Cyver’s approach to pentest report automation has changed a lot from day one. The platform’s original approach was to skip the PDF report altogether. We quickly realized that’s not what our users wanted and needed.
Today, we’ve introduced a host of pentest report tools to allow for streamlined pentest reporting around custom layouts, custom pentest narratives, and adding custom content to the report. That’s a far cry from our original approach, but it’s a fully customer-driven shift.
We sat down to talk with our founder and CEO, Luis Abreu, about pentest reporting with Cyver Core, and what’s behind those changes.
“The thing is that when we started automating pentest reporting, I really took what I would call the factory approach. Cyver’s report tooling forced you to define the structure upfront. You’d have a single person or manager set up the report sections and template. Then, the software was designed to generate as much of the final content as possible, so something like 90% of the report would be automated and you’d only have to do final adjustments for high-level descriptions, etc.” says Luis. “The focus was on making good finding descriptions and then pulling those into a report, and not on the report.”
“That methodology was a great fit for a lot of web app pentesting. It still is and we still have it. A large number of our customers rely on it to automate simple pentest reports.”
At the same time, it quickly became obvious that this “factory approach” wasn’t what a lot of Cyver clients wanted and needed. The pentest findings in the report are the deliverable. However, it’s the narrative where you differentiate yourself from competitors. And, for many complex pentests and cybersecurity assessments, you need a more dynamic approach.
“Now, we’re taking a different approach,” adds Luis. “I used to think it’s all about the findings, but I increasingly see that the narrative plays an important role as well. Our clients want to bring their narratives to the report, it’s how they differentiate themselves from competitors, and our tooling was limiting their creativity. In fact, we used to have requests to export reports to Word, because clients could add flexibility there.”
“Now, we’re building more support for that second scenario, which we’re calling ‘Narrative reporting’. We want to provide security professionals with the freedom and flexibility to create narratives on the fly by adding new sections, text blocks, etc. We also want to enable reusing content with text blocks, sections, and other forms of content library, so you can re-use content again and again across reports.”
The goal is that pentesters and security teams can streamline even the most complex pentest report, saving time by preparing content, narratives, methodology, etc. in advance and then simply pulling it into the report.
“That’s a big change from our old strategy, where the pentester had no freedom to define the report. Now, once you enable the feature, every part of the report is completely modular. The ‘factory approach’ was the most logical place for us to start, because for that client it’s all about findings. But, we know that people report in different ways, and we want to support that. Now, we do.”
The new Narrative Reporting functionality includes dynamic report sections so you can adjust your template as needed. Your sections library means you can build out sections for any methodology or finding type you might find, and then add them to the report as necessary. You can also create the same kind of library for content blocks and then dynamically add them anywhere in your report – across clients and projects.
Those libraries are similar to the existing findings library, where you can prepare content upfront and then pull it into the report with a token or by manually adding it. Plus, that tooling allows you to either create a copy of the master template (so your report template updates every time you update the template) or clone it (so you can edit it to a unique version).
“Of course, we’re working on other new updates for Cyver Core’s reporting functionality. We want to further streamline custom content generation. Options to add more personalized comments and recommendations to findings and into reports, without investing a lot of time into writing custom content, would also add a lot of value to our users, so we’re working on it, with more updates expected throughout the year.”
If you’d like to know more about Cyver Core, our reporting features, or our new Narrative Reporting functionality, get in touch for a demo or a feature overview.