If you've done penetration testing for any length of time, I'm sure you've encountered it. You perform a beautiful penetration test — technically rigorous, focused on real business risk, all wrapped up with a solid report. You don't wanna brag, but you feel pretty darned proud of completing a job well done.
And then....it happens. Target system personnel, the very people you've labored to help secure, blindside you with a barrage of criticisms of your findings in your draft report. Some penetration testers are shocked as target system personnel, both business decision makers and the technical people responsible for acting on the pen test findings, reject your results. It's almost as though they willfully don't understand your findings and the associated business risk. Your findings make perfect sense to you, yet they just don't get it despite your efforts to explain things as best you can. And, you still have to turn your draft report into a final report that is meaningful for the target organization. I've been there, my friends, right along side you. It can be soul crushing.
Man, this is so true I thought everyone should read it.