< BACK_TO_INDEX
[Communication]2023.05.28 // 2 MIN READ

Nobody Reads a Vulnerability List — They Read the Story Behind It

I've watched a pentest report with forty findings get skimmed and shelved, and I've watched a five-sentence walkthrough of how three of those same findings chain together into data exfiltration get a budget approved in the same meeting. The difference wasn't the data. It was whether anyone could see the story in it.

The report that didn't land

The findings list looked like this: SQL injection on a low-traffic endpoint, an overly permissive service account, and a misconfigured S3 bucket. Three separate line items, three separate severity scores, none of them individually urgent enough to jump the queue.

The version that did

Same three findings, reframed as a chain: the SQL injection leaks the service account's credentials, the service account has write access it doesn't need, and that access reaches the misconfigured bucket holding customer records. Same underlying data. The difference is showing the path an attacker actually walks instead of three isolated severity scores.

# turning a findings CSV into a chain instead of a list
import pandas as pd

findings = pd.read_csv("pentest_findings.csv")
chain = findings[findings["chains_to"].notna()].sort_values("step")
for _, row in chain.iterrows():
    print(f"{row['step']}. {row['finding']} -> enables -> {row['chains_to']}")

That's not sophisticated. It's just forcing the data into the shape people actually reason in — a sequence of causes and effects — instead of a sorted table.

What I actually do differently now

I ask what decision this data needs to drive before I build anything. A vulnerability list is for the engineer fixing it. A chain diagram with dollar signs or record counts attached is for the person deciding whether it gets fixed this sprint or next quarter. Same underlying data, different audience, different shape — and the shape is the part that actually changes the outcome.

Every version of the story needs to end somewhere specific, too. Not "here's what's wrong" — "here's what we do about it, and by when." A findings summary without a concrete next step just becomes something to acknowledge and file away, which defeats the entire point of framing it as a story in the first place.

Visuals help, but they're not the mechanism. A clean diagram of the wrong story still gets ignored — it just gets ignored more politely. The visual is what makes the chain legible at a glance; getting the causal chain right in the first place is what makes it worth looking at.

Where AI actually helps with this

Machine learning is genuinely useful for the unglamorous part: finding the chain in the first place. Correlating a service account's excess permissions with a specific vulnerable endpoint, across a findings list with hundreds of entries, is exactly the kind of pattern-matching that doesn't scale by hand past a certain size. I don't hand the narrative itself over to a model — the framing decision is still mine — but I'll happily let it surface the candidate chains I'd otherwise have to find by manually cross-referencing a spreadsheet.