Cyver Core has always offered significant project management tooling for pentesters. Our project templates allow you to seamlessly set up and run a pentest based on an existing scope, methodology, and goals, so setting up a new pentest is as simple as clicking a button. You can then see those projects in your timeline, assign tasks and responsibilities, and send notifications as findings become available for review or for the clients.
Those “one-off” pentests, where you perform a pentest, find vulnerabilities, and then work with the client to remediate those vulnerabilities, are the “bread and butter” for many traditional pentesters. However, that may not be all you do.
That’s why we’re introducing a new type of project in our system, Continuous Projects. These add to, rather than replace, existing project types. This means you can run both simultaneously, for the same clients, to meet different cybersecurity needs.
What is a Continuous Project?
Cyver Core has a base project type, the “pentest project”. This project is time-based: it has a start and end date, and it has defined goals and scope. You do the test, deliver the vulnerabilities, have a remediation phase, and then close the pentest.
That’s great for typical pentests, for audits, etc. And, you can always reschedule the exact same pentest to be recurring.
However, if you perform a pentest more often or add scanning, you may need a different kind of project.
Continuous Projects are a new type of pentest project that does not have a goal or an end date. Instead, you schedule runs of the assessment, adding new vulnerability findings into the same project, so clients can see ongoing and long-term results of their pentest.
A continuous project does not have a single goal: it’s not built around sending a report or meeting a one-time security objective. Instead, you share ongoing scans, assessments, and pentest data into the same project, so you can track current, new, and remediated vulnerabilities.
That makes it ideal for:
- Cybersecurity Assessments
- Scans and Automated Scans
- Pentests that are scheduled to recur on a quarterly or even monthly basis
What Happens When You Create a Continuous Project in Cyver?
To use Continuous Projects in Cyver, first, activate the project format under settings. Then, you can choose a name for the base template, e.g., “scans”, “assessments”, etc.
You start by creating a new project template, just like for a standard project. Then, the client can add their scope, details, and any access information you need via their asset management. They decide on a frequency for the assessment. You automatically get a draft “Run” of the project, which contains the applicable methodology, assets, and scope. Then, you can upload your vulnerability findings from your scan, assessment, or pentest. Depending on the needs of your continuous project, you can automate imports or take the time to manually process and verify every finding. You can also use more limited information than for your full pentest. For example, you decide which information goes into the finding, how findings are listed, and which fields you’re using.
Then, customers receive notifications of the findings, just as they would when you run a standard pentest project. They can collaborate with you on remediation, mark remediated findings as fixed, and otherwise process everything. You can also choose to automatically generate a report based on those findings and your report template – although you can leave that to be manually generated as well.
When you have a new run, you upload findings to the new run. They’re automatically compared to the existing findings, and only the ones that aren’t already in the portal are added as new. So if you have 27 findings in the portal and you upload 35 findings, you’ll end up with something like 39 total findings if 4 findings from the last run were fully remediated and you found 12 new vulnerabilities. Once you publish, clients can see:
- When a finding was remediated and is no longer in the results
- When a finding is still there, even if it’s been marked as remediated
- Which runs the finding showed up in
And, the continuous project will automatically generate a new draft run, ready for the next scheduled assessment.
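The consolidation described above, as an added illustration that is not Cyver’s own code: each uploaded finding is matched against the portal by a stable key (assumed here to be something like a hash of title plus asset), new keys are added, absent keys are treated as remediated, and a finding the client marked fixed but which still shows up is flagged. The final function replays the article’s numbers (27 existing, 35 uploaded, 4 gone, 12 new, 39 total).

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    key: str                    # stable match key, e.g. hash of title+asset (assumption)
    runs: list = field(default_factory=list)  # run ids this finding appeared in
    marked_fixed: bool = False  # client marked it remediated in the portal
    present: bool = True        # still observed in the most recent run

def consolidate(portal: dict, run_id: str, uploaded: list) -> dict:
    """Merge one run's finding keys into the portal and summarise the delta."""
    seen = list(dict.fromkeys(uploaded))        # de-duplicate, keep upload order
    new, still_present, remediated, fixed_but_present = [], [], [], []
    for key in seen:
        f = portal.get(key)
        if f is None:
            f = portal[key] = Finding(key)      # not in the portal yet: a new finding
            new.append(key)
        else:
            still_present.append(key)
            if f.marked_fixed:                  # reported fixed, yet detected again
                fixed_but_present.append(key)
        f.present = True
        f.runs.append(run_id)
    for key, f in portal.items():
        if key not in seen and f.present:
            f.present = False                   # absent this run: treated as remediated
            remediated.append(key)
    return {"new": len(new), "still_present": len(still_present),
            "remediated": len(remediated), "fixed_but_present": sorted(fixed_but_present),
            "total": len(portal)}

def page_example() -> dict:
    """Replay the article's numbers: 27 existing, 35 uploaded, 4 gone, 12 new -> 39."""
    portal = {}
    consolidate(portal, "run-1", [f"F{i:02d}" for i in range(27)])   # constructed keys
    portal["F05"].marked_fixed = True           # client marks one as fixed after run 1
    run2 = [f"F{i:02d}" for i in range(4, 27)] + [f"N{i:02d}" for i in range(12)]
    return consolidate(portal, "run-2", run2)

if __name__ == "__main__":
    print(page_example())
```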
Reporting on Continuous Projects
You can generate reports for continuous projects just like you would for a standard pentest project. The default report shows the run and will, by default, use the assessment template rather than the full pentest template, meaning that most of the vulnerability finding details are in the portal and not the report. However, you can use any pentest report settings you’d like.
You can also automatically generate the pentest report after uploading the findings. If you prefer to manually verify and review everything, you can also manually generate the report. That means you get the same reports and report templating you would with your standard pentest, even if you’re just using a single tool to scan for an ongoing assessment for the client.
When to Use Continuous Projects
Continuous Projects are a great solution for pentesters running assessments, frequent pentests, and scans for clients. They save you and the client time by ensuring that vulnerability findings are consolidated between runs, tracked between scans, and everything is always presented in the same way, in the same portal, and with the same information.
On the other hand, this project type isn’t right for every type of cybersecurity assessment: traditional pentests, red team assessments, and other one-off projects still benefit from the standard project template.
Best of all, our Continuous Projects allow you to bring your own scanner or use our integrated scanner. You choose!
If you’d like to learn more or to see it in action, contact us for a demo.