The pentest report is still the culmination of work for many pentesters. While “just” a document, it’s what many organizations pay for. And, while more and more organizations are moving away from using pentest reports to remediate vulnerabilities and towards using findings as tickets delivered via pentest management platforms like Cyver Core, the pentest report is still necessary for compliance, for external reporting, and for finance. You still need pentest reporting, but you also likely want to minimize the amount of time you spend on creating those reports.
Pentest report generation uses automation to create high-quality reports complete with client, vulnerability finding, compliance framework, and methodology data. While you’ll still have to put in time to write high-level overviews and custom recommendations for clients, it can save you considerable time over putting the report together manually. In fact, with Cyver Core’s report generation, pentesters save up to 75%, or an average of 4 hours per report.
How it works in Cyver Core
Cyver Core uses an integrated system to generate reports based on data already in the platform. We do this for two reasons. The first is that Cyver Core is primarily a pentest management platform, intended to enable pentest-as-a-service, reduce the overhead of managing clients, and provide a vulnerability library and a findings-as-tickets platform. So, if you’re using the platform, all of the information that you’d need to generate a report is already in the platform. The second is that while many tools generate reports based on findings, they rarely pull all of the data from client, project, and methodology – you’d often have to copy-paste or use a template and update that per client. With Cyver Core, that’s all integrated.
- Add a client to the portal
- Set up a Pentest Project with methodology, scope, and client selected
- Create a pentest report template, either using our free template or by importing your own
- Import vulnerability findings from your scanners and tooling and automatically map them to your vulnerability library in the portal. Add new descriptions and custom data where applicable
- Publish those findings to the client
- Generate a report based on all of that data
In this way, Cyver Core works to automate and reduce manual work at every step of the process.
Automating Manual Work
Pentesters spend a significant amount of time on manual and repetitive tasks that often boil down to copy and paste. Cyver Core focuses on automating as much of this as possible, from initial project setup and scoping to importing findings from scanners to generating reports.
“There are so many reasons to automate data entry,” says Luis Abreu, co-founder of Cyver, “for example, reducing human error to enhance data quality, improving results while reducing time investment. The best part is that the more you invest, the more you can re-use. If you already have Findings in your Library, you don’t have to add data when you import those Findings from your tooling. If you already have the Findings in the portal, Cyver Core will simply import them to the report using a token – and if you’re delivering Pentest-as-a-Service, which we believe is the future of pentesting, you likely already have those findings in the portal anyway.”
“We’re invested in automation, so we’re even running trials using ChatGPT to generate high level summaries for pentest reports, with quite a bit of success so far. Automation is going to be the future and it does save us time.”
Tokens
Cyver uses tokens to intelligently pull data from the rest of the platform. This includes mapping Vulnerability Findings to assets, to compliance frameworks, and by severity or CVSS score. Cyver Core also generates graphics for the report – so you can very easily create a beautiful and informative pentest report.
“Pentesters should use as many tokens as possible to take advantage of data they’ve already uploaded to the portal. If you don’t know what you can do with the tokens, we’re happy to give you a demo or to help you figure out options. We often see people start out still writing up small summaries instead of using a token to generate it – but once they do they save so much time on the report.”
“PDF pentest reports are always going to be necessary for legacy reasons. You’ll always have auditors and external stakeholders who want to see them. But, at Cyver Core, we believe there’s a huge value potential in offering the end customer more actionable results than just a static PDF. So, we have a great pentest report generation tool – but it’s built around our tooling to automate Findings import, project and scoping, client management, and delivering pentest results as tickets rather than “just” a PDF. So Cyver’s solution really is designed for people looking to deliver pentest-as-a-service.”
If you’d like to learn more about Cyver’s pentest reporting tooling or about pentest management, schedule a demo to talk to us.