Module 4

4.7

Handling Client Questions

The Q&A after a readout is where many junior pentesters struggle. The client doesn’t ask about your tools or your technique. They ask about their business.

Common client questions and what they’re really asking:

“What’s our actual business risk?” — They want you to translate technical findings into business terms. Don’t say “you can be Kerberoasted.” Say “an attacker with basic network access could gain full control of your domain within hours, including access to financial data and HR records.”

“How confident are you this is the only path?” — They want to know if fixing these findings makes them safe. Be honest: “This was the fastest path we found in the testing window. There may be others that would require more time to discover.”

“Why should we prioritize this over our other projects?” — They’re asking for help making a business case. Connect your finding to something they care about: regulatory compliance, data breach cost, operational disruption.

“Can you explain this to someone non-technical?” — They need to communicate your findings internally. Give them language they can use.

On the right, evaluate two answers to the same client question. Pick the stronger one.

Challenge

Evaluate Client Q&A Responses

Oliver Whitaker (CISO) asks this question during the Navigating Security Corp readout. Evaluate both answers.

Answer A

Based on our testing, this was the most direct path. We identified it through BloodHound analysis and confirmed it by walking the full chain. However, the authorized testing window covered DC01 specifically, and Active Directory environments are complex. There may be additional paths that would require broader scope or more time to discover. I'd recommend this assessment be conducted annually and that the specific findings we identified today be remediated promptly, which would eliminate this confirmed path regardless of whether others exist.

Answer B

We're very confident. We used BloodHound, which maps all possible paths to Domain Admin, and this was the only one that came up. We also ran CrackMapExec across the environment and didn't find any other routes. Your environment is pretty well configured outside of the service account issues we found.

Question 1 of 2

Which answer is stronger?

Question 2 of 2

What is the biggest problem with the weaker answer?