> head -n 2 report.pdf | grep 'Kerberoasting' && echo 'nobody will read further'
A penetration test report is delivered to the CISO. It's 142 pages. It contains 38 findings, an attack narrative, detection gap analysis, and remediation roadmap. The testing was thorough. The findings are well-evidenced. The remediation guidance is specific enough to implement without further research.
The CISO reads the full report. They understand the risk. They know what needs to happen: a six-month remediation programme covering Active Directory hardening, network segmentation, detection engineering, and a service account migration project. Total estimated cost: £180,000 in staff time and tooling.
They present to the board. The board has 45 minutes allocated for the cybersecurity update, shared with three other agenda items. They haven't read the report. They won't. They'll read the executive summary — the first two pages — and they'll base their funding decision on what those two pages communicate.
If the executive summary says: "The assessment identified 38 findings: 3 critical, 8 high, 14 medium, 9 low, and 4 informational. The tester achieved Domain Admin access via Kerberoasting of the svc_backup service account, followed by NTDS.dit extraction via secretsdump" — the board nods, asks no questions, and moves to the next agenda item. They don't know what any of those words mean. They don't know whether 38 findings is good or bad. They don't know what to fund.
If the executive summary says: "A tester connected to a meeting room network port and, within two hours, gained unrestricted access to every system in the organisation — including the finance database, the HR records, and the CEO's email. No security system detected or prevented any stage of the attack. The entire compromise path can be broken by three changes costing approximately £15,000 in the first month, with a further £165,000 recommended over six months for strategic improvements" — the board asks questions, approves the initial £15,000 immediately, and requests a follow-up paper on the £165,000 programme.
Same report. Same findings. Same risk. Different executive summary. Different outcome.
The executive summary is a funding document. Its purpose is not to summarise the technical findings — it's to communicate business risk in terms that cause the people who control the budget to allocate resources for remediation. If it fails at this, the remaining 140 pages are an academic exercise.
Most executive summaries fail not because they're inaccurate, but because they're written for the wrong audience. The tester writes what they'd want to read. The CISO translates it for the board. The board receives a diluted, second-hand version of the risk. The original message is lost in translation — and the funding decision is based on whatever survived the journey.
| Failure Pattern | Example | Why It Fails |
|---|---|---|
| Technical language in a non-technical section | "Domain Admin was achieved through Kerberoasting of the svc_backup service account (SPN: MSSQLSvc/erpsrv01.acme.local:1433), followed by DCSync and NTDS.dit extraction." | The board doesn't know what any of these terms mean. They can't assess the severity, can't estimate the impact, and can't make a funding decision. The sentence communicates the tester's expertise, not the organisation's risk. |
| Statistics without context | "38 findings were identified: 3 critical, 8 high, 14 medium, 9 low, and 4 informational." | Numbers without a frame of reference. Is 38 good or bad? Are the 3 critical findings connected or independent? What's the business impact of the 3 critical findings versus the 14 medium? The reader has data but no understanding. |
| False reassurance | "The organisation's security posture is broadly in line with industry expectations for a company of this size and sector." | "In line with industry expectations" may mean that 85% of similar organisations also have their domain compromised during pen tests. It sounds reassuring. It's meaningless. The board leaves comfortable. The risk remains. |
| Alarm without specificity | "Numerous critical and high-severity vulnerabilities were identified across the environment, posing significant risk to the organisation. Immediate action is recommended." | Alarming but unactionable. Which vulnerabilities? What risk, specifically? How much will "immediate action" cost? The board feels anxious but has no information to act on. Anxiety without a clear ask produces paralysis, not funding. |
| No financial framing | "We recommend implementing MFA, network segmentation, and Active Directory hardening as priority remediations." | Three recommendations with no cost, no effort estimate, and no phasing. The board can't approve what it can't budget. "Implement MFA" is an initiative — the board needs to know it costs £35,000 and takes eight weeks before they can authorise it. |
A board member reading an executive summary has at most two minutes and no security expertise. They need five questions answered, in language they use every day, on no more than two pages.
| Question | What Good Looks Like | What Bad Looks Like |
|---|---|---|
| 1. What did we test? | "We tested your internal network — 1,247 systems — simulating an attacker who has gained access to a network port in your office, such as a visitor, a contractor, or a compromised device." | "An internal infrastructure penetration test was conducted against the 10.0.0.0/16 address range using a grey-box methodology with authenticated scanning." |
| 2. What's the headline? | "Within two hours, the tester gained access to every system in the organisation — every email account, every file share, every database — with no alert from any security system." | "Domain Admin access was achieved through a chain of three high-severity findings." |
| 3. What's the business impact? | "An attacker following this path would have unrestricted access to: customer records (45,000 individuals, triggering GDPR notification), financial systems (accounts payable manipulation), email (CEO, CFO, legal — enabling invoice fraud), and intellectual property (product designs, supplier pricing)." | "High confidentiality and integrity impact across the domain." |
| 4. What needs to happen? | "Three immediate changes break the attack path: disable a broadcast protocol (15 minutes), change one service account password (5 minutes), and remove an unnecessary administrative privilege (10 minutes). These three changes, costing less than a day's effort, prevent the specific compromise demonstrated." | "We recommend remediating all critical and high findings as a matter of priority." |
| 5. What will it cost? | "Immediate fixes: less than £1,000 (internal staff time, no procurement). Strategic programme (MFA, network segmentation, detection improvements): approximately £180,000 over six months. Recommended phasing: £15,000 in Month 1, £40,000 in Month 2–3, £125,000 in Month 4–6." | No cost mentioned. No phasing. No distinction between quick wins and strategic investments. The board can't approve an unquantified request. |
Five questions. Plain English. Two pages. If the executive summary answers all five, the board has the information needed to make a funding decision in the 12 minutes they've allocated. If it doesn't, the CISO spends those 12 minutes explaining what Kerberoasting is instead of securing budget approval.
The first summary above, the findings count, is accurate. The second, the attack path with its cost, is useful. The first communicates expertise. The second communicates risk. The first produces filing. The second produces funding. The technical findings are identical. The business outcome is entirely determined by how the executive summary presents them.
Writing for the board isn't about simplification — it's about translation. The technical reality doesn't change. The language changes to match the audience's vocabulary, decision-making framework, and time constraints.
| Technical Language | Board Translation | Why the Translation Works |
|---|---|---|
| "Achieved Domain Admin access" | "Gained complete control of every system, account, and file in the organisation" | "Domain Admin" means nothing to a non-technical reader. "Complete control of everything" is immediately understood and appropriately alarming. |
| "LLMNR poisoning captured NTLMv2 hashes" | "A broadcast protocol that should be disabled allowed credentials to be captured from the network without interacting with any system" | The mechanism is described by its effect (credentials captured) and its root cause (a protocol that should be disabled), not by its technical name. |
| "Kerberoasting of svc_erp service account" | "A service account with a weak password was compromised — the password was cracked in 11 seconds using freely available tools" | "11 seconds" communicates urgency more effectively than "Kerberoasting." "Freely available tools" communicates that this isn't a sophisticated nation-state attack — it's accessible to any motivated adversary. |
| "NTDS.dit extraction via DCSync" | "The password database for every account in the organisation was extracted" | The business implication (every password compromised) is the significant fact. The technical mechanism (DCSync, NTDS.dit) is detail the board doesn't need. |
| "No SOC alerts generated during the engagement" | "No security system detected or prevented any stage of the attack — the 24/7 monitoring service, the endpoint protection, and the security alerts all failed to identify the intrusion" | The detection failure is described in terms the board understands: the services they're paying for didn't work. This reframes a detection gap as a return-on-investment question. |
| "CVSS 9.1 — Critical" | [Don't include CVSS scores in the executive summary] | CVSS scores are meaningless to a non-technical audience. They add precision without adding understanding. Replace them with business impact statements. |
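The "what needs to happen" row and the translation table above describe three immediate fixes in board language: a broadcast protocol disabled, a service account password changed, an unnecessary administrative privilege removed. The follow-up paper the board asks for needs evidence that those fixes landed, so here is an added verification script (my own example, not code from the original post or from any provider). It assumes the ActiveDirectory RSAT module is available, that the service account is the `svc_erp` named in the table, that the "unnecessary administrative privilege" is Domain Admins membership, and it uses a placeholder engagement end date. It goes slightly beyond the summary's single account by checking every SPN-bearing account, since any of them on a pre-test password is the same Kerberoasting exposure.

```powershell
# Added example, not from the original post: evidence the three "immediate fixes"
# from the sample executive summary, so the CISO can report remediation status.
# Assumptions (not stated on the page): RSAT ActiveDirectory module is installed,
# the service account is 'svc_erp', and the surplus privilege is Domain Admins
# membership. The engagement end date is a placeholder.
Import-Module ActiveDirectory

# Fix 1: the broadcast protocol. LLMNR is disabled when the DNSClient policy
# value EnableMulticast is present and set to 0 on the host being checked.
function Test-LlmnrDisabled {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $val = Get-ItemProperty -Path $key -Name EnableMulticast -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.EnableMulticast -eq 0)
}

# Fix 2: the service account password. Any account carrying an SPN whose password
# predates the end of the engagement is still running on the credential the tester
# cracked (or one that was exposed to the same attack), so it is reported as stale.
function Test-ServiceAccountsRotated {
    param([datetime]$TestEndDate)
    $accounts = Get-ADUser -Filter { ServicePrincipalName -like '*' } `
        -Properties PasswordLastSet, ServicePrincipalName
    $stale = @($accounts | Where-Object { $_.PasswordLastSet -lt $TestEndDate })
    return [pscustomobject]@{
        Total      = @($accounts).Count
        Stale      = $stale.Count
        StaleNames = @($stale | Select-Object -ExpandProperty SamAccountName)
    }
}

# Fix 3: the unnecessary administrative privilege. A service account has no
# business being in Domain Admins, directly or through nested groups.
function Test-ServiceAccountNotDomainAdmin {
    param([string]$SamAccountName)
    $members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    return -not ($members -contains $SamAccountName)
}

# Placeholder engagement end date; replace with the date in the report.
$testEnd = Get-Date '2024-01-31'

[pscustomobject]@{
    LlmnrDisabled          = Test-LlmnrDisabled
    ServiceAccountsRotated = Test-ServiceAccountsRotated -TestEndDate $testEnd
    SvcErpNotDomainAdmin   = Test-ServiceAccountNotDomainAdmin -SamAccountName 'svc_erp'
} | Format-List
```

Run it from a domain-joined admin workstation after the fixes are applied. The first check only reflects the machine it runs on, so for the "15 minutes" LLMNR change the honest board-level statement is that the Group Policy was applied, with this script run on a sample of hosts as spot evidence. The three results map one to one onto the three sentences in the summary, which is the point: each claim the board funded can be shown true or false.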
The pen test provider writes the report, including the executive summary. But the CISO is the person who presents it to the board — and they know their board better than any external provider can. The most effective approach is collaborative: the provider writes a clear, business-focused executive summary, and the CISO adapts it for their specific board's language, priorities, and risk appetite.
Funding is the primary outcome — but the executive summary influences several other decisions that shape the organisation's security trajectory.
| Decision | How the Summary Influences It |
|---|---|
| Vendor accountability | "The 24/7 monitoring service, the endpoint protection, and the security alerts all failed to identify the intrusion" triggers a conversation about whether the managed SOC provider is delivering value. The executive summary frames the detection failure as a procurement and contract question. |
| Insurance renewal | The executive summary may be shared with the cyber insurance underwriter during renewal. A summary that demonstrates identified risks with a funded remediation programme strengthens the application. A summary that reveals critical findings with no remediation plan may result in increased premiums or coverage restrictions. |
| Regulatory posture | For organisations in regulated sectors (financial services, healthcare, critical infrastructure), the executive summary may be reviewed by regulators. A summary that demonstrates proactive testing, honest assessment, and funded remediation evidences mature risk management. A summary that minimises or obscures findings creates regulatory risk. |
| Organisational culture | The tone of the executive summary sets the tone for how the organisation responds to security risk. A summary that blames individuals ("the IT team failed to...") creates defensiveness. A summary that frames findings as systemic and fixable ("these are configuration issues, not failures of competence") creates a culture that engages with risk rather than hiding from it. |
| Testing frequency | A summary that demonstrates clear value — findings that led to funded remediation that measurably improved security — makes the case for continued investment in testing. A summary that produces no action makes the board question whether the next test is worth commissioning. |
The executive summary is the most important section of the penetration test report — not because it contains the most information, but because it's the only section the decision-makers will read. It's a funding document. Its purpose is to communicate business risk in terms that cause the people who control the budget to allocate resources for remediation.
A good executive summary answers five questions in plain English on two pages: what did we test, what's the headline, what's the business impact, what needs to happen, and what will it cost. It contains no CVSS scores, no technical jargon, and no references that require security expertise to interpret. It translates the tester's findings into the board's language — data exposure, regulatory consequence, financial liability, and operational disruption.
The 140 pages that follow the executive summary are important. They contain the evidence, the remediation steps, the attack narrative, and the detection gap analysis. But those 140 pages only matter if the first two pages cause someone to open them. The executive summary is the gate. If it opens, remediation gets funded. If it doesn't, the report gets filed, the findings get backlogged, and the next pen test finds the same attack path six months later.
Our executive summaries answer the five questions in plain English: what we tested, what we found, what it means for the business, what needs to happen, and what it will cost — because the two pages that open the report determine whether anything in the remaining 140 gets actioned.