
Pentesting with business impact

A useful pentest does not end in a PDF. It ends in decisions and prioritized fixes.

Blurtek

The value of pentesting is not in accumulating findings. It is in showing risk chains the business can understand. A test that produces 200 vulnerabilities with no real-impact context does not help decision-making — it paralyses it.

01

What separates a useful report from one that is not

The report must separate cosmetic weaknesses from vectors that can truly impact continuity, fraud or data exposure. A CVSS 9.8 vulnerability on a development server with no production access does not carry the same weight as a medium flaw in the ERP authentication system.

  • Classification by real business impact, not just CVSS technical severity
  • Demonstrated attack chains: how vulnerabilities would be chained to achieve an objective
  • Distinction between immediate risk and latent risk
  • Findings separated by system, responsible team and remediation window
  • Executive section of maximum two pages covering the three or four priority risks

02

Turning results into an executable backlog

It is also essential to turn results into an executable backlog. Without ownership, evidence and follow-up, the test becomes a picture that ages fast. Most pentests we review have findings from previous versions of the same test that are still open months later, because they were never properly assigned.

  • Every finding has a remediation owner and a target date
  • Evidence (screenshots, logs, proof of concept) is attached to each finding
  • There is a verification process once each item is remediated
  • Security and operations share the same backlog, not separate reports
  • A follow-up meeting exists at 30 and 90 days after report delivery
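As an added example (not code from this post or from Blurtek), the following Python sketch encodes the two lists above: a finding is ranked by business impact rather than raw CVSS, and every backlog item carries an owner, a due date, its evidence and a verification state. The asset criticality table, team names, weights and remediation windows are assumptions chosen to illustrate the point; the dev-server versus ERP-login comparison mirrors the one in the text.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed context (assumption, not from the post): asset criticality 1-5 and owning team.
ASSETS = {
    "erp-auth":    {"criticality": 5, "owner": "erp-team"},
    "dev-jenkins": {"criticality": 1, "owner": "platform-team"},
}
WINDOW_DAYS = {"immediate": 14, "latent": 60, "cosmetic": 180}  # assumed remediation windows

@dataclass
class Finding:
    id: str
    title: str
    cvss: float
    asset: str
    production_reachable: bool                    # can production data/flows be reached from here?
    enables: list = field(default_factory=list)   # ids of findings this one chains into
    evidence: list = field(default_factory=list)  # screenshots, logs, proof-of-concept paths

def business_priority(f: Finding, assets=ASSETS):
    """Return (risk_class, score). CVSS is scaled by asset criticality, discounted when
    production is not reachable (latent risk) and uplifted when the finding starts a
    demonstrated attack chain."""
    crit = assets.get(f.asset, {}).get("criticality", 3)
    score = f.cvss * crit / 5.0
    if not f.production_reachable:
        score *= 0.3
    if f.enables:
        score *= 1.2
    score = min(round(score, 1), 10.0)
    if f.production_reachable and score >= 6.0:
        return "immediate", score
    if score >= 3.0:
        return "latent", score
    return "cosmetic", score

def build_backlog(findings, today: date, assets=ASSETS):
    """Turn findings into backlog items with owner, due date, evidence and verification state."""
    items = []
    for f in findings:
        risk, score = business_priority(f, assets)
        items.append({
            "id": f.id, "title": f.title, "cvss": f.cvss, "risk": risk, "score": score,
            "owner": assets.get(f.asset, {}).get("owner", "UNASSIGNED"),
            "due": (today + timedelta(days=WINDOW_DAYS[risk])).isoformat(),
            "evidence": f.evidence or ["MISSING - reject finding until evidence is attached"],
            "status": "open", "verified_fixed": False,  # flipped only after re-test
        })
    return sorted(items, key=lambda i: i["score"], reverse=True)
```

With these weights the CVSS 9.8 dev-server finding lands in the cosmetic class while the medium ERP login flaw is immediate, which is the ordering the report should present to the business.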

A good pentest costs between 3,000 and 15,000 euros depending on scope. An incident resulting from not acting on its findings can cost ten times more. The difference is not in the test — it is in what you do with the result.

If you want to plan a pentest with real impact or review how you are managing findings from previous audits, let's talk.
