Reporting
Check YouTube for more tutorials: https://youtube.com/@attackforge
AttackForge provides high-quality reports on-demand when you or your customers need them.
Any team member on your project can download reports in custom templates. These reports are dynamic and will display the most current data on your project.
Every project can have an unlimited number of reporting templates available.
There is also a JSON export which contains all of the data for the reports. This is useful for creating reports offline or for backup purposes.
The ZIP archive contains all evidence which has been uploaded to the vulnerabilities on the project. It is useful if the customer needs high-resolution screenshots, or access to evidence which is not an image format and as such not already included in the reports - for example scripts, videos, etc.
You can download any of the on-demand custom reports, JSON export or ZIP archive - directly from your project.
AttackForge has a custom-built reporting engine we call ReportGen, which helps you create custom DOCX reports, on-demand and in a variety of templates.
For example - you can create:
Pentest reports
Retesting reports
Executive reports
Testing summary reports
Application and Infrastructure reports
Mobile testing reports
Red Team and Purple Team reports
Configuration Audit reports
Compliance reports, to name a few.
Custom reports can be generated by any user, on demand, from the project dashboard or reporting section on their projects.
Each user can only see reporting options which have been made available to them.
Every report template can be configured with access controls in the Report Templates module to restrict visibility and usage of templates for Roles, Groups and Users.
You can also control when the Executive Summary and Custom Reports become available to users on the project, and who is allowed to create reports on the project. This is configured in the project settings under Access.
For more details on how to create reporting templates for custom reports, please see Reporting.
You can select one or more vulnerabilities to create a custom report with only that selection.
This is useful when you need to get a report out to different teams, with only the context for vulnerabilities which are relevant to that team.
Start by selecting the vulnerabilities from your project vulnerabilities tab, then select Actions -> Custom Report. Choose your custom report. The report will be tailored to only the vulnerabilities in your selection.
The reports contain an Executive Summary section. This is where you can include:
Objectives of the assessment
Overall observations or notable findings determined during the assessment
Positive security controls identified
Assumptions
Limitations
If you need to update the Executive Summary, you can do this by clicking on the Reporting tab from the project.
Note you must have Edit permissions on the project in order to update the executive summary section.
You can create custom sections and custom fields to personalize your Reporting data to the project.
Some ideas for Sections and Fields you can create:
Project Summary - including Executive Summary, Summary of Recommendations and Positive Security Observations
Testing Overview - including Background, Approach and Methodology
Document Control - including Author(s), Reviewer, Approver and Version History
To get started, go to Administration and click on Reporting.
Start creating Sections and Fields for the Reporting data you want to capture on your projects.
Set default values to make your reporting easier!
Now on your existing or new project, enable the Reporting section.
Add access levels based on the needs of your project.
Enter information and upload files based on your configuration.
IMPORTANT: Only users with Edit access on the project can edit the Reporting fields.
Add custom fields to your Reports. For more information on how to do this, please visit https://github.com/AttackForge/ReportGen/issues/25
You can use the following tags to dynamically change the name of the custom report which is downloaded on a project.
{project.id} - project Id.
{project.name} - project name.
{project.code} - project code.
{project.organization_code} - project organization code.
{project.status} - project status.
{project.start_date} - project start date.
{project.end_date} - project end date.
{project.custom_field.<key>} - project custom field. Replace <key> with the key on your custom field.
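The following is an added example, not AttackForge or ReportGen code: a small Python check you can run on a report-name template before saving it, to catch mistyped tags against the list above and to preview the resulting name. The function names, the sample values, the custom field key cost_centre and the file-name sanitization step are assumptions of this example; this page does not describe how AttackForge itself renders or sanitizes the name.

```python
import re

# Tags listed on this page; custom fields use {project.custom_field.<key>}.
KNOWN_TAGS = {"project.id", "project.name", "project.code",
              "project.organization_code", "project.status",
              "project.start_date", "project.end_date"}
CUSTOM_PREFIX = "project.custom_field."
TAG_RE = re.compile(r"\{([^{}]*)\}")
# Assumption of this example: characters treated as unsafe in file names.
UNSAFE_RE = re.compile(r'[\\/:*?"<>|\x00-\x1f]')


def lint_template(template, custom_keys=()):
    """Return a list of problems found in a report-name template."""
    problems = []
    for tag in TAG_RE.findall(template):
        if tag in KNOWN_TAGS:
            continue
        if tag.startswith(CUSTOM_PREFIX):
            key = tag[len(CUSTOM_PREFIX):]
            if key not in custom_keys:
                problems.append(f"unknown custom field key: {key!r}")
            continue
        problems.append(f"unknown tag: {{{tag}}}")
    # Braces left over after removing well-formed tags indicate a typo.
    if re.search(r"[{}]", TAG_RE.sub("", template)):
        problems.append("unbalanced brace")
    return problems


def preview(template, values):
    """Local preview: substitute sample values, replacing characters that
    are unsafe in file names with '_'. Unknown tags are left untouched."""
    def repl(match):
        value = values.get(match.group(1), match.group(0))
        return UNSAFE_RE.sub("_", str(value))
    return TAG_RE.sub(repl, template)


# Constructed sample data, not taken from a real project.
SAMPLE = {"project.code": "ACME-01",
          "project.name": "Web/API Pentest",
          "project.end_date": "2024-05-31",
          "project.custom_field.cost_centre": "CC42"}
```

Project names and custom field values are entered by users, so a script that saves downloaded reports under the rendered name should apply a step like the one in preview() before writing to disk.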