AttackForge

Reporting

Overview

AttackForge provides high-quality automated reports, on-demand when you or your customers need them.
Any team member on your project can download reports in PDF, DOCX, HTML and CSV formats. These reports are dynamic and always reflect the most current data on your project.
There is also a JSON export which contains all the data in the on-demand reports. It is used by the AttackForge ReportGen tool to create custom reports from your own DOCX template, and it is the format to use if you need to integrate AttackForge project and vulnerability data into other systems.
The ZIP archive contains all evidence that has been uploaded to the vulnerabilities on the project. It is useful if the customer needs high-resolution screenshots, or access to evidence that is not in an image format and so is not already embedded in the reports (for example scripts or videos).
You can download any of the on-demand reports, JSON export, ZIP archive, or access the ReportGen tool - directly from your project dashboard.
The PDF, DOCX & HTML reports contain the following information:
  • Cover Page - including project name & timestamp
  • Table of Contents (PDF & HTML only) - dynamic table of contents for ease of navigation
  • Executive Summary - includes summary information for unique vulnerabilities, test cases and executive notes
  • Testing Summary - includes summary information for scope, test window, progress, all vulnerabilities & statuses, project team, & any remediation testing rounds.
  • Vulnerabilities - includes a list of all vulnerabilities ranked from Critical to Information, and includes number of affected assets with breakdown by fixed, flagged for retesting or not fixed.
  • Attack Chains - includes all attack chains discovered on the project, to provide the reader with more context around certain types of vulnerabilities and also any objectives/flags captured.
  • Details for Every Vulnerability - includes name, priority, description, attack scenario, remediation recommendation, tags, and for every affected asset: the name of the asset; status, e.g. when the issue was closed/fixed; remediation notes; asset notes (with in-line screenshots); steps to reproduce (POC) (with in-line screenshots); and evidence.
  • Appendix Overview Explained - this section details all the various sections within the report & what it all means
  • Appendix Severity Definitions - this section details what the various priorities mean e.g. Critical, High, Medium, Low, Informational
  • Appendix Testcases - this section lists all the Completed test cases, In-progress test cases, Not Applicable test cases, and Not Tested test cases. Each test case will include any notes or evidence that has been assigned to the test case.
  • Appendix Vulnerability-to-Asset Mapping - this section contains a list of all vulnerabilities discovered, mapped against the assets which are affected by the vulnerability.
  • Appendix Asset-to-Vulnerability Mapping - this section contains a list of all assets/scope, mapped against the vulnerabilities which were identified against the asset.

Customise Reports In-App

Reports can be customized by users within the application. This allows users to tailor the content of a report to its reader or purpose.
For example, if the report needs to go to an Executive - they may not have the time to read through hundreds of pages of technical analysis. You can create a report that is structured to provide only the information the Executive cares about.
Another example is when reports need to be provided to 3rd parties or auditors. Considering vulnerability reports contain sensitive data on how to exploit issues, this information may need to be redacted before it is sent to the party. You can create a report that will omit any screenshots, steps to reproduce findings, etc. which may be deemed too sensitive to share with external parties.
To customize your reports, click on Customize Vulnerability Reports from your project menu.
You will see a list of reporting options which allows you to toggle independent sections within the report.
You can click on any of the pre-set options including Executive Report, Risk Manager Report, Auditor/3rd Party Report or Developer Report - to select reporting options which are most relevant to the reader.
You can also create your own custom reporting options based on your preferences by manually toggling each section.
Once you have selected the sections you would like included in the report, click the Update button to save your settings to your profile. Any report that you download going forward will apply your report preferences, until you next update the report settings.
You can also upload a new logo which is displayed on the cover page of the report using the Upload Logo button.

Update Executive Summary

The PDF, DOCX & HTML reports (and the JSON export) contain an Executive Summary section. This is where you can include:
  • Objectives of the assessment
  • Overall observations or notable findings determined during the assessment
  • Positive security controls identified
  • Assumptions
  • Limitations
If you need to update the Executive Summary, you can do this by clicking on the Executive Summary Notes option from your project.
Note that you must have Edit permissions on the project in order to update the executive note section.
You can use any of the following meta tags to map to your project data:
  • {projectName} - project name
  • {projectCode} - project code
  • {projectStart} - project start date
  • {projectEnd} - project end date
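The two ideas above, expanding the Executive Summary meta tags from project data and producing a redacted version of the findings for an auditor or 3rd party (see Customise Reports In-App), can both be done offline against the JSON export. The script below is an added example, not AttackForge code, and the JSON field names it uses (projectName, executiveSummary, vulnerabilities, affectedAssets, stepsToReproduce, evidence, notes) are an assumed shape for illustration only; map them onto the keys of the export you actually download.

```python
import json
import re
from copy import deepcopy

# Constructed sample in the shape of a project export. The field names are an
# assumption made for this example, NOT the real AttackForge JSON export schema.
SAMPLE_EXPORT = json.dumps({
    "projectName": "Example Web App Assessment",
    "projectCode": "EX-0001",
    "projectStart": "2024-01-08",
    "projectEnd": "2024-01-19",
    "executiveSummary": (
        "Assessment of {projectName} ({projectCode}) ran from {projectStart} "
        "to {projectEnd}. Unknown tag {notATag} is left as-is."
    ),
    "vulnerabilities": [
        {
            "title": "SQL injection in login form",
            "priority": "Critical",
            "description": "[constructed description]",
            "remediation": "Use parameterised queries.",
            "affectedAssets": [
                {
                    "asset": "app.example.test",
                    "status": "Open",
                    "stepsToReproduce": "[constructed PoC steps]",
                    "evidence": ["poc.png", "exploit.py"],
                    "notes": "[asset notes with in-line screenshot]",
                }
            ],
        }
    ],
})

# The four meta tags the Executive Summary supports (from the page above).
META_TAGS = ("projectName", "projectCode", "projectStart", "projectEnd")

# Per-asset fields that describe how to exploit the issue and therefore should
# not leave the organisation in a 3rd-party/auditor report.
SENSITIVE_ASSET_FIELDS = ("stepsToReproduce", "evidence", "notes")


def load_sample() -> dict:
    """Parse the constructed export so callers get a fresh dict each time."""
    return json.loads(SAMPLE_EXPORT)


def render_executive_summary(export: dict) -> str:
    """Replace {projectName}/{projectCode}/{projectStart}/{projectEnd} with the
    project's values. Any other {tag} is left untouched rather than raising,
    so a typo in the notes cannot break report generation."""
    def substitute(match: re.Match) -> str:
        tag = match.group(1)
        if tag in META_TAGS and tag in export:
            return str(export[tag])
        return match.group(0)
    return re.sub(r"\{(\w+)\}", substitute, export.get("executiveSummary", ""))


def redact_for_third_party(export: dict) -> dict:
    """Return a copy suitable for an auditor or 3rd party: keeps finding titles,
    priorities and remediation advice; drops reproduction steps, evidence file
    references and asset notes (which may embed screenshots)."""
    out = deepcopy(export)
    for vuln in out.get("vulnerabilities", []):
        for asset in vuln.get("affectedAssets", []):
            for field in SENSITIVE_ASSET_FIELDS:
                asset.pop(field, None)
    return out


def leaked_fields(export: dict) -> list:
    """Pre-release check: every (vulnerability, asset, field) still carrying
    sensitive content. An empty list means the export is safe to hand over."""
    found = []
    for vuln in export.get("vulnerabilities", []):
        for asset in vuln.get("affectedAssets", []):
            for field in SENSITIVE_ASSET_FIELDS:
                if field in asset:
                    found.append((vuln["title"], asset["asset"], field))
    return found


if __name__ == "__main__":
    export = load_sample()
    print(render_executive_summary(export))
    redacted = redact_for_third_party(export)
    print(json.dumps(redacted, indent=2))
    print("remaining sensitive fields:", leaked_fields(redacted))
```

Running the check on the redacted copy rather than trusting the redaction step is the useful habit here: if a new field (say, an attack chain narrative) is added to the export later, extend SENSITIVE_ASSET_FIELDS and the check will flag any copy produced with the old list.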

Customize Reports with AttackForge ReportGen

AttackForge ReportGen is a client-side tool to help you create fully custom reports based on your own DOCX report templates.
It works by using the AttackForge Project JSON Export to map data to meta fields in the DOCX template. This means you can use AttackForge to create a variety of reports, for any purpose you desire, using a single JSON export file.
AttackForge ReportGen runs locally in your browser. You do not need to install anything. It is self-contained and therefore requires no external dependencies (it can operate in an offline environment), and it is supported by most major browsers including Chrome, Firefox, Safari, Edge, Internet Explorer and others.
For more information on ReportGen including how to build templates & customize reports - check ReportGen.