rtexit-method 0.1.0 → 0.1.2

package/packaged-assets/.agents/skills/rt-executive-report/SKILL.md

@@ -0,0 +1,718 @@
+---
+name: rt-executive-report
+description: "Generate executive-level penetration testing report for CEO/CISO/Board. Non-technical language, business-focused. Sections: cover page, executive summary (risk rating, key findings, business impact statements), risk statistics (chart), attack narrative (story format), remediation roadmap (prioritized table with timelines), and conclusion. Supports Arabic and English output."
+---
+
+# rt-executive-report — Executive Red Team Report Skill
+
+## 1. Overview and Purpose in Engagement Lifecycle
+
+This skill generates the executive-facing deliverable at the end of a red team engagement. It is the final artifact consumed by decision-makers — the CEO, CISO, board members, and senior leadership — who need a clear picture of business risk without reading technical exploitation details.
+
+### Where it sits in the lifecycle
+
+```
+Reconnaissance → Exploitation → Post-Exploitation → Lateral Movement
+                                                              |
+                                                    finding_tracker.py
+                                                    (collects raw findings)
+                                                              |
+                                                    autodoc_engine.py
+                                                    (structures findings)
+                                                              |
+                                                [rt-executive-report] <-- YOU ARE HERE
+                                                    (executive output)
+                                                              |
+                                              Debrief with client leadership
+```
+
+The executive report is NOT the technical report. It does not contain CVE numbers, exploit code, or packet captures. It answers three questions leadership actually cares about:
+- Can an attacker reach what matters most to us?
+- How bad would it be if they did?
+- What do we do about it, in what order, and at what cost?
+
+### Supported output languages
+
+- English (default)
+- Arabic (right-to-left, formal business register — specify `lang: ar` in engagement metadata)
+
+---
+
+## 2. Step-by-Step Workflow
+
+### Step 1 — Pull findings from finding_tracker.py
+
+Run the tracker export before starting the report. The tracker holds all raw findings logged during the engagement.
+
+```bash
+python finding_tracker.py export --format json --output /tmp/findings_export.json
+```
+
+Expected output fields per finding:
+- `id` — e.g. `RT-2024-007`
+- `title` — short finding name
+- `severity` — Critical / High / Medium / Low / Informational
+- `cvss_score` — numeric (used for risk statistics section)
+- `affected_asset` — hostname, IP, application name
+- `business_function` — what the asset does in business terms
+- `evidence_refs` — list of screenshot/log file paths
+- `technical_detail` — full exploitation description (NOT used in exec report)
+- `business_impact` — one paragraph, business language (THIS is used in exec report)
+- `remediation_short` — one-line fix
+- `remediation_detail` — full fix guidance
+- `effort_estimate` — Low / Medium / High
+- `fix_timeline_days` — recommended days to remediate
+
+If `business_impact` is empty in the tracker, you must write it before proceeding. See Step 3 for guidance on writing business impact statements.
+
+### Step 2 — Pull document metadata from autodoc_engine.py
+
+```bash
+python autodoc_engine.py meta --engagement <engagement_id>
+```
+
+This returns:
+- `client_name` — organization name
+- `engagement_id` — unique reference code
+- `test_start` / `test_end` — dates of testing window
+- `scope_summary` — plain-English description of what was in scope
+- `overall_risk_rating` — computed from finding severity distribution
+- `red_team_lead` — name of report author
+- `report_date` — date of delivery
+
+If `overall_risk_rating` is not computed, calculate it manually:
+- Any Critical finding = **Critical** overall
+- No Critical but 3+ High = **High** overall
+- 1-2 High findings = **High** overall
+- Only Medium/Low = **Medium** or **Low**
+
+### Step 3 — Write business impact statements (if missing)
+
+Every finding needs a business impact statement before the exec report is written. This is the most important translation task. Use this formula:
+
+> "If an attacker exploits [vulnerability in plain terms], they can [action in plain terms], which means [business consequence — data loss, operational disruption, regulatory breach, reputational harm, financial loss]."
+
+Bad (technical): "SQL injection in the authentication endpoint allows unauthenticated retrieval of all rows from the users table via UNION-based extraction."
+
+Good (executive): "An attacker with internet access can bypass the login page and download the complete customer database — including names, email addresses, and encrypted passwords — without any credentials. A breach of this data would trigger mandatory notification obligations under Egypt's Personal Data Protection Law No. 151 of 2020, expose the organization to regulatory fines, and damage customer trust built over years of operation."
+
+### Step 4 — Determine overall risk rating and narrative arc
+
+Before writing, decide on the overall story. What is the single most important message for leadership?
+
+Common narratives:
+- "We successfully simulated an external attacker reaching your most sensitive internal systems — this report explains how and what to do."
+- "Your perimeter is stronger than expected, but an insider threat scenario revealed significant gaps in internal controls."
+- "Three critical vulnerabilities, if chained together, would allow a ransomware operator to encrypt your core systems within 6 hours of initial access."
+
+Write this narrative in one sentence. It becomes the opening of the executive summary.
+
+### Step 5 — Build the report section by section
+
+Work through sections in order. Each section is described in detail in Section 3 (Templates) below.
+
+1. Cover Page
+2. Executive Summary
+3. Risk Statistics
+4. Attack Narrative
+5. Remediation Roadmap
+6. Conclusion
+
+### Step 6 — Quality check
+
+Run through the quality checklist in Section 5 before delivering. Every item must pass.
+
+### Step 7 — Generate final document via autodoc_engine.py
+
+```bash
+python autodoc_engine.py render \
+  --template executive_report \
+  --input /tmp/exec_report_draft.md \
+  --engagement <engagement_id> \
+  --lang en \
+  --output ./deliverables/<engagement_id>_executive_report.pdf
+```
+
+For Arabic output:
+```bash
+python autodoc_engine.py render \
+  --template executive_report \
+  --input /tmp/exec_report_draft.md \
+  --engagement <engagement_id> \
+  --lang ar \
+  --output ./deliverables/<engagement_id>_executive_report_AR.pdf
+```
+
+---
+
+## 3. Templates with Example Content
+
+### 3.1 Cover Page
+
+```
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+          RED TEAM ASSESSMENT
+          EXECUTIVE REPORT
+
+          Prepared for:
+          Nile Financial Group S.A.E.
+
+          Engagement Reference: RT-2024-NFG-003
+          Testing Period: 14 October 2024 – 1 November 2024
+          Report Date: 10 November 2024
+
+          Prepared by:
+          RTExit Security Operations
+          Confidentiality: RESTRICTED — Board and C-Suite Only
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+CLASSIFICATION NOTICE
+This document contains sensitive security information about Nile Financial Group S.A.E.
+Distribution is restricted to authorized executive personnel only. Unauthorized disclosure
+may facilitate attacks against the organization and is prohibited under the terms of the
+engagement agreement dated 1 October 2024.
+```
+
+### 3.2 Executive Summary
+
+The executive summary must fit on one page. It contains four components: overall rating block, one-paragraph assessment, key findings list, and immediate actions.
+
+```
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+EXECUTIVE SUMMARY
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+OVERALL RISK RATING:  ██████████  CRITICAL
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+ASSESSMENT
+
+During the three-week red team engagement, our team — operating as a motivated
+external attacker with no prior knowledge of the organization — successfully
+gained access to Nile Financial Group's core banking platform, extracted a
+sample of 47,000 customer account records, and reached the internal payment
+processing network from the public internet. This was achieved in 11 days of
+active operation, well within the window in which a real attacker would act
+before detection.
+
+The organization's perimeter security tools detected our activity on Day 14
+of the engagement. By that point, we had already achieved our primary
+objectives and established persistence that would have survived a standard
+incident response procedure.
+
+This does not represent a failure of the security team — it reflects a gap
+between the current investment in security controls and the sophistication of
+threats targeting organizations of this scale and sector. The gaps are
+well-defined, prioritized, and remediable. This report is a roadmap.
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+KEY FINDINGS
+
+  CRITICAL   Customer data accessible without authentication from the internet
+  CRITICAL   Payment network reachable from public-facing web application
+  HIGH       Employees can be manipulated into granting attacker full access
+             via targeted email (phishing simulation: 34% success rate)
+  HIGH       Administrative accounts lack multi-factor authentication
+  MEDIUM     Security monitoring does not alert on abnormal data downloads
+  MEDIUM     Third-party vendor portal shares network access with core systems
+  LOW        Password policy does not prevent predictable credential choices
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+IMMEDIATE ACTIONS REQUIRED (before next board meeting)
+
+  1. Isolate the customer database application from the public internet
+     immediately — this is the highest-priority action.
+  2. Enable multi-factor authentication on all administrator accounts
+     within 72 hours.
+  3. Segment the payment network so it cannot be reached from the
+     web application server.
+```
+
+### 3.3 Risk Statistics
+
+Render this as a visual section. When using autodoc_engine.py, the `risk_chart` component generates the bar chart automatically from the findings JSON. In the markdown draft, represent it as follows:
+
+```
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+RISK STATISTICS
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+FINDINGS BY SEVERITY
+
+  Critical    ██████████████████████████  2  findings
+  High        █████████████████          2  findings
+  Medium      ████████████████████████   3  findings  (1 informational excluded)
+  Low         █████████                  1  finding
+                                        ─────────────
+  Total                                  8  findings
+
+COMPARISON TO SECTOR BASELINE
+
+  Critical findings (this engagement):    2
+  Critical findings (financial sector avg, 2024):  0.8 per engagement
+
+  This result places Nile Financial Group in the highest-risk quartile
+  for organizations of comparable size and regulatory profile.
+
+RISK TREND NOTE
+  These findings reflect the state of the environment as tested. They
+  do not imply past compromise — only present exposure. The purpose of
+  red team testing is to identify these gaps before an actual attacker does.
+
+<!-- autodoc: insert risk_chart component here -->
+<!-- autodoc: insert severity_pie component here -->
+```
+
+### 3.4 Attack Narrative
+
+This is the most powerful section. Write it as a story — past tense, third person ("the team"), no jargon. The goal is that a board member who has never read a security report understands exactly what happened.
+
+```
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+ATTACK NARRATIVE: HOW AN ATTACKER WOULD REACH YOUR
+MOST SENSITIVE SYSTEMS
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+Day 1 — First Contact
+
+The team began with only the same information available to any member of
+the public: the organization's website and publicly registered internet
+addresses. Within two hours, automated tools identified 14 internet-facing
+systems belonging to Nile Financial Group, including a customer-facing web
+portal, a mobile API endpoint, and an administrative interface that appeared
+to belong to a legacy internal tool.
+
+The administrative interface was accessible from the internet. This is the
+equivalent of leaving a back door unlocked.
+
+Day 3 — A Door Left Open
+
+The legacy administrative interface was found to accept login attempts
+without any limit on the number of tries. Using a list of commonly used
+passwords (the kind available for free on the internet following years of
+data breaches at other companies), the team gained access to an account
+belonging to a former employee whose access had not been removed.
+
+This is not a sophisticated technique. It is the most common method used
+by criminal ransomware groups worldwide in 2024.
+
+Day 5 — Inside the Network
+
+The former employee's account had retained its original permissions from
+2021, including access to the application that serves customer account
+data. From that application, the team was able to download customer records
+— names, account numbers, national ID numbers, and in some cases loan
+repayment histories.
+
+The security monitoring system did not generate an alert. The download of
+47,000 records looked, to the automated systems, like normal business
+activity.
+
+Day 8 — Reaching the Core
+
+The web application server was connected to the same internal network as
+the payment processing infrastructure. Using the access established through
+the customer portal, the team moved laterally to a server involved in
+processing interbank transfers. At this point, the team stopped and
+documented the finding rather than proceed further — the purpose of the
+exercise is to demonstrate risk, not to cause harm.
+
+In a real attack scenario, an adversary with this level of access could
+potentially initiate fraudulent transfers, manipulate account balances,
+or deploy ransomware that encrypts the payment infrastructure.
+
+Day 14 — Detection
+
+On Day 14, the security operations team flagged unusual activity and began
+an investigation. By this point in a real attack, a sophisticated adversary
+would have already completed their primary objectives and established a
+secondary method of re-entry that would survive the response.
+
+This timeline — 14 days to detection, 8 days to critical access — is the
+central message of this engagement. It is the number the organization
+should work to reduce.
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+WHAT MADE THIS POSSIBLE — IN PLAIN TERMS
+
+  Three things together created this outcome:
+
+  1. An internet-facing system that should not have been exposed
+  2. A former employee account that was never deactivated
+  3. A network that did not separate customer data from payment systems
+
+  Any one of these controls, had it been in place, would have stopped or
+  significantly slowed the attack chain.
+```
+
+### 3.5 Remediation Roadmap
+
+Present as a prioritized table. Group by timeline. Each item must have a plain-English description, an owner type (not a person's name — a role), and a realistic timeline.
+
+```
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+REMEDIATION ROADMAP
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+IMMEDIATE (within 72 hours) — Stop active bleeding
+
+  ID        Action                                        Owner        Effort
+  ────────  ────────────────────────────────────────────  ───────────  ──────
+  RT-001    Remove the legacy admin portal from public    IT Ops       Low
+            internet access or shut it down entirely.
+            This system has no documented business need
+            for external exposure.
+
+  RT-002    Disable all accounts belonging to former      IT / HR      Low
+            employees. Conduct a full audit of all
+            active accounts and remove those not
+            associated with a current employee or
+            approved contractor within 48 hours.
+
+  RT-004    Enable multi-factor authentication on all     IT Security  Low
+            administrative and privileged accounts.
+            This single control would have prevented
+            the initial access in this engagement.
+
+SHORT TERM (within 30 days) — Close the critical gaps
+
+  ID        Action                                        Owner        Effort
+  ────────  ────────────────────────────────────────────  ───────────  ──────
+  RT-003    Separate the payment processing network       IT Arch.     High
+            from the web application servers using
+            network segmentation. These two environments
+            have no legitimate reason to communicate
+            directly.
+
+  RT-005    Implement automated alerting when large        Security     Medium
+            volumes of customer records are downloaded    Ops
+            within a short period. Establish a baseline
+            of normal data access and alert on deviation.
+
+  RT-007    Establish a formal process for reviewing       IT / HR      Low
+            and removing employee access when they
+            leave the organization (offboarding
+            checklist with IT sign-off required).
+
+MEDIUM TERM (within 90 days) — Reduce attack surface
+
+  ID        Action                                        Owner        Effort
+  ────────  ────────────────────────────────────────────  ───────────  ──────
+  RT-006    Review and restrict the third-party vendor     IT Arch.     Medium
+            portal's network access. Vendors should
+            only reach the specific systems their
+            service requires — not the broader internal
+            network.
+
+  RT-008    Conduct a security awareness training          HR /         Low
+            program for all staff, with a focus on        Security
+            recognizing phishing emails. The 34%
+            success rate in our phishing simulation
+            is significantly above the 10-15% benchmark
+            for well-trained organizations.
+
+LONG TERM (within 6 months) — Build resilience
+
+  ID        Action                                        Owner        Effort
+  ────────  ────────────────────────────────────────────  ───────────  ──────
+  RT-009    Develop and test an incident response plan     CISO         High
+            specific to a data breach scenario. Include
+            regulatory notification steps per Egypt
+            PDPL No. 151/2020 and CBE requirements.
+
+  RT-010    Establish a recurring penetration testing      CISO         Medium
+            program — at minimum annually, and after
+            any major system changes.
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+INVESTMENT CONTEXT
+
+The remediations marked Low effort above are largely configuration and
+process changes that require minimal financial investment. The High-effort
+items (network segmentation) require project planning but represent a
+fundamental reduction in the organization's most serious risk exposure.
+
+The cost of implementing all remediations in this roadmap is a fraction of
+the potential cost of a data breach — which, under current Egyptian and
+international regulatory frameworks, could include regulatory fines,
+mandatory customer notification, legal liability, and reputational damage
+affecting customer retention and investor confidence.
+```
+
+### 3.6 Conclusion
+
+```
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+CONCLUSION
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+Nile Financial Group engaged RTExit to stress-test its defenses against
+a realistic attacker. The results of this engagement are serious but
+not unusual for organizations at this stage of their security maturity
+journey. More importantly, they are actionable.
+
+The most important message from this assessment is this: the gaps that
+allowed our team to reach your most sensitive systems are well-understood,
+well-documented, and fixable. None of them require novel technology or
+significant complexity. They require prioritization and follow-through.
+
+The roadmap in this report is sequenced to deliver the greatest risk
+reduction in the shortest time. Completing the immediate actions alone —
+within 72 hours — would eliminate the initial access vector used in this
+engagement entirely.
+
+RTExit is available to support the remediation process, answer questions
+from technical teams, and conduct a validation test once remediation
+activities are complete. We recommend scheduling a follow-up assessment
+within six months to confirm that the identified gaps have been closed
+and to identify any new exposure that may have emerged.
+
+We recognize that receiving findings of this nature is not easy. The
+value of this work is in knowing — and in the ability to act before
+a real attacker does.
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+POINT OF CONTACT
+
+For questions regarding this report, please contact:
+
+  RTExit Security Operations
+  Engagement Reference: RT-2024-NFG-003
+  Report Date: 10 November 2024
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+```
+
+---
+
+## 4. Integration with finding_tracker.py and autodoc_engine.py
+
+### finding_tracker.py integration
+
+The executive report draws on two fields from each finding record that are most commonly incomplete: `business_impact` and `business_function`. Before running autodoc_engine.py, verify these fields are populated for every Critical and High finding.
+
+```bash
+# Check for findings missing business_impact
+python finding_tracker.py validate --field business_impact --severity Critical,High
+```
+
+If findings are missing `business_impact`, populate them directly:
+
+```bash
+python finding_tracker.py update RT-2024-007 \
+  --field business_impact \
+  --value "An unauthenticated attacker can download the complete customer database from the internet. This exposes personally identifiable information for all customers, triggering mandatory breach notification under PDPL No. 151/2020 and CBE Circular No. 7/2022, with potential regulatory sanctions and reputational harm."
+```
+
+The finding_tracker.py `export` command supports filtering by severity to focus the executive report on material findings only:
+
+```bash
+# Export only Critical and High findings for exec report
+python finding_tracker.py export \
+  --format json \
+  --severity Critical,High \
+  --output /tmp/exec_findings.json
+
+# Export all findings for remediation roadmap (includes Medium/Low)
+python finding_tracker.py export \
+  --format json \
+  --output /tmp/all_findings.json
+```
+
+### autodoc_engine.py integration
+
+The autodoc_engine.py script handles:
+- Merging the markdown draft with engagement metadata
+- Generating risk charts from severity data
+- Applying the RTExit PDF template with correct branding
+- Rendering Arabic output with RTL layout when `--lang ar` is specified
+
+Key commands:
+
+```bash
+# Validate that all required sections are present in draft
+python autodoc_engine.py validate \
+  --template executive_report \
+  --input /tmp/exec_report_draft.md
+
+# Generate English PDF
+python autodoc_engine.py render \
+  --template executive_report \
+  --input /tmp/exec_report_draft.md \
+  --findings /tmp/all_findings.json \
+  --engagement RT-2024-NFG-003 \
+  --lang en \
+  --output ./deliverables/RT-2024-NFG-003_executive_report_EN.pdf
+
+# Generate Arabic PDF
+python autodoc_engine.py render \
+  --template executive_report \
+  --input /tmp/exec_report_draft.md \
+  --findings /tmp/all_findings.json \
+  --engagement RT-2024-NFG-003 \
+  --lang ar \
+  --output ./deliverables/RT-2024-NFG-003_executive_report_AR.pdf
+```
+
+autodoc_engine.py injects the following automatically when rendering:
+- `risk_chart` — horizontal bar chart, severity breakdown
+- `severity_pie` — pie chart with Critical/High/Medium/Low proportions
+- `remediation_table` — formatted table from findings JSON sorted by fix_timeline_days
+- Cover page metadata (dates, engagement ID, client name) from engagement record
+
+---
+
+## 5. Quality Checklist
+
+Run this checklist before delivering any executive report. Every item is a hard requirement.
+
+### Language and tone
+
+- [ ] Zero CVE numbers visible in the document
+- [ ] Zero IP addresses or hostnames visible in the document (exception: cover page scope if client requests it)
+- [ ] Zero exploit tool names (Metasploit, Burp, Cobalt Strike) visible to executives
+- [ ] Every technical term has been replaced with a plain-English equivalent
+- [ ] Passive voice has been minimized — findings should feel real and active, not abstract
+- [ ] Business impact statements name a specific consequence (regulatory, financial, operational, reputational) — not generic phrases like "data could be exposed"
+- [ ] Report can be understood by a reader with no security background
+
+### Content completeness
+
+- [ ] Cover page has correct client name, engagement ID, date range, and report date
+- [ ] Overall risk rating is stated clearly and prominently
+- [ ] Every Critical finding appears in the executive summary key findings list
+- [ ] Attack narrative covers the full chain from initial access to deepest objective reached
+- [ ] Time-to-detection is stated explicitly in the narrative
+- [ ] Every Critical and High finding has a corresponding remediation roadmap entry
+- [ ] Remediation entries have owner role, effort estimate, and timeline
+- [ ] Conclusion includes a recommendation for follow-up testing
+
+### Accuracy
+
+- [ ] Finding count matches the finding_tracker.py export
+- [ ] Overall risk rating matches the autodoc_engine.py computed rating
+- [ ] Phishing success rate (if applicable) matches the tracker record
+- [ ] All dates in the narrative are consistent with test_start / test_end metadata
+- [ ] Regulatory references are correct for the client's jurisdiction
+
+### Arabic output (when applicable)
+
+- [ ] All section headers rendered in correct formal Arabic
+- [ ] Risk rating terms use agreed Arabic equivalents (Critical = حرج, High = مرتفع, Medium = متوسط, Low = منخفض)
+- [ ] Tables render correctly in RTL layout
+- [ ] No English text appears in Arabic sections except proper nouns (company names, product names)
+- [ ] Dates use the format agreed with client (Gregorian or Hijri)
+
+---
+
+## 6. Example Output — Finished Executive Summary Block
+
+This is what a completed, polished executive summary looks like. Use this as a reference for the quality standard required.
+
+```
+EXECUTIVE SUMMARY
+
+OVERALL RISK RATING: CRITICAL
+
+During a three-week controlled simulation conducted in October 2024, the RTExit
+red team — operating as an external attacker with no insider knowledge — gained
+access to Nile Financial Group's core banking platform and extracted a sample
+of 47,000 customer records from the public internet in 11 days.
+
+The security monitoring infrastructure detected this activity on Day 14 — after
+the primary objectives had already been achieved. In a real attack, this gap
+would have been sufficient for an adversary to complete a significant data theft,
+initiate fraudulent transactions, or deploy ransomware.
+
+The cause is not a single vulnerability. It is the combination of three
+conditions that, together, removed every barrier between an internet-connected
+attacker and the organization's most sensitive data:
+
+  First, a legacy administrative system was reachable from the public internet
+  with no business justification for that exposure.
+
+  Second, the account of a former employee — dormant for three years — remained
+  active with the same permissions it held during their employment.
+
+  Third, the network connecting the customer portal to the payment processing
+  infrastructure had no controls preventing movement between them.
+
+No one of these conditions alone would have produced this outcome. Removing any
+one of them would have stopped or significantly delayed the attack.
+
+This report details what happened, what it means for the organization, and
+exactly what to do — in priority order — to close these gaps.
+
+KEY FINDINGS
+
+  CRITICAL   Customer database accessible from the internet without login
+             credentials. Affects all 47,000+ customer records including
+             national ID numbers and account histories.
+
+  CRITICAL   Payment processing network reachable from public-facing web
+             servers. A motivated attacker could attempt fraudulent transfers
+             or disrupt core banking operations from this position.
+
+  HIGH       One in three employees provided credentials or clicked attacker-
+             controlled links during phishing simulation — more than double
+             the benchmark for trained workforces.
+
+  HIGH       Administrative accounts protect organization-wide systems with
+             passwords only — no second factor required. Any stolen password
+             gives full administrative access.
+
+IMMEDIATE ACTIONS
+
+  Before the next board meeting, three actions will materially reduce the
+  organization's exposure:
+
+  1. Remove the legacy administrative portal from public internet access today.
+  2. Audit and disable all accounts not linked to a current employee within 48 hours.
+  3. Enable multi-factor authentication on all administrative accounts within 72 hours.
+
+  These three actions would have prevented the attack chain demonstrated in
+  this engagement entirely.
+```
+
+---
+
+## 7. Common Mistakes to Avoid
+
+### Mistake 1 — Writing for the technical reader
+
+The executive report is not a place to demonstrate technical depth. Phrases like "the target was vulnerable to unauthenticated SSRF via the X-Forwarded-For header, enabling access to the EC2 metadata endpoint" belong in the technical annex. In the executive report, this becomes: "A flaw in the web application allowed the team to trick the server into revealing internal access credentials — which were then used to enter systems that should not have been reachable from the internet."
+
+### Mistake 2 — Burying the headline
+
+Some reports open with scope, methodology, and disclaimers before the reader learns what actually happened. Executives read the first paragraph and decide whether to keep reading. Lead with the result: what was achieved, how quickly, and what it means.
+
+### Mistake 3 — Using generic business impact language
+
+"This vulnerability could lead to data exposure" is not a business impact statement. It is a placeholder. Business impact statements must be specific: which data, how much, what regulatory framework applies, what the consequence is. If you cannot be specific, return to finding_tracker.py and fill in the details before writing.
+
+### Mistake 4 — Presenting the remediation roadmap as a flat list
+
+Executives need to know what to do first. A flat list of eight items creates decision paralysis. Group by timeline (Immediate, Short Term, Medium Term, Long Term). Put the three most important items at the top with explicit urgency language. Every item should have an owner type and an effort level so leadership can delegate and track.
+
+### Mistake 5 — Making the conclusion feel like a sales pitch
+
+The conclusion should leave the reader feeling informed and empowered, not sold to. Avoid phrases like "RTExit's world-class team" or "cutting-edge methodology." The conclusion should restate the key message, affirm that the gaps are fixable, and offer concrete next steps. Keep it honest and direct.
+
+### Mistake 6 — Inconsistent numbers
+
+If the executive summary says "six critical findings" and the risk statistics section shows a chart with five, the client will notice and trust in the entire document erodes. Always generate the risk statistics section from the same finding_tracker.py export used for the narrative. Run `autodoc_engine.py validate` before final render to catch mismatches.
+
+### Mistake 7 — Skipping the Arabic review pass
+
+Arabic output from autodoc_engine.py is accurate in structure but must be reviewed by a native Arabic speaker before delivery to an Arabic-speaking board. Pay particular attention to: risk rating terminology (agree on terms with the client before the engagement closes), passive/active voice (Arabic business writing has different conventions), and table formatting in RTL layout. Never deliver Arabic output without a review pass.
+
+### Mistake 8 — Omitting time-to-detection
+
+Time-to-detection is one of the most powerful data points in the executive report. It makes the risk concrete and time-bound. Always state it explicitly in the attack narrative: "The security monitoring system detected our activity on Day 14 — three days after we had achieved our primary objective." If the security team did not detect the activity at all during the engagement window, that is even more important to state clearly and directly.