From Basecamp to Collaborating on Features for Pentest Delivery
“It’s not just clients who benefit from us using Cyver Core, it’s our consultants as well. We’ve reduced overhead and manual work. Time to report and do quality assurance is a fraction of what it used to be. That means our people can spend more time hacking and less time doing the mind-numbing work that is report writing. We went from spending about 8 hours to write plus four hours on quality assurance down to about two hours total.”
Like many modern pentest firms, PentestFirmA wanted to deliver vulnerability scanning alongside human-driven pentesting as part of an ongoing service for clients. As part of its transition to a pentest portal with Cyver Core, the firm worked with us to develop the platform features needed to deliver those ongoing, real-time vulnerability scanner results to clients as tickets in the Cyver Core platform.
Cyver Core is a pentest collaboration and management platform, supporting pentest firms in digital pentest delivery, client collaboration, and pentest-as-a-service. Our platform uses digital work management, automates repeatable manual work, and enables team management across small and large pentest projects.
As a pentest management platform, we work with pentest firms who are concerned about their privacy and the security of their customers. For that reason, this case study is anonymous. We interviewed the founder and CEO of the firm to discuss his last year of using Cyver Core.
The Pentest Firm
PentestFirmA is a mid-size pentesting firm that launched in 2020. Today, the firm employs a team of 10+ ethical hackers and serves roughly 20 clients with pentesting (web application, network, internal, external, mobile app, IoT, cloud, etc.).
PentestFirmA started working with Cyver in early 2022.
- Clients: 20+
- Ethical Hackers: 10-15
- Projects on Cyver Core: 100+
- Location: Georgia, USA
Problems with Traditional Pentest Management
PentestFirmA was using Basecamp for project management with email for client communication and Microsoft Word for writing reports. After facing challenges using this tooling, the firm made the strategic decision to move away from solutions not designed for pentesters.
PentestFirmA was facing issues with:
- Consistent Reporting – With 10+ consultants/ethical hackers writing reports, the firm struggled to keep report format and quality consistent.
- Time on Reporting – PentestFirmA was spending roughly 8 hours to write a report with an additional two sessions of two hours each for quality assurance, for a total of 12 hours per report.
- Asynchronous Communication – Aligning projects across larger teams was a challenge, especially over email. PentestFirmA wanted a single channel to simplify communication.
- Delayed Vulnerability Sharing – Delivering findings only in a PDF report meant clients learned of vulnerabilities roughly three weeks later, after the pentest was finished. PentestFirmA wanted to deliver those results sooner, as tickets.
“We needed a way to help our consultants focus on their strengths, hacking, and not on writing and taking notes for meetings. Basecamp, email, and Word were obviously terrible for client and employee experience, so we wanted a single, centralized solution.”
Choosing Cyver Core
PentestFirmA evaluated PlexTrac, AttackForge, Security Reporter, and Cyver Core, and chose Cyver Core.
“Ultimately, we chose Cyver Core because of the responsiveness of the team. It was quick. If we needed help or support or even an answer, we got it, sometimes in a matter of minutes. That’s been pretty huge for us.”
“The flexibility and customizability of the platform was also a major factor. We wanted a white-label solution for branding and for security reasons. It was really important to us that our portal looks good to our clients, and Cyver Core has that.”
“And, of course, Cyver Core has API access. We knew we were developing some services where we couldn’t physically have someone log into the portal every time. Having the API just allows us to do really creative things with managing and publishing findings to our clients.”
Custom Development Tracks with Cyver Core
Part of PentestFirmA’s value model is to deliver ongoing vulnerability scanning to its customers. Initially, the firm planned to deliver this through its own front-end system. Instead, it decided to use Cyver Core as its sole customer-facing portal. Because the firm’s goal for the project, an interface for delivering vulnerability scanner results to clients, mapped to the Cyver Core roadmap, Cyver Core worked with them to make it a reality.
PentestFirmA signed onto Cyver Core’s custom development project program. The Cyver Core team developed wireframes for the required features, updated on feedback, and collaborated on making the required features a reality. The result of that project is Ongoing Projects, which is now available to all Cyver Core users. As part of the ongoing collaboration, Cyver Core is also working on a new Dynamic Dashboard view for those projects.
Additionally, PentestFirmA required tenant isolation to handle its constant push of data from vulnerability scanners. Because the firm pushes scanner results into Cyver Core via the API, it transfers far more data than a traditional pentest supplier.
Using Cyver Core
“Cyver Core has greatly improved our client experience, and it is a differentiator when we go to market.”
Today, PentestFirmA has been on the Cyver Core platform for roughly a year. The firm uses most of the platform’s features, including client management, project management, finding management, importing findings from tooling, and report generation, although it does not use Cyver Core to deliver scheduled pentests.
“Reporting is outdated; clients are concerned with knowing what vulnerabilities are and being able to log into a portal and fix them, with the support they need to do so from the pentest firm. Cyver Core enables us to deliver that. Compliance still necessitates having a report, so automating it and cutting time down to 2 hours really helps.”
PentestFirmA uses most Cyver Core Features, including project management and delivering vulnerability findings as tickets.
“Our clients now have real-time visibility into findings published by our team. They can begin fixing their vulnerabilities before their boss even hears about them. That’s been a big win. The smiles on our clients’ faces say it all.
We also really like role-based access control, which means we can have some users who can see every project for the client and others that are project-specific.”
Many of those features are also internal, for the pentest team:
“All communication is now in the portal, with a single point of communication per client. Everyone is notified when there’s a question or an answer, whenever a client has requested a retest, or when another consultant sets something up. So, everyone is on the same page. That means less chaos and less time spent taking notes, breaking down calls, and updating everyone on what went on in a private email chain.”

“We get a lot of help from the team; if we ask for something, they work with us to make it happen. There’s nothing we could want from the Cyver Core team that we could ask for and haven’t already talked about. So, a special shoutout to Luis, Monique, and Scott; they’ve been incredible to work with.”