A penetration test report lands on your desk. Forty pages of findings, CVSS scores, and technical jargon. Your account manager forwards it with a note: “Customer just got their pen test results back. They want to talk.”

This is one of the highest-value moments in the pre-sales cycle. A pen test report is not just a security document — it is a prioritized list of problems that your solutions can solve, validated by an independent third party. The question is whether you can translate technical findings into a business conversation that drives action.

This guide walks through the anatomy of a pen test report, how to map findings to solutions, and how to build a remediation roadmap that positions you as a trusted advisor rather than an opportunistic vendor.


Anatomy of a Pen Test Report

Before you can translate a report into a sales opportunity, you need to understand what you are reading. Most pen test reports follow a standard structure, though formatting varies by testing firm.

Executive Summary

The executive summary is written for non-technical stakeholders — CISOs, CFOs, and board members. It typically includes:

  • Overall risk rating (Critical, High, Medium, Low)
  • Scope of the engagement (what was tested and what was excluded)
  • Key findings summarized in business language
  • Top recommendations prioritized by risk

This is the section your account manager should read first. It tells you how severe the findings are and what the customer’s leadership will be focused on.

Methodology

The methodology section describes how the test was conducted:

  • Type of test: Black box (no prior knowledge), gray box (limited credentials), or white box (full access and documentation)
  • Scope: External perimeter, internal network, web applications, wireless, social engineering, or a combination
  • Tools and frameworks: Common references include OWASP Testing Guide, PTES (Penetration Testing Execution Standard), and NIST SP 800-115
  • Duration: How many days the testers spent and any time constraints
  • Rules of engagement: What was off-limits (production databases, DoS testing, physical access)

Understanding the methodology matters because it tells you what was NOT tested. If the pen test only covered the external perimeter, internal network vulnerabilities remain unknown — and that is a conversation worth having.

Findings

The findings section is the core of the report. Each finding typically includes:

  • Title: A descriptive name (e.g., “SQL Injection in Customer Portal Login”)
  • Description: What the vulnerability is and why it matters
  • Affected systems: IP addresses, hostnames, URLs, or application names
  • Proof of exploit: Screenshots, command output, or data samples demonstrating the vulnerability was successfully exploited
  • Risk rating: Usually a CVSS base score (v3.1, increasingly v4.0) with a qualitative label (Critical, High, Medium, Low, Informational). A good report includes the full vector string, not only the number, so the score can be reproduced and challenged
  • Remediation recommendation: The tester’s suggested fix

Risk Rating Matrix

Most reports use the Common Vulnerability Scoring System (CVSS) to rate findings:

CVSS score    Severity        Typical meaning
9.0 - 10.0    Critical        Immediate exploitation possible, full system compromise likely
7.0 - 8.9     High            Significant risk, exploitation feasible with moderate effort
4.0 - 6.9     Medium          Moderate risk, exploitation requires specific conditions
0.1 - 3.9     Low             Limited risk, exploitation difficult or impact minimal
0.0           Informational   Best practice recommendation, no direct exploit path (the CVSS specification itself labels 0.0 as "None")

Some testing firms also map findings to NIST CSF categories, MITRE ATT&CK techniques, or CIS Controls. If the report includes these mappings, they are valuable for connecting findings to compliance requirements.


Mapping Findings to Solutions

This is where the SE adds value. The customer has a list of problems. Your job is to show them how each problem category maps to a solution domain — and how your specific product addresses it.

[Figure: mapping diagram connecting pen test finding categories to solution domains]

Finding Category: Critical Unpatched Vulnerabilities

What the report says: Systems running outdated software with known CVEs. Missing security patches on servers, workstations, or network devices. End-of-life operating systems still in production.

The underlying gap: The organization lacks a systematic vulnerability management and patch management program. They are either unaware of their exposure or unable to patch at scale.

Solution mapping:

  • Vulnerability management platform (continuous scanning and prioritization)
  • Patch management automation (OS and third-party application patching)
  • Asset inventory and lifecycle management (identifying EOL systems)

NIST CSF alignment: Identify (ID.RA - Risk Assessment), Protect (PR.IP - Information Protection Processes). Category identifiers here and below follow CSF 1.1; CSF 2.0 renames PR.AC to PR.AA and moves most of PR.IP under PR.PS (Platform Security), so check which version the report uses before quoting identifiers back to the customer

Finding Category: Lateral Movement

What the report says: Tester gained access to one system and moved to others without detection. Flat network architecture with no segmentation. Unrestricted SMB, RDP, or SSH access between subnets.

The underlying gap: No network segmentation, no east-west traffic inspection, and no behavioral detection for internal movement. Once inside, an attacker can reach everything.

Solution mapping:

  • Network Access Control (NAC) for device profiling and segmentation enforcement
  • Microsegmentation (software-defined segmentation at the workload level)
  • Network Detection and Response (NDR) for east-west traffic analysis
  • SIEM/SOAR for correlation and automated response

NIST CSF alignment: Protect (PR.AC - Access Control), Detect (DE.CM - Continuous Monitoring)

Finding Category: Credential and Identity Issues

What the report says: Weak passwords, password reuse across systems, lack of MFA on critical systems, overprivileged service accounts, cleartext credentials in scripts or configuration files, successful Kerberoasting or pass-the-hash attacks.

The underlying gap: Identity hygiene is poor. The organization treats identity as an IT convenience rather than a security control. Privileged access is not managed, monitored, or rotated.

Solution mapping:

  • Privileged Access Management (PAM) for service account and admin credential management
  • Multi-Factor Authentication (MFA) across all critical systems and VPN
  • Identity Governance and Administration (IGA) for access reviews and least privilege
  • Active Directory security monitoring for Kerberos and NTLM attack detection

NIST CSF alignment: Protect (PR.AC - Access Control, PR.AT - Awareness and Training)

Finding Category: Web Application Vulnerabilities

What the report says: SQL injection, cross-site scripting (XSS), insecure direct object references (IDOR), broken authentication, server-side request forgery (SSRF), or API security issues.

The underlying gap: Applications are deployed without adequate security testing in the development pipeline. Often there is no WAF in front of public-facing applications, and secure coding practices are not enforced.

Solution mapping:

  • Web Application Firewall (WAF) for runtime protection (a compensating control that buys time while the code is fixed, not a substitute for the fix)
  • Dynamic Application Security Testing (DAST) for continuous scanning
  • Static Application Security Testing (SAST) integrated into CI/CD pipelines
  • API security gateway for API-specific protections

NIST CSF alignment: Protect (PR.DS - Data Security), Detect (DE.CM - Continuous Monitoring)

Finding Category: Configuration and Hardening Issues

What the report says: Default credentials on network devices, unnecessary services running, overly permissive firewall rules, missing encryption on sensitive data at rest or in transit, insecure protocol usage (Telnet, FTP, SNMPv1/v2c).

The underlying gap: Systems are deployed without security hardening baselines. There is no configuration management or compliance monitoring to detect drift from secure configurations.

Solution mapping:

  • Configuration compliance and hardening automation
  • Cloud Security Posture Management (CSPM) for cloud environments
  • Encryption solutions for data at rest and in transit
  • Network device management platforms with compliance baselining

NIST CSF alignment: Protect (PR.IP - Information Protection Processes, PR.DS - Data Security)


Building the Remediation Roadmap

A list of findings is overwhelming. A roadmap is actionable. This is where you transition from “here are your problems” to “here is how we solve them together.”

[Figure: three-phase remediation roadmap from quick wins to foundation to maturity over 180 days]

Step 1: Prioritize by Business Risk, Not Just CVSS

CVSS scores measure technical severity, but business risk depends on context. A Critical-rated vulnerability on an isolated test server is less urgent than a High-rated vulnerability on a production database containing customer PII.

Work with the customer to rank findings using this matrix:

Factor                 Weight   Questions to ask
Data sensitivity       High     Does this system store PII, PHI, financial data, or IP?
Business criticality   High     What is the revenue impact if this system goes down?
Exposure               Medium   Is this internet-facing, internal only, or air-gapped?
Exploitability         Medium   Does a public exploit exist? Is it trivial to execute?
Compliance impact      Medium   Does this finding create a compliance violation?
Remediation effort     Low      How difficult is the fix: config change vs. architecture redesign?

Step 2: Group into Remediation Phases

Organize findings into three phases based on priority and effort:

Phase 1 — Immediate (0-30 days): Critical and high-severity findings on internet-facing or business-critical systems. These are the findings that could lead to a breach tomorrow. Typically includes patching critical CVEs, disabling default credentials, and enabling MFA on administrative access.

Phase 2 — Short-term (30-90 days): High and medium-severity findings that require more planning. Network segmentation projects, PAM deployment, and WAF implementation typically fall here. These require procurement, design, and staged deployment.

Phase 3 — Strategic (90-180 days): Medium and low-severity findings plus architecture improvements. This is where long-term projects like microsegmentation, zero trust architecture, and security operations maturity live. These are multi-quarter initiatives.

Step 3: Map Solutions to Each Phase

For each phase, identify the specific solution that addresses the finding category:

PHASE 1 — Immediate (0-30 days)
├── Finding: Unpatched critical CVEs on 12 servers
│   └── Solution: Vulnerability management + emergency patching
├── Finding: Default credentials on 3 network switches  
│   └── Solution: Configuration hardening + credential rotation
└── Finding: No MFA on VPN gateway
    └── Solution: MFA deployment for remote access

PHASE 2 — Short-term (30-90 days)
├── Finding: Flat network, unrestricted lateral movement
│   └── Solution: NAC deployment + VLAN segmentation
├── Finding: 15 overprivileged service accounts
│   └── Solution: PAM platform for credential vaulting and rotation
└── Finding: SQL injection in customer portal
    └── Solution: WAF deployment + DAST scanning

PHASE 3 — Strategic (90-180 days)
├── Finding: No east-west traffic monitoring
│   └── Solution: NDR + microsegmentation
├── Finding: Insecure development practices
│   └── Solution: DevSecOps pipeline (SAST/DAST/SCA integration)
└── Finding: No centralized logging or correlation
    └── Solution: SIEM deployment + SOAR automation

Step 4: Attach Costs and Timelines

For each solution in the roadmap, provide:

  • License/subscription cost (annual or per-endpoint)
  • Implementation services estimate (professional services hours)
  • Internal resource requirements (customer staff needed)
  • Deployment timeline (weeks to production)
  • Expected risk reduction (qualitative or quantitative)

This transforms the remediation roadmap from a technical document into a budgetable project plan. The customer can take this directly to their CFO.
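Steps 1 through 3 above (rank by business risk, group into phases, map each phase to solutions) are mechanical enough to script once the customer has answered the matrix questions. The block below is an added example, not code from the original guide. It assumes a numeric mapping of the matrix weights (High=3, Medium=2, Low=1), a scoring formula that scales CVSS by the weighted context with a floor so that technical severity is never zeroed out, and a phase rule that follows the 0-30 / 30-90 / 90-180 day definitions; all three are assumptions, since the guide gives the weights but no arithmetic. The five findings are constructed and include the CVSS 9.0 isolated-server versus CVSS 7.5 cardholder-system case from Step 1.

```python
"""Rank pen test findings by business risk and group them into remediation phases."""
from dataclasses import dataclass

# Matrix weights: High=3, Medium=2, Low=1 (numeric values are an assumption).
WEIGHTS = {"data": 3, "criticality": 3, "exposure": 2,
           "exploitability": 2, "compliance": 2, "effort": 1}
MAX_CONTEXT = sum(WEIGHTS.values())

DATA = {"none": 0.0, "internal": 0.5, "regulated": 1.0}
CRIT = {"low": 0.0, "medium": 0.5, "high": 1.0}
EXPOSURE = {"air-gapped": 0.0, "internal": 0.5, "internet": 1.0}
EFFORT = {"high": 0.0, "medium": 0.5, "low": 1.0}   # cheap fixes rank slightly higher

# Finding category -> solution domains, condensed from the mapping section.
SOLUTIONS = {
    "vulnerability": ["vulnerability management platform", "patch automation"],
    "network": ["NAC / VLAN segmentation", "NDR for east-west traffic"],
    "identity": ["MFA", "PAM", "AD attack-path monitoring"],
    "webapp": ["WAF (interim)", "DAST in CI/CD", "SAST in CI/CD"],
    "config": ["configuration hardening baseline", "encryption in transit"],
}
PHASE_WINDOW = {1: "0-30 days", 2: "30-90 days", 3: "90-180 days"}


@dataclass
class Finding:
    title: str
    domain: str
    cvss: float
    data: str              # none | internal | regulated
    criticality: str       # low | medium | high
    exposure: str          # air-gapped | internal | internet
    trivial_exploit: bool  # public exploit exists or the attack is trivial
    compliance_impact: bool
    effort: str            # low | medium | high


def context_factor(f: Finding) -> float:
    """Weighted answers to the matrix questions, normalised to 0..1."""
    pts = (WEIGHTS["data"] * DATA[f.data]
           + WEIGHTS["criticality"] * CRIT[f.criticality]
           + WEIGHTS["exposure"] * EXPOSURE[f.exposure]
           + WEIGHTS["exploitability"] * (1.0 if f.trivial_exploit else 0.4)
           + WEIGHTS["compliance"] * (1.0 if f.compliance_impact else 0.0)
           + WEIGHTS["effort"] * EFFORT[f.effort])
    return pts / MAX_CONTEXT


def business_risk(f: Finding) -> float:
    """CVSS scaled by business context. The 0.2 floor (assumed) stops a
    Critical on a low-value host from collapsing to zero."""
    return round(f.cvss * (0.2 + 0.8 * context_factor(f)), 2)


def phase(f: Finding) -> int:
    """Phase 1: High/Critical on internet-facing or business-critical systems
    that can be fixed quickly. Phase 2: anything else High/Medium, or urgent
    findings whose fix needs design and procurement. Phase 3: the rest."""
    urgent = f.cvss >= 7.0 and (f.exposure == "internet" or f.criticality == "high")
    if urgent and f.effort == "low":
        return 1
    if urgent or f.cvss >= 4.0:
        return 2
    return 3


def build_roadmap(findings: list) -> dict:
    """Findings ranked by business risk, bucketed by phase, each with its
    solution mapping. An urgent finding that lands in Phase 2 because of
    effort is flagged so a compensating control can be placed in Phase 1."""
    roadmap = {1: [], 2: [], 3: []}
    for f in sorted(findings, key=business_risk, reverse=True):
        p = phase(f)
        urgent = f.cvss >= 7.0 and (f.exposure == "internet" or f.criticality == "high")
        roadmap[p].append({
            "finding": f.title, "cvss": f.cvss,
            "business_risk": business_risk(f),
            "solutions": SOLUTIONS[f.domain],
            "interim_control_needed": urgent and p == 2,
        })
    return roadmap


# Constructed sample findings (titles, scores and context are illustrative).
SAMPLE_FINDINGS = [
    Finding("SQL injection in cardholder-data payment portal", "webapp", 7.5,
            "regulated", "high", "internet", True, True, "medium"),
    Finding("Unpatched critical CVE on isolated development server", "vulnerability", 9.0,
            "none", "low", "internal", True, False, "low"),
    Finding("No MFA on VPN gateway", "identity", 8.1,
            "internal", "high", "internet", True, True, "low"),
    Finding("Flat network, unrestricted lateral movement", "network", 6.5,
            "internal", "high", "internal", True, True, "high"),
    Finding("Telnet enabled on air-gapped out-of-band management switch", "config", 3.7,
            "none", "medium", "air-gapped", False, False, "low"),
]

if __name__ == "__main__":
    for p, entries in build_roadmap(SAMPLE_FINDINGS).items():
        print(f"PHASE {p} ({PHASE_WINDOW[p]})")
        for e in entries:
            note = "  [needs interim control in Phase 1]" if e["interim_control_needed"] else ""
            print(f"  {e['business_risk']:5.2f} (CVSS {e['cvss']}) {e['finding']}{note}")
            print(f"        -> {', '.join(e['solutions'])}")
```

With the sample data the CVSS 9.0 on the isolated development server ranks fourth, below a CVSS 6.5 flat-network finding, and the internet-facing SQL injection lands in Phase 2 (code fix plus DAST) with the interim-control flag set, which is where the WAF from the Phase 2 tree above belongs. The weights and the floor are the part to negotiate with the customer, not to hide inside the script.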


The Consultative Approach vs. Scare Tactics

How you present findings matters as much as what you present. There are two approaches, and one of them will destroy your credibility.

The Scare-Tactic Approach (Do Not Do This)

  • Cherry-pick the worst findings and open with them
  • Use alarming language: “Your network is completely exposed,” “You could be breached any day”
  • Imply the customer’s team is incompetent
  • Create artificial urgency: “You need to buy this now before something happens”
  • Focus exclusively on negative findings and ignore what the customer does well

This approach occasionally works for a quick, small deal. But it burns the relationship. The customer will resent the pressure, question your motives, and be less likely to expand or renew. Their CISO will tell peer CISOs that you used scare tactics. Your reputation in the market takes a hit.

The Consultative Approach (Do This)

Start with what works. Before discussing findings, acknowledge the attacks that were blocked. If the pen test report notes that the external firewall stopped certain attacks, or that MFA prevented credential stuffing, call that out. It shows you read the entire report and respect the customer’s existing investments.

Present findings as opportunities, not failures. Frame each finding as “here is an area where we can strengthen your posture” rather than “here is where you failed.” The customer’s team likely knows about many of these gaps and has been asking for budget to fix them. Your findings validate their internal requests.

Use industry benchmarks for context. Instead of saying “this is bad,” say “this finding is consistent with what we see in 60% of organizations your size” or “organizations in your industry are moving toward zero trust segmentation to address exactly this type of lateral movement risk.” Benchmarks normalize the findings and reduce defensiveness.

Prioritize by business impact. Do not just rank by CVSS score. A CVSS 7.5 vulnerability on a system that processes credit card transactions is more urgent than a CVSS 9.0 on an isolated development server. Show the customer you understand their business, not just their vulnerabilities.

Always pair findings with remediation. Never present a problem without a solution. Every finding should have a clear, actionable next step. This is what separates an advisor from a critic.


Presenting to Different Audiences

The same pen test findings require different presentations depending on the audience.

For the CISO / Security Director

  • Lead with the overall risk posture and trend (improving, stable, or declining)
  • Map findings to their existing security strategy and gap analysis
  • Focus on metrics: number of critical findings, mean time to remediate, findings per asset
  • Discuss how remediation aligns with their compliance roadmap
  • Propose specific solutions with deployment timelines

For the CIO / VP of IT

  • Lead with business risk and operational impact
  • Translate technical findings into availability and productivity terms
  • Discuss integration with existing IT infrastructure
  • Address staff and resource requirements for remediation
  • Present the phased roadmap with resource planning

For the CFO / Finance

  • Lead with the one-page business case: risk cost vs. solution cost
  • Use the breach cost comparison model
  • Highlight compliance penalties that could result from unaddressed findings
  • Present cyber insurance implications
  • Show the phased investment model to distribute spend across quarters

The Follow-Up Cadence

Converting a pen test review into a closed deal requires disciplined follow-up:

Day 1-3 after the meeting: Send a summary email with the prioritized remediation roadmap, solution mapping, and proposed next steps. Include a one-page executive brief for the CISO to share with leadership.

Week 1: Schedule a technical deep-dive on the Phase 1 solutions. Bring product specialists or a solutions architect if needed.

Week 2-3: Deliver a scoped proposal for Phase 1 remediation. Include pricing, timeline, and success criteria.

Week 4: Follow up on the proposal. Address objections (reference the objection handling frameworks). Schedule a POC if appropriate.

Ongoing: Check in monthly on remediation progress. As Phase 1 completes, begin scoping Phase 2. Each phase is a new opportunity.


Pen Test to Pipeline Checklist

Use this checklist every time a customer shares pen test results:

  • Read the full report, not just the executive summary
  • Note the methodology and scope — identify what was NOT tested
  • Categorize findings by domain (network, identity, application, cloud, configuration)
  • Map each category to your solution portfolio
  • Identify the 3-5 most business-critical findings
  • Build the three-phase remediation roadmap
  • Prepare audience-specific presentations (CISO, CIO, CFO)
  • Calculate the cost comparison (breach cost vs. solution cost)
  • Identify cross-sell and upsell opportunities across phases
  • Schedule the findings review meeting within one week of receiving the report

The SE who masters pen test translation becomes indispensable to their account team. You are not just responding to RFPs — you are creating pipeline from technical events that competitors overlook. Every pen test is a roadmap of funded projects waiting to happen.

