> s/Kerberoasting/complete access to all customer data/g_
A penetration test identifies that LLMNR poisoning, combined with a Kerberoastable service account and a misconfigured Backup Operators group membership, creates a path to Domain Admin in under four hours. The finding is technically accurate, thoroughly evidenced, and correctly rated as critical. It's an excellent piece of security analysis.
The CISO presents it to the board. The slide reads: "Critical: Kerberoasting of svc_backup service account (T1558.003) via LLMNR poisoning (T1557.001) enabled NTDS.dit extraction and complete AD compromise. CVSS 9.1." The board nods politely. The CFO asks what it costs to fix. The CISO says "it's complex." The board moves to the next agenda item. Nothing is funded. Nothing changes.
The same finding, translated: "An attacker who plugs a laptop into any network port in any of our offices — a meeting room, a hot desk, a printer port — can access every customer record, every employee's email, every financial document, and the credentials of every user in the organisation within four hours. Our security monitoring systems will not detect this happening. The fix involves three configuration changes that can be implemented in two weeks at negligible cost." The board approves the remediation before the CISO finishes the sentence.
The technical finding was identical. The business translation changed the outcome. This is the translation problem — and it's where most pen test reports fail their most important audience.
Boards don't manage vulnerabilities. They manage risk — financial, regulatory, operational, and reputational. A pen test finding that isn't expressed in these terms doesn't register as a business decision. It registers as a technical problem that the IT department should handle. The translation from technical finding to business risk is what elevates a pen test from an IT exercise to a board-level input.
The security industry has developed sophisticated frameworks for quantifying vulnerability severity — CVSS, DREAD, risk matrices. These frameworks are useful for security professionals triaging remediation. They are useless for communicating risk to a board.
| What the Report Says | What the Board Hears | What the Board Needs to Hear |
|---|---|---|
| "CVSS 9.1 — Critical" | "It's a big number. Is 9.1 bad? Out of what? Is 7 also bad? How bad is 5?" | "This vulnerability, if exploited, would give an attacker unrestricted access to our customer database — 340,000 records including personal and financial data." |
| "Kerberoasting via svc_backup" | "I don't know what any of those words mean. This sounds like an IT problem." | "A system account used for backups has a weak password that can be cracked in seconds. This account has permission to read every file on the domain controller — which stores the credentials of every user in the organisation." |
| "LLMNR poisoning enables credential capture" | "Something about the network. Presumably the IT team can fix it." | "Anyone who connects a device to our office network — a visitor, a contractor, a malicious insider — can silently capture employees' login credentials without interacting with any system. This works in any office, from any network port, and takes less than two minutes." |
| "Missing SMB signing allows relay attacks" | "I have no frame of reference for this. Next slide." | "A network configuration means that an attacker who captures one employee's credentials can instantly impersonate them to other systems — without needing to crack their password. This bypasses password complexity requirements entirely." |
| "External forwarding rules not restricted on M365" | "Something about email settings." | "If any employee's email account is compromised, the attacker can create a rule that silently forwards every email that employee receives — including confidential client communications, financial data, and legal privileged material — to an external address. We currently have no control preventing this, and no alert that detects it." |
The technical description is precise and correct. It's also incomprehensible to anyone without security expertise. The board doesn't lack intelligence — they lack context. CVSS scores assume the reader understands the scoring methodology. MITRE ATT&CK technique IDs assume familiarity with the framework. Technical terminology assumes a shared vocabulary that doesn't exist outside the security team.
Boards assess risk across four dimensions: financial, regulatory, operational, and reputational. Every pen test finding can — and should — be expressed in at least one of these dimensions. The translation doesn't change the finding. It changes the frame.
| Risk Dimension | The Board's Question | How to Express It |
|---|---|---|
| Financial | "How much could this cost us?" | Quantify the exposure: cost of breach notification (£-per-record estimates from industry benchmarks), potential regulatory fines (percentage of turnover under UK GDPR), cost of incident response and forensics, cost of business disruption, and potential litigation from affected customers. A finding that "exposes 340,000 customer records" becomes a finding with a quantifiable financial impact range. |
| Regulatory | "Could this trigger a regulatory investigation or fine?" | Map the finding to the applicable regulation: UK GDPR (personal data exposure), PCI DSS (cardholder data), FCA rules (financial services), NIS2 (essential services). State the potential consequence: ICO investigation, enforcement notice, fine of up to £17.5m or 4% of global turnover. A technical finding becomes a compliance finding the legal director understands. |
| Operational | "Could this disrupt our ability to operate?" | Describe the operational consequence: if an attacker achieves Domain Admin, they can encrypt every system in the organisation simultaneously (ransomware). Recovery time from a domain-level ransomware event is typically measured in weeks, not days. What is the cost per day of complete operational shutdown? How long would it take to rebuild Active Directory from scratch? |
| Reputational | "Could this damage our brand, our client relationships, or our market position?" | Describe the reputational consequence: a data breach involving customer records triggers mandatory notification to every affected individual. Media coverage. Client attrition. Loss of competitive tenders where security posture is evaluated. For professional services firms, reputational damage often exceeds the direct financial cost of the breach. |
A finding expressed across all four dimensions stops being "an IT problem" and becomes "a business risk." Business risks get board attention, budget allocation, and executive sponsorship. IT problems get delegated to the IT manager and added to the backlog.
To illustrate the translation in practice, here's a single critical finding — the Kerberoasting-to-Domain-Admin chain — expressed for each of the three audiences that a pen test report serves.
One finding. Three expressions. The board sees financial exposure, regulatory risk, and the cost of remediation — enabling a funding decision in minutes. The CISO sees the attack chain, the break points, the detection gaps, and the comparison to the prior engagement — enabling strategic prioritisation. The IT team sees the exact Group Policy path, the PowerShell commands, and the verification steps — enabling implementation without further research.
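The IT-team view described above, as an added example rather than anything from the original report or article: a PowerShell verification script covering the three configuration points behind the Kerberoasting-to-Domain-Admin chain (LLMNR, SMB signing, and the exposure of SPN-bearing service accounts such as the article's svc_backup, including Backup Operators membership). It assumes the ActiveDirectory and SmbShare modules are installed and that it is run as an ordinary domain user on a domain-joined Windows host; the function names and the GPO paths in the comments are the standard ones, but the script itself is illustrative.

```powershell
# Added verification script (not from the original article). Assumes the ActiveDirectory
# and SmbShare modules are available and the script runs on a domain-joined host.
Import-Module ActiveDirectory

function Test-LlmnrDisabled {
    # GPO: Computer Configuration > Administrative Templates > Network > DNS Client >
    # "Turn off multicast name resolution" = Enabled  (writes EnableMulticast = 0)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $val = (Get-ItemProperty -Path $key -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    [pscustomobject]@{ Check = 'LLMNR disabled'; Pass = ($val -eq 0); Detail = "EnableMulticast=$val" }
}

function Test-SmbSigningRequired {
    # GPO: Security Settings > Local Policies > Security Options >
    # "Microsoft network server: Digitally sign communications (always)" and the matching client setting
    $srv = (Get-SmbServerConfiguration).RequireSecuritySignature
    $cli = (Get-SmbClientConfiguration).RequireSecuritySignature
    [pscustomobject]@{ Check = 'SMB signing required'; Pass = ($srv -and $cli); Detail = "Server=$srv Client=$cli" }
}

function Get-KerberoastableAccount {
    # Any user account with an SPN can have a service ticket issued for it. The risk comes from
    # an old or weak password, RC4 still being allowed, and privileged group membership.
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
               -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', MemberOf |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object {
            $enc = $_.'msDS-SupportedEncryptionTypes'
            # 0x8 = AES128, 0x10 = AES256, 0x4 = RC4. Null or 0 means the account takes the domain
            # default, which on many domains still permits RC4, so treat it as not AES-only.
            $aesOnly = (($enc -band 0x18) -ne 0) -and (($enc -band 0x4) -eq 0)
            [pscustomobject]@{
                Account          = $_.SamAccountName
                PasswordAgeDays  = if ($_.PasswordLastSet) { [int](New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).TotalDays } else { $null }
                AesOnly          = $aesOnly
                PrivilegedGroups = ($_.MemberOf | Where-Object { $_ -match 'Backup Operators|Domain Admins|Administrators' }) -join '; '
            }
        }
}

function Get-BackupOperatorsMembership {
    # The chain relied on a service account sitting in Backup Operators, which can read NTDS.dit.
    # Ideally this group is empty or holds only dedicated, reviewed accounts; -Recursive catches nesting.
    Get-ADGroupMember -Identity 'Backup Operators' -Recursive | Select-Object SamAccountName, objectClass
}

# Run all four checks; anything with Pass = False, a high PasswordAgeDays, AesOnly = False,
# or an unexpected Backup Operators member is a remediation item for the IT team.
Test-LlmnrDisabled
Test-SmbSigningRequired
Get-KerberoastableAccount | Format-Table -AutoSize
Get-BackupOperatorsMembership
```

The LLMNR and SMB checks read the host the script runs on, so they confirm that the Group Policy has actually applied rather than that it exists; run them on a sample of workstations and servers, not only on a domain controller. The encryption-type test is conservative on purpose: an account with no value set is reported as not AES-only because the domain default decides what ticket type it gets.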
Boards make investment decisions by comparing cost of action against cost of inaction. A pen test finding that presents only the cost of remediation ("£3,000 in staff time") without the cost of inaction ("£4.8m–£12m in breach costs") leaves the board without the comparison they need to make a decision.
| Finding | Cost of Remediation | Cost of Inaction |
|---|---|---|
| Kerberoasting → DA chain | ~£3,000 in staff time. Three GPO changes. Two weeks. No vendor, no hardware, no licensing. | 340,000 customer records exposed. ICO notification. Potential fine up to £2.8m. Mandatory individual notification. Forensic investigation: £150k–£400k. Operational disruption: 3–6 weeks. Reputational damage: unquantifiable. |
| Unrestricted email forwarding | ~£500. Single Exchange Online transport rule. 30 minutes to implement. | Any compromised account can silently exfiltrate all email to an external address. Average BEC loss in UK: £138,000 per incident (City of London Police, 2024). Legal privilege potentially waived if client communications are exfiltrated. |
| No MFA on VPN | ~£8 per user per month for MFA licensing. Implementation: 2–4 weeks for 300 users. | Credential stuffing attack using breach database credentials provides direct internal network access from the internet. Bypasses the entire perimeter. Equivalent to handing the attacker a VPN client with valid credentials. |
| 11 Global Admins (recommended 2–4) | £0. Reduce to 4 dedicated admin accounts. 2 hours of AD work. Use PIM for just-in-time elevation. | Any compromised Global Admin account provides complete control of M365: every mailbox, every SharePoint site, every Teams channel, every OneDrive. 11 accounts means 11 attack targets instead of 4. |
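The "unrestricted email forwarding" row above describes a single transport rule as the fix. As an added example, not code from the original article or from any vendor, here is the Exchange Online posture check, the enforcement step, and the detection of forwarding a compromised account may already have configured. It assumes the ExchangeOnlineManagement module and an account holding the Exchange Administrator role; the rule name and rejection text are placeholders chosen for this example.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement module
# and an Exchange Administrator account. Rule name and reject text are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

function Get-ExternalForwardingPosture {
    # Three tenant-level settings govern automatic external forwarding.
    $spam   = Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
    $remote = Get-RemoteDomain Default | Select-Object Name, AutoForwardEnabled
    $rule   = Get-TransportRule | Where-Object {
        $_.MessageTypeMatches -eq 'AutoForward' -and $_.SentToScope -eq 'NotInOrganization'
    }
    [pscustomobject]@{
        OutboundSpamAutoForwarding     = ($spam | ForEach-Object { "$($_.Name)=$($_.AutoForwardingMode)" }) -join '; '
        DefaultRemoteDomainAutoForward = $remote.AutoForwardEnabled
        BlockingTransportRule          = [bool]$rule
    }
}

function Set-ExternalForwardingBlocked {
    # Belt and braces: turn auto-forwarding off in the outbound spam policy, deny it for the
    # default remote domain, and add a transport rule that rejects auto-forwarded mail leaving
    # the organisation. The rejection produces an NDR, which is itself a useful triage signal.
    Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
    Set-RemoteDomain Default -AutoForwardEnabled $false
    if (-not (Get-TransportRule -Identity 'Block external auto-forward' -ErrorAction SilentlyContinue)) {
        New-TransportRule -Name 'Block external auto-forward' `
            -FromScope InOrganization -SentToScope NotInOrganization `
            -MessageTypeMatches AutoForward `
            -RejectMessageReasonText 'Automatic forwarding to external addresses is not permitted.'
    }
}

function Get-ExistingExternalForwarding {
    # Detection: forwarding already in place, either as a mailbox setting (ForwardingSmtpAddress /
    # ForwardingAddress) or as an inbox rule using ForwardTo, ForwardAsAttachmentTo or RedirectTo.
    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
        if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Source  = 'MailboxSetting'
                Target  = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
            }
        }
        Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress
                    Source  = "InboxRule:$($_.Name)"
                    Target  = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join ', '
                }
            }
    }
}

Get-ExternalForwardingPosture
Get-ExistingExternalForwarding | Format-Table -AutoSize
# Run Set-ExternalForwardingBlocked once the posture output and existing-forwarding list have been reviewed.
```

Review the existing-forwarding list before enforcing: legitimate forwards (a shared mailbox to a ticketing system, for instance) need an explicit exception or a move to a supported integration, and any forward to an unknown external address is an incident, not a cleanup item.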
When the cost of remediation is £3,000 and the cost of inaction is measured in millions, the board's decision is self-evident. But they can only make that decision if the report provides both numbers. A finding that says "Critical — CVSS 9.1 — remediate immediately" doesn't give the board a comparison. A finding that says "£3,000 to fix, £4.8m–£12m if exploited" does.
Even the best-written pen test report requires a translator — and that translator is typically the CISO or security manager. The provider writes the report. The CISO presents it. The quality of the translation at this stage determines whether the board acts.
| What the CISO Should Do | What Often Happens Instead |
|---|---|
| Extract the three most critical findings and present them as business risks with financial impact ranges. "If I could have ten minutes of board time, these are the three things that keep me awake at night and here's what they would cost us." | Present the full report's executive summary verbatim — which was written by the tester, not by the CISO, and may not match the board's priorities or vocabulary. |
| Frame remediation as an investment decision with a clear return: "£3,000 now eliminates a £4.8m–£12m exposure. Here's the business case." | Request budget without quantifying the risk: "We need to address the critical findings from the pen test." The board asks "how much?" and "why?" and the conversation stalls. |
| Show progress over time: "Last year, we achieved 0% detection. This year, 64%. Here's what we invested and here's the measurable return." | Present each engagement in isolation, without comparison to previous results. The board has no way to assess whether the security programme is improving or stagnating. |
| Acknowledge what's working: "The external perimeter is strong. Our web applications are well-written. The investment in endpoint protection has reduced our exposure in these specific areas." — before presenting what needs attention. | Lead with the bad news exclusively. The board concludes that all prior security investment was wasted, becomes sceptical of further requests, and asks why the last three years of spending didn't prevent these findings. |
The CISO's translation is the final mile of the pen test's value chain. A brilliant test, an excellent report, and a poor board presentation still result in no action. The translation must be complete — from the tester's technical analysis, through the report's structured communication, to the CISO's boardroom narrative.
A pen test finding has no inherent business value until it's translated into the language of business risk. "Kerberoasting achieved Domain Admin" is a technical fact. "An attacker can access every customer record in the organisation within four hours and our monitoring won't detect it" is a business risk. "The fix costs £3,000 and the exposure is £4.8m–£12m" is an investment decision. The translation is what makes the finding actionable at the level where budgets are approved and priorities are set.
The translation has three stages: the provider expresses findings in business terms within the report, the CISO contextualises the findings for the specific organisation, and the board presentation frames the remediation as an investment decision with quantifiable returns. If any stage fails — if the report is pure jargon, if the CISO presents it verbatim, if the board receives numbers without context — the finding doesn't translate. And findings that don't translate don't get fixed.
Boards don't manage vulnerabilities. They manage risk. A pen test report that speaks the language of risk — financial exposure, regulatory liability, operational disruption, reputational damage — gets attention, gets budget, and gets results. A pen test report that speaks the language of CVSS scores and ATT&CK technique IDs gets filed.
Our pen test reports include business impact analysis, cost-of-inaction estimates, and executive summaries written for non-technical decision-makers — because a finding that doesn't reach the board doesn't reach the budget.