Security Strategy

How Pen Test Reports Can Prioritise Security Investment Intelligently

> sort -t, -k3 -rn investment_priorities.csv | head -5 && echo 'evidence, not headlines'

Peter Bassill 30 December 2025 14 min read
Tags: security investment, budgeting, ROI, prioritisation, attack chains, board reporting, evidence-based security

Security spending driven by headlines instead of evidence.

A competitor suffers a ransomware incident. The board asks the CISO: "Could that happen to us?" The CISO, who has been requesting a network segmentation budget for two years, says yes. The board approves £180,000 for segmentation — not because the pen test demonstrated the risk eighteen months ago, but because a headline made the risk feel real.

Three months later, a vendor announces a critical vulnerability in a widely-used VPN product. The board asks again. The CISO requests £60,000 for an upgraded VPN solution with MFA integration. Approved — because the headline created urgency.

Meanwhile, the pen test report from nine months ago identified that service accounts in the organisation's Active Directory are Kerberoastable, that the SOC has no detection capability for lateral movement, and that a chain of three medium-severity findings provides unrestricted access to the financial database. These findings don't have headlines. They don't trigger board questions. They sit in the remediation tracker, competing for budget against the reactive spend that headlines generate.

Reactive spending isn't wrong — the segmentation and VPN upgrades are legitimate investments. But reactive spending is inefficient. It addresses the threat that feels most urgent rather than the risk that's been demonstrated. The pen test report contains evidence of what an attacker can actually do to this specific organisation. That evidence should drive the investment priorities — not the news cycle.


What the pen test tells you about where money produces the most security.

A well-structured pen test report contains several categories of information that, when read as investment intelligence, reveal where the highest-return security spending opportunities are.

Report element: Attack chains
What it tells the CISO: The specific path the tester used to reach the crown jewels. Which findings combined to produce the compromise. Where the chain could be broken most cheaply.
Investment implication: The cheapest break point in the chain is the highest-ROI investment. Disabling LLMNR (free, 15 minutes) may break a chain that leads to the financial database, making it a higher-ROI investment than a £200,000 EDR deployment that would catch the attacker three steps later.

Report element: Time to objective
What it tells the CISO: How quickly the tester achieved their primary objective (Domain Admin, referred to below as DA, or access to sensitive data). Two hours indicates fundamental architectural weakness. Five days indicates reasonable but improvable defences.
Investment implication: If DA was achieved in two hours, the investment priority is breaking the chain: quick wins that delay the attacker. If DA took five days, the investment priority shifts to detection, ensuring the SOC can detect and respond within that window.

Report element: Detection gaps
What it tells the CISO: Which tester actions were detected by the SOC, EDR and monitoring. Which went unnoticed. Where the detection architecture has blind spots.
Investment implication: Invest in detection capability for the specific techniques the tester used undetected. A SIEM rule for DCSync (Security event 4662 carrying the directory-replication extended rights from an account that is not a domain controller) costs very little to write; the visibility it provides is worth significantly more than its implementation cost.

Report element: Effort-to-remediate estimates
What it tells the CISO: Which findings are quick wins (hours), standard remediations (days to weeks) and architectural projects (months). The relationship between remediation effort and risk reduction.
Investment implication: Prioritise quick wins that break chains. Then fund the standard remediations. Then present the architectural projects, with the pen test evidence, as investment cases to the board.

Report element: Recurring findings
What it tells the CISO: Which findings appeared in the previous engagement and are still present. Whether the organisation is making progress or running in place.
Investment implication: Recurring findings indicate either insufficient investment in remediation or systemic issues that require architectural change. If LLMNR recurs for the third year, the investment isn't in another GPO; it's in configuration management that prevents policy drift, plus a check in the next retest that the setting actually applied.
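The detection-gaps row above calls a SIEM rule for DCSync cheap. What follows is an added example, not code from the article or its author: the logic of such a rule written in Python and run over a handful of constructed Security event 4662 records (no real logs). The allow-list of expected replicators (DC01$, DC02$, svc_aadconnect) is an assumption, as are the other account names; the rule also assumes the Audit Directory Service Access subcategory is enabled, since without it no 4662 is written and the rule is silent.

```python
"""DCSync detection logic over Windows Security event 4662 records.

Added example for this article, not code from the article or its author.
The events are constructed, not real logs. Field names follow the 4662 event
schema (SubjectUserName, ObjectType, AccessMask, Properties); the account and
host names are assumptions.
"""
import re

# Extended rights a principal must exercise on the domain object to pull
# secrets by replication (what lsadump::dcsync and secretsdump.py request).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # ObjectType of the domain head
CONTROL_ACCESS = 0x100  # AccessMask bit set when an extended right is exercised

# Principals expected to replicate: domain controller computer accounts and any
# directory-sync service account. Listed by name rather than trusting every
# account ending in "$", because a compromised member server is a "$" account too.
EXPECTED_REPLICATORS = {"dc01$", "dc02$", "svc_aadconnect"}  # assumed names

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def requested_replication_rights(event):
    """Names of replication rights the event requests; empty if it is not a
    Control Access request against the domain object."""
    if event.get("EventID") != 4662:
        return set()
    if event.get("ObjectType", "").strip("%{}").lower() != DOMAIN_DNS_CLASS:
        return set()
    try:
        mask = int(str(event.get("AccessMask", "0")), 16)
    except ValueError:
        return set()
    if not mask & CONTROL_ACCESS:
        return set()
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return {REPLICATION_RIGHTS[g] for g in guids & REPLICATION_RIGHTS.keys()}


def classify(event):
    """Return (verdict, detail) with verdict one of 'alert', 'expected', 'ignore'."""
    rights = requested_replication_rights(event)
    if not rights:
        return "ignore", "no replication right requested"
    user = event.get("SubjectUserName", "")
    if user.lower() in EXPECTED_REPLICATORS:
        return "expected", f"{user} is an allow-listed replicator"
    return "alert", f"DCSync by {user}: {', '.join(sorted(rights))}"


def detect(events):
    """(time, user, detail) for every event that should page the SOC."""
    alerts = []
    for event in events:
        verdict, detail = classify(event)
        if verdict == "alert":
            alerts.append((event.get("TimeCreated"), event.get("SubjectUserName"), detail))
    return alerts


DOMAIN_OBJ = "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"
# Constructed sample: routine DC-to-DC replication, an attacker-held service
# account replicating, an ordinary read of a user object, and an unrelated logon.
SAMPLE_EVENTS = [
    {"TimeCreated": "2025-11-03T02:14:07Z", "EventID": 4662, "SubjectUserName": "DC02$",
     "ObjectType": DOMAIN_OBJ, "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"TimeCreated": "2025-11-03T02:15:31Z", "EventID": 4662, "SubjectUserName": "svc_backup",
     "ObjectType": DOMAIN_OBJ, "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{89e95b76-444d-4c62-991a-0facbeda640c}"},
    {"TimeCreated": "2025-11-03T02:16:02Z", "EventID": 4662, "SubjectUserName": "jsmith",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x10",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},  # placeholder, not a replication right
    {"TimeCreated": "2025-11-03T02:16:40Z", "EventID": 4624, "SubjectUserName": "jsmith"},
]

if __name__ == "__main__":
    for when, user, detail in detect(SAMPLE_EVENTS):
        print(when, user, detail)
```

An alert needs all three conditions at once: a 4662 against the domain object with the Control Access bit, at least one replication right in Properties, and a subject outside the allow-list. Keying the allow-list on explicit names rather than the trailing "$" matters because an attacker who has compromised a member server's machine account, or who has created one, would otherwise replicate silently. Whether the rule fires at all in a given estate is exactly the kind of thing a retest should confirm.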

Investing where one fix breaks an entire attack path.

The most powerful investment prioritisation technique the pen test report enables is chain-based analysis. Every attack chain has links — and some links are cheaper to break than others. The link that's cheapest to break while having the greatest impact on the chain is the highest-ROI investment.

Example: Attack Chain Investment Analysis
Attack chain: Workstation → Financial Database

Step 1: LLMNR poisoning on workstation VLAN
Break cost: £0 (GPO change, 15 minutes)
Fix: Enable "Turn off multicast name resolution" (Computer Configuration > Administrative Templates > Network > DNS Client) and disable NetBIOS over TCP/IP on the same adapters; a poisoner that loses LLMNR simply answers NBT-NS instead.
Impact: Eliminates the entry point for this chain.

Step 2: NTLM relay to file server (SMB signing not required)
Break cost: £0 (GPO change, 15 minutes)
Fix: Set "Microsoft network server: Digitally sign communications (always)" on servers and the equivalent client policy on workstations.
Impact: Prevents the captured authentication from being relayed to SMB on that server. It does not stop relay to LDAP or HTTP targets, which need LDAP signing and channel binding, and Extended Protection for Authentication on the web side.

Step 3: Kerberoasting of svc_finance (cracked in 11 seconds)
Break cost: £0–2,000 (gMSA migration, 2–4 hours)
Fix: A gMSA password is long, random and rotated automatically, so its service ticket is not practically crackable. Where the service cannot run under a gMSA, set a 25+ character random password and restrict the account to AES (msDS-SupportedEncryptionTypes), which makes each cracking attempt far more expensive than with RC4.
Impact: Eliminates the escalation step.

Step 4: Lateral movement to DB server (flat network)
Break cost: £120,000+ (network segmentation project)
Interim: A host firewall rule on the DB server allowing inbound SQL only from the application servers costs nothing and removes the workstation-to-database hop while segmentation is funded.
Impact: Contains the blast radius of any compromise.

Step 5: Data access (svc_finance has db_owner on FinanceDB)
Break cost: £0 (revoke excessive permissions, 30 minutes)
Fix: Revoke db_owner and grant the application the specific permissions it uses, confirmed with the application owner before the change.
Impact: Even if the account is compromised, DB access is limited to what the application needs.

TOTAL to break chain at cheapest points (Steps 1+2+3+5): ~£2,000
TOTAL for comprehensive fix including segmentation: ~£122,000

Recommended phased investment:
Immediate (this week): Steps 1, 2 and 5, £0, 1 hour total
Short-term (this month): Step 3, £2,000, 4 hours
Strategic (6 months): Step 4, £120,000, board approval needed

The chain analysis reveals that the path to the financial database can be broken four different ways — three of which cost nothing and take less than an hour combined. The £120,000 segmentation project is the strategically correct investment, but the organisation doesn't need to wait for it to be funded and implemented. The immediate quick wins break the demonstrated chain today. The strategic investment prevents future chains that quick wins can't address.

This phased approach — immediate quick wins, short-term standard remediations, strategic architectural investments — gives the board a clear, evidence-based investment roadmap rather than a single large number that's easy to defer.
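The plan above is worked by hand for a single chain. What follows is an added example, not code from the article or its author, that computes the same three-phase plan across several chains at once, so that a fix sitting on more than one chain (segmentation, here) is credited for all of them. The first chain and its break costs are the article's; the second and third chains, their links and their fix costs (MFA on the Citrix gateway at £15,000, a £60,000 application replacement) are constructed assumptions chosen to match the path descriptions the article gives later. It also performs the "map every chain to its cheapest break point" step from the budget-meeting checklist further down the page.

```python
"""Chain-based remediation prioritisation from a pen test report.

Added example for this article, not code from the article or its author.
The first chain and its break costs are the ones the article walks through;
the other two chains, their links and their fix costs are constructed
assumptions (labelled "assumed" below).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fix:
    description: str
    cost_gbp: int        # procurement or project cost to break this link
    effort_hours: float  # engineering effort to implement the fix


# One fix per attack-chain link. Keys are the link identifiers used in CHAINS.
FIXES = {
    "llmnr_poisoning": Fix("Disable LLMNR and NBT-NS via GPO", 0, 0.25),
    "smb_relay":       Fix("Require SMB signing via GPO", 0, 0.25),
    "kerberoast_svc":  Fix("Migrate svc_finance to a gMSA", 2000, 4),
    "flat_network":    Fix("Network segmentation project", 120000, 480),
    "db_owner_svc":    Fix("Revoke db_owner from svc_finance on FinanceDB", 0, 0.5),
    "citrix_no_mfa":   Fix("MFA on the Citrix gateway (assumed)", 15000, 40),
    "legacy_app_eol":  Fix("Replace end-of-life vendor application (assumed)", 60000, 320),
}

# Demonstrated attack chains: ordered links from entry point to objective.
CHAINS = {
    "Workstation -> FinanceDB": [
        "llmnr_poisoning", "smb_relay", "kerberoast_svc", "flat_network", "db_owner_svc",
    ],
    "Citrix gateway -> HR data (assumed)": ["citrix_no_mfa", "flat_network"],
    "Vendor VPN -> legacy app (assumed)": ["legacy_app_eol", "flat_network"],
}


def coverage(chains):
    """How many demonstrated chains each link sits on. A fix shared by several
    chains is worth more than its single-chain cost suggests."""
    counts = {}
    for links in chains.values():
        for link in set(links):
            counts[link] = counts.get(link, 0) + 1
    return counts


def cheapest_break(links, fixes=FIXES):
    """Cheapest single link to break on one chain (by cost, then effort, then name)."""
    return min(links, key=lambda link: (fixes[link].cost_gbp, fixes[link].effort_hours, link))


def unbroken(chains, applied):
    """Chains on which none of the applied fixes sits."""
    applied = set(applied)
    return {name: links for name, links in chains.items() if not applied & set(links)}


def phase_cost(links, fixes=FIXES):
    return sum(fixes[link].cost_gbp for link in links)


def phased_plan(chains=CHAINS, fixes=FIXES, short_term_max_gbp=5000):
    """Three-phase plan in the article's shape.

    immediate:  every zero-cost fix on any demonstrated chain, kept even where
                the chain is already broken elsewhere, because a single GPO
                can drift and redundant free breaks cost nothing.
    short_term: every fix costing up to short_term_max_gbp, same reasoning.
    strategic:  greedy selection for chains the first two phases leave
                unbroken, scored by cost per demonstrated chain the fix sits
                on, so a control present on every chain is credited for all
                of them rather than only for the chains still open.
    """
    on_chain = {link for links in chains.values() for link in links}
    immediate = sorted(link for link in on_chain if fixes[link].cost_gbp == 0)
    short_term = sorted(link for link in on_chain
                        if 0 < fixes[link].cost_gbp <= short_term_max_gbp)
    cov = coverage(chains)
    strategic = []
    remaining = unbroken(chains, immediate + short_term)
    while remaining:
        candidates = {link for links in remaining.values() for link in links}
        best = min(candidates, key=lambda link: (fixes[link].cost_gbp / cov[link],
                                                 fixes[link].effort_hours / cov[link],
                                                 link))
        strategic.append(best)
        remaining = unbroken(remaining, [best])
    return {"immediate": immediate, "short_term": short_term, "strategic": strategic}


if __name__ == "__main__":
    cov = coverage(CHAINS)
    for name, links in CHAINS.items():
        best = cheapest_break(links)
        print(f"{name}: cheapest break is '{FIXES[best].description}' at GBP {FIXES[best].cost_gbp:,}")
    for phase, links in phased_plan().items():
        print(f"\n{phase}: GBP {phase_cost(links):,}")
        for link in links:
            fix = FIXES[link]
            print(f"  {fix.description}: GBP {fix.cost_gbp:,}, {fix.effort_hours}h, on {cov[link]} chain(s)")
```

Two design choices are deliberate. The first two phases keep every cheap fix, including ones on a chain that is already broken, because a lone GPO is exactly the control the recurring-findings row says drifts. Only the strategic tier is selected by coverage: on this data it picks the £120,000 segmentation over the £60,000 single-chain replacement because segmentation sits on all three chains, which is the "prevents future chains" argument in numbers. Running the file prints the cheapest break for each chain and the three phases with their totals (£0, £2,000 and £135,000 here).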


Translating pen test evidence into investment language.

The board doesn't make security decisions — it makes investment decisions. The CISO's job is to translate pen test evidence into the language of investment: cost, return, risk, and alternatives.

Don't say: "We need to implement network segmentation."
Say instead: "The pen test demonstrated that a single compromised workstation provides unrestricted access to the financial database containing 45,000 customer records. The path can be broken immediately at zero cost with three configuration changes: disabling LLMNR, requiring SMB signing and revoking a database permission. Full segmentation, which removes the flat network that every such path relies on, costs £120,000 over six months."
Why it works: Connects the investment to a specific, demonstrated risk with quantified impact. Offers a phased approach: immediate action plus strategic investment.

Don't say: "We need better endpoint detection."
Say instead: "The pen tester operated inside our network for five days without detection. Our SOC identified zero of seven attacker actions. If this had been a real attack, the attacker's dwell time would have exceeded five days, during which they had access to every system in the domain. Improving detection to catch the three most critical techniques costs £35,000."
Why it works: Quantifies the gap (zero detection), frames the risk (five-day dwell time) and provides a specific investment with a defined outcome.

Don't say: "The pen test found 34 findings."
Say instead: "The pen test identified three attack paths to sensitive data. The highest-risk path, from a standard workstation to the financial database, can be broken this week at no cost. The second path requires a £15,000 investment in MFA for the Citrix gateway. The third requires the segmentation project we deferred last year."
Why it works: Frames findings as attack paths, not statistics. Each path has a specific cost to address. The board can approve investments by priority rather than facing a single undifferentiated remediation budget.

Don't say: "We should invest in security."
Say instead: "Our pen test programme shows that recurring findings dropped from 14 to 3 over two years. Time to compromise increased from 2 hours to 2 days. Detection rate improved from 0% to 44%. The remaining gap, detection of lateral movement and Kerberos attacks, requires £35,000 in SIEM rules and a quarterly purple team programme at £20,000 per year."
Why it works: Demonstrates ROI on previous investment. Shows the trajectory. Identifies the specific remaining gap with a specific cost to close it.

A framework for ordering security investments by return.

Priority 1: Chain-breaking quick wins
Investment type: GPO changes, protocol disabling, permission revocations, password rotations: fixes that break demonstrated attack chains at zero or minimal cost.
Typical cost: £0–5,000. Often zero, because these are configuration changes, not procurement.
Expected return: Highest ROI in the programme. Each quick win breaks a demonstrated path to sensitive data. Implemented this week. Validated by retest.

Priority 2: Detection improvements
Investment type: SIEM rules for specific techniques, EDR tuning, SOC process improvements, purple team sessions to validate and expand coverage.
Typical cost: £10,000–50,000 per year depending on scope and frequency.
Expected return: High ROI. Detection doesn't prevent compromise but limits dwell time, the period during which the attacker operates undetected. Reducing dwell time from days to hours dramatically reduces the impact of any breach.

Priority 3: Identity and access hardening
Investment type: MFA deployment, gMSA adoption, privileged access management, conditional access policies, tiered administration model.
Typical cost: £20,000–80,000 depending on scope and existing infrastructure.
Expected return: High ROI. Identity weaknesses (weak service-account passwords, missing MFA, excessive privilege) are the most common entry and escalation points in the attack chains pen tests report. Hardening the identity architecture addresses the entry point for most attack chains.

Priority 4: Architectural improvements
Investment type: Network segmentation, zero trust implementation, application tier redesign, privileged access workstations, management network isolation.
Typical cost: £50,000–250,000+ depending on scope and environment complexity.
Expected return: Highest long-term value but highest cost. Architectural improvements prevent categories of attack rather than individual techniques. Present as phased programmes with interim compensating controls.

Priority 5: Capability building
Investment type: SOC maturity, red team/purple team programmes, security architecture function, threat intelligence, security culture and awareness.
Typical cost: £30,000–100,000+ per year, ongoing.
Expected return: Compounding returns over time. Capabilities improve across engagements, and each year's investment builds on the previous year's. The most mature organisations invest here because the foundational controls are already in place.

Using pen test evidence to drive intelligent investment.

Read the Attack Chains Before the Budget Meeting
The attack chains in the pen test report are investment maps. Each chain shows the path to a business-critical asset and the cost to break it at each point. Before the budget meeting, map every chain to its cheapest break point and present the phased investment plan: immediate quick wins, short-term remediations, and strategic projects.
Quantify the Cost of Not Investing
For each attack chain, estimate the impact of a successful exploitation: regulatory fines (ICO enforcement under UK GDPR), operational disruption, customer notification costs, reputational damage and the insurance excess. Compare this to the cost of breaking the chain. The ratio is the investment case, and it's almost always heavily in favour of remediation.
Present Phased Options, Not Single Numbers
A £200,000 investment request is easy to defer. A three-phase plan — £0 this week (quick wins), £15,000 this quarter (detection and MFA), £120,000 next financial year (segmentation) — is harder to reject because the first two phases are small, immediate, and demonstrably high-ROI. Each phase builds the case for the next.
Show the Return on Previous Investment
Before requesting new investment, demonstrate the return on the previous year's spend. "Last year's £45,000 investment in MFA and detection rules reduced recurring findings from 14 to 3 and increased detection rate from 0% to 44%. This year's request continues that trajectory." Evidence of return makes new investment easier to approve.
Use the Pen Test as the Annual Investment Review
Time the pen test to feed directly into the annual budget cycle. If the budget is set in Q1, commission the pen test in Q4 of the previous year. The report arrives in time to inform the budget — attack chains map to investment priorities, effort estimates map to budget line items, and the board receives an evidence-based investment case rather than a wish list.

The bottom line.

Security investment decisions should be driven by demonstrated risk, not by headlines, vendor marketing, or the last breach that made the news. The pen test report contains the evidence: specific attack paths to specific business-critical assets, with specific costs to break them at each point. That evidence, translated into investment language — cost, return, risk, alternatives — gives the board the information it needs to make intelligent funding decisions.

The highest-ROI investments are almost always the cheapest: the GPO changes, the permission revocations, and the protocol disabling that break demonstrated attack chains at zero cost. The next tier — detection improvements and identity hardening — provides high return at moderate cost. The strategic investments — segmentation, zero trust, architectural redesign — provide the highest long-term value but require the most funding and time. A phased plan, presented with pen test evidence, makes each tier fundable on its own merits.

The pen test report isn't a compliance artefact. It's an investment prioritisation tool. The organisation that reads it as one makes better security investment decisions than the organisation that reads the news.


Pen test reports with attack chain analysis, effort-to-impact estimates, and phased investment roadmaps.

Our reports are designed to be read by the CISO and presented to the board — with chain-based prioritisation, cost estimates for every remediation, and longitudinal metrics that demonstrate return on previous investment. Because the best security budget is the one built on evidence.