Pentest reporting is one of the most time-consuming aspects of pentesting, with most firms taking anywhere from 6-14 hours per pentest report. Today, there are options to automate pentest reporting, with everything from a hands-on approach to save about 60% of time on reporting to a fully automated reporting process where you’ll likely spend just minutes per pentest report. Both options are supported by Cyver Core and both fit different use case scenarios. 

In this article, we’ll cover what fully automated pentest reporting looks like and how it works. This means you set and forget pentest reporting, so every pentest fully generates itself with little or no hands-on writing and updates. Of course, you’ll be able to step in and edit at any step for as much manual control as you’d like. 

Set up Your Cyver Core Platform 

Setting up your Cyver pentest reporting platform means: 

  • Onboarding your team
  • Creating your pentest projects 
  • Onboarding clients
  • Creating pentest report templates 
  • Importing your vulnerability library
  • Adjusting settings for the pentest project 

If you don’t yet have an account, your customer success manager will help you with all of this during onboarding. You’ll also get full support with building your own custom reports in the platform. 

Connecting Scanners & Tools 

Step one of automating pentest reporting is to connect your scanners and tools. Cyver Core offers our own integrated scanner to automatically import files, plus a number of integrations for popular tooling like Nessus and Burp. Once you have this in place, you can automatically import findings after a run and automatically link those results to the right project with assets and customer data included. Cyver Core also merges duplicate findings and shows found instances across different assets. 

Adding the Vulnerability Descriptions 

Cyver Core adds vulnerability descriptions during the import process. This means: 

  • Matching vulnerability findings to your vulnerability library based on title. This means your vulnerability library content automatically shows up in imported findings 
  • Importing data from the tooling such as how the vulnerability was identified, impacted systems, and potential impact 
  • Using correlation to prioritize vulnerabilities based on severity and potential impact
  • Assigning severity ratings based on CVSS and CVE data 
  • Automatically importing reproduction steps and adding them to the finding ticket 
  • Mapping found vulnerabilities to requested compliance norms such as PCI DSS, ISO 27001, etc. This also includes options for benchmarking with pass/fail ratings for compliance norms or your own custom benchmarks 

Finally, Cyver Core integrates an AI copilot for further automation. This means you can: 

  • Fully generate custom content for findings based on the client’s tooling and tech stack 
  • Generate specific recommendations for fixes based on best practices and known fixes, with the client’s tech taken into account 
  • Generate findings descriptions 

In short, once you hit import, Cyver Core can fully automate every other part of the process, including generating new content when you don’t have that finding in your library and automatically adding content from your existing vulnerability library when you do. 

Automatically Generate Pentest Reports 

Cyver Core uses template-based reporting for automated pentest report generation. This means you build out a report with sections and tokens as placeholders for content. Once the content is there, those tokens are replaced with data from the pentest results, the client information, and the asset information. 

  • Pull from imported vulnerabilities 
  • Automatically add client data such as assets 
  • Automatically add project data like pentest scope, methodology, etc.
  • Automatically generate charts and graphs, with pie charts, bar graphs, and heat maps available to illustrate findings, and over 40 tokens to display the specific data you want. That can range from high-level information like the number of findings per severity or per asset to more specific information like findings mapped to a compliance norm
  • Add trend analysis to show time-to-fix, security posture over time, etc. 
  • Pull from a library of content and sections to offer customized pentest reports per client 
  • Generate custom content such as report summaries and writeups specific to the client’s technology 
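To make the token mechanism concrete, here is a small, added example (not Cyver Core’s own code) of how a template-based report generator resolves tokens from merged findings: findings with the same title are merged across assets, library content is matched by title, and per-severity, per-asset and compliance-norm counts feed the tokens. The `{{ name }}` token syntax, the data layout and the function names are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed imported findings; the first two share a title across two assets.
RAW_FINDINGS = [
    {"title": "TLS 1.0 Enabled", "asset": "api.example.test", "severity": "Medium"},
    {"title": "TLS 1.0 Enabled", "asset": "www.example.test", "severity": "Medium"},
    {"title": "SQL Injection in Login Form", "asset": "www.example.test", "severity": "Critical"},
    {"title": "Missing HSTS Header", "asset": "www.example.test", "severity": "Low"},
]
# Constructed vulnerability library keyed by title, matching the rule on the page.
LIBRARY = {
    "TLS 1.0 Enabled": {"description": "Legacy TLS versions are accepted.",
                        "norms": ["PCI DSS 4.2.1"]},
    "SQL Injection in Login Form": {"description": "Login input reaches SQL unsanitised.",
                                    "norms": ["PCI DSS 6.2.4"]},
}
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Informational"]
TOKEN = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")  # assumed token syntax: {{ name }}

def merge_findings(raw):
    """Merge findings that share a title, collecting every affected asset and
    attaching library content; titles absent from the library get a marker."""
    merged = {}
    for f in raw:
        lib = LIBRARY.get(f["title"], {})
        entry = merged.setdefault(f["title"], {
            "title": f["title"], "severity": f["severity"], "assets": [],
            "description": lib.get("description", "NOT IN LIBRARY: write description"),
            "norms": lib.get("norms", [])})
        entry["assets"].append(f["asset"])
    return list(merged.values())

def build_tokens(findings, client):
    """Compute the values that template tokens resolve to."""
    per_sev = Counter(f["severity"] for f in findings)
    per_asset = Counter(a for f in findings for a in f["assets"])
    return {
        "client.name": client["name"],
        "findings.total": str(len(findings)),
        "findings.by_severity": ", ".join(f"{s}: {per_sev[s]}" for s in SEVERITY_ORDER if per_sev[s]),
        "findings.by_asset": ", ".join(f"{a}: {n}" for a, n in sorted(per_asset.items())),
        "findings.pci_dss": str(sum(any(n.startswith("PCI DSS") for n in f["norms"]) for f in findings)),
    }

def render(template, tokens):
    """Replace known tokens; unknown tokens stay visible rather than vanishing silently."""
    return TOKEN.sub(lambda m: tokens.get(m.group(1), m.group(0)), template)
```

Merging keeps the severity of the first instance seen; a real importer needs an explicit rule for conflicting severities reported by different tools, and leaving unknown tokens visible is what lets a reviewer spot a template gap before the report is published.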

Essentially, once everything is set up, your report basically writes itself. The idea is that you use a mix of prepared or canned content, AI to generate new content, and automatic chart and graph generation, so you get beautiful and highly customized reports every time. 

Publishing the Report 

Once the report is ready, it’s up to you what happens next. Have a simple report with very little custom content? Automatically publish it to the client without having to do anything. Or, take time to review the report, add any custom insights you want, and review with your team if you prefer a more hands-on approach. 

Are you interested in automating your pentest report generation process? Contact Cyver Core for a demo to see the platform and how report generation works.