Reporting
Reporting module is a place where you can easily and quickly access reports on-demand, in any available reporting template, to save time & effort on manually creating or adjusting reports.
Using the Reporting module, you can:
download individual reports for your projects in PDF, DOCX, HTML, CSV & JSON formats
download individual ZIP archives for each of your projects
download multiple individual reports in one go for each of your projects using ReportGen
download consolidated report which contains all your data for multiple projects in one single report
JSON export contains all the data in the on-demand reports. This is also used by AttackForge ReportGen tool to create custom reports using your own DOCX template, or if you need to integrate AttackForge project & vulnerability data into other systems.
The ZIP archive contains all evidence which has been uploaded to the vulnerabilities on the project. It is useful if the customer needs high-resolution screenshots, or access to evidence which is not an image format and as such not already included in the reports - for example scripts, videos, etc.
Reports can be customized by users within the application by clicking on Customize Reports from the page menu. This allows users to create content within the reports which is relevant to the reader, or purpose.
For example, if the report needs to go to an Executive - they may not have the time to read through hundreds of pages of technical analysis. You can create a report that is structured to provide only the information the Executive cares about.
Another example is when reports need to be provided to 3rd parties or auditors. Considering vulnerability reports contain sensitive data on how to exploit issues, this information may need to be redacted before it is sent to the party. You can create a report that will omit any screenshots, steps to reproduce findings, etc. which may be deemed too sensitive to share with external parties.
For more information on how to customize reports - check Getting Started.
AttackForge ReportGen helps you to create fully customized reports using your own DOCX templates. You can style and structure the reports however you need.
For Enterprise customers, you can access pre-existing report templates loaded by your Administrators.
!IMPORTANT ReportGen reports will be generated based on the meta tags included in the template. They do not work with your custom reporting options as they are already fit-for-purpose.
Administrators can:
Upload New Templates - they will be made available to all users to download custom reports
Download Base Template - this template contains all the meta tags that will map to your AttackForge project data. It should be the starting point when building any new templates.
Download Custom Template - this template is used to create custom reports. You can download it to make necessary changes, then re-upload it to make the latest version available to users.
Delete Custom Templates - using the actions menu, Administrators can delete any templates when required, for example uploading a new version for an existing template.
View available custom reporting options.
Download reports on their project using any of the available reporting options.
Non-Administrators can:
View available custom reporting options.
Download reports on their project using any of the available reporting options.
Step 1: Select the projects you wish to download an individual report
Step 2: Select the template you wish to use, and click on
Download Individual Reportsbutton
A report will be created for each selected project using the selected template.
Step 1: Select the projects you wish to combine into a single report
Step 2: Select the template you wish to use, and click on
Download Combined Reportbutton
A single report will be created which contains all the data for the selected projects.
De-duplication is performed automatically to help reduce report size.
If you are an Administrator, start by first downloading the Base Template provided. This contains all the necessary meta tags to help you style your own Individual & Combined report templates.
You can download the Base Template from the page menu. Note the template is provided in DOCX format. ReportGen only works with DOCX templates.
After you have downloaded the Base Template, open it in a Word Processor and start making changes.
You will see there is two (2) sections - one for Individual Report, and one for Combined Reports.
After you have made your changes, save your DOCX template.
Now you can upload it to AttackForge using the page menu and selecting Upload New Template.
After your template is uploaded, it will show in the table at the bottom of the screen. You can now download reports using the new template.
All templates are global so keep this in mind. Any user can download reports using any ReportGen template uploaded.
You can create and upload as many templates as you need.
To update a template, first Delete the existing template using the actions menu and selecting Delete Template. The template will be removed from the table.
Then using the page menu, selecting Upload New Template. Your new template will be uploaded and will be immediately shown in the table at bottom of screen.
‌If you are experiencing issues generating the report(s) e.g. it won't download - try checking your browser console to see what the error is. AttackForge ReportGen has verbose errors enabled to help you identify the root cause of your problem.‌
AttackForge ReportGen is built on DOCXTemplater. They also include useful information on how the meta tags work, especially when it comes to loops and nesting.
We have included details below on how the tags work, to help you with creating your custom templates:
Reminder: ReportGen only works with AttackForge JSON Reports. To view all the tags available, inspect your JSON file using an JSON Beautifier that works offline/client-side (such as https://jsonformatter.org)
General Syntax rules: {<tag>} - displays value of the tag {#<tag>} - opens a for-loop for a tag. Used if accessing nested data e.g. a list or array {.} - display values of string array e.g. ['hello', 'sir', 'how', 'are', 'you?'] will translate to: hello sir how are you? {/<tag>} - closes a for-loop for a tag. {^<tag>}{/<tag>} - where tag is not defined, display following e.g. {^<tag>} Tag Not Defined / Value Not Found {/<tag>} {%<tag>} - display image
IMPORTANT: To render an Individual Report - you must have the following tags in your template, with all the template data between these tags:
{#individualReport} ... {/individualReport}
IMPORTANT: If you would like to use tags in the HEADER or FOOTER - you must include the tags above BEFORE and AFTER e.g. {#individualReport}{someTagInHeader}{/individualReport}
IMPORTANT: To render a Combined Report - you must have the following tags in your template, with all the template data between these tags:
{#combinedReport} ... {/combinedReport}
IMPORTANT: If you would like to use tags in the HEADER or FOOTER - you must include the tags above BEFORE and AFTER e.g. {#combinedReport}{someTagInHeader}{/combinedReport}
{#customTags} - you can define & use custom tags/fields in ReportGen. For more details check out Creating Custom Fields within Individual Reports​
{projectName} - name of the project
{projectCode} - project code
{timestamp} - timestamp for when JSON report was downloaded
{totalUniqueVulnerabilities} - total unique vulnerabilities on the project
{totalCriticalVulnerabilities} - total unique critical vulnerabilities on the project
{totalHighVulnerabilities} - total unique high vulnerabilities on the project
{totalMediumVulnerabilities} - total unique medium vulnerabilities on the project
{totalLowVulnerabilities} - total unique low vulnerabilities on the project
{totalInfoVulnerabilities} - total unique informational vulnerabilities on the project
{totalZeroDayVulnerabilities} - total unique zero-day vulnerabilities on the project
{totalEasilyExploitableVulnerabilities} - total unique easily exploitable vulnerabilities on the project
{totalTestcases} - total test cases assigned to the project
{totalCompleted} - total completed test cases on the project
{totalInProgress} - total in-progress test cases on the project
{totalNotTested} - total not-tested test cases on the project
{totalNotApplicable} - total not applicable test cases on the project
{execSummaryNotes} - executive summary notes on the project
{startDate} - test window start date for the project
{progress} - percentage of test cases actioned on the project
{endDate} - test window start date for the project
{totalVulns} - total vulnerabilities across all assets on the project
{totalCriticalVulnsAllAssets} - total critical vulnerabilities across all assets on the project
{totalHighVulnsAllAssets} - total high vulnerabilities across all assets on the project
{totalMediumVulnsAllAssets} - total medium vulnerabilities across all assets on the project
{totalLowVulnsAllAssets} - total low vulnerabilities across all assets on the project
{totalInfoVulnsAllAssets} - total informational vulnerabilities across all assets on the project
{totalFixedVulns} - total fixed/closed vulnerabilities across all assets on the project
{totalRetestingVulns} - total vulnerabilities flagged as retesting across all assets on the project
{totalNotFixedVulns} - total not fixed/open vulnerabilities across all assets on the project
{#assets} - list of all assets on the project
{.} - name of each asset
{#projectTeam} - list of all project team members
{.} - name of each project team member
{#retestingHistory} - list of all rounds of retesting requested & completed on the project
{retesting_round_status} - whether the retest round was Requested or Completed
{retesting_round_actioned_by} - name of person who requested or completed the round of retesting
{created} - date when round of retest was requested or completed
{#vulnerabilities} - list of all vulnerabilities requested / completed on the round of retesting
{vulnerability} - contains name of the vulnerability
{#projectNotes} - list of all exportable project notes
{modified} - contains date when note was last created or last updated
{note} - contains note
{#criticalVulns} - list of all critical vulnerabilities & statistics for affected assets. You can also use {#highVulns}; {#mediumVulns}; {#lowVulns}; and {#infoVulns} to access details for vulnerabilities in each of the priority categories.
{retest_status} - contains status whether vulnerability is Fixed or Not Fixed. A vulnerability is only considered Fixed if ALL affected assets are also fixed/closed.
{title} - title of the vulnerability
{total_affected_assets} - total number of affected assets
{total_affected_assets_fixed} - total number of affected assets which are fixed / closed
{total_affected_assets_retesting} - total number of affected assets which are flagged for retesting
{total_affected_assets_not_fixed} - total number of affected assets which not fixed / open
{#attackchains} - list of all attack chains on the project
{title} - attack objective
{#links} - contains details for all links in the chain
{%icon} - icon displayed for the link in the chain
{type} - type of link e.g. Action, Vulnerability, Flag etc.
{description} - details for the link in the chain
{discovered} - details for when the vulnerability was discovered and by whom
{#vulnerabilities} - list of all the vulnerabilities on the project. You can also use {#criticalVulnerabilities}; {#highVulnerabilities}; {#mediumVulnerabilities}; {#lowVulnerabilities}; and {#infoVulnerabilities} to access details for vulnerabilities in each of the priority categories.
{title} - title of the vulnerability
{priority} - priority of the vulnerability e.g. Critical, High, Medium, Low, Info
{remediation_status} - either Open or Closed. Only Closed if all affected assets are also Closed.
{description} - description of the vulnerability
{attack_scenario} - attack scenario for the vulnerability
{remediation_recommendation} - remediation recommendation for the vulnerability
{cvssv3_vector} - includes the CVSS v3.1 vector string e.g. /AV/...
{cvssv3_base_score} - includes the CVSS v3.1 base score e.g. 10.0
{cvssv3_temporal_score} - includes the CVSS v3.1 temporal score e.g. 10.0
{cvssv3_environmental_score} - includes the CVSS v3.1 environmental score e.g. 10.0
{testcases} - list of all the test cases linked to the vulnerability
{#tags} - list of all tags
{.} - tag
{#affected_assets} - list of all affected assets for this vulnerability
{#customTags} - you can define & use custom tags/fields in ReportGen. For more details check out Creating Custom Fields within Individual Reports​
{asset} - asset name
{remediation_status} - includes the remediation status of the vulnerability for the affected asset e.g. Open or Closed on <DATE>
{#remediation_notes} - list of all remediation notes for this affected asset
{created} - date stamp when remediation note was created
{note} - remediation note details
{#notes} - list of all notes for this affected asset
{note} - note details
{%inlineScreenshot} - display inline images where they are included in the note
{#proof_of_concept} - details for proof of concept / steps to reproduce
{text} - proof of concept / steps to reproduce
{%inlineScreenshot} - display inline images where they are included in the note
{#proof_of_concept_raw} - details for proof of concept / steps to reproduce in RAW HTML format (verbatim).
{#assets_equally_affected_title} - in order to cut-down report size, de-duplication is performed for each asset where #notes and #proof_of_concept are the same. This tag is used to display the heading for this section e.g. LIST OF ASSETS EQUALLY AFFECTED
{#assets_equally_affected} - in order to cut-down report size, de-duplication is performed for each asset where #notes and #proof_of_concept are the same. This tag is used to display the names of all the assets which have the same POC & Notes as the vulnerability above.
{.} - asset name
{#evidence} - list of all evidence files uploaded to the vulnerabilities for each affected asset. De-duplication is performed to remove images which have already been displayed in the in-line screenshots
{%fileBase64} - display image (if evidence type is of image format)
{fileName} - name of the file uploaded
{#completedTestcases} - list of all completed test cases on the project. You can also access {#inProgressTestcases}; {#notTestedTestcases}; {#notApplicableTestcases}; {#passedTestcases}; {#failedTestcases}; {#remediatedTestcases} and {#abuseCases} to get details on test cases and their linked vulnerabilities.
{is_failed} - default is No. If at least one vulnerability is linked to the test case, value will be Yes.
{is_remediated} - default is Not Applicable. If at least one vulnerability is linked to the test case and is Open, value will be No. If all vulnerabilities linked to the test case are Closed, value will be Yes.
{remediation_status} - default is Passed. If at least one vulnerability is linked to the test case and is Open, value will be Failed. If all vulnerabilities linked to the test case are Closed, value will be Remediated.
{tags} - list of all tags presented as a string
{title} - test case details
{modified} - date stamp when test case was created or last modified
{modifiedBy} - user that created or last last modified the test case
{testcase_code} - code assigned to the test case.
{testsuite_name} - name of the associated test suite.
{testsuite_code} - code of the associated test suite.
{#notes} - list of all notes assigned to the test case
{modified} - date stamp when notes was created or last modified
{modifiedBy} - user that created or last modified the note
{note} - note details
{#evidence} - list of all evidence uploaded to the test case
{fileName} - name of the file for the evidence uploaded
{%fileBase64} - display image (if evidence type is of image format)
{#linked_vulnerabilities}
{title} - title of the vulnerability
{priority} - priority of the vulnerability e.g. Critical, High, Medium, Low, Info
{remediation_status} - either Open or Closed. Only Closed if all affected assets are also Closed.
{description} - description of the vulnerability
{attack_scenario} - attack scenario for the vulnerability
{remediation_recommendation} - remediation recommendation for the vulnerability
{cvssv3_vector} - includes the CVSS v3.1 vector string e.g. /AV/...
{cvssv3_base_score} - includes the CVSS v3.1 base score e.g. 10.0
{cvssv3_temporal_score} - includes the CVSS v3.1 temporal score e.g. 10.0
{cvssv3_environmental_score} - includes the CVSS v3.1 environmental score e.g. 10.0
{testcases} - list of all the linked test cases to the vulnerability
{#tags} - list of all tags
{.} - tag
{#affected_assets} - list of all affected assets for this vulnerability
{#customTags} - you can define & use custom tags/fields in ReportGen. For more details check out Creating Custom Fields within Individual Reports​
{asset} - asset name
{remediation_status} - includes the remediation status of the vulnerability for the affected asset e.g. Open or Closed on <DATE>
{#remediation_notes} - list of all remediation notes for this affected asset
{created} - date stamp when remediation note was created
{note} - remediation note details
{#notes} - list of all notes for this affected asset
{note} - note details
{%inlineScreenshot} - display inline images where they are included in the note
{#proof_of_concept} - details for proof of concept / steps to reproduce
{text} - proof of concept / steps to reproduce
{%inlineScreenshot} - display inline images where they are included in the note
{#proof_of_concept_raw} - details for proof of concept / steps to reproduce in RAW HTML format (verbatim).
{#assets_equally_affected_title} - in order to cut-down report size, de-duplication is performed for each asset where #notes and #proof_of_concept are the same. This tag is used to display the heading for this section e.g. LIST OF ASSETS EQUALLY AFFECTED
{#assets_equally_affected} - in order to cut-down report size, de-duplication is performed for each asset where #notes and #proof_of_concept are the same. This tag is used to display the names of all the assets which have the same POC & Notes as the vulnerability above.
{.} - asset name
{#evidence} - list of all evidence files uploaded to the vulnerabilities for each affected asset. De-duplication is performed to remove images which have already been displayed in the in-line screenshots
{%fileBase64} - display image (if evidence type is of image format)
{fileName} - name of the file uploaded
{#vulnerabilityAssetMapping} - list of all vulnerabilities mapped to their affected assets
{priority} - priority of the vulnerability e.g. Critical, High, Medium, Low, Info
{vulnerability} - vulnerability title
{#assets} - list of all affected assets
{status} - remediation status e.g. Fixed / Not Fixed
{asset} - asset name
{#assetVulnerabilityMapping} - list of all assets on the project mapped to their vulnerabilities
{asset} - asset name
{#vulnerabilities} - list of all vulnerabilities the asset is affected by
{vulnerability} - vulnerability title
{priority} - priority of the vulnerability e.g. Critical, High, Medium, Low, Info
{status} - remediation status e.g. Fixed / Not Fixed
You can define & create custom project-level fields which can be referenced in your template.
Open Project Notes section on your project:
2. Create a note which uses the following syntax. Ensure to set Include Note in Report? to YES.
{ReportGen} customField1=value; customField2=value; customField3=["value", "value"]; {/ReportGen}
3. Update your ReportGen DOCX template file to reference the custom tags. You can access the tags using following syntax from the root/project level in the report:
{#customTags}{#customField1}{customField1}{/customField1}{/customTags}
where {customField1} represents the value of this field.
4. Generate report and observe the custom tags are now referenced in your template.
Asset-Level Custom Fields
You can define & create custom asset-level fields which can be referenced in your template within Affected Assets {#affected_assets}.
Open an existing vulnerability and create a new note which uses the following syntax.
{ReportGen} customField1=value; customField2=value; customField3=["value", "value"]; {/ReportGen}
2. Update your ReportGen DOCX template file to reference the custom tags. You can access the tags using following syntax from the {#vulnerabilities} {#affected_assets} level in the report:
{#customTags}{#customField1}{customField1}{/customField1}{/customTags}
where {customField1} represents the value of this field.
3. Generate report and observe the custom tags are now referenced in your template.
{#projectName} - list of all projects combined in the report
{.} - name of the project
{#projectCode} - list of all project codes for all projects combined in the report
{.} - project code
{timestamp} - timestamp for when this report was created
{totalUniqueVulnerabilities} - total unique vulnerabilities across all projects
{totalCriticalVulnerabilities} - total unique critical vulnerabilities across all projects
{totalHighVulnerabilities} - total unique high vulnerabilities across all projects
{totalMediumVulnerabilities} - total unique medium vulnerabilities across all projects
{totalLowVulnerabilities} - total unique low vulnerabilities across all projects
{totalInfoVulnerabilities} - total unique informational vulnerabilities across all projects
{totalZeroDayVulnerabilities} - total unique zero-day vulnerabilities across all projects
{totalEasilyExploitableVulnerabilities} - total unique easily exploitable vulnerabilities across all projects
{#execSummaryNotes} - list of all executive summary's across all projects
{project} - name of the project
{notes} - executive summary notes on the project
{#testWindow} - list of all test windows and progress across all projects
{project} - name of the project
{startDate} - test window start date for the project
{progress} - percentage of test cases actioned on the project
{endDate} - test window start date for the project
{totalVulns} - total vulnerabilities across all assets across all projects
{totalCriticalVulnsAllAssets} - total critical vulnerabilities across all assets across all projects
{totalHighVulnsAllAssets} - total high vulnerabilities across all assets across all projects
{totalMediumVulnsAllAssets} - total medium vulnerabilities across all assets across all projects
{totalLowVulnsAllAssets} - total low vulnerabilities across all assets across all projects
{totalInfoVulnsAllAssets} - total informational vulnerabilities across all assets across all projects
{#assets} - list of all assets on the project
{name} - name of each asset
{project} - name of the project
{#projectTeam} - list of all project team members
{name} - name of each project team member
{project} - name of the project
{#retestingHistory} - list of all rounds of retesting requested & completed on the project
{retesting_round_status} - whether the retest round was Requested or Completed
{retesting_round_actioned_by} - name of person who requested or completed the round of retesting
{created} - date when round of retest was requested or completed
{project} - name of the project
{#vulnerabilities} - list of all vulnerabilities requested / completed on the round of retesting
{vulnerability} - contains name of the vulnerability
{#projectNotes} - list of all exportable project notes
{project} - name of the project
{modified} - contains date when note was last created or last updated
{note} - contains note
{#criticalVulns} - list of all critical vulnerabilities & statistics for affected assets across all projects
{retest_status} - contains status whether vulnerability is Fixed or Not Fixed. A vulnerability is only considered Fixed if ALL affected assets are also fixed/closed.
{title} - title of the vulnerability
{total_affected_assets} - total number of affected assets
{#highVulns} - list of all high vulnerabilities & statistics for affected assets across all projects
{retest_status} - contains status whether vulnerability is Fixed or Not Fixed. A vulnerability is only considered Fixed if ALL affected assets are also fixed/closed.
{title} - title of the vulnerability
{total_affected_assets} - total number of affected assets
{#mediumVulns} - list of all medium vulnerabilities & statistics for affected assets across all projects
{retest_status} - contains status whether vulnerability is Fixed or Not Fixed. A vulnerability is only considered Fixed if ALL affected assets are also fixed/closed.
{title} - title of the vulnerability
{total_affected_assets} - total number of affected assets
{#lowVulns} - list of all low vulnerabilities & statistics for affected assets across all projects
{retest_status} - contains status whether vulnerability is Fixed or Not Fixed. A vulnerability is only considered Fixed if ALL affected assets are also fixed/closed.
{title} - title of the vulnerability
{total_affected_assets} - total number of affected assets
{#infoVulns} - list of all critical vulnerabilities & statistics for affected assets across all projects
{retest_status} - contains status whether vulnerability is Fixed or Not Fixed. A vulnerability is only considered Fixed if ALL affected assets are also fixed/closed.
{title} - title of the vulnerability
{total_affected_assets} - total number of affected assets
{#attackchains} - list of all attack chains across all projects
{title} - attack objective
{#links} - contains details for all links in the chain
{%icon} - icon displayed for the link in the chain
{type} - type of link e.g. Action, Vulnerability, Flag etc.
{description} - details for the link in the chain
{discovered} - details for when the vulnerability was discovered and by whom
{#vulnerabilities} - list of all the vulnerabilities across all projects
{title} - title of the vulnerability
{priority} - priority of the vulnerability e.g. Critical, High, Medium, Low, Info
{remediation_status} - either Open or Closed. Only Closed if all affected assets are also Closed.
{description} - description of the vulnerability
{attack_scenario} - attack scenario for the vulnerability
{remediation_recommendation} - remediation recommendation for the vulnerability
{cvssv3_vector} - includes the CVSS v3.1 vector string e.g. /AV/...
{cvssv3_base_score} - includes the CVSS v3.1 base score e.g. 10.0 {cvssv3_temporal_score} - includes the CVSS v3.1 temporal score e.g. 10.0
{cvssv3_environmental_score} - includes the CVSS v3.1 environmental score e.g. 10.0
{#tags} - list of all tags
{.} - tag
{#affected_assets} - list of all affected assets for this vulnerability
{asset} - asset name
{remediation_status} - includes the remediation status of the vulnerability for the affected asset e.g. Open or Closed on <DATE>
{#remediation_notes} - list of all remediation notes for this affected asset
{created} - date stamp when remediation note was created
{note} - remediation note details
{#notes} - list of all notes for this affected asset
{note} - note details
{%inlineScreenshot} - display inline images where they are included in the note
{#proof_of_concept} - details for proof of concept / steps to reproduce
{text} - proof of concept / steps to reproduce
{%inlineScreenshot} - display inline images where they are included in the note
{#proof_of_concept_raw} - details for proof of concept / steps to reproduce in RAW HTML format (verbatim).
{#assets_equally_affected_title} - in order to cut-down report size, de-duplication is performed for each asset where #notes and #proof_of_concept are the same. This tag is used to display the heading for this section e.g. LIST OF ASSETS EQUALLY AFFECTED
{#assets_equally_affected} - in order to cut-down report size, de-duplication is performed for each asset where #notes and #proof_of_concept are the same. This tag is used to display the names of all the assets which have the same POC & Notes as the vulnerability above.
{.} - asset name
{#evidence} - list of all evidence files uploaded to the vulnerabilities for each affected asset. De-duplication is performed to remove images which have already been displayed in the in-line screenshots
{%fileBase64} - display image (if evidence type is of image format)
{fileName} - name of the file uploaded
{#vulnerabilityAssetMapping} - list of all vulnerabilities mapped to their affected assets
{priority} - priority of the vulnerability e.g. Critical, High, Medium, Low, Info
{vulnerability} - vulnerability title
{#assets} - list of all affected assets
{status} - remediation status e.g. Fixed / Not Fixed
{asset} - asset name
{#assetVulnerabilityMapping} - list of all assets across all projects mapped to their vulnerabilities
{asset} - asset name
{#vulnerabilities} - list of all vulnerabilities the asset is affected by
{vulnerability} - vulnerability title
{priority} - priority of the vulnerability e.g. Critical, High, Medium, Low, Info
{status} - remediation status e.g. Fixed / Not Fixed