Reporting

Overview

AttackForge provides high-quality reports on-demand when you or your customers need them.

Any team member on your project can download reports in custom templates. These reports are dynamic and will display the most current data on your project.

Every project can have an unlimited number of reporting templates available.

There is also a JSON export which contains all of the data for the reports. This is useful for creating reports offline or for backup purposes.

The ZIP archive contains all evidence which has been uploaded to the vulnerabilities on the project. It is useful if the customer needs high-resolution screenshots, or access to evidence which is not an image format and as such not already included in the reports - for example scripts, videos, etc.

You can download any of the on-demand custom reports, JSON export or ZIP archive - directly from your project.

Custom Reports

AttackForge has a custom built reporting engine we call ReportGen which helps you create custom DOCX reports, on-demand and in a variety of templates.

For example - you can create:

  • Pentest reports

  • Retesting reports

  • Executive reports

  • Testing summary reports

  • Application and Infrastructure reports

  • Mobile testing reports

  • Red Team and Purple Team reports

  • Configuration Audit reports

  • Compliance reports, to name a few.

Custom reports can be generated by any user, on demand, from the project dashboard or reporting section on their projects.

Each user can only see reporting options which have been made available to them.

Every report template can be configured with access controls in the Report Templates module to restrict visibility and usage of templates for Roles, Groups and Users.

You can also control when the Executive Summary and Custom Reports become available to users on the project, and who is allowed to create reports on the project. This is configure in the project settings under Access.

For more details on how to create reporting templates for custom reports, please see Reporting.

Custom Report on Selected Vulnerabilities

You can select one or more vulnerabilities to create a custom report with only that selection.

This is useful when you need to get a report out to different teams, with only the context for vulnerabilities which are relevant to that team.

Start by selecting the vulnerabilities from your project vulnerabilities tab, then select Actions -> Custom Report. Choose your custom report. The report will be tailored to only the vulnerabilities in your selection.

Update Executive Summary

The reports contain an Executive Summary section. This is where you can include:

  • Objectives of the assessment

  • Overall observations or notable findings determined during the assessment

  • Positive security controls identified

  • Assumptions

  • Limitations

If you need to update the Executive Summary, you can do this by clicking on Reporting tab from the project.

Note you must have Edit permissions on the project in order to update the executive summary section.

Custom Reporting Fields

You can create custom sections and custom fields to personalize your Reporting data to the project.

Some ideas for Sections and Fields you can create:

  • Project Summary - including Executive Summary, Summary of Recommendations and Positive Security Observations

  • Testing Overview - including Background, Approach and Methodology

  • Document Control - including Author(s), Reviewer, Approver and Version History

To get started, go to Administration and click on Reporting.

Start creating Sections and Fields for the Reporting data you want to capture on your projects.

Set default values to make your reporting easier!

Now on your existing or new project, enable the Reporting section.

Add access levels based on the needs of your project.

Enter information and upload files based on your configuration.

!IMPORTANT: Only users with Edit access on the project can edit the Reporting fields

Add custom fields to your Reports. For more information how to do this, please visit https://github.com/AttackForge/ReportGen/issues/25

Export JSON Project Data

There is also a JSON export which contains all of the data for the reports. This is useful for creating reports offline or for backup purposes.

Evidence as ZIP

The ZIP archive contains all evidence which has been uploaded to the vulnerabilities on the project. It is useful if the customer needs high-resolution screenshots, or access to evidence which is not an image format and as such not already included in the reports - for example scripts, videos, etc.

You can download any of the on-demand custom reports, JSON export or ZIP archive - directly from your project.

Custom Project Report Name Tags

You can use the following tags to dynamically change the name of the custom report which is downloaded on a project.

  • {project.id} - project Id.

  • {project.name} - project name.

  • {project.code} - project code.

  • {project.organization_code} - project organization code.

  • {project.status} - project status.

  • {project.start_date} - project start date.

  • {project.end_date} - project end date.

  • {project.custom_field.<key>} - project custom field. Replace <key> with the key on your custom field.

PreviousAttack ChainsNextRetesting & Remediation

Last updated