While pentesting involves scanning, manual research, human insight, and often hours of testing and putting two and two together to find and verify vulnerabilities, the end product is the report. Unfortunately, the pentest report is often mostly compiled data: you collect everything from your tooling, compile it together, add data from your vulnerability library, add custom insights where necessary, and then send it off to the client.
That process takes the average pentest firm about 8-14 hours when using no tooling other than Microsoft Word or Excel, but it can take 20+ hours depending on the complexity of the report. When you switch to pentest reporting software, that time can drop dramatically, with timelines of anywhere from a few minutes for fully automated pentest reporting to about 4-5 hours when you still want to add custom insights across the report.
At Cyver Core, we deliver pentest report automation and generation tooling to support most use case scenarios. In this article, we’ll look at those options by use case scenario so you can see which case best fits your organization.
Fully Automated Pentest Reporting
Compile Data and Automatically Generate a Report
Many pentests require relatively simple reports because the outcomes and the vulnerabilities are straightforward. Good examples include web app pentests or compliance assessments like a DigiD pentest. You often check for a specific list of vulnerabilities, all of which you likely already have content for in your vulnerability library.
This gives you the opportunity to fully generate your pentest report. In Cyver Core that means:
- Build a pentest report template and connect it to your project, compliance data, and vulnerability library
- Build a project that covers scope, methodology, and client details
- Set compliance and controls for the report
- Make sure you’ve imported your vulnerability library to Cyver Core
From there, you can fully generate your report by importing findings from your tooling and automatically converting them to tickets in the Cyver platform. Your report is then generated automatically, using tokens to fill in client details and found vulnerabilities, and even to generate graphics based on results. You get a simple and professional report at the click of a button, and you can review it and add your own details or send it to the client automatically.
This case also allows you to generate custom content using AI, such as recommendations based on your client’s stack, writeups for new vulnerabilities you don’t have in your library, and summaries like executive summaries. Cyver uses a private deployment of ChatGPT, and you can review, edit, and re-use the generated content in your report.
Essentially, the idea is that once you validate all your findings, this type of pentest reporting should take you minutes, not hours.
Red Team Pentest Reporting
Compile Data and Add Your Own Custom Insights
In many cases, pentest firms aren’t selling “just” finding vulnerabilities but rather expertise, security consultancy, and help understanding risks. That can translate into “complex” cybersecurity exercises like red team exercises and crown jewel scenario pentests, where you exploit vulnerabilities as far as you can. In this case, you can’t use a simple static template to generate a static report, because your report and the found vulnerabilities will change every time.
In most cases, this kind of pentesting also means you’ll want to take more time to talk about the vulnerabilities and the issues at every stage, which means you’ll spend more time on the writeups and the report.
Here, Cyver Core offers two primary solutions:
- Modular report templates mean you can prepare report sections in your template and then include them or not based on what you find in the test. You can also add modular blocks of text on the fly, so you can prepare content for common scenarios, technologies, or vulnerabilities in advance and keep reporting fast and easy. Plus, with options to save content blocks and report sections to your library, you can always re-use content even if you custom-wrote it for a new report.
- ChatGPT integration means you can quickly generate a draft of a new section complete with summary, best practices, technology, and recommendations in place. You can then tweak and edit that draft to fit your needs in a fraction of the time of starting from scratch.
In each case, you get the same option to import findings from tooling and to automate the manual work of copy-pasting from tooling and your vulnerability library. The bulk of the manual repetitive work is handled for you, which is why teams doing complex pentests often see pentest reporting times drop from 22-14 hours to 5-6 hours when they switch to Cyver Core.
In each case, you have the opportunity to automate as much of the process as you want. Whether you fully automate the pentest report process, use AI to generate all custom content and then review it manually, or just use automation to handle the heavy lifting of moving findings out of tooling and into your report is up to you.
If you’d like to see how it works or to learn more about how different pentest scenarios fit into Cyver Core, contact us for a demo.