Analysis of the [Company] production cloud environment (AWS + GCP, 1,847 assets, 3 accounts) identified 52 attack paths to crown-jewel assets. Three priority actions reduce crown-jewel reachability by 83% and eliminate the highest-severity publicly reachable paths. The full remediation plan is prioritized by risk reduction impact, not by finding count.

Example executive metrics

| Metric | Current Value | After Priority Actions |
|---|---|---|
| Total cloud assets in scope | 1,847 | — |
| Attack paths to crown-jewel assets | 52 | 9 (83% reduction) |
| Publicly reachable entry points | 14 | 2 (86% reduction) |
| Identities with excessive permissions | 31 | 8 (74% reduction) |
| Unencrypted sensitive data assets | 7 | 1 (86% reduction) |
| High-severity misconfigurations | 22 | 4 (82% reduction) |
| Minimum-fix actions required | 3 | — |
| Estimated remediation effort | — | ~2.5 engineering days |
| Estimated risk reduction | — | 83% reduction in crown-jewel reachability |

Example top risks

| # | Risk | Business Impact | Recommended Decision |
|---|---|---|---|
| 1 | Publicly accessible EC2 instance with path to production database through over-privileged IAM role | Full production database exfiltration from internet-accessible entry point | Restrict public access to this instance; scope down the IAM role to required services only |
| 2 | GCS bucket with public read enabled containing encryption keys referenced by production workloads | Credential exposure enabling lateral movement to protected environments | Remove public access; enforce uniform bucket-level access; rotate referenced credentials |
| 3 | Lateral movement chain from dev environment to production via cross-account role assumption with no MFA requirement | Attacker with dev access can pivot to production without additional authentication | Require MFA for cross-account role assumption; isolate dev and production trust boundaries |

Example executive decisions

The executive report surfaces the three decisions that deliver the highest risk reduction with the lowest remediation effort. These are not the full finding list — they are the decisions that matter most.
After these three decisions, 43 of 52 attack paths are eliminated. The remaining 9 paths are medium-severity and addressed in the full remediation plan.

What the executive report includes

- Asset inventory summary by cloud provider and environment tier
- Attack path count with crown-jewel reachability estimate
- Top risks with business impact narrative
- Minimum-fix set with effort estimate and risk reduction impact
- Before/after risk narrative for board and risk committee
- Decision framing for each priority action
- Reference to full technical evidence in the technical report

For the full technical evidence, finding detail, and remediation checklist, see the Sample Technical Report.

Ready to receive your own executive report?

The pilot produces both the executive report and the technical evidence report from your actual cloud environment, not a demo dataset.