Reporting

Overview

AttackForge provides high-quality automated reports, on-demand when you or your customers need them.
Any team member on your project can download reports in PDF, DOCX, HTML, CSV formats. These reports are dynamic and will display the most current data on your project.
There is also a JSON export which contains all the data in the on-demand reports. It is used by the AttackForge ReportGen tool to create custom reports from your own DOCX template, and it is the format to use if you need to integrate AttackForge project & vulnerability data into other systems.
The ZIP archive contains all evidence which has been uploaded to the vulnerabilities on the project. It is useful if the customer needs high-resolution screenshots, or access to evidence which is not an image format and as such not already included in the reports - for example scripts, videos, etc.
You can download any of the on-demand reports, JSON export, ZIP archive, or access the ReportGen tool - directly from your project dashboard.
The PDF, DOCX & HTML reports contain the following information:
    Cover Page - including project name & timestamp
    Table of Contents (PDF & HTML only) - dynamic table of contents for ease of navigation
    Executive Summary - includes summary information for unique vulnerabilities, test cases and executive notes
    Testing Summary - includes summary information for scope, test window, progress, all vulnerabilities & statuses, project team, & any remediation testing rounds.
    Vulnerabilities - includes a list of all vulnerabilities ranked from Critical to Information, and includes number of affected assets with breakdown by fixed, flagged for retesting or not fixed.
    Attack Chains - includes all attack chains discovered on the project, to give the reader more context around certain types of vulnerabilities and any objectives/flags captured.
    Details for Every Vulnerability - includes name, priority, description, attack scenario, remediation recommendation, tags, and for every affected asset: name of asset; status, e.g. when the issue was closed/fixed; remediation notes; asset notes (with in-line screenshots); steps to reproduce (POC) (with in-line screenshots); and evidence.
    Appendix Overview Explained - this section details all the various sections within the report & what each of them means
    Appendix Severity Definitions - this section details what the various priorities mean e.g. Critical, High, Medium, Low, Informational
    Appendix Testcases - this section lists all the Completed test cases, In-progress test cases, Not Applicable test cases, and Not Tested test cases. Each test case will include any notes or evidence that has been assigned to the test case.
    Appendix Vulnerability-to-Asset Mapping - this section contains a list of all vulnerabilities discovered, mapped against the assets which are affected by the vulnerability.
    Appendix Asset-to-Vulnerability Mapping - this section contains a list of all assets/scope, mapped against the vulnerabilities which were identified against the asset.

Customise On-Demand Reports In-App

Reports can be customized by users within the application. This allows users to tailor the report content to the reader or the purpose.
For example, if the report needs to go to an Executive, they may not have the time to read through hundreds of pages of technical analysis. You can create a report that is structured to provide only the information the Executive cares about.
Another example is when reports need to be provided to 3rd parties or auditors. Since vulnerability reports contain sensitive data on how to exploit issues, this information may need to be redacted before it is sent to that party. You can create a report that omits screenshots, steps to reproduce findings, and any other content deemed too sensitive to share with external parties.
To customize your reports, click on Customize Vulnerability Reports from your project menu.
You will see a list of reporting options which allows you to toggle independent sections within the report.
You can click on any of the pre-set options including Executive Report, Risk Manager Report, Auditor/3rd Party Report or Developer Report - to select reporting options which are most relevant to the reader.
You can also create your own custom reporting options based on your preferences by manually toggling each section.
Once you have selected the sections you would like included in the report, click the Update button to save your settings to your profile. Any report that you download going forward will apply your report preferences, until you next update the report settings.
You can also upload a new logo which is displayed on the cover page of the report using the Upload Logo button.

Update Executive Summary

The PDF, DOCX & HTML reports (and the JSON export) contain an Executive Summary section. This is where you can include:
    Objectives of the assessment
    Overall observations or notable findings determined during the assessment
    Positive security controls identified
    Assumptions
    Limitations
If you need to update the Executive Summary, you can do this by clicking on the Executive Summary Notes option from your project.
Note that you must have Edit permissions on the project in order to update the executive notes section.
You can use any of the following meta tags to map to your project data:
    {projectName} - project name
    {projectCode} - project code
    {projectStart} - project start date
    {projectEnd} - project end date
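The JSON export described above and the meta tags listed here can be put together in a small script. The Python below is an added example, not AttackForge's own code: it resolves the four meta tags against project data and builds the Vulnerabilities summary (ranked Critical to Informational, with affected assets broken down by status). The export layout it reads (project, executiveSummaryNotes, vulnerabilities, affectedAssets) is an assumed, constructed shape, not the real export schema.

```python
import json

# Constructed sample export. The field names below are an assumed shape for
# illustration, not AttackForge's real JSON export schema.
SAMPLE_EXPORT = json.dumps({
    "project": {"name": "Example Web App Pentest", "code": "EXAMPLE-01",
                "start": "2024-01-08", "end": "2024-01-19"},
    "executiveSummaryNotes": "Assessment of {projectName} ({projectCode}) "
                             "ran from {projectStart} to {projectEnd}.",
    "vulnerabilities": [
        {"title": "SQL injection in login form", "priority": "Critical",
         "affectedAssets": [{"name": "app.example.test", "status": "Not Fixed"}]},
        {"title": "Missing HSTS header", "priority": "Low",
         "affectedAssets": [{"name": "app.example.test", "status": "Fixed"},
                            {"name": "api.example.test", "status": "Flagged For Retesting"}]},
        {"title": "Verbose server banner", "priority": "Informational",
         "affectedAssets": [{"name": "api.example.test", "status": "Not Fixed"}]},
    ],
})

PRIORITY_ORDER = ["Critical", "High", "Medium", "Low", "Informational"]
STATUSES = ("Fixed", "Flagged For Retesting", "Not Fixed")

def load_export(text):
    """Parse the JSON export text into a dict."""
    return json.loads(text)

def render_executive_summary(export):
    """Resolve the four meta tags listed on this page against the project data.
    Any other {braced} text is left as-is rather than treated as a tag."""
    p = export["project"]
    tags = {"{projectName}": p["name"], "{projectCode}": p["code"],
            "{projectStart}": p["start"], "{projectEnd}": p["end"]}
    text = export["executiveSummaryNotes"]
    for tag, value in tags.items():
        text = text.replace(tag, value)
    return text

def vulnerability_summary(export):
    """Rank vulnerabilities Critical..Informational (unknown priorities last,
    export order kept within a rank) with per-status affected-asset counts."""
    rows = []
    for v in export["vulnerabilities"]:
        counts = {s: 0 for s in STATUSES}
        for asset in v["affectedAssets"]:
            counts[asset["status"]] += 1  # unknown status raises KeyError on purpose
        rows.append({"title": v["title"], "priority": v["priority"],
                     "affected": len(v["affectedAssets"]), **counts})
    rank = lambda r: PRIORITY_ORDER.index(r["priority"]) if r["priority"] in PRIORITY_ORDER else len(PRIORITY_ORDER)
    return sorted(rows, key=rank)
```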

Customize Reports with AttackForge ReportGen

AttackForge ReportGen is a tool to help you create fully custom reports based on your own DOCX report templates.
For Enterprise customers, you can access pre-existing report templates loaded by your Administrators directly from your Project Dashboard by clicking the ReportGen button. You can download reports on-demand in any available reporting template, to save time.
Administrators can:
    Upload New Templates - they will be made available to all users on all projects to download custom reports
    Download ReportGen Client-Side Tool - this can be used to help build your custom DOCX template, with verbose logging enabled in the tool (browser console). Test any new template with it before uploading it for customers, to ensure it is working as expected.
    Download Base Template - this template contains all the meta tags that will map to your AttackForge project data. It should be the starting point when building any new templates.
    Download Custom Template - this template is used to create custom reports. You can download it to make necessary changes, then re-upload it to make the latest version available to users.
    Delete Custom Templates - using the actions menu, Administrators can delete any templates when required, for example when uploading a new version of an existing template.
    View available custom reporting options.
    Download reports on their project using any of the available reporting options.
Non-Administrators can:
    View available custom reporting options.
    Download reports on their project using any of the available reporting options.
To download a report in a custom template, click on the Download Report button. Reports will automatically download in your browser.
For more information on ReportGen, including how to build templates, check the Reporting module.