Pentesting has come a long way from the days of hackers on a single laptop manually running tests. But, one thing hasn’t changed. Ethical hackers still use Excel for project management, tracking manual tests, delivering reports, and much more While scanners and tools like Pass-The-Hash, Nessus, and NMap have taken over manual scanning and tools like Empire have virtually eliminated relying on C2 infrastructure, Excel still remains a vital element of the pentest security world. Thousands of pentesters still use Excel as their only project management tool, despite the fact that most other industries have moved on to dedicated tooling like Trello, Jira, or Asana.
Some pentesters have moved to these tools as well, but non-dedicated tooling offers half a solution. Existing project management tools are typically designed around developers, without encryption, built-in checklists, or scanner compatibility, meaning most processes are still manual.
We firmly believe that should change.
A Demand for Quality Assurance
Today’s ethical hackers, penetration testers, and pentest firms deliver value in terms of quality, actionability, and transparency. This translates to a few principles such as:
- Work should be reproducible (so that developers can fix findings)
- Testers are responsible for loss in the system or information including information findings during testing
- Testers are obliged to keep information confidential
- Work should be transparent, so companies can see what pentesters checked and how
Manual project management in Excel doesn’t leave room for most of these quality assurances.
Issues with Excel
Excel is an amazing tool. We use it to share data, manage projects, launch manual attacks, and much more. But, it’s not optimized as a project management tool in any way. It’s the “Jack of All Trades” that loses value in highly specific fields.
The most notable of these weaknesses is a simple lack of ease of collaboration. Modern versions like Office 365 and alternatives like Google Sheets bring Excel to the cloud, but collaboration is difficult to impossible. It’s difficult to keep track of who’s working on what (even with color-coding and assignment tables), it’s difficult to tag and assign tasks to individuals, it’s easy to gloss over specific tasks because they’re in a long table, and it’s easy to constantly lose track of where you or someone else is at.
Excel project management means you have no overview of tasks, no checklists, and no way to assign work where it’s needed.
- Versioning – There’s no way to easily control versions or check template versions
- Copy-Paste – Pentesters will have to manually copy-paste frameworks, checklists, overviews, and data into the project management template, and then back into a report.
- Manual Error – Human error is the most common cause of errors in any field, and using Excel project management puts data in the hands of pentesters as it moves back and forth. This results in errors ranging from copying the wrong data to copying previous results into a new project, meaning the client will see the wrong data.
- Formatting Errors – Templates, Excel versions, and copy-pasting can tens of hours one very project
- Responsibilities – It’s difficult to assign responsibility to Excel tables
- Overviews – Overviews are impossible. More information can be added with comments and notes, but it remains difficult to read because it’s just an Excel table.
- Information Loss – It’s easy to lose information when copy-pasting, adding information, or moving things around. Once information is lost, formatting and lack of versioning makes it difficult to notice or recover data.
- Reporting – No Excel template is designed to export into a report for clients. Data will have to be copied over into a new report template.
- Encryption – Excel is not encrypted. You have to protect the client’s confidential information yourself.
While Excel has functioned as a project management tool in the past, it’s ill suited to the task. Switching to a dedicated Pentesting project management tool offers advantages that will reduce time spent on project management while improving accountability, shareability, and the quality of data.
What is Cyver?
Cyver is a dedicated platform for pentest professionals, complete with pentest project management, frameworks, and reporting. Centralized management tooling allows you to link scanners and tools to automatically import findings and reports to customer dashboards and set up customer accounts inside the application. This means developers save time copy-pasting information, while clients always see clear and timely reports and findings. Cyver also offers frameworks for pentests like PCI, HIPAA, ISO2701, ISAE3402 and SOC-2, which automatically load project stages and checklists, with customization options per client. The result? You save time while delivering a higher-quality result. Cyver brings all your data together, with screenshots and developer notes available for customers on a single, encrypted findings page. You reduce data loss, while giving clients easy access to actionable findings, which are listed individually, and linked to project management tools, with notifications in real time.
Cyver brings cloud technology, project management, and automation together into a single project management tool for pentest security professionals. If you’re still managing pentests in Excel, there is a better way. Sign up now to get started.