Most pentesters get into pentesting because they like hacking. Most clients pay for pentesting because they want a report. For most pentest firms, pentest reporting is the most time-consuming and tedious part of the process. Making the decision to automate pentest reporting is easy, it frees up a large portion of time, while freeing you from one of the most tedious aspects of the job.
This blog covers how to get started automating pentest reporting.
Why Automate Reports
While pentest reporting is one of the most crucial elements of pentesting – after all, it’s what the client is actually paying for – most pentesters hate doing it. That dislike is far from misplaced, considering reporting takes a minimum of 10% of the total time to pentest. Our research shows that even freelancers doing small tests spend up to 2 hours of an 8-12 hour pentest on reporting. That’s considerable for ethical hackers, considering it’s boring, repetitive, manual work involving simple parsing and compiling.
Cyver’s pentest report automation tools reduce that time expenditure by 70-85%.
While automating pentest reporting reduces overhead, frees up pentesters for, well, pentesting, and reduces the need to search for XML files, grepping, or slow copy-pasting to a Word template, it offers other benefits as well:
Less Manual Work – Reduced manual work means experts are available for more value-added tasks, allowing you to take on more pentests without hiring more pentesters or outsourcing work. Our data shows that most users reduce time-per-pentest by 70-85%, which might mean saving anywhere from a few hours to several days of work depending on the size of the project.
Reduced Manual Error – Automated imports mean data isn’t being copy-pasted into a report by a pentester who’s frankly, bored. Everyone has lost data at one point or another. You spend forever looking for the results of a portscan, struggle to keep track of data from an internal client with 800+ IPs, and have exports from 4-12 tools. Data gets lost, copy paste messes up, and sometimes you simply forget to update some fields. As a result, the report is incomplete or, worse, still includes data from a previous pentest. What now? Tools like Cyver allow you to import findings as soon as you finish, with results managed in a central dashboard, so everything is up to date. Just import as soon as the tool is done and the findings will automatically show up in the final report.
What’s Involved in Pentest Report Automation
For most pentesters, pentest reporting breaks into three equally important aspects: data management, the report template, and data compiling. Here, data management is about organizing, retaining, and finding exports from a tool. Compiling is about collating those exports into a single report template, complete with findings information and data. That means, to be complete, a pentest report automation tool has to handle everything.
Managing Data – We’ve all lost files, spent time figuring out where we left export data, and forgot to paste new findings in. Data management is the process of importing Findings and trusting them to a tool. Here, tools like Cyver import all Findings to a Pentest project template, link them to a client, and link to assets. This allows you to sort and manage findings per client, per project, and per asset. It also allows you to generate and re-use findings across pentest for the same client, to manage vulnerability history for the client, and to keep track of all findings in one place. If you upload exports to Cyver immediately following export from the tooling, findings automatically link to the client and you’ll never have to go searching for the file or grepping through a file again. All findings are uploaded as searchable, editable, and organizable tickets which you can immediately send to clients as-is. We support file formats like XML and CSV, ensuring complete support for tools like Burp, Nmap, OWASP Zap, Nessus, etc.
Report Templates – Many pentesters traditionally use Word or even Excel templates, where they simply paste findings into a pre-formatted file. Some pentest report automation tools still require you to paste report outputs into this sort of file. This works relatively well in that you can easily re-use sections and text, can use tools like “Find-Replace”, etc. However, it still means inefficiencies in the process in that manual work is required. Cyver resolves this with an integrated data management and reporting function, allowing us to pull live data from projects. Therefore, reports automatically generate from data you’ve already uploaded to the tool – from simple import actions. No copy-paste required.
Compiling Data – Data compilation tools vary significantly. For example, some import data and compile it into a single text file. Others build complete in-line reports with full customization and findings as tickets. Cyver’s pentest report automation solution uploads findings as tickets which can be pulled as live items. Then, we use tokens to fill report sections with live data, so everything is uploaded and published. Our reports use customizable sections with tokens, allowing you to fully edit and customize every part of the report.
Eventually, automating pentest reporting is a matter of choosing tooling and going from there. To learn more about how Cyver automates your reporting, visit our Automated Pentest Reporting page.