4.3 Writing the Executive Summary
The executive summary is the most-read and worst-written section of most pentest reports. It’s written for the CISO, the board, the compliance team — people who don’t know what Kerberoasting is and don’t need to. They need to know three things: what was tested, what was found, and how bad it is.
A strong executive summary:
Leads with the overall risk posture. Don’t bury the lede. If the environment is high-risk, say so in the first sentence.
Describes findings in business terms. Not “we Kerberoasted a service account.” Instead: “we obtained credentials that grant administrative access to the financial reporting database.”
Recommends action at the strategic level. Not “patch CVE-2024-XXXX.” Instead: “implement automated service account credential rotation to eliminate the most common class of vulnerability we identified.”
Fits on one to two pages. If the executive summary is five pages, it’s not an executive summary — it’s the report.
The exercise that follows presents a badly written executive summary for the Navigating Security Corp engagement. Find the three biggest problems.
Fix the Executive Summary
This executive summary was drafted by a junior consultant on the TadiSec team. It has three major problems. Read it and identify them.