4.3 Writing the Executive Summary
The executive summary is the most-read and worst-written section of most pentest reports. It should be written primarily for non-technical readers, conveying business impact as well as the positives observed during the engagement, not just the failures.
The people who read it need to know three things: what was tested, what was found, and how bad it is (if at all).
A strong executive summary:
- Leads with the overall risk posture. Don’t bury the lede. If the environment is high-risk, say so in the first sentence.
- Describes findings in business terms.
  - “The testing team Kerberoasted a service account.” ❌
  - “The testing team obtained credentials that grant administrative access to the financial reporting database.” ✅
- Recommends action at the strategic level.
  - “Patch CVE-2024-XXXX.” ❌
  - “Implement automated service account credential rotation to eliminate the most common class of vulnerability identified.” ✅
- Fits on one to two pages. If the executive summary is five pages, it’s not a “summary” any more.
On the right is a badly written executive summary for the Navigating Security Corp engagement. Find the three biggest problems.
Fix the Executive Summary
This executive summary was drafted by a junior consultant on the TadiSec team. It has three major problems. Read it and identify them.