Today, most pentesters deliver pentest reports as PDFs. That’s the way they’ve always done it, and it’s likely how most pentest firms imagine they always will. But customer demand is shifting away from the classic pentest report and towards pentest vulnerabilities delivered as tickets. This demand is driven by scanning tools like Acunetix and Qualys, which already deliver findings that way, by the increasing shift towards Agile work methods, and by rising cybersecurity threats.
Organizations are increasingly pentesting for security rather than “just” for compliance. That means they need pentest reporting built around remediation, and the classic PDF report largely is not.
What are “Findings as Tickets”?
When clients break a pentest report down, they normally copy each vulnerability finding, its proof, and any remediation information you offered into a work management tool like Jira, assign it to a team, and push it to be remediated. In most cases one person, often the compliance officer, is responsible for breaking down a 60+ page report. That takes time and usually forces a return to top-down work methods, where one person pushes work out to the rest of the teams.
With findings as tickets, that manual step disappears: each vulnerability goes to the client as its own ticket, with the evidence and remediation guidance attached. If you’re using Cyver Core, the relevant stakeholders (e.g., the teams actually resolving the issues) are notified as findings arrive, so they can export tickets to Jira themselves and add them to their next sprint. Rather than waiting for one person to distribute work, teams see what work is needed as it comes in and can prioritize when and how to do it themselves.
Building Findings as Tickets
Creating an individual ticket for each vulnerability finding by hand is time consuming. Too much so for the average pentester, who already spends at least 20% of pentesting time on reporting. Investing more time simply isn’t an option.
It becomes feasible with a combination of integrated data and automation in a pentest management platform like Cyver Core. In Cyver Core’s case, we automate vulnerability import and data management to greatly speed up the whole process.
- Pentest Management – Pentest management means you move the full pentest process onto Cyver Core. You use pentest templates, complete with checklists, assets, and compliance frameworks already mapped in.
- Automation – Cyver Core links to tooling like Nmap, Nessus, and Burp to import findings. As it does, it automatically breaks them down into individual findings, delivered as tickets. You map these findings to your existing vulnerability library, add additional information (validation, proof, context the scanner cannot supply), and set data like CVSS scores. The tool automatically maps each finding to the assets, compliance frameworks, and other standards set in the pentest template. Once you’re done, you publish it to the client.
- Findings-as-Tickets – The client receives each finding as a ticket. These can be exported directly to Jira using the integration. And, clients can still export a traditional PDF report for use in compliance or for finance needs.
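The core of the automation step above is splitting one scanner export into one ticket per finding. The script below is an added example, not Cyver Core’s code, of that transformation: it reads a Nessus-style (.nessus v2) XML export, drops informational items, groups each plugin hit by the team that owns the affected asset, orders the result by CVSS, and renders Jira issue-create payloads. The XML sample, plugin IDs, hosts, scores and the asset-to-team map are all constructed for illustration; a real run would read a scanner export and the asset inventory from the pentest template.

```python
"""Split a Nessus-style scan export into one ticket per finding per owning team.

Added example, not Cyver Core's code. Uses the .nessus v2 XML layout
(ReportHost / ReportItem with severity, pluginID, cvss3_base_score,
description, solution). All sample data below is constructed.
"""
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample export: made-up plugin IDs, hosts and scores.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
 <Report name="constructed-sample">
  <ReportHost name="10.0.0.5">
   <ReportItem port="443" svc_name="https" protocol="tcp" severity="3"
               pluginID="900001" pluginName="TLS server accepts weak cipher suites">
    <cvss3_base_score>7.5</cvss3_base_score>
    <description>The remote service negotiates RC4-based cipher suites.</description>
    <solution>Disable RC4 cipher suites in the TLS configuration.</solution>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
               pluginID="900002" pluginName="Host OS identification">
    <description>Informational: OS fingerprint.</description>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.6">
   <ReportItem port="443" svc_name="https" protocol="tcp" severity="3"
               pluginID="900001" pluginName="TLS server accepts weak cipher suites">
    <cvss3_base_score>7.5</cvss3_base_score>
    <description>The remote service negotiates RC4-based cipher suites.</description>
    <solution>Disable RC4 cipher suites in the TLS configuration.</solution>
   </ReportItem>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
               pluginID="900003" pluginName="SSH server allows weak key exchange">
    <cvss3_base_score>5.3</cvss3_base_score>
    <description>diffie-hellman-group1-sha1 is offered.</description>
    <solution>Remove the weak key exchange algorithm from sshd_config.</solution>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# Assumed asset-to-owner map (in a real platform this comes from the pentest template).
ASSET_OWNERS = {"10.0.0.5": "web-team", "10.0.0.6": "platform-team"}

# Nessus severity (4 = critical ... 1 = low) to default Jira priority names.
PRIORITY = {4: "Highest", 3: "High", 2: "Medium", 1: "Low"}


@dataclass
class Finding:
    plugin_id: str
    owner: str
    title: str
    severity: int
    cvss: float
    description: str
    remediation: str
    affected: list = field(default_factory=list)  # "host:port/proto" entries


def parse_findings(xml_text: str, min_severity: int = 1) -> list:
    """One Finding per (plugin, owning team); informational items are dropped
    so teams don't receive noise tickets. Sorted by CVSS, highest first."""
    root = ET.fromstring(xml_text)
    grouped = {}
    for host in root.iter("ReportHost"):
        hostname = host.get("name")
        owner = ASSET_OWNERS.get(hostname, "unassigned")
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity:
                continue
            key = (item.get("pluginID"), owner)
            if key not in grouped:
                grouped[key] = Finding(
                    plugin_id=key[0],
                    owner=owner,
                    title=(item.get("pluginName") or "").strip(),
                    severity=sev,
                    cvss=float(item.findtext("cvss3_base_score") or 0.0),
                    description=(item.findtext("description") or "").strip(),
                    remediation=(item.findtext("solution") or "").strip(),
                )
            grouped[key].affected.append(
                f"{hostname}:{item.get('port')}/{item.get('protocol')}"
            )
    return sorted(grouped.values(), key=lambda f: (-f.cvss, f.owner))


def to_jira_issues(findings: list, project_key: str = "SEC") -> list:
    """Render findings as Jira REST issue-create payloads (fields subset)."""
    issues = []
    for f in findings:
        issues.append({
            "fields": {
                "project": {"key": project_key},
                "issuetype": {"name": "Bug"},
                "priority": {"name": PRIORITY.get(f.severity, "Low")},
                "summary": f"[CVSS {f.cvss}] {f.title}",
                "description": (
                    f"{f.description}\n\nAffected: {', '.join(f.affected)}\n\n"
                    f"Remediation: {f.remediation}"
                ),
                "labels": ["pentest", f"plugin-{f.plugin_id}", f"owner-{f.owner}"],
            }
        })
    return issues


if __name__ == "__main__":
    print(json.dumps(to_jira_issues(parse_findings(SAMPLE_NESSUS)), indent=2))
```

Two design choices matter here. Grouping by (plugin, owner) rather than by plugin alone means each team receives only the assets it can fix, while grouping at all keeps a single weak-cipher finding from turning into one ticket per host. The severity threshold is also where the pentester’s triage belongs: raw scanner output contains false positives, and the validation described above should happen before anything is published to the client’s sprint.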
Not only does this process make delivering findings as tickets practical, it reduces the total time spent on pentest reports. In our test cases, most pentesters reduced the time spent per pentest report by up to 75% over the first year of use.
Project and work management tools are also becoming increasingly popular, especially in tech industries. In one Capterra survey, only 55 of 422 respondents did not use project management software. Teams are increasingly reliant on vulnerability scanners that already submit findings as tickets: for example, the scanners integrated into Azure, Google Cloud, and Amazon Web Services create an individual ticket item per vulnerability. And third-party vulnerability scanners like Qualys are part of a 15.5 billion international market, roughly ¼ the size of the pentest market, but growing at 4.5% per year.
Delivering pentests around how people work, with tickets that slot into Agile workflows and sprints, is the future of pentesting. And tools like Cyver Core are here to help you deliver those tickets, with automation, pentest management, and client collaboration tools on a secure, digital platform.
If you’d like to know more, visit our How it Works page, or contact us for a demo of our software.