Learn by Directing AI
Unit 8

The Report and the Donor

Step 1: Compile the assessment report

Open materials/report-template.md.

This report integrates everything: passive reconnaissance findings, threat model results, network service exploitation (Metasploit sessions, Hydra brute-force), web application findings, CVSS-based prioritization with environmental context, remediation decisions with rationale, and detection rule documentation. Previous reports covered web application findings. This one covers two attack domains.

Direct Claude to compile the findings into the template. Each finding needs: a description, the evidence (screenshots, command output, session logs), the impact on patient data, the CVSS score with environmental context, the remediation action taken, and the verification result.

Step 2: Write the executive summary

The executive summary is not a condensed technical report. It is a document Marie-Claire will hand to the European Health Development Foundation.

The donor needs to see three things: the assessment was thorough, critical findings were addressed, and the clinic network is on a path to reasonable security. Write for that audience. The people reading this summary are not penetration testers. They are program officers deciding whether to renew funding for a health organization that serves 350,000 patients.

Direct Claude to draft the summary. Review it for audience. If the language reads like a technical report compressed into two paragraphs, it needs rewriting.

Step 3: Translate network findings into patient impact

Technical findings need translation. "SSH credentials brute-forced in under three minutes" is an accurate finding. Marie-Claire cannot present it to the donor as-is.

The translation: someone with basic tools and common techniques could access the server that stores every patient's medical history, including HIV diagnoses, mental health records, and pregnancy status. In a community of 350,000 people, that exposure is not just a data breach. It endangers patients.

Direct Claude to translate each network exploitation finding into patient impact language. Review every translation. AI tends to either stay too technical or become dramatic. The right register is factual, specific, and grounded in what the exploitation actually proved.

Step 4: Present CVSS with environmental context

The report includes CVSS scores. It also explains why the prioritization differs from a simple score ranking.

Include the comparison you built in Unit 7: the CVSS-ordered list alongside the environmentally-adjusted priority list. Explain the reasoning for each priority adjustment. The internet-facing login page with direct access to patient records takes priority over the higher-scored internal-only finding because of exposure and data sensitivity.

This section demonstrates professional judgment. The donor does not need to understand CVSS scoring. They need to see that priority decisions were made with care, not applied mechanically.
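One way to produce the side-by-side comparison, added here as an example and not taken from the course materials: it assumes the adjustment is expressed through the CVSS v3.1 environmental metrics (Modified Attack Vector for exposure, Confidentiality Requirement for data sensitivity). The two findings and their vectors are constructed for illustration.

```python
import math

# CVSS v3.1 weights, Scope: Unchanged only; temporal metrics left Not Defined.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"N": 0.85, "L": 0.62, "H": 0.27}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"H": 1.5, "M": 1.0, "L": 0.5}  # CR / IR / AR security requirements


def roundup(x):
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, float-safe."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0


def score(base, env=None):
    """Base score, or environmental score when env overrides are supplied."""
    env = env or {}

    def metric(k):  # modified metric (MAV, MC, ...) falls back to the base value
        return env.get("M" + k, base[k])

    def req(k):     # requirement defaults to Medium (1.0)
        return REQ[env.get(k, "M")]

    iss = 1 - ((1 - req("CR") * CIA[metric("C")])
               * (1 - req("IR") * CIA[metric("I")])
               * (1 - req("AR") * CIA[metric("A")]))
    if env:
        iss = min(iss, 0.915)  # cap applies to the modified impact sub-score
    impact = 6.42 * iss
    expl = 8.22 * AV[metric("AV")] * AC[metric("AC")] * PR[metric("PR")] * UI[metric("UI")]
    return 0.0 if impact <= 0 else roundup(min(impact + expl, 10))


# Constructed findings: (name, base metrics, environmental overrides).
FINDINGS = [
    ("internal-only service", dict(AV="N", AC="L", PR="N", UI="N", C="H", I="H", A="H"),
     dict(MAV="A")),   # assumption: reachable only from inside the clinic network
    ("internet-facing login page", dict(AV="N", AC="L", PR="N", UI="N", C="H", I="N", A="N"),
     dict(CR="H")),    # assumption: direct access to patient records
]


def rankings(findings=FINDINGS):
    """Return (CVSS-ordered names, environmentally adjusted names)."""
    by_base = sorted(findings, key=lambda f: -score(f[1]))
    by_env = sorted(findings, key=lambda f: -score(f[1], f[2]))
    return [f[0] for f in by_base], [f[0] for f in by_env]
```

With these constructed vectors the base scores are 9.8 and 7.5, while the environmental scores are 8.8 and 9.3, so the login page moves to the top of the adjusted list.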

Step 5: Handle the BYOD scope question

After reviewing the findings, Marie-Claire mentions that Frantz told her some staff are using personal phones to access patient records. She asks: "Is that something you should look at too?"

This is a legitimate security concern. BYOD risk -- personal devices accessing sensitive medical data -- is real. But it is outside the scope of this network security assessment.

The right response is not "no." The right response is: note it as a recommendation for a separate assessment. The report's recommendations section should include a line about BYOD risk and the suggestion to scope a separate evaluation covering personal device access to patient data.

Scope management is a professional skill. Saying "yes, I'll add that" to every client request turns a focused assessment into an unbounded engagement. Saying "that is a real concern and here's how to address it" respects both the client's worry and the engagement's boundaries.

Step 6: Send the report to Marie-Claire

Send the completed report to Marie-Claire through the client interface.

She reads it carefully. She is not a fast scanner. She focuses on whether patient records are safe now and what to present to the donor. Her response will reflect both relief and the weight of what was found.

Review her response. If she asks follow-up questions, answer them in terms she can use with the donor. The assessment is over, but the communication continues until Marie-Claire has what she needs.

Step 7: Push to GitHub

Commit the project and push to GitHub. The commit message should capture the assessment outcome.

git add -A
git commit -m "p4-t8: complete assessment report for reseau sante du nord"
git push origin main

The project is complete. You assessed a health clinic network's EHR system across two attack domains -- network services and web application -- built a threat model from passive intelligence, configured SIEM infrastructure with designed labels, wrote detection rules from scratch, and made remediation decisions with environmental judgment. The report you delivered integrates all of this for a donor audience.

✓ Check: Report contains: executive summary with donor framing, network findings with Metasploit/Hydra evidence, CVSS prioritisation with environmental reasoning, remediation decisions with rationale, and recommendations. The patient data impact is described in terms Marie-Claire can use with the donor. Project pushed to GitHub.
