For most pentest teams, the pentest report is the deliverable for all your hard work. The actual testing and assessment are more important, but at the end of the day, the client only ever sees the report. For that reason, some pentesters spend as much as 40% of the total time of the pentest on the report. You want and need the report to be as good as the pentest, so the client sees the quality of the work, gets what they need out of the pentest, and has the data they need to remediate found vulnerabilities.
At the same time, you want to minimize the time spent on your pentest reports, avoid re-doing work you don’t have to, and keep the overhead of every pentest under control. If you’re looking for basic pentest reporting help, check our blog here. This blog is about reducing that overhead and optimizing how you write reports.
Use Templates
A good pentest report template lets you copy-paste client-specific data into your report, reducing the time you spend on it. If you have recurring clients, it’s often good policy to maintain a template per client, especially when those clients always want the same types of pentests. Templates should also be specific to the compliance framework. For example, if you have a template built around the needs of a framework like PCI DSS, you can easily fill in the blanks and double-check that you’ve included everything the client needs for the audit.
Cyver Core achieves this by using pentest report templates that import data from your client, the specific project, and associated vulnerability frameworks. So, your template updates each time you change the scope of the test, allowing you to create dynamic pentest reports that customize to the specific project – based on client needs.
Maintain Your Vulnerability Library
A well-maintained vulnerability library keeps careful descriptions of vulnerabilities, written in line with the compliance frameworks you use. Here, you can add standard descriptions, links to OWASP or other writeups, and baseline severity ratings. Then, when you add a vulnerability from your tools or scanners, you can simply use the library entry as a template, customizing it to meet the specific needs of your pentest report.
When you use Cyver Core for this, you can save master versions of any vulnerability you upload. Then, when you import vulnerabilities from your tools, you can automatically link your master versions and import the data without copy and paste.
Use Automation to Minimize Manual Work
Pentest reports involve a significant amount of copy-paste and manual, repetitive work. Most of that is a good fit for automation, using logic and token-based systems to compile reports. Cyver Core does exactly that. You can import vulnerability findings directly from your tools. The Cyver Core platform then breaks those imports down into individual findings, which you can review, link to items from your vulnerability library, and customize individually. Cyver Core generates suggested descriptions, names, and vulnerability ratings using CVSS scores, which you can then tweak, edit, and update before publishing to the client. Plus, provided you’re using the platform, Cyver Core automatically pulls client data like project scope, asset data, and methodology from the platform, filling in those parts of the report for you.
Of course, you’ll still have to customize writeups, ensure your template covers everything you want to cover, and review everything. However, with a large part of the manual copy-paste and compiling out of the way, you’ll save a significant amount of time on the report. For a lot of Cyver Core users, that amounts to up to 70% of the total time spent on the report.
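To make the three ideas above concrete (a token-based template, a master vulnerability library, and automatic CVSS-based ratings on imported findings), here is a small added example of such a pipeline; it is not Cyver Core’s code, and the library keys, scanner export format and `{{token}}` syntax are assumptions constructed for illustration.

```python
import re

# Constructed master vulnerability library (hypothetical keys): one reusable writeup
# per finding type, keyed by the identifier the scanner export uses.
VULN_LIBRARY = {
    "sqli": {"name": "SQL Injection",
             "description": "User input reaches a database query without parameterization."},
    "xss": {"name": "Cross-Site Scripting",
            "description": "Untrusted input is rendered into a page without output encoding."},
}

# Constructed scanner export, as it would look before review.
SCANNER_FINDINGS = [
    {"id": "sqli", "asset": "app.example.test/login", "cvss": 9.1},
    {"id": "xss", "asset": "app.example.test/search", "cvss": 6.1},
    {"id": "weak-tls", "asset": "app.example.test", "cvss": 5.3},  # no master entry yet
]

# Constructed report template using {{token}} placeholders.
TEMPLATE = "Client: {{client}}\nScope: {{scope}}\nFindings ({{count}}):\n{{findings}}"


def cvss_rating(score):
    """Map a CVSS v3 base score to the standard qualitative severity band."""
    for limit, band in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= limit:
            return band
    return "Critical"


def enrich_finding(finding):
    """Link a raw finding to its library master entry; flag ones still needing a manual writeup."""
    master = VULN_LIBRARY.get(finding["id"])
    return {
        "name": master["name"] if master else f"UNREVIEWED: {finding['id']}",
        "description": master["description"] if master else "TODO: write description",
        "asset": finding["asset"], "cvss": finding["cvss"],
        "rating": cvss_rating(finding["cvss"]),
    }


def render_report(template, client, scope, findings):
    """Fill the template's tokens; unknown tokens stay visible so reviewers catch template gaps."""
    enriched = sorted((enrich_finding(f) for f in findings), key=lambda e: -e["cvss"])
    lines = [f"- [{e['rating']}] {e['name']} on {e['asset']} (CVSS {e['cvss']}): {e['description']}"
             for e in enriched]
    tokens = {"client": client, "scope": scope, "count": str(len(enriched)), "findings": "\n".join(lines)}
    return re.sub(r"\{\{(\w+)\}\}", lambda m: tokens.get(m.group(1), m.group(0)), template)
```

Findings with no library entry are rendered with an UNREVIEWED marker rather than silently dropped, which is the review step the text says you still have to do by hand.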