8.2 Executive Summary Writing
What you're building: A one-page document that a CISO can read in 5 minutes, understand fully, and use to make a budget decision. No jargon. No technical detail. Pure business risk.
Communicate engagement outcomes to non-technical stakeholders clearly and persuasively. The executive summary is often the only section the decision-makers will read.
Technique: High-Level Risk Communication — translate technical findings into business consequences.
Tools/Templates: Risk Heat Map, One-page summary template
Procedure:
# Executive Summary
## 1. Engagement Overview
[1 paragraph, 3 sentences max. State the scope, dates, and primary goal.
Example: "During November 2025, [Firm] conducted a 10-day internal red team assessment
against Contoso's corporate network (in-scope: all hosts in 10.0.0.0/8). The objective
was to simulate a post-phishing internal attacker achieving domain compromise."]
## 2. Overall Risk Rating: [Critical / High / Medium / Low]
[One sentence. Example: "Contoso's internal environment presents a **Critical** risk
posture — a motivated attacker with internal network access could achieve full
Active Directory compromise within 4 hours."]
## 3. Key Findings (3–5 bullets, business language only)
- **Full Domain Compromise Achieved:** Credential theft from a shared service account
allowed escalation to Domain Admin, providing access to all 2,400 internal systems.
- **Sensitive Data Unprotected:** The finance database was accessible without authentication
from any internal host, exposing 8 years of transaction records.
- **No Detection During 10-Day Engagement:** Contoso's SOC received zero alerts during
the assessment, indicating significant gaps in detection coverage.
## 4. Strategic Recommendations (top 3–5)
- Require authentication on the finance database and restrict network access to it so that only approved application servers can reach it.
- Conduct an immediate audit of service account privileges and remove stale accounts.
- Deploy endpoint detection capabilities on all workstations and servers.
## 5. Risk Heat Map
| Severity | Count | Examples |
|---|---|---|
| Critical | 2 | Domain compromise, unprotected finance DB |
| High | 5 | Credential interception on the internal network, certificate-service misconfiguration, password theft via offline cracking |
| Medium | 8 | Missing integrity protection on file-sharing traffic, legacy protocols still in use |
| Low | 12 | Information disclosure in service banners and error messages |
Language & Tone Guidelines
- Avoid Jargon: Use "unauthorized access" instead of "RCE" or "LFI". Use "password theft" instead of "Kerberoasting". Use "impersonated a domain admin" instead of "performed Pass-the-Hash".
- Focus on Business Risk: Talk about data breaches, regulatory fines (GDPR, HIPAA), reputational damage, and operational disruption.
- Be Concise: If it doesn't fit on one page, it's too long.
- Action-Oriented: Every risk statement should have a matching recommendation.
- No Dates in Titles: Executives forward reports — don't make it look stale with a specific engagement year in the title.
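Most of the guidelines above can be checked mechanically before the summary goes out. The script below is an added example, not part of the original page or any firm's tooling: it builds the severity table in section 5 from a findings list, rewrites jargon into the plain-language equivalents listed above (the entries beyond the four from the guideline list are assumed phrasings), flags any Critical or High finding with no matching strategic recommendation, and warns when the draft exceeds an assumed one-page budget of 450 words. The `Finding` class, the recommendation tags and the sample findings are constructed for the demonstration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Heat-map row order, most severe first.
SEVERITIES = ("Critical", "High", "Medium", "Low")

# Jargon -> plain language. The first four entries mirror the guideline list on
# this page; the rest are assumed phrasings chosen for this example.
JARGON = {
    "rce": "unauthorized access",
    "lfi": "unauthorized access",
    "kerberoasting": "password theft",
    "pass-the-hash": "impersonation of a domain administrator",
    "as-rep roasting": "password theft",
    "llmnr poisoning": "credential interception on the internal network",
    "adcs esc1": "certificate-service misconfiguration",
    "smb signing disabled": "missing integrity protection on file-sharing traffic",
}


def _pattern(term):
    # Whole-word, case-insensitive match so "rce" does not hit "source".
    return re.compile(r"\b" + re.escape(term) + r"\b", re.IGNORECASE)


@dataclass
class Finding:
    title: str                            # technical title from the findings section
    severity: str                         # one of SEVERITIES
    recommendation: Optional[str] = None  # tag of the strategic recommendation it maps to


def plain_language(text):
    """Replace every jargon term in text with its plain-language equivalent."""
    for term, replacement in JARGON.items():
        text = _pattern(term).sub(replacement, text)
    return text


def find_jargon(text):
    """Return the jargon terms that still appear in text, sorted."""
    return sorted(term for term in JARGON if _pattern(term).search(text))


def heat_map(findings, examples_per_row=3):
    """Count findings per severity and pick up to examples_per_row plain-language examples."""
    counts = Counter(f.severity for f in findings)
    rows = []
    for sev in SEVERITIES:
        examples = [plain_language(f.title) for f in findings if f.severity == sev]
        rows.append((sev, counts.get(sev, 0), ", ".join(examples[:examples_per_row])))
    return rows


def render_heat_map(rows):
    """Render heat_map() rows as the markdown table used in the template above."""
    lines = ["| Severity | Count | Examples |", "|---|---|---|"]
    lines += [f"| {sev} | {count} | {examples} |" for sev, count, examples in rows]
    return "\n".join(lines)


def lint(findings, recommendations, summary_text, word_limit=450):
    """Check a draft summary against the guidelines: every Critical/High risk has
    a matching recommendation, no jargon remains, and the text fits one page
    (word_limit is an assumption, roughly one page of body text)."""
    issues = []
    for f in findings:
        if f.severity in ("Critical", "High") and f.recommendation not in recommendations:
            issues.append(f"unmatched risk: '{f.title}' has no strategic recommendation")
    for term in find_jargon(summary_text):
        issues.append(f"jargon: replace '{term}' with '{JARGON[term]}'")
    words = len(summary_text.split())
    if words > word_limit:
        issues.append(f"too long: {words} words exceeds {word_limit}")
    return issues


# Constructed sample data for demonstration; not from any real engagement.
SAMPLE_FINDINGS = [
    Finding("Domain compromise via shared service account", "Critical", "service-accounts"),
    Finding("Finance database accessible without authentication", "Critical", "finance-db"),
    Finding("LLMNR poisoning", "High", "endpoint-detection"),
    Finding("ADCS ESC1", "High", "service-accounts"),
    Finding("AS-REP roasting", "High"),  # deliberately left without a recommendation
    Finding("SMB signing disabled", "Medium", "endpoint-detection"),
    Finding("Information disclosure in HTTP headers", "Low"),
]
SAMPLE_RECOMMENDATIONS = {"service-accounts", "finance-db", "endpoint-detection"}
SAMPLE_SUMMARY = (
    "A motivated attacker with internal network access could achieve full Active "
    "Directory compromise within 4 hours. Kerberoasting of a shared service account "
    "led to Domain Admin access across all 2,400 internal systems."
)

if __name__ == "__main__":
    print(render_heat_map(heat_map(SAMPLE_FINDINGS)))
    for issue in lint(SAMPLE_FINDINGS, SAMPLE_RECOMMENDATIONS, SAMPLE_SUMMARY):
        print("-", issue)
```

Run on the sample data, the script prints the four-row table and two lint findings: the AS-REP roasting item has no recommendation behind it, and "Kerberoasting" in the draft text should become "password theft". The whole-word matching matters: a naive substring check for "rce" would flag every occurrence of "source" or "force" in the draft.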
NOTE: The executive summary is often the only part of the report read by leadership. Keep it jargon-free and focused on business risk. Write it last — after you know all the findings — but put it first in the document.