CybersecurityFirmC is a cybersecurity firm specializing in security and networking services, offering a wide-ranging portfolio of managed services, consultancy and assessments. These assessments include red/blue teaming, ethical hacking, and compliance assessments. That diversity allows the team to deliver full-service network security to its stable of clients – with a reduced focus on pentesting. The firm is large, with offices in Belgium and the U.S. and over 100 employees, three of whom are currently part of the CybersecurityFirmC red team performing offensive security assessments such as penetration testing.
We interviewed Keanu Nys, red teamer at CybersecurityFirmC, to discuss how they’re using Cyver Core for pentest and red teaming reporting.
- Clients: 120+
- Ethical Hackers: 3
- Projects on Cyver: >5
- Location: Belgium & USA
- Rates Cyver Core: 8 out of 10
In Search of More Secure Reporting
CybersecurityFirmC was using PwnDoc to generate reports – which was set up on a local server. However, it didn’t offer the secure file sharing that CybersecurityFirmC wanted.
“It wasn’t really a great fit for our use case; the biggest problem was that we had to use email for the PDF reports. To do that securely, we’d zip the report files with a password, then send the password over a different channel such as SMS – it was a lot of hassle.”
PwnDoc also required more manual modifications than CybersecurityFirmC wanted. “We still had to spend a lot of time modifying the report after generating it, and that wasn’t ideal.”
Comparing Options
CybersecurityFirmC decided to opt for a pentest report generation tool and started comparing options. That quickly came down to Cyver Core versus Plextrac.
“Plextrac was suggesting the per user plan, which was still pretty expensive for us, even though we only had three users. Pentesting isn’t our core business, and we mostly wanted the report generation features. If we’re running pentests at a low volume, we need the tooling to be affordable within that.”
Cyver met those needs with the required features and pricing.
Using Cyver Core
CybersecurityFirmC is using Cyver Core to deliver pentest reports to its clients. While the firm onboarded in January of 2023, it’s already onboarding clients, using Cyver Core for reports, creating finding templates – and using almost all of the available features. CybersecurityFirmC is also very keen on customization, with its own custom report and findings templates.
“The delivery process is a lot better now; we don’t have to send reports over mail. The first client we onboarded was actually instantly using the insights and the follow-up features – they were marking findings as accepted, adding comments to the ticket, that was really nice to see as well.”
“Usually, we don’t really get feedback from clients, but with Cyver Core, we now see if they are actually following up, with the retests, comments, and marking findings as resolved or accepted. Our sales team can also use this feedback, because if we see a client hasn’t remediated a vulnerability, we can reach out to see if they need help – and that gives our sales team a better understanding of what the client can handle on their own, and where they might need some assistance.”
CybersecurityFirmC is also using Cyver to offer ongoing and recurring pentests, which it started with a red teaming client.
“We have several clients requesting penetration tests or red team assessment on recurring intervals. Some of these are scheduled yearly, while others go as low as one assessment every quarter. With Cyver Core, it is really good that they can compare new reports to historical results in the portal itself.”
“Since we mostly rely on inbound sales, we’re not actively marketing for new clients, so we’re not using the pentest management platform as part of that. However, it might encourage existing clients to request additional assessments from CybersecurityFirmC in the future, because of how simple it is to schedule recurring assessments or to just request a pentest manually with the same scope. This aspect allows us to keep clients, where we traditionally see that a lot of clients switch pentest firms regularly because they want to compare talent or results. But simplifying the process and offering ongoing value through insights and remediation data could help them stay with us; that’s a positive aspect.”
Ongoing Customization
“We spent a lot of time setting things up in Cyver Core. We did a lot of customization of the templates and spent a lot of time making things what we wanted. We do miss some of the customization features from PwnDoc, to be honest – but it’s usable for us and we don’t have to modify Cyver Core any more – so it works for us.”
“Cyver really has a good vision of how pentesting reports and so forth should be delivered in the future. However, I think that comes at the loss of some customization features; it locks customers down on how much they can customize the platform – more customization would be nice – but PwnDoc, which offers more customization, also wasn’t ideal in other aspects.”
Red Teaming
CybersecurityFirmC is using Cyver Core to report on pentests as well as on red teaming. The team achieves this with customized report templates, observations, and different labels to mark projects and features.
“We obviously also have an infrastructure pentest template; however, I made a separate template for red teaming. This template uses observations as findings instead of vulnerabilities, since the CVSS scores aren’t relevant here, and the template links everything to attack methodology. We added a new section for that custom methodology, with the steps and attack types we simulate.”
The report is built around the attack narrative, with techniques mapped to the MITRE ATT&CK framework, the unique finding ID, the tactic/technique used, and then the recommendation and evidence.
The new templates include the MITRE technique in the finding title, with links to the MITRE website.
“Of course, we always want more customization. For instance, you have a token to generate the findings table completely – but you can’t change the layout and adjust the details of the findings, such as showing the evidence first, followed by the recommendations – instead of the other way around. We’d also like to see custom fields in the future, although it’s working for us for now.”
Looking Forward
CybersecurityFirmC has only been on Cyver Core since January of 2023. However, they’re already looking forward to new platform updates and features.
“Cyver Core is still pretty new but we’ve seen it make big progress in the time we’ve been using it. I’ve been sending feedback directly and it’s been very good to see that some of that is already being worked on. That’s one of the main positive points about Cyver, if I have an issue, it’s actually worked on. For example, we like to use a lot of images in our reports, and we’ve put in a request to update the image import process – which we talked to Luis about.”
“It’s really nice to see how quickly the Cyver team listens to feedback and takes up issues – some of those fixes have prevented a lot of wasted time. I’m really looking forward to what Cyver brings in the future and what further improvements are made – I’d like to keep using it, and it’s being worked on a lot, so I’m sure it will be quite nice.”