Reporting

Overview

AttackForge provides high-quality automated reports, on-demand when you or your customers need them.

Any team member on your project can download reports in PDF, DOCX, HTML and CSV formats. These reports are dynamic and will display the most current data on your project.

There is also a JSON export which contains all the data in the on-demand reports. This is useful for creating reports offline or for backup purposes.

The ZIP archive contains all evidence which has been uploaded to the vulnerabilities on the project. It is useful if the customer needs high-resolution screenshots, or access to evidence which is not in an image format and so is not already included in the reports, for example scripts, videos, etc.

You can download any of the on-demand reports, the JSON export, or the ZIP archive directly from your project dashboard or reporting tab.

The PDF, DOCX & HTML reports contain the following information:

  • Cover Page - including project name & timestamp

  • Table of Contents (PDF & HTML only) - dynamic table of contents for ease of navigation

  • Executive Summary - includes summary information for unique vulnerabilities, test cases and executive notes

  • Testing Summary - includes summary information for scope, test window, progress, all vulnerabilities & statuses, project team, & any remediation testing rounds.

  • Vulnerabilities - includes a list of all vulnerabilities ranked from Critical to Informational, and includes the number of affected assets with a breakdown by fixed, flagged for retesting or not fixed.

  • Attack Chains - includes all attack chains discovered on the project, to give the reader more context around certain types of vulnerabilities and also objectives/flags captured.

  • Details for Every Vulnerability - includes name, priority, description, attack scenario, remediation recommendation and tags. For every affected asset, it includes the name of the asset; status, e.g. when the issue was closed/fixed; remediation notes; asset notes (with in-line screenshots); steps to reproduce (POC) (with in-line screenshots); and evidence.

  • Appendix Overview Explained - this section describes each section of the report and what it means

  • Appendix Severity Definitions - this section details what the various priorities mean e.g. Critical, High, Medium, Low, Informational

  • Appendix Test Cases - this section lists all the Completed test cases, In-progress test cases, Not Applicable test cases, and Not Tested test cases. Each test case will include any notes or evidence that has been assigned to the test case.

  • Appendix Vulnerability-to-Asset Mapping - this section contains a list of all vulnerabilities discovered, mapped against the assets which are affected by the vulnerability.

  • Appendix Asset-to-Vulnerability Mapping - this section contains a list of all assets/scope, mapped against the vulnerabilities which were identified against the asset.

Custom Reports

AttackForge provides a utility - ReportGen - which helps you create custom on-demand DOCX reports in a variety of formats.

For example - you can create:

  • Pentest reports

  • Retesting reports

  • Executive reports

  • Testing summary reports

  • Application and Infrastructure reports

  • Mobile testing reports

  • Compliance reports, to name a few.

Custom reports can be generated by any user, on demand, from the project dashboard or reporting section on their projects.

Every report template can be configured with access controls to restrict visibility and usage of templates to designated Roles, Groups and Users.

For more details on how to create templates for custom reports, please see Reporting.

Custom Report on Selected Vulnerabilities

You can select one or more vulnerabilities to create a custom report with only that selection.

This is useful when you need to get a report out to different teams, with only the context for vulnerabilities which are relevant to that team.

Start by selecting the vulnerabilities from your project vulnerabilities tab, then select Actions --> Custom Report. Choose your custom report. The report will be tailored to only the vulnerabilities in your selection.

Update Executive Summary

The reports contain an Executive Summary section. This is where you can include:

  • Objectives of the assessment

  • Overall observations or notable findings determined during the assessment

  • Positive security controls identified

  • Assumptions

  • Limitations

If you need to update the Executive Summary, you can do this by clicking on the Reporting tab from the project menu.

Note: you must have Edit permissions on the project in order to update the Executive Summary section.
