Reporting is one of the most time-consuming manual tasks in pentesting. While there are dozens of pentest report automation tools available, each taking a different approach, Cyver Core goes for full automation, building comprehensive reports from the data you’ve already uploaded. Getting the full pentest report automation experience means using Cyver Core’s software to manage pentests, manage clients, and share data with clients.
In this article, we’ll go over the full process of automating pentest reporting in Cyver Core, so you can see what’s involved, why it’s important, and what you get out of it.
These steps include:
- Building Pentest Project Templates
- Creating Report Templates
- Uploading Findings
- Adding Finding Data
- Generating the Report
Each step is an important part of automating the report process.
Getting Started with Cyver Core: Pentest Templates
Building a pentest template is the first step to generating a report. Why? The report is based on project data. The pentest template allows you to:
- Set project type
- Add clients
- Add responsible teams including a lead pentester
- Set scope and assets
- Add compliance norms (if any)
- Choose checklists (or build one)
This basically sets the tasks, responsible parties, and assets to be tested. The client will have to set scope and assets if they request the pentest themselves. The important part for reporting is that this data is already in the system.
Creating Report Templates
Cyver Core delivers a basic report template with 6 sections which you can tweak, update, and edit at your discretion. You can add or remove sections. You can also build a new template from the ground up. This is a simple matter of using CSS, markup, and content boxes to fill in information as desired.
We’ve created a full guide to building a pentest report template in Cyver Core here.
The Pentest Report Template uses Tokens to refer to data already in the platform. This allows you to refer to Client data, Project Template data, and Vulnerability Findings Data in the Project.
Uploading Findings
Cyver Core uses a combination of automated Findings import and manual data entry. For example, you can batch import findings from a tool like Burp or Nessus. You can also manually add findings to reflect manual research.
- Go to the pentest the Findings are related to
- Click Findings
For example, you can import XML files, select which Findings you want to import, and then add details after import is finished. Cyver Core automatically creates individual tickets per finding, which are then added to the Project and to your Vulnerability Library.
Adding Finding Data
The first time you add or upload a finding is the most work. You’ll have to either copy-paste data in from your existing Vulnerability Library or create new writeups. If you already have similar vulnerabilities in your library, Cyver Core maps uploads to the library, pulling CVE scores, descriptions, and other information as relevant.
Generating the Report
Once you’ve uploaded Findings to the pentest, you can generate a report at the click of a button. This uses the pre-written sections from the report and uses Tokens to fill in information around the client, assets, pentest team, compliance framework, vulnerability findings, recommendations, etc. These are pulled as dynamic data from the Pentest project, so everything is always up to date.
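The three mechanisms described above (importing scanner XML into one ticket per finding, mapping uploads onto an existing vulnerability library, and filling template Tokens from project data at generation time) can be shown end to end in a small script. The following is an added example written for this article, not Cyver Core’s own code: the `{{dotted.token}}` syntax, the `VULN_LIBRARY` dictionary, the hosts and findings in `SAMPLE_NESSUS_XML`, and the CVSS values are all constructed for illustration. The XML follows the `.nessus` (`NessusClientData_v2`) element layout so a real export would parse the same way, and the final `unresolved_tokens` check is the pre-publish step a practitioner wants: a report with a placeholder still in it means the project data was incomplete.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the .nessus (NessusClientData_v2) layout; hosts and findings
# are invented for this example, not output of a real scan.
SAMPLE_NESSUS_XML = """
<NessusClientData_v2>
  <Report name="constructed-sample">
    <ReportHost name="10.0.0.5">
      <ReportItem port="443" protocol="tcp" pluginID="1" pluginName="TLS 1.0 Enabled" severity="2">
        <description>The remote service accepts connections using TLS 1.0.</description>
        <solution>Disable TLS 1.0 on the service.</solution>
      </ReportItem>
      <ReportItem port="22" protocol="tcp" pluginID="2" pluginName="SSH Server Detection" severity="0"/>
    </ReportHost>
    <ReportHost name="10.0.0.6">
      <ReportItem port="443" protocol="tcp" pluginID="1" pluginName="TLS 1.0 Enabled" severity="2">
        <description>The remote service accepts connections using TLS 1.0.</description>
        <solution>Disable TLS 1.0 on the service.</solution>
      </ReportItem>
      <ReportItem port="443" protocol="tcp" pluginID="3" pluginName="Self-Signed Certificate" severity="1">
        <description>The certificate chain is not signed by a recognized CA.</description>
        <solution>Install a certificate issued by a trusted CA.</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Hypothetical stand-in for a vulnerability library: prior write-ups keyed by finding title.
VULN_LIBRARY = {
    "TLS 1.0 Enabled": {"cvss": 6.5, "recommendation": "Disable TLS 1.0 and 1.1; require TLS 1.2 or later."},
}

# Hypothetical report template; the {{dotted.token}} syntax is this example's own invention.
REPORT_TEMPLATE = """# Penetration Test Report: {{client.name}}
Lead pentester: {{project.lead}}
Findings: {{findings.count}} ({{findings.high_count}} rated CVSS 7.0 or higher)

{{findings.table}}
"""

TOKEN_RE = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


def parse_nessus(xml_text, min_severity=1):
    """One finding per (host, ReportItem); informational items below min_severity are dropped."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            severity = int(item.get("severity", "0"))
            if severity < min_severity:
                continue
            findings.append({
                "title": item.get("pluginName", "").strip(),
                "asset": f"{host.get('name')}:{item.get('port')}/{item.get('protocol')}",
                "severity": severity,
                "description": (item.findtext("description") or "").strip(),
                "recommendation": (item.findtext("solution") or "").strip(),
            })
    return findings


def merge_findings(findings, library):
    """Collapse repeated titles into one ticket listing every affected asset; when the library
    already has a write-up for the title, its score and recommendation replace the scanner text."""
    merged = {}
    for f in findings:
        entry = merged.setdefault(f["title"], {**f, "cvss": None, "assets": []})
        entry["assets"].append(f["asset"])
        known = library.get(f["title"])
        if known:
            entry["cvss"] = known["cvss"]
            entry["recommendation"] = known["recommendation"]
    for entry in merged.values():
        entry.pop("asset", None)  # per-asset field replaced by the aggregated list
    return list(merged.values())


def build_context(client_name, lead, merged):
    """Flatten client, project and finding data into the token namespace the template reads."""
    rows = ["| Finding | CVSS | Affected assets | Recommendation |", "|---|---|---|---|"]
    for f in sorted(merged, key=lambda x: (x["cvss"] or 0, x["severity"]), reverse=True):
        score = "n/a" if f["cvss"] is None else f"{f['cvss']:.1f}"
        rows.append(f"| {f['title']} | {score} | {', '.join(f['assets'])} | {f['recommendation']} |")
    return {
        "client.name": client_name,
        "project.lead": lead,
        "findings.count": len(merged),
        "findings.high_count": sum(1 for f in merged if (f["cvss"] or 0) >= 7.0),
        "findings.table": "\n".join(rows),
    }


def render_report(template, context):
    """Substitute tokens; an unknown token is left in place so it stays visible during review."""
    return TOKEN_RE.sub(lambda m: str(context.get(m.group(1), m.group(0))), template)


def unresolved_tokens(rendered):
    """Pre-publish check: any token still present means project data was missing."""
    return sorted(set(TOKEN_RE.findall(rendered)))


if __name__ == "__main__":
    merged = merge_findings(parse_nessus(SAMPLE_NESSUS_XML), VULN_LIBRARY)
    report = render_report(REPORT_TEMPLATE, build_context("Example Client B.V.", "A. Tester", merged))
    print(report)
    print("unresolved tokens:", unresolved_tokens(report))
```

Two design choices carry over to any report pipeline of this kind: findings are grouped by title before rendering so the client gets one ticket per issue with all affected assets rather than one ticket per scanner hit, and rendering never silently drops an unknown token, so a missing client contact or compliance norm shows up in review instead of in the delivered PDF.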
Once you hit “Generate”, you can go over each section to edit data, to tweak content, or to add whatever information you think is necessary. For example, if you want to add a large amount of custom information, you can easily do so. When you’re done, you can publish the report to the client.
The client can download your report as a PDF, view it in the cloud portal, and use it to assign tickets as work. This allows you to deliver a full report that meets the needs of finance and compliance as well as of Dev teams looking to resolve issues.
Cyver Core’s approach to pentest report automation means that you can’t just upload findings and generate a report. Instead, you have to use the full process of managing your pentests and clients in Cyver Core. While that means you need more upfront effort to automate your reports, it means the report is more complete, leverages client-specific data, and integrates project data. Which, according to us, is a lot better. But, it’s our tool, so of course we think that.
If you want to learn more, visit our automated pentest reports page.