
Executive summary

The executive summary defines the goals of the penetration test and gives a very high-level overview of the findings. Because the audience of the executive summary is usually the business decision-makers, you need to communicate at their level. To do that, the executive summary may contain the following sections:

  • Background: In the background section, you explain the purpose of the penetration test.
  • Overall posture: Here, you state how effective the penetration test was in relation to the goals defined during the pre-engagement phase.
  • Risk ranking: This defines the overall risk rating that the business currently sits at. For example, the business might be at an extreme, high, moderate, or low risk. You have to explain this rating so that it is clear to the business why they fall into that risk rank.
  • General findings: This section provides a brief summary of the issues identified during the penetration test. Charts that highlight security risk categories, for example missing patches and operating system hardening, are often found here.
  • Recommendation summary: This outlines, at a high level, the tasks that should be performed to remediate the findings. Do not go into detail here, as details are covered in the technical report.
  • Strategic roadmap: This provides the business with an actionable roadmap to remediate the findings. The roadmap must be prioritized and must be in line with the business-level potential impact. It can be broken down into parts, such as 1 to 3-month, 3 to 6-month, and 6 to 12-month plans, with actions defined within each part; for example, within the 1 to 3-month plan, the business should address missing patches that are low-impact.