
The assessment identified significant security vulnerabilities that would allow
an attacker to fully compromise the corporate environment within hours of
gaining initial network access.

KEY FINDINGS SUMMARY
--------------------
┌─────────────┬─────────────────────────────────────────────────────────────────┐
│  CRITICAL   │  Domain Administrator compromise achieved in 4 hours           │
│     2       │  Complete Active Directory control obtained                    │
├─────────────┼─────────────────────────────────────────────────────────────────┤
│    HIGH     │  Service accounts with weak passwords                          │
│     5       │  SMB relay attacks possible across network                     │
├─────────────┼─────────────────────────────────────────────────────────────────┤
│   MEDIUM    │  Excessive administrative privileges                           │
│     8       │  Missing security patches on servers                           │
├─────────────┼─────────────────────────────────────────────────────────────────┤
│    LOW      │  Policy configuration improvements needed                      │
│     12      │                                                                 │
└─────────────┴─────────────────────────────────────────────────────────────────┘

BUSINESS IMPACT
---------------
The vulnerabilities identified pose significant risks to [CLIENT]:

FINANCIAL RISK:
• Potential ransomware deployment affecting all business operations
• Estimated recovery cost: $2.5M - $5M (based on industry benchmarks)
• Business interruption: 5-15 days minimum

DATA RISK:
• Full access to customer database (500,000 records)
• Employee PII accessible (SSN, banking details)
• Intellectual property exposure (R&D documents)

REGULATORY RISK:
• GDPR notification requirements if breached
• SOX compliance audit findings likely
• Potential regulatory fines: $500K - $2M

REPUTATIONAL RISK:
• Customer trust impact
• Competitive disadvantage
• Media/publicity exposure

ATTACK SCENARIO ACHIEVED
------------------------
Starting from a single compromised workstation with standard user privileges,
the assessment team was able to:

1. Capture credentials from network traffic (Day 1)
2. Compromise service accounts via password cracking (Day 1)
3. Access database servers containing customer data (Day 2)
4. Obtain Domain Administrator privileges (Day 2)
5. Demonstrate ability to deploy ransomware-like payload (Day 2)

This attack path mirrors real-world techniques used by threat actors such as
Conti, REvil, and BlackCat ransomware groups.

PRIORITY RECOMMENDATIONS
------------------------
IMMEDIATE (Next 30 Days) - Budget: ~$50,000
┌─────┬────────────────────────────────────────────────────────────────────────┐
│  1  │ Reset all service account passwords to 25+ characters                 │
│     │ Impact: Blocks credential-based attacks                               │
├─────┼────────────────────────────────────────────────────────────────────────┤
│  2  │ Enable SMB signing on all domain-joined systems                       │
│     │ Impact: Prevents relay attacks                                        │
├─────┼────────────────────────────────────────────────────────────────────────┤
│  3  │ Disable LLMNR/NBT-NS via Group Policy                                 │
│     │ Impact: Prevents credential capture                                   │
└─────┴────────────────────────────────────────────────────────────────────────┘

SHORT-TERM (60-90 Days) - Budget: ~$150,000
┌─────┬────────────────────────────────────────────────────────────────────────┐
│  4  │ Implement Privileged Access Management (PAM) solution                 │
│     │ Impact: Controls administrative access, enables monitoring            │
├─────┼────────────────────────────────────────────────────────────────────────┤
│  5  │ Deploy Endpoint Detection and Response (EDR) tools                    │
│     │ Impact: Detects and responds to attacks in progress                   │
├─────┼────────────────────────────────────────────────────────────────────────┤
│  6  │ Establish network segmentation for critical systems                   │
│     │ Impact: Limits attacker lateral movement                              │
└─────┴────────────────────────────────────────────────────────────────────────┘

POSITIVE OBSERVATIONS
---------------------
• Antivirus deployed consistently across endpoints
• Firewall rules restrict outbound traffic
• Security team responded to test alerts within 30 minutes
• Password complexity requirements in place

TRENDING COMPARISON
-------------------
Compared to Q2 2024 assessment:
• Critical findings: ↑ 1 (was 1, now 2)
• Average time to compromise: ↑ Improved (was 2 hours, now 4 hours)
• Patch compliance: ↑ 85% to 91%
• User awareness: ↑ Phishing click rate down 40%

NEXT STEPS
----------
1. Schedule technical debrief with IT/Security teams
2. Prioritize remediation based on recommendations above
3. Consider quarterly vulnerability assessments
4. Plan retest for Q1 2025

================================================================================
CLASSIFICATION: CONFIDENTIAL - EXECUTIVE DISTRIBUTION ONLY
Prepared by: [Consultant Name], [Company]
Date: November 20, 2024
================================================================================

Visual Elements

Include visual summaries to quickly communicate risk:

Findings Breakdown

text
# Markdown/Presentation Format - Risk Distribution Chart

FINDINGS BY SEVERITY
====================

Critical  ████████  2  (7%)
High      ████████████████████  5  (19%)
Medium    ████████████████████████████████  8  (30%)
Low       ████████████████████████████████████████████████  12 (44%)
          ├───────────────────┼───────────────────┼───────────────────┤
          0                   5                   10                  15

Total Findings: 27


FINDINGS BY CATEGORY
====================

Authentication    ████████████████████████████████████████  40%
Configuration     ██████████████████████████████  30%
Patch Management  ████████████████  16%
Access Control    ██████████████  14%


REMEDIATION EFFORT ESTIMATE
===========================

                    │ Low Effort │ Med Effort │ High Effort │
────────────────────┼────────────┼────────────┼─────────────┤
Critical (2)        │     0      │     1      │      1      │
High (5)            │     2      │     2      │      1      │
Medium (8)          │     4      │     3      │      1      │
Low (12)            │    10      │     2      │      0      │
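The two charts above are normally produced from the findings tracker rather than drawn by hand. The script below is an added example, not code from the page: it counts findings by severity, renders a proportional bar chart with an axis, and builds the severity-by-effort grid. The `Finding` records are constructed so that the counts reproduce the figures above (2 critical, 5 high, 8 medium, 12 low); they are not real assessment data.

```python
"""Render a severity bar chart and a remediation-effort matrix from a list of
findings. Added example; SAMPLE_FINDINGS is constructed to reproduce the
counts on this page (2/5/8/12) and is not real assessment output."""
from collections import Counter
from dataclasses import dataclass

SEVERITIES = ("Critical", "High", "Medium", "Low")
EFFORTS = ("Low", "Med", "High")


@dataclass(frozen=True)
class Finding:
    ref: str       # finding identifier used in the technical report
    severity: str  # one of SEVERITIES
    effort: str    # estimated remediation effort, one of EFFORTS


def _constructed(prefix: str, severity: str, efforts: list[str]) -> list[Finding]:
    """Build placeholder findings (constructed sample data only)."""
    return [Finding(f"{prefix}-{i}", severity, e) for i, e in enumerate(efforts, 1)]


# Constructed sample: effort values chosen to match the effort matrix above.
SAMPLE_FINDINGS = (
    _constructed("CRIT", "Critical", ["Med", "High"])
    + _constructed("HIGH", "High", ["Low", "Low", "Med", "Med", "High"])
    + _constructed("MED", "Medium", ["Low"] * 4 + ["Med"] * 3 + ["High"])
    + _constructed("LOW", "Low", ["Low"] * 10 + ["Med"] * 2)
)


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, keeping the report's fixed ordering."""
    counts = Counter(f.severity for f in findings)
    unknown = set(counts) - set(SEVERITIES)
    if unknown:
        raise ValueError(f"unknown severities: {sorted(unknown)}")
    return {s: counts.get(s, 0) for s in SEVERITIES}


def severity_chart(findings: list[Finding], unit_width: int = 4) -> str:
    """Bar chart using unit_width characters per finding, so bars stay
    proportional to each other and to the axis drawn beneath them."""
    counts = severity_counts(findings)
    total = sum(counts.values())
    lines = []
    for sev, n in counts.items():
        pct = round(100 * n / total) if total else 0
        lines.append(f"{sev:<9} {'█' * (n * unit_width)}  {n}  ({pct}%)")
    # Axis ticks every 5 findings, rounded up to the next multiple of 5.
    top = ((max(counts.values(), default=0) + 4) // 5) * 5
    ticks = list(range(0, top + 1, 5))
    axis = "├" + "┼".join("─" * (5 * unit_width - 1) for _ in ticks[1:]) + "┤"
    labels = "".join(f"{t:<{5 * unit_width}}" for t in ticks[:-1]) + str(ticks[-1])
    lines.append(" " * 10 + axis)
    lines.append(" " * 10 + labels)
    lines.append(f"\nTotal Findings: {total}")
    return "\n".join(lines)


def effort_matrix(findings: list[Finding]) -> dict[str, dict[str, int]]:
    """Severity x effort counts used for the remediation effort estimate."""
    table = {s: {e: 0 for e in EFFORTS} for s in SEVERITIES}
    for f in findings:
        if f.severity not in table or f.effort not in EFFORTS:
            raise ValueError(f"bad severity/effort on {f.ref}: {f.severity}/{f.effort}")
        table[f.severity][f.effort] += 1
    return table


def effort_matrix_text(findings: list[Finding]) -> str:
    """Plain-text grid in the same layout as the chart above."""
    matrix = effort_matrix(findings)
    counts = severity_counts(findings)
    rows = [f"{'':<20}│ Low Effort │ Med Effort │ High Effort │",
            "─" * 20 + "┼" + "─" * 12 + "┼" + "─" * 12 + "┼" + "─" * 13 + "┤"]
    for sev in SEVERITIES:
        label = f"{sev} ({counts[sev]})"
        cells = matrix[sev]
        rows.append(f"{label:<20}│{cells['Low']:^12}│"
                    f"{cells['Med']:^12}│{cells['High']:^13}│")
    return "\n".join(rows)


if __name__ == "__main__":
    print("FINDINGS BY SEVERITY\n====================\n")
    print(severity_chart(SAMPLE_FINDINGS))
    print("\nREMEDIATION EFFORT ESTIMATE\n===========================\n")
    print(effort_matrix_text(SAMPLE_FINDINGS))
```

Feeding it the real findings export instead of `SAMPLE_FINDINGS` is the only change needed; percentages are rounded to whole numbers, so they may not sum to exactly 100, which is why the total count is printed alongside.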

Attack Path Summary

mermaid
flowchart LR
    A["Initial Access<br/>Standard User"] --> B["Credential<br/>Harvest"]
    B --> C["Service Account<br/>Compromise"]
    C --> D["Lateral<br/>Movement"]
    D --> E["Domain Admin<br/>Achieved"]
    A -.-|30 min| B
    B -.-|2 hours| C
    C -.-|1 hour| D
    D -.-|30 min| E
    style A fill:#3b82f6,stroke:#000,color:#fff
    style B fill:#eab308,stroke:#000,color:#000
    style C fill:#f97316,stroke:#000,color:#000
    style D fill:#f97316,stroke:#000,color:#000
    style E fill:#dc2626,stroke:#000,color:#fff

Language Translation Guide

| Technical Term | Executive Language |
|---|---|
| Domain Admin compromise | Complete control of all corporate systems |
| Kerberoasting | Service password cracking allowing system access |
| LLMNR Poisoning | Network traffic interception capturing passwords |
| Lateral movement | Spreading access across multiple systems |
| Privilege escalation | Gaining administrative control |
| SMB relay attack | Hijacking user connections to access other systems |
| Pass-the-hash | Using stolen credentials without knowing passwords |
| NTDS.dit extraction | Theft of all company passwords |

Risk Quantification

Warning

When quantifying risk, use industry data and be transparent about estimates. Cite sources like Ponemon Institute, IBM Cost of Data Breach Report, or Verizon DBIR.

text
RISK QUANTIFICATION FRAMEWORK
=============================

LIKELIHOOD FACTORS
------------------
• Attack complexity: How easy is exploitation? (1-5)
• Required access: What access level is needed? (1-5)
• Detection difficulty: How likely to be detected? (1-5)
• Historical frequency: How often is this exploited? (1-5)

IMPACT FACTORS
--------------
• Data sensitivity: What data is at risk? ($)
• System criticality: What systems are affected? ($)
• Recovery time: How long to restore? (hours/days)
• Regulatory exposure: What compliance implications? ($)

SAMPLE CALCULATION
------------------
Finding: Domain Admin Compromise via Kerberoasting

Likelihood Score: 4.2/5 (High)
- Attack complexity: 2 (Easy - tools readily available)
- Required access: 3 (Any domain user)
- Detection difficulty: 4 (Minimal logging by default)
- Historical frequency: 5 (Very common in breaches)

Impact Estimate:
- Data at risk: Customer database (500K records @ $150/record = $75M exposure)
- Recovery estimate: $2.5M (forensics, remediation, notification)
- Regulatory fines: $500K - $2M (GDPR, state laws)
- Business interruption: $500K/day x 10 days = $5M

Annualized Loss Expectancy (ALE):
- Single Loss Expectancy (SLE): $10M (conservative estimate)
- Annual Rate of Occurrence (ARO): 0.3 (30% chance/year based on industry)
- ALE = SLE x ARO = $3M per year risk exposure
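The sample calculation above can be reproduced with a small helper so that every number in the executive summary is traceable to its inputs. The script below is an added example, not part of the page's framework. It implements the impact sum, the ALE = SLE x ARO formula, a ranking of findings by annual exposure, and a net-benefit check that compares a control's annual cost against the ALE it removes. The dollar figures mirror the sample calculation; the second finding, the remediation budget and the residual ARO of 0.1 are constructed assumptions for illustration.

```python
"""Annualized Loss Expectancy (ALE) helper for the risk quantification
framework above. Added example, not the page's own tooling; the figures
below mirror the page's sample calculation, and WEAK_SERVICE_PASSWORDS and
the residual ARO used in __main__ are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskFinding:
    title: str
    sle: float  # Single Loss Expectancy: cost of one occurrence, in USD
    aro: float  # Annual Rate of Occurrence: expected occurrences per year

    def __post_init__(self) -> None:
        if self.sle < 0 or self.aro < 0:
            raise ValueError("SLE and ARO must be non-negative")

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle * self.aro


def business_interruption(cost_per_day: float, days: int) -> float:
    """Loss from downtime, e.g. $500K/day x 10 days."""
    return cost_per_day * days


def impact_range(recovery: float, fine_low: float, fine_high: float,
                 interruption: float) -> tuple[float, float]:
    """Sum the impact factors into a low/high loss range. The data-exposure
    valuation is reported separately, as in the sample calculation."""
    fixed = recovery + interruption
    return fixed + fine_low, fixed + fine_high


def remediation_benefit(finding: RiskFinding, annual_control_cost: float,
                        residual_aro: float) -> float:
    """Net annual benefit of a control: ALE reduction minus the control's
    annual cost. A positive value means the control pays for itself."""
    residual = RiskFinding(finding.title, finding.sle, residual_aro)
    return finding.ale - residual.ale - annual_control_cost


def rank_by_ale(findings: list[RiskFinding]) -> list[RiskFinding]:
    """Order findings so the largest annual exposure leads the report."""
    return sorted(findings, key=lambda f: f.ale, reverse=True)


def usd(amount: float) -> str:
    """Compact dollar formatting for executive text ($3.0M, $500K)."""
    if abs(amount) >= 1_000_000:
        return f"${amount / 1_000_000:.1f}M"
    if abs(amount) >= 1_000:
        return f"${amount / 1_000:.0f}K"
    return f"${amount:.0f}"


# Figures from the sample calculation above.
KERBEROAST = RiskFinding("Domain Admin Compromise via Kerberoasting",
                         sle=10_000_000, aro=0.3)
# Constructed second finding, used only to show ranking.
WEAK_SERVICE_PASSWORDS = RiskFinding("Service accounts with weak passwords",
                                     sle=2_500_000, aro=0.5)

if __name__ == "__main__":
    low, high = impact_range(recovery=2_500_000, fine_low=500_000,
                             fine_high=2_000_000,
                             interruption=business_interruption(500_000, 10))
    print(f"Impact estimate: {usd(low)} - {usd(high)} "
          f"(SLE used: {usd(KERBEROAST.sle)})")
    for f in rank_by_ale([WEAK_SERVICE_PASSWORDS, KERBEROAST]):
        print(f"{f.title}: ALE {usd(f.ale)}")
    # Assumption: the $50K immediate package cuts the ARO from 0.3 to 0.1.
    print("Net annual benefit of immediate package:",
          usd(remediation_benefit(KERBEROAST, 50_000, 0.1)))
```

The `remediation_benefit` check is what turns the "how much will it cost?" question into an answer: the control is justified when the ALE it removes exceeds its annual cost, and the residual ARO should be stated as an estimate with its source, as the warning above requires.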