When reporting vulnerabilities, which of the following should be included in an executive summary?

  1. Business impact and risk level of findings ✓
  2. Step-by-step exploitation instructions
  3. Technical details of each vulnerability
  4. Complete source code analysis

Correct answer: Business impact and risk level of findings

Option A is correct because an executive summary is written for non-technical stakeholders such as executives and board members, who need to understand the business risk and organizational impact of findings rather than technical mechanics. Option B is wrong because step-by-step exploitation instructions belong in the technical findings section, not an executive summary, and providing them at that level can create unnecessary exposure risk. Option C is wrong because granular technical details of each vulnerability are appropriate for the technical appendix, not the high-level executive summary. Option D is wrong because complete source code analysis is an extremely detailed technical artifact suited for developers, not executive leadership.

Topic: penetration testing, reporting, executive summary, risk communication

Practice CompTIA PenTest+ (PT0-002) Questions Free