Executive Summary Template

Purpose

Summarize CTI judgments for senior decision-makers without losing uncertainty.

Fields

  • decision: Decision the summary supports.
  • bottom_line: One-paragraph conclusion.
  • why_now: Why the issue matters now.
  • confidence: Confidence and reason.
  • business_impact: Operational or risk impact.
  • recommended_actions: Specific executive-level actions.
  • limits: What is unknown or not proven.
  • owner: Accountable owner for follow-up.

Example Values

decision: Approve 30-day hunt for remote admin tooling abuse.
bottom_line: Public reporting and local exposure justify a scoped hunt, not emergency blocking.
why_now: Multiple recent reports describe RMM abuse after initial access.
confidence: Medium; sources are credible but local telemetry is untested.
business_impact: Potential unauthorized remote control of endpoints.
recommended_actions: Approve hunt, validate telemetry, review RMM policy.
limits: No evidence of compromise in this environment.
owner: SOC Lead.

Quality Gates

  • Decision is explicit.
  • No unsupported attribution.
  • Confidence is explained.
  • Actions are owned.

Common Failure Modes

  • Too technical for the audience.
  • No decision stated.
  • Uncertainty hidden.

Practical Workflow

  1. Create the artifact only after the intelligence requirement or decision is clear.
  2. Fill required fields before writing narrative prose.
  3. Attach evidence labels, source references, confidence, and limitations.
  4. Review with the intended consumer.
  5. Update the artifact when evidence, telemetry, or decision context changes.

Analyst Checklist

  • Is the consumer defined?
  • Are required fields complete?
  • Are claims source-backed or marked Gap?
  • Is confidence justified?
  • Are limitations explicit?
  • Is there a next action or owner?

Required vs Optional Fields

Required: decision, bottom line, why now, confidence, business impact, recommended actions, limitations, owner.

Optional: risk rating, timeline, budget ask, appendix link.

Pass / Fail Example

Pass: Executive can approve, defer, or reject a concrete action.

Fail: Summary uses dramatic threat language but gives no decision or owner.

Complete Filled Example

decision: Approve a 30-day hunt for unauthorized RMM use.
bottom_line: Public reporting and local exposure justify a scoped hunt, not emergency blocking.
why_now: Recent reporting describes RMM abuse after initial access; local RMM baseline is incomplete.
confidence: Medium; reporting is credible but local telemetry is not fully validated.
business_impact: Unauthorized remote access could affect endpoint integrity and incident response.
recommended_actions: Approve hunt, validate telemetry, define approved RMM inventory.
limits: No local compromise evidence.
owner: SOC Lead and Detection Engineering.
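As an added example (not part of the original template), the following Python parses the `field: value` format used above and mechanically enforces the quality gates that can be checked without a reviewer: required fields present, confidence stated as a level plus a reason (separated by `;` as in the examples), and an accountable owner. The "no unsupported attribution" gate stays a human check. The pass input is the filled example above; the failing input is constructed to match the "Fail" case (dramatic language, no decision, no owner).

```python
import re

# Required fields, as listed under "Required vs Optional Fields" above.
REQUIRED = ("decision", "bottom_line", "why_now", "confidence",
            "business_impact", "recommended_actions", "limits", "owner")
CONFIDENCE_RE = re.compile(r"^(low|medium|high)\s*;\s*\S", re.IGNORECASE)
UNOWNED = {"tbd", "n/a", "unknown", "none"}  # placeholder owners that fail the gate

def parse_summary(text):
    """Parse 'field: value' lines (the template's format) into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip().lower()] = value.strip()
    return fields

def check_quality_gates(fields):
    """Return a list of gate failures; an empty list means the summary passes."""
    failures = [f"missing required field: {f}" for f in REQUIRED if not fields.get(f)]
    conf = fields.get("confidence", "")
    # "Confidence is explained": a level plus a reason, separated by ';'.
    if conf and not CONFIDENCE_RE.match(conf):
        failures.append("confidence has no level or no reason")
    # "Actions are owned": the owner must name an accountable party.
    owner = fields.get("owner", "").rstrip(".").lower()
    if owner and owner in UNOWNED:
        failures.append("actions are not owned")
    # "No unsupported attribution" is a human review gate and is not checked here.
    return failures

# Constructed inputs: the page's filled example, and a failing summary written
# to match the page's "Fail" case (dramatic language, no decision, no owner).
PASS_TEXT = """decision: Approve a 30-day hunt for unauthorized RMM use.
bottom_line: Public reporting and local exposure justify a scoped hunt, not emergency blocking.
why_now: Recent reporting describes RMM abuse after initial access; local RMM baseline is incomplete.
confidence: Medium; reporting is credible but local telemetry is not fully validated.
business_impact: Unauthorized remote access could affect endpoint integrity and incident response.
recommended_actions: Approve hunt, validate telemetry, define approved RMM inventory.
limits: No local compromise evidence.
owner: SOC Lead and Detection Engineering."""

FAIL_TEXT = """bottom_line: A sophisticated actor is actively targeting us.
why_now: The threat is critical.
confidence: High
business_impact: Catastrophic.
recommended_actions: Act immediately.
limits: None.
owner: TBD"""
```

Running `check_quality_gates(parse_summary(FAIL_TEXT))` reports the missing decision, the unexplained confidence and the unowned actions; the filled example returns no failures.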