Enterprise Executive Review v2 — Deliverable Strategy
Core problem
Most organizations do not know what their automated processes, service accounts, and workflows can actually access across systems. Permissions, identities, and automations are managed in different tools, so excessive access, ownership gaps, and hidden execution paths accumulate unnoticed.
What SecurityV0 does
SecurityV0 shows where automated identities and workflows have authority across enterprise systems — and highlights where that access is excessive, unowned, or poorly governed.
The Insight
SecurityV0 serves three audiences at three different touchpoints:
| Audience | Touchpoint | What They Need | How They Get It |
|---|---|---|---|
| SecOps Analyst / IAM Admin | Daily in the platform UI | Full detail: paths, roles, evidence, remediation steps | The app as it exists today |
| Security Leader / CISO | Weekly in a summary | Cluster-level narrative, governance status, trend | Overview page + scheduled digest |
| CIO / Board / Partner Client | Monthly or per-assessment | Business risk, compliance mapping, cost of inaction, what to fix | Generated report (PDF/email) — NOT the platform UI |
The platform UI should NOT be dumbed down for Fortune 2000 CIOs. It should stay sharp for the people who use it daily. The executive layer is a separate output — a generated artifact that pulls from the same data but presents it in business language with compliance framing.
This is the pattern established security platforms follow: a precise console for the operator, plus a separate executive output generated from the same data:
- Wiz has the console (analyst) + Wiz Executive Dashboard + PDF reports
- CrowdStrike has Falcon console (analyst) + Falcon OverWatch reports (executive)
- Quest gave partners a "summary PDF printout" tied to business risk (Sergey's reference)
What SecurityV0 Should Produce
Tier 1: The Platform (EXISTS — needs the sprint fixes)
- Daily-use tool for analysts and operators
- Full technical detail: authority paths, evidence packs, remediation steps
- The sprint work (Phases 0-3) makes this strong for its intended audience
Tier 2: The Digest (BUILD — low effort, high value)
Scheduled summary — email or Slack — after each scan or weekly.
Format: Structured email or markdown, auto-generated from posture summary + cluster data.
Content (template with placeholders; each section notes the data it is populated from):
Subject: SecurityV0 Assessment Summary — {tenant_name} — {date}
EXECUTIVE SUMMARY
━━━━━━━━━━━━━━━━
Automated processes monitored: {workload_count} workloads across {system_count} systems
Observed executions (30 days): {total_executions} ({executions_delta}% from prior period)
Uncontrolled access chains: {active_paths} active
<!-- REVIEW [Sergey]: Could automated identities with excessive access or automations without clear ownership be better here? Uncontrolled access chains is not industry terminology. -->
Ownership gaps: {ownership_invalid_count} chains with no active human owner
<!-- REVIEW [Sergey]: Best if we can tie it to business impact. -->
TOP RISKS (auto-generated from top 3 risk clusters by priority)
━━━━━━━━━
{for each cluster, ranked by priority:}
{n}. {cluster.priority} — {cluster.identity_count} {glossary(cluster.description)}
{cluster.total_execution_30d} executions in 30 days.
→ Compliance: {compliance_refs from cluster finding types}
→ Fix: {cluster.remediation[0].action} (est. {effort_estimate})
<!-- REVIEW [Sergey]: Is it best to show top risks in absolute values instead of per cluster? Top risks should be framed as a combination of automations accessing sensitive systems, automations with excessive privileges, and automations without accountable owner. -->
GOVERNANCE STATUS (from cluster governance checklists)
━━━━━━━━━━━━━━━━━
{for each governance condition across all clusters:}
☐ {condition_label} ({affected_path_count} chains — {PASSING|FAILING|not assessed})
<!-- REVIEW [Sergey]: Same with risk. We should be a little more specific, like automations without owner, excessive permissions, or calling external AI services. More clear and concrete. -->
TREND (from posture summary delta)
━━━━━
Autonomous execution volume: {delta.executions_delta_pct}%
<!-- REVIEW [Sergey]: Consider replacing autonomous execution volume with increase in automated processes interacting with critical systems. -->
Active access chains: {delta.paths_delta_pct}%
Ownership gaps: {delta.ownership_delta} new since last period
<!-- REVIEW [Sergey]: Let's compare it to how Wiz shows posture changes. This would be a great example for us to learn from. -->
Full details: {platform_url}
Implementation: This is a template that populates from posture/summary + posture/risk-clusters + the compliance mapping table. It can be:
- A CLI script (scripts/generate-digest.ts) that runs post-scan
- A scheduled job in the worker pipeline
- Triggered by a webhook after ingestion completes
Effort: 2-3 sessions. The data already exists. The compliance mapping is a static lookup table. The template is string composition.
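As an added example (not the project's own code, and not the scripts/generate-digest.ts referenced above), the following TypeScript renders the digest template from constructed posture data: a static compliance lookup keyed by finding type, the business glossary translation the template calls glossary(), the top-three cluster ranking, and the merged governance checklist. The field names, the finding-type-to-control mapping, the governance labels and all sample numbers are assumptions; the NIST control IDs are real SP 800-53 controls, but their assignment to finding types is illustrative.

```typescript
// Added example, not SecurityV0's own code: renders the Tier 2 digest from a posture
// summary plus risk clusters. Field names, the finding-to-control mapping and all
// sample values are assumptions made for illustration.
type FindingType = "excessive_privilege" | "no_owner" | "external_ai_call";
type Priority = "Critical" | "High" | "Moderate" | "Low";
type GovStatus = "PASSING" | "FAILING" | "not assessed";
interface GovernanceCheck { label: string; affectedPaths: number; status: GovStatus }
interface RiskCluster {
  priority: Priority;
  identityCount: number;
  description: string;                 // technical wording; translated by glossary()
  totalExecution30d: number;
  findingTypes: FindingType[];
  remediation: { action: string; effortEstimate: string }[];
  governance: GovernanceCheck[];       // this cluster's governance checklist
}
interface PostureSummary {
  tenantName: string; date: string; platformUrl: string;
  workloadCount: number; systemCount: number; totalExecutions: number;
  activePaths: number; ownershipInvalidCount: number;
  delta: { executionsDeltaPct: number; pathsDeltaPct: number; ownershipDelta: number };
}

// Static lookup in the spirit of the proposed src/lib/compliance-mapping.ts. The NIST
// SP 800-53 control IDs are real; which finding type maps to which is assumed.
const COMPLIANCE_MAPPING: Record<FindingType, string[]> = {
  excessive_privilege: ["NIST AC-6"],  // Least Privilege
  no_owner: ["NIST AC-2"],             // Account Management
  external_ai_call: ["NIST SA-9"],     // External System Services
};
// Business glossary from the report spec: technical term -> business wording.
const GLOSSARY: [string, string][] = [
  ["Azure OpenAI Endpoint", "external AI service"],
  ["service principal", "automated account"],
  ["ServiceNow", "IT service management platform"],
  ["EntraID", "identity provider"],
];
const PRIORITY_RANK: Record<Priority, number> = { Critical: 0, High: 1, Moderate: 2, Low: 3 };

// Longest terms first so a long term is never split by a shorter one it contains.
function glossary(text: string): string {
  return [...GLOSSARY].sort((a, b) => b[0].length - a[0].length).reduce(
    (acc, [term, plain]) => acc.replace(new RegExp(term.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"), "gi"), plain),
    text);
}
function complianceRefs(types: FindingType[]): string[] {
  return Array.from(new Set(types.flatMap((t) => COMPLIANCE_MAPPING[t]))).sort();
}
// Merge per-cluster checklists into one line per condition: any FAILING wins, then
// PASSING, otherwise "not assessed"; affected path counts are summed across clusters.
function governanceStatus(clusters: RiskCluster[]): GovernanceCheck[] {
  const merged = new Map<string, GovernanceCheck>();
  for (const g of clusters.flatMap((c) => c.governance)) {
    const cur = merged.get(g.label) ?? { label: g.label, affectedPaths: 0, status: "not assessed" as GovStatus };
    cur.affectedPaths += g.affectedPaths;
    if (g.status === "FAILING" || (g.status === "PASSING" && cur.status !== "FAILING")) cur.status = g.status;
    merged.set(g.label, cur);
  }
  return Array.from(merged.values());
}
const signed = (n: number): string => (n > 0 ? `+${n}` : `${n}`);

function renderDigest(s: PostureSummary, clusters: RiskCluster[]): string {
  // Top 3 by priority; sort() is stable, so ties keep API order.
  const top = [...clusters].sort((a, b) => PRIORITY_RANK[a.priority] - PRIORITY_RANK[b.priority]).slice(0, 3);
  const out = [`Subject: SecurityV0 Assessment Summary — ${s.tenantName} — ${s.date}`, "", "EXECUTIVE SUMMARY",
    `Automated processes monitored: ${s.workloadCount} workloads across ${s.systemCount} systems`,
    `Observed executions (30 days): ${s.totalExecutions} (${signed(s.delta.executionsDeltaPct)}% from prior period)`,
    `Uncontrolled access chains: ${s.activePaths} active`,
    `Ownership gaps: ${s.ownershipInvalidCount} chains with no active human owner`, "", "TOP RISKS"];
  top.forEach((c, i) => {
    const fix = c.remediation[0];
    out.push(`${i + 1}. ${c.priority} — ${c.identityCount} ${glossary(c.description)}`,
      `   ${c.totalExecution30d} executions in 30 days.`,
      `   → Compliance: ${complianceRefs(c.findingTypes).join(", ") || "none mapped"}`,
      `   → Fix: ${fix ? `${fix.action} (est. ${fix.effortEstimate})` : "no remediation recorded"}`);
  });
  out.push("", "GOVERNANCE STATUS");
  for (const g of governanceStatus(clusters)) out.push(`☐ ${g.label} (${g.affectedPaths} chains — ${g.status})`);
  out.push("", "TREND", `Autonomous execution volume: ${signed(s.delta.executionsDeltaPct)}%`,
    `Active access chains: ${signed(s.delta.pathsDeltaPct)}%`,
    `Ownership gaps: ${signed(s.delta.ownershipDelta)} new since last period`, "", `Full details: ${s.platformUrl}`);
  return out.join("\n");
}

// Constructed sample input: the tenant id reuses the page's demo-w1 name, the numbers are made up.
const SAMPLE_SUMMARY: PostureSummary = {
  tenantName: "demo-w1", date: "2025-01-15", platformUrl: "https://securityv0.example/demo-w1",
  workloadCount: 42, systemCount: 6, totalExecutions: 9130, activePaths: 11, ownershipInvalidCount: 6,
  delta: { executionsDeltaPct: 12, pathsDeltaPct: -3, ownershipDelta: 2 },
};
const SAMPLE_CLUSTERS: RiskCluster[] = [
  { priority: "High", identityCount: 3, description: "service principals calling an Azure OpenAI Endpoint",
    totalExecution30d: 410, findingTypes: ["external_ai_call", "no_owner"],
    remediation: [{ action: "Assign an accountable owner and restrict outbound AI calls", effortEstimate: "2 days" }],
    governance: [{ label: "Every automation has an accountable owner", affectedPaths: 2, status: "PASSING" },
      { label: "No standing write access to production systems", affectedPaths: 3, status: "not assessed" }] },
  { priority: "Critical", identityCount: 7, description: "service principals with write access to ServiceNow",
    totalExecution30d: 1280, findingTypes: ["excessive_privilege", "no_owner"],
    remediation: [{ action: "Scope roles to the queues each workflow actually updates", effortEstimate: "1 week" }],
    governance: [{ label: "Every automation has an accountable owner", affectedPaths: 4, status: "FAILING" }] },
];
console.log(renderDigest(SAMPLE_SUMMARY, SAMPLE_CLUSTERS));
```

Running it prints the digest for the constructed tenant. Two points worth keeping when this becomes a real script: the governance merge has to decide how conflicting per-cluster verdicts combine (here any FAILING wins, which is the conservative choice for a client-facing digest), and the case-insensitive glossary replacement will also rewrite matching substrings inside unrelated identifiers, which is one more reason the glossary belongs in the report layer only and not in the platform, as the table later in this document says.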
Tier 3: The Assessment Report (BUILD — medium effort, strategic differentiator)
Partner-ready PDF. The artifact that Deloitte hands to the client CISO. The "summary PDF printout" Sergey described from Quest.
Format: Multi-page PDF with sections. Generated from a scan, not from the UI.
Content:
Page 1 — Cover
- "[Client Name] — Exposure Assessment by SecurityV0"
- Date, assessment period, SecurityV0 branding
Page 2 — Executive Summary (the "one-pager")
- 3-4 sentence problem statement in business language
- Key metrics: processes monitored, uncontrolled chains found, ownership gaps, compliance violations
- Risk rating: Critical / High / Moderate / Low with 1-sentence justification
- "Based on this assessment, [X] automated processes operate with excessive, unmonitored authority across sensitive business systems. [Y] have no accountable human owner. Immediate action is recommended on [Z] critical findings."
Page 3 — Findings Summary
- Table: finding category, count, severity, compliance framework reference, business impact
- No technical system names — use business translations:
- "Identity provider" not "EntraID"
- "IT service management platform" not "ServiceNow"
- "Automated account" not "service principal"
- "External AI service" not "Azure OpenAI Endpoint"
- Visual: severity distribution chart, risk cluster breakdown
Page 4 — Risk Detail (per cluster)
- One section per risk cluster, using the verdict sentence as the lead
- Compliance framework tags (OWASP ASI-XX, NIST AC-X)
- Affected business domains (not technical domain names — "Human Resources data" not "hr")
- Cost of inaction framing: regulatory exposure, audit implications
- Evidence grade: "Confirmed by execution logs" / "Inferred from permissions" / "Standing access only"
Page 5 — Remediation Roadmap
- Prioritized actions in business terms:
  - Action description (no technical jargon)
  - Estimated effort: hours / days / weeks
  - Responsible role: "IAM team" / "Security operations" / "Application owners"
  - Complexity: Low / Medium / High
  - Compliance frameworks addressed
- Quick wins (< 1 day) vs. strategic improvements (1-4 weeks) vs. ongoing governance
Page 6 — Appendix: Methodology
- What SecurityV0 is (1 paragraph)
- What was scanned (systems, period, scope)
- How findings are determined (deterministic, evidence-based, no ML/scoring)
- Evidence integrity: SHA256-sealed packs, temporal provenance
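As an added example (not the project's own code), this TypeScript shows what the "Evidence grade" line on Page 4 and the "SHA256-sealed packs" line in the methodology appendix imply for a report generator: the seal over a canonical serialisation of the pack is verified before any grade is assigned, and the A/B/C grade is derived from what the pack actually contains. The pack layout, the sealing rule, the grading thresholds and the sample packs are assumptions.

```typescript
// Added example, not SecurityV0's own code: verifies the SHA256 seal on an evidence
// pack and assigns the report's evidence grade (A/B/C). The pack layout, the sealing
// rule and the grading thresholds are assumptions made for illustration.
import { createHash } from "node:crypto";

type Grade = "A" | "B" | "C";
const GRADE_LABEL: Record<Grade, string> = {
  A: "Confirmed by execution logs",
  B: "Inferred from permissions",
  C: "Standing access only",
};
interface EvidenceBody {
  pathId: string;
  collectedAt: string;                               // temporal provenance (ISO 8601, UTC)
  executionLogs: { ts: string; action: string }[];   // observed runs along this path
  effectivePermissions: string[];                    // permissions resolved from role assignments
  standingAccess: boolean;                           // a direct grant exists whether or not it is used
}
interface EvidencePack extends EvidenceBody { sha256: string }

// Canonical serialisation: keys sorted recursively, so key order in the stored JSON
// cannot change the hash and a re-serialised pack still verifies.
function stable(v: unknown): string {
  if (Array.isArray(v)) return `[${v.map(stable).join(",")}]`;
  if (v !== null && typeof v === "object") {
    const o = v as Record<string, unknown>;
    return `{${Object.keys(o).sort().map((k) => `${JSON.stringify(k)}:${stable(o[k])}`).join(",")}}`;
  }
  return JSON.stringify(v);
}
const digestOf = (body: EvidenceBody): string => createHash("sha256").update(stable(body)).digest("hex");

function sealPack(body: EvidenceBody): EvidencePack {
  return { ...body, sha256: digestOf(body) };
}
// An unkeyed hash detects corruption and casual edits, not an attacker who can rewrite
// the pack and recompute the seal; for that the seal must be signed or keyed.
function verifySeal(pack: EvidencePack): boolean {
  const { sha256, ...body } = pack;
  return /^[0-9a-f]{64}$/.test(sha256) && sha256 === digestOf(body);
}

interface AssessmentWindow { from: string; to: string }   // ISO 8601 UTC strings compare lexicographically

// Assumed grading rule: A if an execution was observed inside the assessment window,
// B if none was but resolved permissions show the chain is reachable, C if only a
// standing grant exists. Unsealed, stale or empty packs are refused rather than graded,
// because a grade in a client report is a claim about the evidence behind it.
function gradeEvidence(pack: EvidencePack, w: AssessmentWindow): { grade: Grade; label: string } {
  if (!verifySeal(pack)) throw new Error(`evidence pack ${pack.pathId}: seal mismatch, refusing to grade`);
  if (pack.collectedAt < w.from) throw new Error(`evidence pack ${pack.pathId}: collected before the assessment window`);
  const executed = pack.executionLogs.some((e) => e.ts >= w.from && e.ts <= w.to);
  let grade: Grade;
  if (executed) grade = "A";
  else if (pack.effectivePermissions.length > 0) grade = "B";
  else if (pack.standingAccess) grade = "C";
  else throw new Error(`evidence pack ${pack.pathId}: contains no evidence of access`);
  return { grade, label: GRADE_LABEL[grade] };
}

// Constructed sample packs (made-up identities and timestamps), sealed at build time.
const SAMPLE_PACKS: EvidencePack[] = [
  sealPack({ pathId: "path-001", collectedAt: "2025-02-01T00:00:00Z",
    executionLogs: [{ ts: "2025-01-12T08:15:00Z", action: "servicenow.incident.update" }],
    effectivePermissions: ["itsm.incident.write"], standingAccess: true }),
  sealPack({ pathId: "path-002", collectedAt: "2025-02-01T00:00:00Z",
    executionLogs: [], effectivePermissions: ["hr.payroll.read"], standingAccess: false }),
  sealPack({ pathId: "path-003", collectedAt: "2025-02-01T00:00:00Z",
    executionLogs: [], effectivePermissions: [], standingAccess: true }),
];
const ASSESSMENT_WINDOW: AssessmentWindow = { from: "2025-01-01T00:00:00Z", to: "2025-01-31T23:59:59Z" };
for (const p of SAMPLE_PACKS) console.log(p.pathId, gradeEvidence(p, ASSESSMENT_WINDOW));
```

The seal check runs first on purpose: a grade printed in a partner deliverable should never be produced from a pack that no longer matches its seal. Note what an unkeyed SHA256 seal does and does not prove. It shows the pack has not changed since whoever sealed it did so; it does not protect against someone with write access to the pack store who edits the pack and recomputes the hash. If the report must be tamper-evident against that party, the seal has to be signed or keyed (for example an HMAC) with a key the store does not hold.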
Implementation options:
Option A: CLI report generator (recommended for MVP)
- Invocation: npx tsx scripts/generate-assessment-report.ts --tenant demo-w1 --format pdf
- Pulls from the same API endpoints the UI uses
- Uses a template engine (e.g., @react-pdf/renderer, or puppeteer rendering an HTML template)
- Includes the business glossary for term translation
- Includes the compliance mapping table
- Output: PDF file or markdown
Option B: In-platform export
- "Export Assessment Report" button on Overview page
- Generates the same content via the API
- Downloads as PDF
- More polished UX but more effort
Option C: Scheduled pipeline
- Post-scan webhook triggers report generation
- Sends PDF via email or uploads to a shared location
- Best for ongoing managed services (partner runs weekly scans)
Effort: 4-6 sessions for Option A. The hard parts are already solved — the data exists, the compliance mapping is a lookup table, the evidence packs have the detail. The new work is: PDF template, business glossary, effort estimation table for remediations.
What Changes in the Platform vs. What's a Separate Artifact
| Item | Where It Lives | Why |
|---|---|---|
| Compliance mapping (OWASP/NIST tags) | Platform API + UI | Useful at every level — analysts need it too for ticket justification |
| Evidence grades (A/B/C) | Platform API + UI | Core differentiator, visible to all users |
| Business glossary translations | Report generator only | The platform should use precise technical terms for analysts |
| Cost/effort estimates on remediation | Report generator (with optional platform API field) | Estimates are assessment-context-dependent, not universal |
| Board slides / executive summary | Report generator only | This is a deliverable, not a feature |
| Severity distribution charts | Both — summary strip in platform, visual in report | Platform uses it for filtering, report uses it for storytelling |
| "Export Report" button | Platform UI — triggers report generator | Convenience entry point |
Key principle: Don't pollute the analyst tool with executive formatting. Let the platform be precise and technical. Let the report be translated and business-ready. Same data, different presentation layer.
Implementation Priority
| Priority | Item | Effort | Value |
|---|---|---|---|
| Sprint (now) | Add compliance_references to API findings/clusters | 1-2 sessions | High — useful for platform AND reports |
| Sprint (now) | Create src/lib/compliance-mapping.ts static lookup | 1 session | Foundation for everything else |
| Next sprint | Build digest email template (scripts/generate-digest.ts) | 2-3 sessions | Quick win — partners can forward to clients immediately |
| Next sprint | Build assessment report generator (Option A) | 4-6 sessions | Strategic — the Quest "summary PDF printout" |
| Next sprint | Business glossary for report generator | 1 session | Enables non-technical output |
| Following | In-platform "Export" button wiring to report generator | 2 sessions | Convenience |
| Following | Scheduled report pipeline (Option C) | 2-3 sessions | Managed services enablement |
What This Means for the Review
The original Enterprise Executive review (v1) was right about the gaps but wrong about the fix. The fix is NOT to make the platform UI speak business language everywhere. The fix is:
- Keep the platform sharp for analysts (the sprint work)
- Add compliance mapping to the data layer (useful for everyone)
- Build a separate report generator that translates the same data into business deliverables
- Let partners use the report generator to produce their client-facing "handout"
The platform is the engine. The report is the output. Different audiences, different artifacts, same data.