Improving efficiency and customer satisfaction with pentest reporting tools
Modern pentesting is very much about automation, efficiency, and saving time. Pentesters work Agile, often work from home, and lean on automation and tooling to improve their processes. Despite that, pentest reporting is still a largely manual process. In an average office, the pentester consolidates Nessus reports, Nmap output, and proof-of-concept (POC) evidence from manual exploitation into a custom Word template by hand, mostly by copy-paste. Parsing scanner output automates some of the reporting, but most approaches fail to automate importing custom POC screenshots into Word and PDF reports. Large data sets are most often shared as CSV files, and teams write Python scripts, typically using the standard csv module or third-party libraries such as pandas, to turn Nessus or Qualys exports into report tables. None of these options is ideal, optimized, or positive for the pentest firm or the client: they all still involve manual copy-pasting, manual writing, and manual organization of the document.
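The scanner-consolidation step described above, as an added example (not Cyver Core's code, and not from the original post): a stand-alone Python script that reads a Nessus CSV export, collapses duplicate rows from overlapping scans, groups results into one finding per plugin with the list of affected host:port targets, drops informational noise, orders findings by severity, and renders a Markdown summary that can be pasted into a report. The column names follow the Nessus CSV export layout; the sample export, including its hosts, plugin IDs, names and CVE references, is constructed for illustration.

```python
"""Consolidate a Nessus CSV export into deduplicated, severity-ordered findings.

Added example; not Cyver Core code. Column names follow the Nessus CSV export
layout (Plugin ID, CVE, CVSS, Risk, Host, Protocol, Port, Name, ...); adjust
them if your scanner export differs.
"""
import csv
import io

# Constructed sample export. Hosts, plugin IDs, names and CVEs are illustrative
# only. Row 4 deliberately repeats row 2 (the same host/port/plugin reported by
# two overlapping scans) to show the deduplication.
SAMPLE_NESSUS_CSV = """\
Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Synopsis,Description,Solution,See Also,Plugin Output
10107,,0.0,None,10.0.0.5,tcp,80,HTTP Server Type and Version,Web server type identified.,Banner grab.,n/a,,Apache
20007,CVE-2014-3566,5.0,Medium,10.0.0.5,tcp,443,SSL Version 2 and 3 Protocol Detection,Legacy SSL enabled.,SSLv3 accepted.,Disable SSLv2 and SSLv3.,,SSLv3 is enabled
20007,CVE-2014-3566,5.0,Medium,10.0.0.6,tcp,443,SSL Version 2 and 3 Protocol Detection,Legacy SSL enabled.,SSLv3 accepted.,Disable SSLv2 and SSLv3.,,SSLv3 is enabled
20007,CVE-2014-3566,5.0,Medium,10.0.0.5,tcp,443,SSL Version 2 and 3 Protocol Detection,Legacy SSL enabled.,SSLv3 accepted.,Disable SSLv2 and SSLv3.,,SSLv3 is enabled
51192,,6.4,Medium,10.0.0.6,tcp,443,SSL Certificate Cannot Be Trusted,Certificate chain untrusted.,Self-signed certificate.,Install a certificate from a trusted CA.,,Self-signed
97833,CVE-2017-0143,9.3,High,10.0.0.7,tcp,445,MS17-010 SMB Remote Code Execution,SMB server unpatched.,Host lacks MS17-010.,Apply MS17-010.,,Host is vulnerable
"""

# Nessus risk labels, most severe first; unknown labels sort last.
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}


def parse_nessus_csv(text):
    """Parse a Nessus CSV export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def consolidate(rows, include_informational=False):
    """Group rows into one finding per plugin with a deduplicated list of
    affected host:port/protocol targets, ordered most severe first.

    Informational rows (Risk "None") are dropped unless requested, which is
    usually what keeps a report readable."""
    findings = {}
    for row in rows:
        risk = row["Risk"].strip() or "None"
        if risk == "None" and not include_informational:
            continue
        finding = findings.setdefault(row["Plugin ID"], {
            "plugin_id": row["Plugin ID"],
            "name": row["Name"],
            "risk": risk,
            "cvss": float(row["CVSS"] or 0.0),
            "cve": set(),
            "solution": row["Solution"],
            "affected": [],
        })
        finding["cve"].update(c.strip() for c in row["CVE"].split(",") if c.strip())
        target = f"{row['Host']}:{row['Port']}/{row['Protocol']}"
        if target not in finding["affected"]:  # collapse duplicate scan rows
            finding["affected"].append(target)
    for finding in findings.values():
        finding["cve"] = sorted(finding["cve"])
    # Severity first, then higher CVSS first, then name for a stable order.
    return sorted(findings.values(),
                  key=lambda f: (SEVERITY_ORDER.get(f["risk"], 99), -f["cvss"], f["name"]))


def render_markdown(findings):
    """Render findings as a summary table followed by one section per finding."""
    lines = ["| Severity | CVSS | Finding | Affected hosts |", "|---|---|---|---|"]
    for f in findings:
        lines.append(f"| {f['risk']} | {f['cvss']} | {f['name']} | {len(f['affected'])} |")
    for f in findings:
        lines += ["", f"## {f['name']} ({f['risk']}, CVSS {f['cvss']})"]
        if f["cve"]:
            lines.append("CVE: " + ", ".join(f["cve"]))
        lines.append("Affected: " + ", ".join(f["affected"]))
        lines.append("Solution: " + f["solution"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_markdown(consolidate(parse_nessus_csv(SAMPLE_NESSUS_CSV))))
```

On the sample above the script yields three findings (the High SMB issue first, then the two Medium SSL issues, highest CVSS first) and lists the SSLv3 finding once with two affected targets rather than three raw rows. Grouping by plugin rather than by host is the choice that most reduces report length; a per-host appendix can be generated from the same `affected` lists if the client wants it.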
It’s time for something better.
The Importance of Improving the Quality of Pentest Reports
Most pentesters think companies are paying for tests. Most companies think they're paying for reports. The report, with its executive summary, classified vulnerabilities, screenshots, and actionable recommendations, is the deliverable. Delivering a 30+ page document doesn't achieve the actionable or visible results clients want. Even with screenshots and tables, long documents make it hard to sift through information, mark issues as solved, or track the progress of a finding. Most people find data dumps overwhelming and gloss over part of the data.
The report is the tip of the iceberg for most ethical hackers, consolidating hours or days of testing, and it's the only thing the client will ever see. Ensuring the client only ever sees a high-quality result is imperative to offering a quality service, because that is what the client will judge you by, and rightly so.
- Using Word templates can result in forgetting to replace a client's name, accidentally leaving in sample data or data from a previous report, or otherwise sharing the wrong data. Human error is rife in manual reporting.
- Charts and infographics are not normally included, which reduces readability for less technical readers; developers may have to build their own summaries to share with stakeholders.
- Copy-pasting drags fonts and styles along with the text, creating formatting issues that degrade the final report.
Most importantly, Word documents fail to make the work visible to the client. The customer receives a significant amount of data, but sees only what was delivered, not what was tested or why. Clients should be able to see the framework you're testing against, what was in scope and what was tested, that test artifacts were cleaned up afterwards, and your rating for each element of the test.
Time-Expenditure on Pentest Reporting
While the report is the most important output of a pentest, it takes up more time than it should. Most pentesters spend hours copy-pasting and compiling data into a Word or Excel file. With no integrated way to automate the process, most pentesters copy an existing template and update it for the current client. That means manually copy-pasting findings tracked in Excel and CSV files, which leads to mistakes, formatting problems, lost data, and technical errors.
Time pressure sometimes leads to pentesters simply not reporting findings. Minimal time, deadline pressure, and a failure to review everything imported from tools all contribute, because going through thousands of lines of scanner results by hand is difficult to impossible.
Introducing Cyver Core
Cyver Core works to eliminate the issues with pentest reporting by providing a centralized platform with tool integration, automation, and central management. Cyver Core links to scanners and to the client's project management tools, so pentesters can import findings directly from tools, share screenshots and developer/hacker notes on an encrypted page, and automatically create tickets in the client's project management system.
The result is a simpler, faster reporting process: pentesters import findings and publish them in a client-friendly report format. For example, a pentester can export work data directly to Cyver Core to create individual findings reports with tasks linked to stakeholders and progress. Proof-of-concept screenshots, developer notes, hacker notes, and real-time communication are all available on one encrypted findings page.
Pentest firms can greatly reduce time-expenditure on creating reports, because most of the process is automated.
At the same time, customers also see value. Traditional pentest reporting means sifting through dozens of pages. With Cyver Core, they link their existing project management system and receive findings as tickets, complete with everything they need to reproduce the issue, see its severity, and discuss it with the hacker.
Cyver Core also supports traditional PDF reporting. Clients can export Cyver Core reports and dashboard information to PDF. These reports include support for compliance frameworks such as PCI DSS, HIPAA, ISO 27001, ISAE 3402 and SOC 2, so reports contain all relevant information, including what was checked and why, without a manual write-up. This lets the pentester or the client generate reports on demand, with report summaries and threat analysis in easy-to-read charts for management use.
Cyver Core is designed to improve the pentest process for cybersecurity teams and their clients. You save time, money, and tedious manual work. Clients receive higher-quality reports in more accessible formats, along with easier ways to track and manage findings.