Cyver Core is a full-service pentest collaboration tool with everything you need to manage pentests, collaborate on remediation, deliver pentest-as-a-service, and streamline pentest reporting. But, how do our clients actually use the platform?
We interviewed clients across the platform to discuss what Cyver Core is actually used for on a day-to-day basis, giving you insights into what the platform is for and how it might work in your own business.
And, of course, if you want to learn more, you can always request a demo to see the platform in action.
Pentest Management
Cyver Core offers a full suite of pentest management tools. These include:
- Pentest project templates
- Client management with integrated billing
- Project scoping with asset management
- Team and role management with access management
- Tasks and checklists linked to compliance frameworks
- Workflows and runbooks
Essentially, you can build a project template for your client, linking their assets and company details. From there, you can set frequency, add a compliance framework, link the checklists you want to use, set a lead pentester, add client stakeholders, and you’re ready to go. When the project launches, everything automatically sets up – complete with calendar views so you can see when tasks are due.
That’s how Cyver Core Client Hedgehog Security uses the platform.
“Cyver Core is the central cog in our mechanism, it drives our Jira work, we replaced our file sharing portal.” says Peter Bassill, founder of Hedgehog Security. (Read the case study here)
Pentest Collaboration
Cyver Core also offers a full pentest portal for your clients. This means you can onboard client stakeholders and collaborate on pentests, remediation, and cybersecurity.
- You can enable clients to request a pentest using the same scope as previous projects
- Pentests are schedulable
- Client stakeholders can talk to pentesters on tickets
- Vulnerabilities show criticality, time left open, and affected assets for better vulnerability management
- Recommendations to fix and pentester support are available on every finding (if you choose)
- You can allow clients to request a retest of vulnerability findings they’ve fixed
Essentially, you can integrate your team further into the role of cybersecurity consultant, providing much-needed advice and assistance with remediating findings.
“Cyver Core optimizes the full pentest cycle from testing to onboarding clients to ingesting and categorizing test data more quickly than I could do manually,” says Richard Curteis of Realize Security, “while giving me a great platform to manage vulnerabilities, interact with clients, and present reports.”
Pentest-as-a-Service Delivery
Cyver Core also provides a full-service solution for pentest-as-a-service delivery. This includes a client portal, where you can deliver findings as tickets, offer vulnerability insights and dashboards, and give clients a modern take on pentest delivery. When you import findings, you automatically create tickets and import descriptions from your vulnerability library. Then, that data can be used to show customizable client dashboards with charts and graphs for data like time-to-fix, vulnerabilities per asset, recurring findings, vulnerabilities per criticality rating, compliance data, and much more.
Plus, with team and role management, you can add the people responsible for fixing findings. Then, the devs, IT, and compliance officers who have to make changes can see the tickets, export them to their own tooling, and directly ask questions.
“We have clients that actively engage with us under every finding.” says Martijn Baalman of Hacksclusive, “We can offer them extra tips and recommendations and directly talk to the devs doing the work. That was never possible before, because they just had a PDF distributed by a team lead, and it was up to the dev to figure the process out. It’s one of the biggest improvements to the whole process.” (read the case study here)
Vulnerability Scanning
Cyver Core allows you to integrate vulnerability scanners, import findings directly from tools, and report on them as either once-off or ongoing projects. That makes it easy to deliver weekly scan results in a portal, where client stakeholders see notifications, prioritization, and tips to remediate.
“The ongoing projects feature allows us to offer on-demand vulnerability scanning.” says Peter Bassill of Hedgehog Security, “We have backend code that checks if the client has requested a test – if it’s a vulnerability test, the code grabs the scope from the platform and simply runs it. So long as it’s a predefined scope, that takes a load of work off us.”
“Having the API just allows us to do really creative things with managing and publishing findings to our clients.” adds another of our users, who wanted to remain anonymous, “we linked our scanners and automatically import those findings – and it takes a load of work off our hands”. (read the case here)
Pentest Reporting
Cyver Core uses labeled findings, structured project templates, and pentest templates to pull data from your platform so you can quickly generate reports. That will save you time, whether you, like Hedgehog Security, push the generate report button and go, or prefer to spend a few hours editing and customizing the details.
On average, Cyver Core clients cut reporting down to about 2 hours per pentest. The fastest we’ve heard of is as little as 8 minutes for simple reports and about 8 hours for long and highly customized reports.
“Time to report and do quality assurance is a fraction of what it used to be. That means our people can spend more time hacking and less time doing the mind-numbing work that is report writing. We went from spending about 8 hours to write plus four hours on quality assurance down to about two hours total.” says an anonymous pentester.
Martijn Baalman adds, “Time to report is still significant. We spend 4-8 hours on each one depending on the customer. But, without Cyver, reporting was a long, dragging process of Word document versions, work environments, and having 3-4 systems in place to share the pentest – and all of that took a lot of time. Now, we generate the pentest report in the portal, edit it there, and deliver it to the client.”
And, last but not least, “Before Cyver, reporting would take us up to three days. They used to take us so long. We’d list all the evidence, all the attack chains, etc., for every vulnerability, that took so much time” says Peter Bassill, “Now, Cyver automates it all for us. You should see our reports, they’re beautiful, they’re curated, they have graphics and risk tables – and we spend less than thirty minutes on them. We normally sit down at 4 PM on the end-day of a pentest, look at the pentest, justify the findings, show the replication path, and prove findings are real and not false positives – then thirty minutes later we publish the report.”
Red Teaming
Cyver Core also offers significant functionality for teams that want to report on and manage red team exercises. That includes MITRE ATT&CK and Cyber Kill Chain frameworks and checklists, findings set up around red team needs, and report templates structured around your attack narrative. Those are available out of the box in Cyver Core. However, you can also build your own.
“We obviously also have an infrastructure pentest template, however, I made a separate template for red teaming. This template utilizes findings observations instead of vulnerabilities, since the CVSS scores aren’t relevant here, and the template links everything to attack methodology. We added a new section for that custom methodology, with the steps and attack types we simulate.” says an anonymous red teamer using the platform. (Read the case here)
And More
Cyver Core can also fit into many other use cases, including internal pentest team management, client management, and vulnerability management. You can look through our case studies here to learn more.
Or, request a demo and get a personalized walkthrough of the platform, its capabilities, and our use cases, so you can decide if Cyver Core is right for you.