I have both done pentests and received pentest reports. My observation is that the perceived severity often varies between the tester and the customer.
I’ve found that using relative terminology seems to pierce the veil of ignorance.
When WiFi was new/newish and absolutely no one was securing it, I would bring with me a 300ft / 100m of CAT 5, string it out across the lawn out of a window (etc), and sit in a folding chair with my laptop to visually represent the threat. It never failed to get the point across.
These days as a last resort I will verbally liken an intruder or vulnerability with sexual predation. That gets the attention of someone in a position of power usually.
The problems I have encountered are mostly with hostile IT Depts / MIS / DevOps teams who think I’m there to point out their mistakes. I’m there to help prevent costly mistakes; you guys figure out blame on your own time, because I literally don’t give a shit who’s to blame, if anyone at all, and after this engagement I’ll disappear like a fart in the wind and move on to the next client.