How to Save Time on Custom Content in Pentest Reports  

Mar 19, 2024 | Blog

For most pentesters and security testers, the report is the deliverable that your clients are paying for. While your methodology, tooling, and expertise are your market differentiator, the client is ultimately paying for a report that shows them which vulnerabilities are impacting their infrastructure and environments.

Automating and streamlining pentest reports allows you to cut the manual work of building those reports. For example, with Cyver, streamlining report generation means automatically importing findings from tooling, automatically merging them with existing findings, automatically pulling data from the vulnerability library, etc. That automated approach to pentest reporting means you can set up templates and then auto-fill that data, saving our users an average of 40-84% of time per report.

Still, a survey of our users showed that most of our pentesters are still spending most of their time writing unique content for each report. That works out to 50-75% of the time spent on a pentest report going to writing unique content. When a report takes those same users 2-4 hours (when using Cyver Core) on average, that’s a lot of time spent writing!

You need more flexibility and more ways to re-use content across your reports to ensure that you can continue to optimize how you spend your time writing reports.  

Cyver Core offers a better way to generate your reports and then add your custom content, while reducing workload as much as possible.  

We achieve that with: 

  • Pentest report templates 
  • A token system to auto-populate reports with vulnerability findings, client, project, methodology, asset, and other data  
  • Content libraries including vulnerability libraries, content blocks, and report sections that you can add and remove from your reports on the fly  
  • An integrated review process to speed up delivery to the client 
  • Report delivery in a secure web-app portal 
  • Remediation support, so you can automatically update the report following remediation and re-testing. 

Let’s take a look at how you can use that to streamline how you add custom content to your pentest reports.  

Preparing Pentest Report Templates  

Your pentest report template should reflect how you normally report on pentests, with all of the basic elements laid out. Most of the time that means an executive summary, information about methodology, a section on scoping, a section on different types of findings, and potentially full findings details.  

Cyver uses tokens so you can take that same pentest report and automatically populate it with data from any client, project, and scope. Provided you’re using the platform, you can pull any data in the platform into the report by adding a token where you want it. No more manually copy-pasting data into a report. Instead, it automatically imports that data, generates relevant tables and charts, and you’re good to go.

Once your report is ready to go, you automatically generate it, complete with findings per section, charts, and other data.

That process is enough whenever you have a straightforward pentest that never changes. However, when you want to add unique content, Cyver also supports that.  

Write Unique Content as You Need It and Save It to a Library

You’re always going to need unique content for your pentest reports. At the same time, those writeups will often be very similar and will have a lot of overlap. If you’re using Word, it often doesn’t make sense to save those writeups because going through the process of finding the right file and adding it to your document might be as time-consuming as writing a few lines.  

Cyver offers a workaround, so you can easily add a blank content block to your report, write your custom content, and then save it to your content library. In the future, when you add a custom content block, you can pull from that library to re-use existing blocks. You can do so either by adding the master file, meaning that any changes you make go into the master file, or by creating a copy, which you can edit without updating the master file.

Of course, that does mean using labels and a naming scheme so that your content blocks are searchable. We recommend a labeling system by client, methodology, vulnerability framework, and type.  

At the same time, it means you can build up a content library over time, so eventually you can easily add a block of text, edit it to suit the report at hand, and minimize how much time you spend writing unique content. There will always be fringe cases of completely unique scenarios and writeups, but a content library will minimize the number of times you have to write something completely from scratch.

Want to try it out? Contact us for a demo or a feature walk-through.  
