Why We Don’t Change Risk Ratings on Pentest Findings (Even When You Ask Nicely)

This one comes up a lot when we wrap up penetration tests, so I thought it was time to discuss it. Sometimes, after we deliver a pentest report, a client reaches out and asks us to change the risk rating of a finding. I totally understand where this request comes from; after all, these findings often go in front of leadership, boards, or even regulators. I’ve been in enough of your review meetings to know that a High can feel like a flashing red light you’d rather dim a bit.

But here’s the thing: we can’t change a risk rating just because it would be easier for your organization. And honestly, doing so wouldn’t be right for you or for us. Let me explain why.

The Purpose of a Risk Rating

When we assign a risk rating, we’re not just throwing a dart at a board. We consider a number of key pieces:

  • Impact: If it’s exploited, how bad would it be?
  • Reproducibility: How easy is it to repeat the attack?
  • Exploitability: How realistic is it that someone could exploit this issue?
  • Who is Affected: How many users would be affected?
  • Discoverability: How easy is it for an attacker to find the attack path?

We also look at context-specific factors, like whether you’ve already got controls in place that lower the risk in your environment. In other words, we do adjust the risk rating when it makes sense. If a vulnerability is technically severe but you’ve got strong compensating controls, we reflect that. We’re not here to make things scarier than they need to be.

But what we don’t do is change the rating just because the number or label causes concern in a presentation.

Why We Won’t “Downgrade for Comfort”

Here’s the ethical side: imagine if we marked something as Low because it felt more convenient. Then, six months later, someone breaks in through that exact issue. Imagine the questions that would be asked:

“The pentesting company said this wasn’t a big deal. Why didn’t they warn us?”

At that point, it wouldn’t just be your company feeling the consequences. It would also mean our team failed in our responsibility to give you accurate, honest risk information. That’s not something we’re willing to bend on, because you’re trusting us to call it like it is.

Mitigating Risk

How We Can Help Instead

So, if you ever find yourself uneasy about a risk rating, let’s talk it through. My team’s job is to make sure you understand:

  • Why we assigned that rating
  • What factors we took into account
  • What steps could bring the risk down

Sometimes, the conversation reveals controls you already have that we didn’t know about, and, with proof of those mitigating controls, that does change things. Other times, it’s a matter of building an action plan so you can explain to leadership how the risk is being addressed, even if the rating stays where it is.

At the End of the Day

Our reports are meant to be tools you can rely on when making security decisions. If we start softening them just to make things “look better,” we’re not helping you; instead, we’re setting you up for a worse conversation later if attackers take advantage of those same findings.

So, no, we won’t move a High to a Moderate because it will land better in tomorrow’s board deck. But we will be there to help you understand it, mitigate it, and have the right story ready when you present it. Because our job isn’t just testing systems, it’s also helping you strengthen them and protect your reputation along the way.

One Last Thing

Have you ever had to present a pentest report to leadership and gotten tough questions about the ratings? What helped you explain them?

We’re always happy to jump on a debriefing call at the end of your engagement after you’ve had time to review your report. If you’re concerned about how to present your findings, why not use your debriefing call to ask for advice? Your pentester may have tips on how to use the opportunity to open the door for a larger budget to buy the tools or hire the people you need to fix the issues. We are also happy for you to invite management and others to the call so that we can help you explain the situation.

Each pentest finding may seem like a problem at the time, but our goal is to give you the tools you need to remediate our penetration test findings before a malicious actor causes harm.

Thanks for reading. If you found this blog interesting, please take a look at my Accepting Penetration Test Risks & How Compensating Controls Can Help blog as well.