Post-exploitation objectives (in authorized pen test): gain admin/domain admin, establish persistence, demonstrate lateral movement capability, access sensitive data (PII, IP, financial), demonstrate exfiltration capability, document entire attack chain.
Post-exploitation should demonstrate business impact, not just technical capability. "We got domain admin" is less impactful than "We got domain admin and demonstrated access to 500,000 customer records and your complete intellectual property." Impact drives remediation prioritization.