For pentesters, the report is often an unfortunate part of pentesting. It’s part of your job, but it’s often a time-consuming and painful job where you copy-paste data from libraries, tools, and even the Internet to build out a final report for the client. The end result can be hundreds of pages of compiled vulnerability findings, complete with artifacts, generic recommendations, custom recommendations, methodology, and impact assessment. In the old days, pentesters would take days to complete these reports with most teams taking about 6 hours to 2 days per report – depending on the complexity of the report. 

Today, it’s much more common to use a pentest reporting platform to generate reports automatically. Depending on your process, that can still mean spending hours on the report, but our data shows that pentest report automation saves an average of 60% of your time across every use case scenario. For many pentesters, that means you can’t afford not to have a report generation tool. The question is: what do you look for in that tool? 

Basic Pentest Report Generation Features 

Your pentest reporting platform needs a set of basic features that will allow you to automate your report generation. 

  • Suitability for Your Workflow – Step one, your pentest report generation platform has to meet the needs of your processes and your workflow. To some extent, you’re always going to have to adapt to the tool you’re using. However, your report generation also has to meet the needs of your pentests. That’s why Cyver offers two types of pentest report automation, with full automation and report generation for simple pentests like webapp pentests and assessments and a more modular approach which we call narrative pentesting, with features to support red teaming, crown jewel scenarios, etc., where you don’t know the outcome of the pentest, the full methodology, or the types of findings you’ll encounter upfront. A good use-case fit is critical for ensuring that the pentest reporting platform actually works for your organization, because a generator based on static pentest report templates won’t be that useful for a red teaming firm – while a webapp pentest company would be spending more time than necessary with a more hands-on report automation process. 
  • Vulnerability Library – You need a vulnerability library integrated as part of your report generation. That should include the option to import your existing library. Cyver Core also includes generic libraries from OWASP and other resources, so you can pull from publicly available data as well. Here, you want some form of auto-matching content, usually by vulnerability finding title, so your report generator can automatically fill that content and do away with the need to copy-paste. Cyver’s system also means that you can create a master finding template and then add that into your report – so the report data changes whenever you edit the master file. 
  • Reusable Content Library – Your vulnerability library is the most important part of the reusable content library. However, chances are high that you reuse a lot of different content, from writeups to summaries to bios and boilerplates. With Cyver, you get pentest report templates which you can build out with tokens to automatically add your content, and you can create libraries of text blocks, which are suitable for adding boilerplates, individual descriptions, bios, and custom technology or remediation information. You also get modular section libraries, so you can automatically add prepared sections for methodology, assessment types, compliance norms, vulnerability finding type, etc., at the click of a button, meaning you can very easily build out even a very complex report with existing content. 
  • Benchmarking – Benchmarking allows you to set up pass/fail scenarios for compliance norms like PCI DSS, ISO 27001, the OWASP Top 10, and other norms. Having this as part of your reporting means you automatically share this data with the client, without having to review the results and work out the outcomes on your own. With Cyver, you can use existing benchmarks or build your own custom ones, which means you can easily share with clients whether they pass or fail and highlight which items fail the norm – enabling easier prioritization and higher report value, without putting in extra work on your own.  
  • Methodologies & Compliance Norms – Integrating compliance norms and methodology into your report generation means you can automatically show how pentests aligned with norms, share what was checked and why, and then show how results map to the norm. This means you can more easily add value-added data for the client, while getting better insight into the security profile of the client, in light of the specific norm you’re testing or the methodology you’re using. 
  • Data Aggregation with Integrated Importers – You’re always going to use tooling, often multiple types of tooling. Your pentest report generation tool has to import that data and aggregate it into a single and consistent data repository. Ideally, your tool automatically cleans up imports, creates tickets from findings, and automatically pulls data from your vulnerability library, CVSS data, and other criticality data during the import. You’ll also want to ensure that your tool is capable of artifact capture, either by importing artifacts like screenshots from the tool directly or offering the option to upload artifacts to the finding ticket. 

“We had been using static writers like Google Docs and the problem with those is that you can’t get information from them,” says Luciano. “So, we never knew how many findings we had, what their severity was, etc. We didn’t have any way to gather metrics.” _ Luciano Ciattaglia, Director of Services at Hacken

  • Data Automation – Your pentest reporting tool should automate as much of the copy-paste and manual workload of reporting as possible. That means automatically filling data fields with content from the vulnerability library. It should also mean leveraging tools to automatically match CVSS and criticality scoring based on your selected methodologies. Generative AI can also greatly reduce the workload of pentest reporting. For example, with Cyver Core, you get a ChatGPT integration in a private Azure OpenAI instance, plus custom prompts to write anything from high-level summaries to findings-level remediation data. With options to generate content per finding or for the full report at once, the process can be as hands-on or as automated as you want it to be. Even if you’re not using AI, you still automatically pull your vulnerability library data and use the scoring system to automatically add data. Plus, Cyver Core automatically merges duplicate findings uploads, which simplifies the manual review and deletion of duplicates. 

“Before Cyver, reporting would take us up to three days. They used to take us so long. We’d list all the evidence, all the attack chains, etc., for every vulnerability, that took so much time. Now, Cyver automates it all for us. You should see our reports, they’re beautiful, they’re curated, they have graphics and risk tables – and we spend less than thirty minutes on them. We normally sit down at 4 PM on the end-day of a pentest, look at the pentest, justify the findings, show the replication path, and prove findings are real and not false positives – then thirty minutes later we publish the report.” _ Peter Bassill, founder of Hedgehog Security

  • Pentest Report Templates (modular) – You need pentest report templates as part of your pentest reporting platform. That means integrated reports which you can use as-is as well as the option to build or modify your own. With Cyver, you get full control over pentest reports, with options to add branding, to implement fully custom markdown and CSS, and to integrate your own workflow into the system. Cyver Core uses a template system with tokens, so you can automatically fill relevant data from the platform, while keeping the text and structure the same. With the “narrative” reporting functionality, you can also add new sections, text blocks, and data on the fly as you’re generating the report, which means you get even more flexibility with reporting. 
  • Secure Delivery – Traditional pentest report delivery normally means encrypting your pentest report and sending it to the client with a two-factor approach. Integrating secure delivery into your pentest reporting platform means you can skip that step and save time and hassle – while still giving the client the PDF report they need for regulatory compliance or internal management. 
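As an added example (not Cyver’s code), the Python sketch below shows the pipeline that the vulnerability library, importer, data automation and template bullets describe: findings imported from two constructed scanners are merged on normalised title plus location, auto-matched against a small constructed vulnerability library for CVSS and remediation text, and rendered through a token template. The {{token}} syntax, the library contents and all finding data are assumptions made for the example.

```python
import re

# Constructed vulnerability library (stand-in for an imported or OWASP-based one):
# normalised finding title -> reusable scoring and remediation content.
VULN_LIBRARY = {
    "sql injection": {"cvss": 9.8, "recommendation": "Use parameterised queries."},
    "reflected cross-site scripting": {"cvss": 6.1, "recommendation": "Encode output; deploy CSP."},
}

# Constructed tool imports; the two SQLi rows differ only in tool and title whitespace/case.
RAW_FINDINGS = [
    {"tool": "scanner-a", "title": "SQL Injection", "host": "app.example.test", "path": "/login"},
    {"tool": "scanner-b", "title": "sql injection ", "host": "app.example.test", "path": "/login"},
    {"tool": "scanner-a", "title": "Reflected Cross-Site Scripting", "host": "app.example.test", "path": "/search"},
    {"tool": "scanner-b", "title": "Weak TLS Cipher", "host": "app.example.test", "path": "/"},
]

# Hypothetical {{token}} report template; tokens are filled from the merged finding.
TEMPLATE = "{{title}} at {{host}}{{path}} (CVSS {{cvss}}, seen by {{sources}}): {{recommendation}}"

def normalise(title):
    """Collapse whitespace and case so titles from different tools match the library."""
    return re.sub(r"\s+", " ", title).strip().lower()

def aggregate(raw):
    """Merge duplicates on (title, host, path) and enrich each finding from the library."""
    merged = {}
    for f in raw:
        key = (normalise(f["title"]), f["host"], f["path"])
        entry = merged.setdefault(key, {"title": key[0], "host": f["host"],
                                        "path": f["path"], "sources": []})
        entry["sources"].append(f["tool"])
        lib = VULN_LIBRARY.get(key[0])
        # None marks a finding the library does not know: it needs a manual write-up.
        entry["cvss"] = lib["cvss"] if lib else None
        entry["recommendation"] = lib["recommendation"] if lib else "TODO: manual write-up"
    # Highest CVSS first; unscored findings sort last for manual triage.
    return sorted(merged.values(), key=lambda e: -(e["cvss"] or 0))

def render(entry, template=TEMPLATE):
    """Fill every {{token}} from the finding; missing or unscored values render as n/a."""
    def fill(m):
        value = entry.get(m.group(1))
        if isinstance(value, list):
            value = ", ".join(value)
        return "n/a" if value is None else str(value)
    return re.sub(r"\{\{(\w+)\}\}", fill, template)

if __name__ == "__main__":
    for finding in aggregate(RAW_FINDINGS):
        print(render(finding))
```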

“Time to report is still significant. We spend 4-8 hours on each one depending on the customer. But, without Cyver, reporting was a long, dragging process of Word document versions, work environments, and having 3-4 systems in place to share the pentest – and all of that took a lot of time. Now, we generate the pentest report in the portal, edit it there, and deliver it to the client.” _ Martijn Baalman, co-founder of Hacksclusive 

Team Management

Pentesters are very often used to working alone. But today’s pentest teams are growing, and more and more often pentesters are working in larger teams, sharing work, and running tests as a team effort. That means you have to delegate both the testing work and the building of the report. Your pentest report platform has to support that – otherwise you’ll bottleneck on one person doing the delegated work. 

Your pentest report platform should include roles and the option for multiple people to import and add findings. In addition, the tool needs to send alerts to pentesters when items are uploaded, which means you won’t have issues with creating duplicate findings or writing up information that’s already there. With Cyver, you get assigned tasks, traceability to see which pentester added which content, and even change logs for better QA and traceability. 

“Our current process also means we upload findings and do write-ups immediately when we find issues. We don’t wait till the end of the month; if a pentester finds something, they immediately add it to the portal, so we don’t have other testers writing duplicate findings. Then, at the end of the test, we only spend about 2 hours reviewing the final report, which is pretty great.” _ Barna Szeghy, CEO of Boltonshield Hungary

Extras

There are always extras that add to your pentest reporting. While these features aren’t necessary for generating a PDF pentest report, they’re increasingly necessary and useful for high quality pentest delivery to the client. 

  • Client Portal – Your pentest reporting platform should deliver a client portal where your clients can log in to see their pentests, download associated pentest reports, and hopefully directly communicate with their pentesters about remediation, pentest status, etc. 

“We’ve definitely had instances where a client decided to go with CyberInsight and not with a competitor because we had the Cyver portal.” _ Theodor Craggs, co-founder and director at CyberInsight

  • Ticketing for Findings – Pentesting is increasingly focused on remediation and that means delivering pentest results in a way that is easy for clients to break down into actionable tasks. By delivering vulnerability findings as tickets inside a platform, you give stakeholders a way to immediately start working on findings relevant to them, without waiting for a middleman to break down a larger report. For organizations that are testing for remediation rather than for compliance, you might not even need the full report, just the findings tickets. 

“The delivery process is a lot better now; we don’t have to send reports over mail. The first client we onboarded was actually instantly using the insights and the follow-up features – they were marking findings as accepted, adding comments to the ticket, that was really nice to see as well.” _ Keanu Nys, Red Teamer

  • Integration with Client Ticketing Systems – Most clients will want and need a way to export findings from your portal into their own ticketing systems such as Jira. 
  • Context-Scoring Engine for Prioritization – Most pentesters manually add scoring for CVSS, EPSS, SSVC, etc., time-to-fix recommendations, and other data. That all takes time, and for a pentest with several hundred findings it adds up to a considerable amount. Implementing a reporting platform that automatically scores your findings with a context-scoring engine will save that time, while allowing you to deliver the same or more value to the client. For example, with Cyver you can implement one of our standard scoring systems or create your own, and manually edit each finding whenever you know there’s a custom factor influencing the scoring. 

Getting started with a pentest reporting platform means switching your processes over to a system designed to aggregate all your pentest data and client data. It also means taking the time to set up your workflows, report templates, and vulnerability library in the system. However, once you have everything set up, you should save about 60% of your time on every report. That will pay off, and quickly. 

If you’d like to learn more about how Cyver Core delivers pentest reporting functionality, with vulnerability and content libraries, findings import, content generation, and a ticketing system – contact us for a full demo – or visit our pentest report generation page to see more.