Executive Summary Report

The Executive Summary is designed for plant managers, utility executives, board members, and regulators. It presents your organization's vulnerability posture in plain language with clear risk statements and action recommendations. No technical jargon. No raw CVSS vectors. Just the information a decision-maker needs.


Audience

  • Plant managers who need to understand site risk without diving into CVE details.
  • Utility executives presenting security posture to their board of directors.
  • Compliance officers preparing for regulatory meetings.
  • Regulators requesting a security posture summary.
  • Insurance underwriters assessing cyber risk.

What the Report Contains

Overall Risk Score

A single numeric score (0-100) representing your organization's aggregate vulnerability posture across the selected environments. The score accounts for: total findings, severity distribution, KEV exposure, exploit availability, and acknowledgment coverage. A lower score means lower risk.

Finding Summary by Severity

A table and chart showing the count of active findings by severity:

Severity    Count    Percentage
Critical    X        X%
High        X        X%
Medium      X        X%
Low         X        X%

KEV Exposure

The number of your active findings that appear in the Known Exploited Vulnerabilities (KEV) catalog. This number tells management: "X of our vulnerabilities are confirmed actively exploited in the wild right now."

Top 5 Critical Findings

The five highest-BCS findings across the selected environments, each described in plain English:

  • What the vulnerability does (one sentence).
  • Which asset is affected.
  • Whether a patch is available.
  • Recommended action.

SAGE generates these descriptions specifically for a non-technical audience.

OT vs IT vs Network Split

A breakdown showing how findings are distributed across layers:

  • OT findings: owned by the OT/process control team.
  • OS findings: owned by the IT patching team.
  • NETWORK findings: owned by the network team.

This tells management which teams are carrying the remediation workload.

Trend Analysis

Is your posture improving or worsening compared to the previous report?

  • New findings added since last report.
  • Findings acknowledged or remediated since last report.
  • Net change in active findings.
  • Trend arrow: improving (down), worsening (up), or stable (flat).

The top 3 actions management should authorize or prioritize, based on the current findings. Examples:

  • "Authorize emergency maintenance window for Water Plant Alpha to patch CVE-2025-32433 (KEV, CVSS 10.0, pre-authentication RCE)."
  • "Approve vendor engagement for Siemens S7-1500 firmware update across all environments."
  • "Fund network segmentation project for Substation Beta to isolate legacy PLCs from the IT network."

SAGE Executive Narrative

A full-page narrative written by SAGE summarizing the report findings in executive language. This section can be extracted and used directly in board presentations or regulatory submissions.


When to Generate

  • Monthly: For regular management review and trend tracking.
  • Before board presentations: Provides a current posture snapshot with trend data.
  • On regulator request: When a regulator asks for a security posture summary.
  • After a major CVE event: When a new CVSS 10.0 KEV entry drops and management needs to understand the impact.
  • Quarterly: For compliance review meetings and insurance renewals.

Generating the Report

  1. Navigate to Reports > Generate Report.
  2. Select Executive Summary.
  3. Select the environments to include (one or more).
  4. Set the reporting period (date range).
  5. Click Generate.

The report generates in 30-60 seconds depending on the number of environments and findings. You receive a notification when it is ready.

Download as PDF for sharing. The PDF includes the CITED Relevance LLC branded letterhead, page numbers, and a professional layout suitable for external distribution.