Release Notes
[ENTERPRISE / ENT]
Updates applied to AttackForge Enterprise
[CORE]
Updates applied to AttackForge Core
[COM]
Updates applied to AttackForge.com
[ALL]
Updates applied to all AttackForge products
Portfolios help you to track & monitor the progress of your penetration testing programs.
Want to know how your internal systems compare to your external systems? Or wanting to track security posture for your applications or compliance requirements? Portfolios makes this easy!
Portfolios represent high-level grouping for segments within your pentesting program(s).
Every portfolio is made up of Work Streams (Streams) – a collection of pentests which focus on specific areas within your portfolio.
Portfolios and Streams can help you track Business-as-Usual (BAU) pentesting and better understand where to focus your time and resources more effectively.
Projects can be assigned to many streams and portfolios. This ensures you are tracking the right vulnerabilities, across your enterprise. See examples below:
Portfolios can help you to answer the following questions. Check out our blog on Portfolios to read how.
What is the exposure of our Internet facing applications? How many critical vulnerabilities are currently open on these platforms?
How can we be sure that each business division has pentested everything they need to have tested?
How are platforms fixing vulnerabilities? Is it done within the required timeframes agreed in our internal policies or set by external regulators?
How do our applications compare between 1st quarter and 2nd quarter? Are we getting any better?
How are different business divisions and platforms comparing against each other? Where are you going to focus resources for next period?
Which external suppliers are lagging?
Every Portfolio and Stream has a unique dashboard which includes details on vulnerabilities, projects & assets - helping you make more informed business decisions when it comes to tracking and remediation.
Using Portfolios, you can reduce the amount of time you spend reporting to your boards, executives, committees, and auditors!
Portfolios is currently only available to Administrators on AttackForge Enterprise.
With this release, we are launching an entirely new Self-Service API – Events API.
Events API provides you with real-time notifications on important events, such as new vulnerabilities discovered or testing progress updates.
Events API helps you to easily automate workflows. It’s perfect for customisations and integrations into your enterprise ecosystem.
For example, you want vulnerabilities to be raised in both ServiceNow & JIRA immediately when they are discovered, and emails to be sent to relevant teams so they can action it. This is now possible using the Events API!
Events API complements our existing RESTful API. You can combine both APIs to have seamless two-way integrations and workflows between AttackForge and your tools.
Events API allows you to:
Receive real-time notifications on new vulnerabilities – automatically export them into your vulnerability management and/or ticketing systems.
Update your applications with live testing & vulnerability feeds.
Notified immediately when vulnerabilities are ready for retesting, closed or re-opened.
Know exactly when changes are happening on your projects, for example when testing starts and stops.
Receive audit logs for users in real-time.
Every event contains the same level of details information you can find in our Self-Service RESTful API.
Getting started with the Events API is a breeze and takes only minutes to set up.
We have done the hard work for you – you can access our production-ready example clients within AttackForge or directly from our GitHub repository.
Our example clients are available in NodeJS, Python, Java, .NET and Go – providing flexibility for your engineering teams.
Getting started with any client is as simple as 1,2,3!
Download the client from our GitHub repository
Install the dependencies (single command)
Run the client & start receiving events
If you’re interested in seeing a live demo of the Events API in action – reach out to us to schedule it in!
In this release, we have launched a new workflow to help make QA easy for your vulnerabilities. Introducing Review Notes!
Your pentest team can now create & reply to Review Notes for each of your vulnerabilities, as they perform QA.
Email notifications are enabled to ensure that people are made aware when they need to action changes for a vulnerability.
To perform efficient reviews & QA, you can select multiple vulnerabilities that you wish to review, and then add review notes to each vulnerability one-by-one. Best of all - you can do all of this from just one screen!
Once you have finished reviewing all vulnerabilities, you will see the Next option is no longer available - meaning you have reached the end of the review.
AttackForge ReportGen is by far the easiest to use reporting tool available right now – and it’s made even easier with its “no code” design, allowing your teams to create new reporting templates quickly and with minimal knowledge/effort required.
In this release, we have launched a library of ReportGen templates that you can use to create powerful custom reports out-of-the-box.
Every template comes with an example end-result so you can see the finished product.
The templates included in this release are:
Asset Report
Auditor / 3rd Party Report
Critical & High Vulnerabilities Report
Executive Report
Internal & External Findings Report
Pentest Report
Retest Report
Technical Report
Testing Progress Report
Web App & Infrastructure Report
Templates are provided in DOCX format. You can adjust each template to your desire/requirements, then upload back into AttackForge when ready to use on you projects.
You can also access sample project data files (JSON) to test your own templates with.
You can now bulk select many or all assets to delete on a project.
AttackForge will prevent deleting any assets with exiting vulnerabilities.
Every time you export or sync a vulnerability with JIRA, the evidence/screenshots/files are now also exported/synced to JIRA.
This makes it easier for your engineering teams to access screenshots to help them reproduce & fix vulnerabilities fast!
The Executive Summary now supports ability to upload files.
This reduces the manual effort required to insert screenshots into your reports for the executive summary.
You can now add captions to each of your images in the report.
Captions will be automatically applied in ReportGen and displayed under the images.
You can now create custom names for each round of resting.
Administrators can now see all vulnerabilities for a given asset in the Assets module.
This makes is fast & easy to identify all known vulnerabilities for an asset.
You can now assign multiple test suites to users during project creation.
This eliminates the manual effort of assigning users to multiple test suites.
This release is jam-packed with updates to the user experience, to make AttackForge experience even better for you and your customers.
Projects will now display a status of Overrun and Retest in the projects & various modules.
This helps to quickly identify projects which require immediate attention.
Overrun status applies when a project has exceeded the test window, and the test cases have not yet been completed.
Retest status applies when a project has all test cases completed, and at least one vulnerability is flagged as ready for retesting.
You can now collapse vulnerabilities into unique vulnerabilities, and toggle back to individual vulnerabilities.
This helps to determine how many types of vulnerabilities have been discovered.
You can now see the affected project when viewing vulnerabilities in the global dashboard.
To improve experience for your customers, Admins can now enable/update progress notifications on behalf of your users.
Progress notifications provide daily/weekly breakdowns of projects, vulnerabilities and testing progress – essential for your busy project managers and platform leads.
You can now see which vulnerabilities were not retested for a new retest round, in addition to the vulnerabilities which were retested.
This can help to identify vulnerabilities which need further attention.
Admins can now view and restore users. All user data is preserved on restore.
We have published an Access Control Matrix on our support site to help your teams with setting up the right levels of access for your users and projects.
We have redesigned the Reporting Module interface to make it easier to select multiple projects and to download custom reports, as well as access new template library and uploaded/available templates.
In this release, we have introduced new global tenant configuration options, to help you personalize and improve your AttackForge experience even further.
You can start using these new options via the Configuration section in the Administration module.
Vulnerabilities – Add Placeholder Steps to Reproduce/Proof of Concept for all new vulnerabilities
Vulnerabilities – Add Placeholder Notes for all new vulnerabilities
Users – Enable/Disable Local Authentication
Users – Enable/Disable SSO Authentication
This release includes updates to ReportGen – to help you create tailored, custom on-demand reports to meet your reporting requirements, and to reduce the time wasted on manually adjusting reports.
The updates in this release include:
New Filter – FilterBy
New Metatags
For more information please visit Reporting.
You can use this filter in order to extract filtered data for vulnerabilities using various conditions.
This filter is useful if you are creating custom sections in your reports, for example a section for ‘Web App Vulnerabilities’ or ‘Infrastructure Vulnerabilities’.
Currently the following conditions are supported:
filterBy:'AffectedAssetReportGenTags'
This filter can be used to retrieve a list of vulnerabilities which have affected assets that meet conditions in their ReportGen tags.
filterBy:'AffectedAssetReportGenTags-CountVulns'
This filter can be used to retrieve a count of vulnerabilities which have affected assets that meet conditions in their ReportGen tags.
We have introduced the following new tags & updates to existing tags:
{#retestingHistory} --> {retesting_custom_round_name} - custom round name (optional)
{#retestingHistory} --> {retesting_custom_status_name} - custom status name (optional)
{#retestingHistory} --> {#vulnerabilities} – Forty-seven (x47) new tags for vulnerabilities retested on the retesting round
{#retestingHistory} --> {#vulnerabilitiesNotTested} – Forty-seven (x47) new tags for vulnerabilities not retested on the retesting round
In this release we have made updates to the Self-Service RESTful API to improve the data points available to you for vulnerabilities and test cases.
GetVulnerabilities, GetVulnerabilitiesByAssetName, GetVulnerabilitiesByGroup, GetVulnerabilityById & GetProjectVulnerabilitiesById received the following new fields:
vulnerability_alternate_id
vulnerability_cvssv3_vector
vulnerability_cvssv3_base_score
vulnerability_cvssv3_temporal_score
vulnerability_cvssv3_environmental_score
vulnerability_steps_to_reproduce_HTML
vulnerability_remediation_notes
vulnerability_project_code
vulnerability_project_groups
vulnerability_evidence
vulnerability_custom_fields
vulnerability_library_custom_fields
vulnerability_project_custom_fields
GetProjectTestcasesById received the following new fields:
locked
Themes have been a popular feature for AttackForge, with now Fourteen (x14) themes supported!
In this release we have introduced five new themes: Midnight Ocean, Predator, BumbleBee, Purple Panther & Nebula
In this release we have introduced the ability for AttackForge Pro users to add more test suites to a project after the project has been created.
In this release we have introduced the ability for AttackForge Free & Pro users to invite their connected team members to their projects, at time of project creation.
In this release we have a significant number of improvements we have made to AttackForge to enhance the experience for you and your users.
These improvements are a direct result of the feedback from our customers over the recent months, and includes the following:
You can now invite your entire project team during the project creation or approval process, and assign their roles, test suites & manage their notifications – in one easy step!
You can define the following for each project team member:
Access Level
Set the access level for the user on the project. This can be either View, Upload & Edit.
Project Role
Set the users' project role on the project e.g. pentester, customer, developer, etc.
Email Notifications
Set the emails which the user will receive on the project.
Assign to Test Suite
Assign the user to a test suite. The user will be assigned to each of the test cases loaded on the project for the nominated test suite.
AttackForge now supports an alternative vulnerability code that is configurable and used to generate user-friendly unique vulnerability identifiers for all vulnerabilities on the project.
For example, if you set a vulnerability code as SEC01 - the first vulnerability created on the project will have an alternate user-friendly unique identifier of SEC01-1. The next vulnerability will be SEC02-2 and so on.
You can update the vulnerability code on a project at any time, so long as it's a unique value (has not been used on any other projects) and is between three (3) to eight (8) characters in length.
When you update a vulnerability code on a project - all of the existing IDs for any of the projects' vulnerabilities will also be updated to match.
You can now validate the project code to check whether an existing project exists using the same code.
You can also fetch the latest project code, to help with sequencing.
.png?alt=media&token=44bca14f-dd31-485e-a603-abfe7658f566)
You can now set & control which email notifications a user will receive on a project.
Project Team Notifications are intended to help keep you informed throughout the lifecycle of a project. For example, you can choose to be notified when testing has commenced or stopped daily, when new vulnerabilities are discovered, or when a project is on-hold - plus more.
To receive these notifications, you must be a member on a project team. Your administrators and project coordinators will invite you to the relevant project teams. In addition, project-level notifications must be enabled on the project. Your administrators and project coordinators will configure this for you, per project.
The Project Team Notifications include the following:
No Emails - Under normal circumstances, you will not receive any email notifications for any projects you are a team member.
All Emails - You will receive all enabled emails for all projects you are a team member.
Daily Start/Stop Testing - You will receive notifications each time a team member starts or stops testing each day, where this option is enabled on the project.
New Critical Vulnerability - You will receive notifications each time a team member discovers a new critical vulnerability, where this option is enabled on the project.
New High Vulnerability - You will receive notifications each time a team member discovers a new high vulnerability, where this option is enabled on the project.
New Medium Vulnerability - You will receive notifications each time a team member discovers a new medium vulnerability, where this option is enabled on the project.
New Low Vulnerability - You will receive notifications each time a team member discovers a new low vulnerability, where this option is enabled on the project.
New Informational Vulnerability - You will receive notifications each time a team member discovers a new informational vulnerability, where this option is enabled on the project.
Project Role Updated - You will receive notifications each time your role on a project has been updated, where this option is enabled on the project.
Project On-Hold/Off-Hold - You will receive notifications each time the project is placed on-hold or off-hold, where this option is enabled on the project.
Retest Completed - You will receive notifications each time a round of retesting has been completed, where this option is enabled on the project.
A user can choose to opt-out of project email notifications via Notifications module.
If you decide to disable certain types of emails, even when they are enabled for you on the project - you will not receive them. You ultimately control the project notifications you will receive.
However, under certain circumstances - an administrator or project coordinator may decide to force an email to be sent, for example new critical vulnerability that you should be aware of. Your administrators and project coordinators will configure any forced emails, per project.
We have also introduced new email notifications when a users’ role on a project is changed, and we also now include their role on the project invitation email.
We have introduced links in all emails which provide a friendly URL that will redirect the user to the relevant page on AttackForge, even if they are not yet logged in.
This helps to improve user experience by allowing the user to access a project, vulnerability, or event - with a single click!
This feature is also fully compatible with Single-Sign-On.
When creating a new user via Users module, the user will now receive a welcome email that can be configured via Administration module.
You can configure this email to contain a warm welcome message, or instructions on how to access the portal.
The email supports full HTML.
We have included extra column on Projects table to include project team.
This helps to easily find & search who is on which projects.
We have included a new table which helps to separate which users are on a project team, and which users have access to the project via their group memberships.
This makes it easier to know who is actively involved with the project.
We have included an additional column with the Resolution status when viewing project vulnerabilities.
This helps to quickly determine whether a vulnerability has been resolved, and also the reason it was resolved – for example had been fixed, risk accepted, etc.
.png?alt=media&token=e8d08ab6-62d1-4573-b7c3-d30b5d45dcde)
When setting a vulnerability as Ready for Retesting, you can now add a remediation note at the same time – to help pentesters understand what fixes were put in place.
We have also included the following UX improvements in this release:
Admins can now Personalize Analytics for Other Users
Performance Enhancements on downloading JSON Exports & Using ReportGen
Major Bug Fixes in Various Parts of the Application, including when Creating/Editing Vulnerabilities in Projects & Library
Upgraded Library to Handle Conversion of HTML-to-Text addressing number of Issues in Reports
Pop-Up Warning Alert Now Included When Attempting Bulk Updates
Improvements in Filtering & Comparison in Analytics
AttackForge provides a rich set of global tenant configuration options - allowing you to customize your workflows, features & user experience.
In this release, we have made these options available to you via the Administration module – allowing you to customize your tenant on-demand!
You can personalize your email templates, change workflows, introduce or remove fields, set default values, configure your security settings – and much more!
The list of supported configuration options is regularly updated and can be found on our support site: https://support.attackforge.com/attackforge-enterprise/configuration-options
You can access the following Configuration modules from the Administration module in your AttackForge tenant:
Emails
Vulnerabilities
Projects
Reporting
Modules
Integrations
Users
Security
Miscellaneous
In our previous May release, we introduced a new Notifications module to provide centralized & dashboard-style email notifications to keep your teams informed even whilst on the go.
In this release, we have extended this module to include Daily & Weekly Project Updates, as well as Daily & Weekly Admin Updates.
We have also included more information in these emails such as Projects Overrun, Projects Completed, and more detailed information for each project.
Every email notification is designed to provide important information relating to projects, vulnerabilities & user activity.
You can access Notifications via the global menu.
In this release, we have introduced new global tenant configuration options, to help you personalize and improve your AttackForge experience even further.
You can start using these new options via the Configuration section in the Administration module.
Projects – New Organization Code field for Projects
Emails – Create Custom Email Subject & Body for Invited Users
Vulnerabilities – Enable/Disable Severity Field in Vulnerability Library
Vulnerabilities – Enable/Disable Likelihood of Exploitation Field in Vulnerability Library
Vulnerabilities – Enable/Disable CVSS Scoring Fields in Vulnerability Library
Modules – Enable/Disable Project Request Workflow
This release is action-packed with updates to ReportGen – to help you create tailored, custom on-demand reports to meet your reporting requirements, and to reduce the time wasted on manually adjusting reports.
The updates in this release include:
New Filter – Store
New Filter – FindVuln
New Reporting Option - Remove Duplicate Proof-of-Concepts/Steps to Reproduce
New Reporting Option - Remove Duplicate Evidence
New Metatags
For more information please visit https://support.attackforge.com/attackforge-enterprise/modules/reporting
You can store custom data in arbitrarily defined tags using this filter.
For example we can create a new custom tag called 'AllVulns' and reference it, along with its data, later in the template.
This is useful if you are dynamically creating custom subsections/tables to reference in your report.
You can use this filter to find a vulnerability based on a Title & Priority.
This option can be set at the beginning of your template in order to remove duplicate Proof-of-Concepts/Steps to Reproduce for vulnerabilities which have multiple affected assets and each affected asset has the same POC & Notes.
This option is useful to reduce duplicate entries where the POCs/Notes are the same, significantly reducing report size and making content more useful to the reader.
This option can be set at the beginning of your template in order to remove duplicate Evidence for vulnerabilities which have already used/included the evidence within the Proof-of-Concept or Notes for any of affected assets, for example the screenshots have already appeared in-line within the Proof-of-Concept or Notes.
This option is useful to reduce duplicate evidence displaying, significantly reducing report size and making content more useful to the reader.
We have introduced the following new tags & updates to existing tags:
{#affected_asset} --> {alternate_id} - user-friendly id associated with the vulnerability, set via project settings
{#assetVulnerabilityMapping} - list of all assets on the project mapped to their vulnerabilities
{asset} - asset name
{#vulnerabilities} - list of all vulnerabilities the asset is affected by
{vulnerability} - vulnerability title
{priority} - priority of the vulnerability e.g. Critical, High, Medium, Low, Info
{status} - remediation status e.g. Fixed / Not Fixed
{#vulnerabilityDetails}
{#vulnerabilityCustomTags} - you can define & use custom tags/fields in ReportGen. For more details check out Creating Custom Fields within ReportGen Reports
{title} - title of the vulnerability
{priority} - priority of the vulnerability e.g. Critical, High, Medium, Low, Info
{remediation_status} - either Open or Closed. Only Closed if all affected assets are also Closed.
{description} - description of the vulnerability
{attack_scenario} - attack scenario for the vulnerability
{remediation_recommendation} - remediation recommendation for the vulnerability
{cvssv3_vector} - includes the CVSS v3.1 vector string e.g. /AV/...
{cvssv3_base_score} - includes the CVSS v3.1 base score e.g. 10.0
{cvssv3_temporal_score} - includes the CVSS v3.1 temporal score e.g. 10.0
{cvssv3_environmental_score} - includes the CVSS v3.1 environmental score e.g. 10.0
{testcases} - list of all the linked test cases to the vulnerability
{#tags} - list of all tags
{.} - tag
{#affected_asset} - details for the affected asset - see {#assetVulnerabilityMapping} - {asset}
{#assetCustomTags} - you can define & use custom tags/fields in ReportGen. For more details check out Creating Custom Fields within Individual Reports
{alternate_id} - user-friendly id associated with the vulnerability, set via project settings
{asset} - asset name
{remediation_status} - includes the remediation status of the vulnerability for the affected asset e.g. Open / Ready for Retest on <DATE> / Closed on <DATE>
{#remediation_notes} - list of all remediation notes for this affected asset
{created} - date stamp when remediation note was created
{note} - remediation note details
{#notes} - list of all notes for this affected asse
{note} - note details
{%inlineScreenshot} - display inline images where they are included in the note
{#proof_of_concept} - details for proof of concept / steps to reproduce
{text} - proof of concept / steps to reproduce
{%inlineScreenshot} - display inline images where they are included in the note
{#proof_of_concept_raw} - details for proof of concept / steps to reproduce in RAW HTML format (verbatim).
{#assets_equally_affected_title} - in order to cut-down report size, de-duplication is performed for each asset where #notes and #proof_of_concept are the same. This tag is used to display the heading for this section e.g. LIST OF ASSETS EQUALLY AFFECTED
{#assets_equally_affected} - in order to cut-down report size, de-duplication is performed for each asset where #notes and #proof_of_concept are the same. This tag is used to display the names of all the assets which have the same POC & Notes as the vulnerability above.
{.} - asset name
{#affected_assets} - list of all affected assets for this vulnerability
{#assetCustomTags} - you can define & use custom tags/fields in ReportGen. For more details check out Creating Custom Fields within Individual Reports
{asset} - asset name
{remediation_status} - includes the remediation status of the vulnerability for the affected asset e.g. Open / Ready for Retest on <DATE> / Closed on <DATE>
{#remediation_notes} - list of all remediation notes for this affected asset
{created} - date stamp when remediation note was created
{note} - remediation note details
{#notes} - list of all notes for this affected asset
{note} - note details
{%inlineScreenshot} - display inline images where they are included in the note
{#proof_of_concept} - details for proof of concept / steps to reproduce
{text} - proof of concept / steps to reproduce
{%inlineScreenshot} - display inline images where they are included in the note
{#proof_of_concept_raw} - details for proof of concept / steps to reproduce in RAW HTML format (verbatim).
{#assets_equally_affected_title} - in order to cut-down report size, de-duplication is performed for each asset where #notes and #proof_of_concept are the same. This tag is used to display the heading for this section e.g. LIST OF ASSETS EQUALLY AFFECTED
{#assets_equally_affected} - in order to cut-down report size, de-duplication is performed for each asset where #notes and #proof_of_concept are the same. This tag is used to display the names of all the assets which have the same POC & Notes as the vulnerability above.
{.} - asset name
{#evidence} - list of all evidence files uploaded to the vulnerabilities for each affected asset. De-duplication is performed to remove images which have already been displayed in the in-line screenshots
{%fileBase64} - display image (if evidence type is of image format)
{fileName} - name of the file uploaded
You can now easily perform trend analysis by comparing key data such as projects, vulnerabilities, SLAs, etc. across periods of time & groups.
This can help you to discover if you are getting better or worse. You can compare business units or customers over time.
You can easily compare last year/month/quarter against this year/month/quarter using pre-defined filters.
Or you can select a custom date range for the time periods you want to compare.
You can also include Groups to track & compare how a business unit, supplier or team are performing over a given time period.
To compare Analytics, click on Compare button in the top-right of your Analytics dashboard.
You can now access global dashboard email notifications to keep you & your teams informed, even whilst on the go.
Every email notification is designed to provide a dashboard summary of key information – for example projects, vulnerabilities, SLAs, group activity, user activity etc.
The first notification we have included in this release is the Daily Admin Update.
This email dashboard is intended to provide an overview of activities happening in AttackForge over the past 24 hours, and also to provide key information to help plan & prepare for the upcoming week.
The Daily Admin Update Email includes the following:
Total number of Vulnerabilities discovered in past 24 hours, including Critical, High, Medium, Low & Info
Total number of Vulnerabilities Closed in past 24 hours
Total number of Vulnerabilities Ready for Retest in past 24 hours
Total number of Projects Requested in past 24 hours, including project name & desired test window
Total number of Projects In-Progress, including name, test window & total number of vulnerabilities
Total number of Projects Waiting to Start in next 7-days, including project name & test window
Total number of New Users in past 24 hours, including first & last names
Daily Admin Update Email supports following options:
Enable/Disable - depending on whether you would like to use the feature or not. Default is Disabled.
Selection of users to send the email to - you can individually add users to receive the email.
Time each day the email will be sent - this is based on the geographical region assigned to your tenant. The emails will be sent at any given point during the selected hour.
You can access Notifications via the global menu. It is currently restricted to admin users only.
Administrators can link Identity Provider (IDP) or Active Directory (AD) groups to AttackForge Groups.
This feature is available for Single-Sign-On (SSO) enabled tenants to help automate provisioning and removal of users to AttackForge Groups and their related projects, based on the users' IDP/AD groups.
This feature can help to ensure that users accessing AttackForge receive sufficient access to projects based on the Enterprises' own access control groups; and remove access to projects which they should not have access.
This option is Disabled by default. It is only enabled, on a AttackForge Group-by-Group basis, when an IDP/AD group is linked to the AttackForge Group.
For more information on how this feature works, please visit https://support.attackforge.com/attackforge-enterprise/modules/groups#linking-identity-provider-active-directory-groups
You can now access revision history for every change made to a vulnerability on a project or in the library.
This feature can help with tracking changes, for quality assurance or auditing.
The revision history includes:
Field that was changed
Datestamp when the change happened
The user who performed the change
The data before the change
The data after the change
When viewing a vulnerability on a project or in the library you can click on the Revision History tab to see the changes.
The landing page is the first page a user sees when they log into AttackForge.
The default login landing page is the Global Dashboard; however you can now configure your own landing page to another area within AttackForge – for example Analytics, Vulnerabilities, Projects, Users, etc.
Admins can also update the login landing page on behalf of another user. This is useful to ensure smooth user experience for your customers.
Users can update their own landing page via Profile section. Admins can update landing page for another user via Users module.
You can now access project logs on-demand, to help with troubleshooting or auditing.
Admins can access project logs from the project dashboard page menu.
The new administration module helps you to:
Track & manage your AttackForge licensing
Configure & customize your tenant
Access Ticketing System (Backlog) and monitor support credits
The Licence tab provides overview of your AttackForge licence, including:
Licence Type
Licence Plan
SKU
Licence Start Date
Licence End Date
Project Credits Used
Project Credits Remaining/Available
You can also top-up your project credits via credit-card to avoid any disruption to your customers or business.
This is available for tenants on the Cloud or Core licence (with exception of Unlimited plan).
The Configuration tab provides tenant configuration options to customize your AttackForge experience. For a detailed list of all support configurations, please visit https://support.attackforge.com/attackforge-enterprise/configuration-options
NOTE: This section is new and still in progress. More configuration options will be included over the coming releases.
The Support tab provides a link and information on how to access Backlog - the AttackForge ticketing system for Core & Enterprise customers.
If your SLA includes Support Credits - they will also be listed on this page, including total number of support credits used and support credits remaining.
This release is action-packed with updates to ReportGen – to help you create tailored, custom on-demand reports to meet your reporting requirements, and to reduce the time wasted on manually adjusting reports.
The updates include:
New Filter – Includes
New Filter – Excludes
New Filter – Count
New Filter – Find
New Metatags
For more information please visit https://support.attackforge.com/attackforge-enterprise/modules/reporting
You can now check to see if a tag contains a specified value, or array of values, and continue if true/exists.
You can now check to see if a tag does not contain a specified value, or array of values, and continue if true/doesn't exist.
You can now use a 'count' filter to set an arbitrary counter for a condition, then reference that counter later on.
You can now search a tag which contains an array of objects to return an object which meets a specific condition.
We have introduced the following new tags & updates to existing tags:
{#statusUpdates} - details for each project status update e.g. when project goes on-hold or off-hold
{status} - e.g. 'On-Hold' or 'Off-Hold'
{note} - reason why project was on-hold or off-hold
{created} - timestamp when project went on-hold or off-hold
{asset_library_created} - timestamp when asset was added to Assets module library. NOTE: requires tenant configuration with Assets module enabled.
{asset_library_id} - Assets module library id. NOTE: requires tenant configuration with Assets module enabled.
{asset_external_id} - user-defined external id for the asset. NOTE: requires tenant configuration with Assets module enabled.
{asset_type} - asset type e.g. Web App, API, Network, etc. NOTE: requires tenant configuration with Assets module enabled.
{asset_details} - asset details. NOTE: requires tenant configuration with Assets module enabled.
{projectGroups} - details for each linked Group
{name} - name of the group
{#retestingHistory} --> {retesting_round} - e.g. 1, 2, 3, etc.
{remediation_status} - includes the remediation status of the vulnerability for the affected asset e.g. Open / Ready for Retest on <DATE> [NEW] / Closed on <DATE>
We have added new configuration options in this release which can be enabled on your tenant:
Custom Email Template Header
Custom Email Template Body Style
Custom Email Template Footer
Replace Likelihood of Exploitation with CVSS Score in Project Vulnerabilities pages/tables (default Disabled)
Default ReportGen Project Custom Tags, to pre-fill & display on every project when a user attempts to create new ReportGen Project Custom Tags on a project (default None)
Default ReportGen Vulnerability Custom Tags, to pre-fill & display on every project when a user attempts to create new ReportGen Vulnerability Custom Tags in the library (default None)
Default ReportGen Affected Assets Custom Tags, to pre-fill & display on every project when a user attempts to create new ReportGen Affected Asset Custom Tags on a project (default None)
Enable Password-Protection for all PDF Reports. Prior to download, user will be prompted to enter in strong password (default Disabled)
This release is actioned-packed with user experience improvements.
UX has been improved by:
Alternate Flow to Approving a Project Request to includes changes to Project before approving it
Improved report generation & download speed by up to 20% using new optimized compression algorithms
Better feedback when importing vulnerabilities and file is being parsed
Option to use Affected Domain or Affected URL when importing from Netsparker
Button to create an asset when creating a new vulnerability on a project
Performance improvements by up to 15% on page load times when accessing Global Dashboard Vulnerabilities & Global Search
New layout for Analytics Personalization to make it easier to build your personal dashboard
Option to add a Remediation note at same time when Re-Opening or Closing a vulnerability
Option to download project reports via page menu when viewing the project vulnerabilities
Automated email to user when they are added as a group member to a project
Improved consistency in project breadcrumbs
This release is action-packed with updates to ReportGen – to help you create tailored, custom on-demand reports to meet your reporting requirements, and to reduce the time wasted on manually adjusting reports.
The updates include:
Support for Conditions, Loops, Filters, Data Aggregation, Data Formatting & Assignments
Support for Custom Tags
New Tags Available
You can now add logic conditions to your ReportGen templates. These logic conditions can help make decisions on how your report should render, providing you with greater precision in your reports.
For example, if you want to create a section within a report which just contains the details for all PCI-DSS or SSL/TLS vulnerabilities, or results from the Internal/External vulnerability scanning – you can now do this!
Combining this new functionality with Custom Tags (also included in this release) provides you with full-control over custom sections within your reports.
For more information on how to use the new logic conditions in your report template, check out following support page for more details: https://support.attackforge.com/attackforge-enterprise/modules/reporting#general-syntax-rules
AttackForge ReportGen now lets you define your own custom fields/tags which can be referenced anywhere within your report templates.
Custom fields can be used to capture additional information for projects, vulnerabilities and affected assets. This could include metadata, scoring, client information, or simply used for logically separating data within your reports - for example you can create a template to show just PCI-DSS vulnerabilities, or External vulnerabilities, etc.
Custom fields/tags are arbitrarily defined – this means you can control the name & value of each field, to then reference in your ReportGen templates.
Custom fields/tags can be set at three (3) different levels:
Project-Level
You can now define custom project-level fields which could be used to capture and include information relating to the overall project, for example client details, report classifications, test-related information, etc.
Vulnerability-Level (in library)
You can now define custom vulnerability-level fields which could be used to provide supporting details for a vulnerability in the library, for example technical risk score, industry classifications, type classifications, references to internal sources/mappings, etc.
Affected Asset-level (vulnerability on project)
You can now define custom affected asset-level fields which could be used to provide supporting details for a vulnerability on a project, for example whether its derived from internal or external scanning, whether it’s PCI related finding, etc.
You can also perform bulk-add/update to apply custom fields/tags across a selection of vulnerabilities on a project at one time (see following link for more details: https://support.attackforge.com/attackforge-enterprise/getting-started/updating-vulnerabilities#bulk-add-reportgen-fields-tags)
Project-Level Example:
To start creating Custom Tags at Project-Level, check out the following support page: https://support.attackforge.com/attackforge-enterprise/modules/reporting#project-level-custom-fields
Vulnerability-Level Example:
To start creating Custom Tags at Vulnerability-Level, check out the following support page: https://support.attackforge.com/attackforge-enterprise/modules/reporting#vulnerability-level-library-custom-fields
Affected-Asset Level Example:
To start creating Custom Tags at Affected Asset-Level, check out the following support page: https://support.attackforge.com/attackforge-enterprise/modules/reporting#affected-asset-level-project-custom-fields
New Tags Available
We have added new ReportGen tags which can be used in your report templates.
The new tags include:
{#criticalVulnerabilities} – details for just the Critical vulnerabilities on the project. Includes details for affected assets.
{#highVulnerabilities} – details for just the High vulnerabilities on the project. Includes details for affected assets.
{#mediumVulnerabilities} – details for just the Medium vulnerabilities on the project. Includes details for affected assets.
{#lowVulnerabilities} – details for just the Low vulnerabilities on the project. Includes details for affected assets.
{#infoVulnerabilities} – details for just the Info vulnerabilities on the project. Includes details for affected assets.
{testcases} – list of all the test cases linked to the vulnerability
{#passedTestcases} – details for all the Passed test cases on the project.
{#failedTestcases} – details for all the Failed test cases on the project. Includes details for the linked vulnerabilities which lead to test case being failed.
{#remediatedTestcases} – details for all the Remediated test cases on the project. Includes details for the linked vulnerabilities which lead to test case being failed then remediated.
For more information on new tags and the data available for each tag, check out the following support page: https://support.attackforge.com/attackforge-enterprise/modules/reporting#available-tags-for-individual-reports
In this update we have included ability to track Passed, Failed & Remediated test cases for every project.
Failed test cases can help to identify tests which need to be re-performed as part of remediation testing.
Remediated test cases help to identify which failed test cases have had all vulnerabilities fixed/closed.
You can fail a test case automatically by linking a vulnerability to a test case.
When creating or updating a vulnerability on a project, select the failed test case(s) to link them.
You can also add a vulnerability directly from the test cases page, to quickly link the test case to the new vulnerability.
We have also included the ability to filter test cases by Passed, Failed & Remediated when viewing the test cases on the project.
You can also access the data for Passed, Failed & Remediated test cases in ReportGen (see above).
See example below for Failed Test Case:
See example below for Remediated Test Case:
You can personalize analytics based on the data you want to see on your Analytics dashboard. Fine tune your SLAs based on how your organization tracks and measures them.
To personalize Analytics, click on Personalize Analytics button in the top-right of your Analytics page.
In this release we have also added additional analytics widgets for the items below.
Each widget can also be filtered based on time/date and groups.
Zero(0)-Day Vulnerabilities
Easily Exploitable Vulnerabilities
OWASP Top 10 Vulnerabilities
CWE Top 25 Vulnerabilities
Critical Vulnerabilities
High Vulnerabilities
Medium Vulnerabilities
Low Vulnerabilities
Total Vulnerabilities
Closed Vulnerabilities
Open Vulnerabilities
Ready for Retest Vulnerabilities
Closed Vulnerabilities
You can select the analytics you want to display on your own Analytics dashboard:
We have added new configuration options in this release which can be enabled on your tenant:
Disable default reports (PDF/DOCX/HTML) for all users or just client users – to force use of ReportGen custom reports (default Enabled)
Default option for whether a new vulnerability is Visible or Pending – depending on your QA workflow (default Visible)
Support for US date format e.g. MM/dd/YYYY (default Disabled)
Default value for Project Name field when creating a new project (default None)
Default value for Project Code field when creating a new project (default None)
Default value for Scoring System field when creating a new project (default CVSSv3.1 Baseline)
Default Project Groups when creating a new project (default None)
Default Project Team Notifications (e.g. New Critical Vuln, New High Vuln, etc.) when creating a new project (default None)
Default Project Admin Notifications (e.g. Vulnerability Ready for Retesting, Vulnerability Closed, etc.) when creating a new project (default None)
Support for Middle-East work week e.g. Sunday to Thursday when requesting a new project (default Disabled)
Auto-redirect to SSO login on visiting application login page (recommended for SSO-integration tenants with no self-registration workflow) (default Disabled)
As a reminder we also have the following configuration options already available:
Custom domain for accessing the application
Enable/Disable emails (default Enabled)
Custom domain for all emails (default [email protected])
Whitelisted domains for self-registration (default None)
Session length (default 30 minutes)
Assets Library Module (default Disabled)
Give project coordinators access to all new created projects (default Disabled)
Email on change if IP address form last login (default Enabled)
Local account self-registration (default Enabled)
Admins require AF MFA on login via SSO (default Disabled)
Simultaneous user sessions allowed (default Disabled)
Custom email body for new registrations
Custom blacklist for file upload extensions
Self-password reset from login page (default Enabled)
Custom value for Project Code in the UI (default Project Code)
CIA ratings in the Vulnerability Library (default Enabled)
Enable Slack (default Disabled)
Enable Teams (default Disabled)
Enable Discord (default Disabled)
Custom default email body for daily start/stop testing email notifications
Custom default additional email addresses for daily start/stop testing email notifications
Custom default email body for project team email notifications e.g. new critical vulnerability
Custom default additional email addresses for project team email notifications
Rich-Text Editor or Text Area for Steps to Reproduce (POC) for project vulnerabilities (default Rich-Text Editor)
Text area will disable HTML conversion in reports & exports – to allow for verbatim POCs
In this release, we have included updates to the self-service API to help provide you with more flexible and powerful ways of interacting with AFE.
Every method has detailed documentation page which includes information & examples for all parameters (optional & mandatory); URL for each method; example cURL requests & example server responses.
The Self-Service API can be accessed from the global navigation menu by clicking on Self-Service API module.
The updates in this release include:
Updates to getVulnerabilities, getVulnerabilitiesByAssetName, getVulnerabilitiesByGroup getVulnerabilityById, getProjectVulnerabilitiesById
Added new fields to return date stamp when status of vulnerability was last updated
Added new fields to return the Asset Library id & external Id values
createAssetInLibrary
this new method allows authorized users to create new assets in the Assets Library
updateAssetInLibrary
this new method allows authorized users to update assets in the Assets Library
getAssetInLibrary
this new method allows authorized users to get an asset in the Assets Library by its Id
getAssetsInLibrary
this new method allows authorized users to get assets in the Assets Library by filters
This release is actioned-packed with user experience improvements.
UX has been improved by:
Allowing users inspect & override vulnerability data before it get’s imported on a project
Project tracking page and tooltips (when hovering over project) now includes dates for each test suite, to help track when rounds of testing were performed on the project.
Attack Chains now link to MITRE ATT&CK® framework website – to help provide more detailed information on tactics used by adversaries in the attack chains
Better error handling for all tools when importing vulnerabilities on a project, including guides for the CSV imports to indicate required fields
Better mapping for CVSS scores, including to Likelihood of Exploitation, from tools when importing vulnerabilities on a project
Better support for importing vulnerabilities form Netsparker
Updates to editing multiple vulnerabilities on a project, to include:
Select All Vulnerabilities (currently filtered in the table)
De-select All Vulnerabilities
Select Critical Vulnerabilities (currently filtered in the table)
De-Select Critical Vulnerabilities (currently filtered in the table)
Select High Vulnerabilities (currently filtered in the table)
De-Select High Vulnerabilities (currently filtered in the table)
Select Medium Vulnerabilities (currently filtered in the table)
De-Select Medium Vulnerabilities (currently filtered in the table)
Select Low Vulnerabilities (currently filtered in the table)
De-Select Low Vulnerabilities (currently filtered in the table)
Select Info Vulnerabilities (currently filtered in the table)
De-Select Info Vulnerabilities (currently filtered in the table)
Bulk Add Tags
Bulk Add ReportGen Custom Tags
Stop Editing Multiple Vulnerabilities
Scheduling & planning projects is now even easier with the following updates in this release:
Availability checker now available when grating user access to a project – making it easier to see which consultants are available (or not available) for the project & to help you with effective planning of resources.
Calendar now available when grating user access to a project – making it easier to see which projects are currently scheduled or planned. You can also filter this calendar by user or time period.
All calendars now have On-Hover feature which allows you to access key project status/progress information without having to leave the page.
You can also now filter the schedule by user role, for example to see all projects for Consultants.
When creating or updating a project, you can now set a custom email body for the new vulnerability notifications which are sent to the project team.
You can also send the emails to additional recipients which are not already on the project team, for example SOC teams.
When creating a custom email body, ensure to include all HTML tags as the emails will be sent in HTML format.
You can adjust the standard template which is already pre-loaded in the form for you, please contact us for more details on how to do this.
The following meta tags will map to the following details when the email is sent:
{{firstName}} - this will include the firstName of the project team member. For Additional email recipients who are not on the project team, this field will be skipped.
{{consultant}} - this is the first name & last name of the consultant who is sending the daily email.
{{projectName}} - this will be the name of the project.
{{priority}} - this is the priority of the vulnerability i.e. Critical, High, Medium, Low, Info.
{{title}} - this is the title of the vulnerability.
{{asset}} - this is the affected asset for the vulnerability.
{{likelihood_of_exploitation}} - this is the likelihood of exploitation for the vulnerability. It is a number between 1 to 10.
{{is_zeroday}} - this is either Yes or No depending on if the vulnerability is a Zero-Day (0-day) or not.
{{description}} - this is the description of the vulnerability.
{{attack_scenario}} - this is the attack scenario of the vulnerability.
{{remediation_recommendation}} - this is the remediation recommendation for the vulnerability.
{{proof_of_concept}} - this is the proof of concept / steps to reproduce the vulnerability. This is rendered in full HTML.
{{notes}} - this is the notes for the vulnerability.
{{tags}} - this is the tags for the vulnerability. It is presented as an unordered list.
Project Roles can be assigned to any user on the project. The roles include common stakeholders involved in pentest project lifecycle, including Red Teams, Blue Teams, Security Teams and Customers.
Project Roles are displayed in the Calendars & Project Tracking / Overview page, so that other team members can see who is on their project and also their role on the project - to help with collaboration and contacting the right person.
Project Roles are also included in the reports, alongside the project team member's name.
Project Roles do not provide the user with any additional access rights. Privileges on the project are controlled via the Access Roles.
AttackForge Enterprise now supports login redirects to help your users & customers access the data they need, quickly and efficiently.
You can append any of the following redirects to the login URL, which can be shared with customers:
?redirectTo=sso
This will automatically redirect the user to sign in with Single-Sign-On (if available)
?redirectTo=register
This will automatically redirect the user to registration page (if available)
?redirectTo=resetPassword
This will automatically redirect the user to password reset page (if available)
?redirectTo=/#!/app/…
This will automatically redirect the user to a page within AFE, after the user has logged in.
!IMPORTANT - this is only supported with Local Accounts (Non-SSO)
Examples are provided below for reference:
https://<AFE_TENANT>/#!/login?redirectTo=sso
Redirect to SSO login
https://<AFE_TENANT>/#!/login?redirectTo=register
Redirect to registration page
https://<AFE_TENANT>/#!/login?redirectTo=resetPassword
Redirect to password reset
https://<AFE_TENANT>/#!/login?redirectTo=/#!/app/projects
Redirect to list of all projects after login
https://<AFE_TENANT>/#!/login?redirectTo=/#!/app/projects/5bdd20d8128aa82e0040a75d/dashboard
Redirect to Project Dashboard for a specified project, after login
https://<AFE_TENANT>/#!/login?redirectTo=/#!/app/projects/5bdd20d8128aa82e0040a75d/overview
Redirect to Project Overview for a specified project, after login
https://<AFE_TENANT>/#!/login?redirectTo=/#!/app/schedule
Redirect to Schedule / Calendar after login
You can now view quick project status/update by hovering over the project name, status or completed test cases in the Projects page.
This will provide an update on the project team and also the progress for each of the test suites/methodologies assigned to the project.
Every test suite & test case now allows you to add a ‘Code’ which can be used for sorting & ordering test cases when displayed in projects & reports.
Code will appear before the details of the test case. For example: WEB-APP-001 Test for X, Y & Z; WEB-APP-002 Test for A, B & C; etc.
Admins can now see the status for each of their project requests, including total requested; total pending; total approved; and total rejected.
Clicking on any of the dashboard boxes will drill-down to view the data.
Adding test case notes & evidence will no longer refresh the page. You can apply a custom filter or sort to the test cases, and then create notes or upload evidence, without losing your customer filter or sort.
You can now easily view users assigned to a group (group members) from the main Groups page, by using the Actions menu for a selected Group.
This will redirect you to the Group Membership page without having to drill-down into each group.
When viewing the group members page, it now includes their email’s and usernames – to help with search, particularly if using SSO/AD integration.
We have made changes to the error handling for file uploads so that it now provides you with the exact details why file was rejected in the alert box.
We have also removed the automated logout on failed upload, to help improve user experience.
You can now delete a user or project request from AFE. When a user is deleted, any data they have created in the application will remain for integrity & auditing purposes.
We have now included an optional text field for users when submitting a project request. The field is Reason Testing Is Required (Justification).
This field can be used to gather details why the user is submitting the request for testing, for example it’s a new application; annual pentest; compliance exercise; etc.
You can now include project scope in the daily start/stop testing email notifications. This is useful if you need to inform SOC teams with the details for assets which are being tested.
When searching for a vulnerability in the library when adding/updating vulnerability on a project, the keyword search field now includes searching the associated tags assigned to the vulnerabilities, in addition to the vulnerability titles.
This makes it easier to search for a group or type of vulnerability, without having to know keywords in its title.
When searching a user in the application, the search field will now display the First Name, Last Name & Email address for the users – making it easier to find the user(s) you need.
We have included additional tags which can now be used in your ReportGen templates:
{cvssv3_vector} - includes the CVSS v3.1 vector string e.g. /AV/...
{cvssv3_base_score} - includes the CVSS v3.1 base score e.g. 10.0
{cvssv3_temporal_score} - includes the CVSS v3.1 temporal score e.g. 10.0
{cvssv3_environmental_score} - includes the CVSS v3.1 environmental score e.g. 10.0
{remediation_status} - either Open or Closed. Only Closed if all affected assets are also Closed.
{#abuseCases} - list of all abuse cases on the project
{proof_of_concept_raw} - details for proof of concept / steps to reproduce in RAW HTML format (verbatim).
{testcase_code} - code assigned to the test case.
{testsuite_name} - name of the associated test suite.
{testsuite_code} - code of the associated test suite.
When downloading a report via ReportGen, the filename will now include the project’s name – making it easier to identify the report you need.
You can also now access the Offline ReportGen Diagnostic Tool to help with building your own custom ReportGen templates for AFE.
The tool can be accessed from the ReportGen page menu.
We have now removed the placeholder Start & End dates when accessing the filter in Analytics – making it easier to add your own dates.
In this release, we have included updates to the self-service API to help provide you with more flexible and powerful ways of interacting with AFE.
Every method has detailed documentation page which includes information & examples for all parameters (optional & mandatory); URL for each method; example cURL requests & example server responses.
The Self-Service API can be accessed from the global navigation menu by clicking on Self-Service API module.
The updates in this release include:
GetProjectWorkspace
this new method allows authorized users to view project workspace notes & metadata for uploaded files.
CreateProjectWorkspaceNote
this new method allows authorized users to create new project workspace notes.
UpdateProjectWorkspaceNote
this new method allows authorized users to update an existing project workspace note.
GetProjectNotes
this new method allows authorized users to view project notes, including private notes (where applicable).
CreateProjectNote
this new method allows authorized users to create new project notes.
UpdateProjectNote
this new method allows authorized users to update an existing project note.
We have now included support for Acunetix when importing vulnerabilities on your projects.
Measuring & Tracking performance of your security & pentesting program is crucial in understanding how individual business units, or the entire organisation, is performing over time. This analysis can help to identify systemic issues across the organisation, or within function areas; and help to make informed decisions on remediation and placement of resources for security improvement.
In this release, we have introduced new SLAs, Mean-Time-To-Remediate (MTTR) & extended Assets with Open Vulnerabilities:
SLA – Critical/High/Medium/Low Vulnerabilities Open Less than (<) 15 days
SLA – Critical/High/Medium/Low Vulnerabilities Open Greater than (>) 15 days
SLA – Critical/High/Medium/Low Vulnerabilities Open Less than (<) 30 days
SLA – Critical/High/Medium/Low Vulnerabilities Open Greater than (>) 30 days
SLA – Critical/High/Medium/Low Vulnerabilities Open Less than (<) 45 days
SLA – Critical/High/Medium/Low Vulnerabilities Open Greater than (>) 45 days
SLA – Critical/High/Medium/Low Vulnerabilities Open Less than (<) 60 days
SLA – Critical/High/Medium/Low Vulnerabilities Open Greater than (>) 60 days
SLA – Critical/High/Medium/Low Vulnerabilities Open Less than (<) 90 days
SLA – Critical/High/Medium/Low Vulnerabilities Open Greater than (>) 90 days
SLA – Critical/High/Medium/Low Vulnerabilities Open Less than (<) 120 days
SLA – Critical/High/Medium/Low Vulnerabilities Open Greater than (>) 120 days
SLA – Critical/High/Medium/Low Vulnerabilities Open Less than (<) 180 days
SLA – Critical/High/Medium/Low Vulnerabilities Open Greater than (>) 180 days
SLA – Critical/High/Medium/Low Vulnerabilities Open Less than (<) 365 days
SLA – Critical/High/Medium/Low Vulnerabilities Open Greater than (>) 365 days
MTTR – Medium Vulnerabilities
MTTR – Low Vulnerabilities
Assets with Open Medium Vulnerabilities
Assets with Open Low Vulnerabilities
Abuse cases are project or assessment specific test cases. They are unique test cases which apply to the assets on the project or relate to the objective of the assessment. Abuse cases help to ensure complete coverage for any given project, beyond the standard test cases.
For example, consider a web application pentest for a reverse auction website. Typically the pentest may cover the standard OWASP ASVS test cases, however the customer also requires that business logic tests are performed against the bidding functionality to determine whether it can be cheated or not. Abuse cases can be created to specifically test this functionality which relating to the application. This provides a higher level of assurance beyond standard test cases.
Abuse Cases can be created directly from the Test Cases section on a project by Admins or Project Coordinators; and are stored & tracked per project in the Test Suite Builder module under the new Abuse Cases tab.
As your security & pentesting program grows and you collect valuable vulnerability data against your assets – the ability to drill-down on the exact information you need becomes essential.
To help with this, we have extended the Search capabilities in AFE to include following:
Search all vulnerabilities (you have access to) by a Vulnerability Title – for example “show me all vulnerabilities which are SQL Injection”.
Search all vulnerabilities (you have access to) by one or more Vulnerability Tags – for example “show me all vulnerabilities which have a CVSS Score of 8.0. Now include those which are also OWASP Top 10”.
You can also continue to search by an Asset Name or filter vulnerabilities by a Group.
In this release we have included the following updates to the Schedule:
Percentage completion for each project in calendar
Every project now has a percentage completion value next to the name in the calendar. This helps to identify at a glance how far the project has progressed.
Daily tracker now includes detailed progress breakdown for each individual test suite assigned to the project
This helps to identify progress on each phase of the pentest, for example:
Planning & Preparations (100%)
Web Application Pentesting (60%)
Abuse Cases (10%)
Retesting (0%)
…
Filter by User now shows list of all the users’ projects
This helps to identify which projects the user is assigned to, and information relating to each of those projects such as status, vulnerabilities, test window, etc.
As this information is in a data table, it can be filtered or even exported to CSV for offline schedule copy
When creating or updating a project, you can now set a custom email body for the daily start & stop testing notifications which are sent to the project team. You can also now send the emails to additional recipients which are not already on the project team, for example SOC teams.
This helps to create personalized notifications which relate to the specific project; and to also keep other stakeholders informed of testing where they are not explicitly invited to the project in AFE.
When creating a custom email body, ensure to include all HTML tags as the emails will be sent in HTML format. You can adjust the standard template which is already pre-loaded in the form for you.
The following meta tags will map to the following details when the email is sent:
{{firstName}} - this will include the first name of the project team member. For Additional email recipients who are not on the project team, this field will be skipped.
{{consultant}} - this is the first name & last name of the consultant who is sending the daily email
{{started_or_stopped_testing}} - this will be either 'Started Testing' or 'Stopped Testing' depending on the daily email action being performed.
{{projectName}} - this will be the name of the project.
We introduced Project Notes a few releases back. Since then it has been one of the most popular features, allowing pentesters on a project to create private notes, share team notes & also export reporting notes.
In this release we have included support for Rich Text Editor. This allows pentesters to create detailed notes with sections, headings, tables, etc. which can be used as example to capture observations during reconnaissance, and can be shared with the project team to help collaborate on a project; or stored privately for personal use.
In this release, we have included updates to the self-service API to help provide you with more flexible and powerful ways of interacting with AFE.
Every method has detailed documentation page which includes information & examples for all parameters (optional & mandatory); URL for each method; example cURL requests & example server responses.
The Self-Service API can be accessed from the global navigation menu by clicking on Self-Service API module.
The updates in this release include:
createVulnerabilityWithLibrary
this new method allows authorized user to create a new vulnerability on a project with linkage to an existing issue in the library (as opposed to providing custom description, attack scenario, recommendation, etc.)
updateVulnerabilityWithLibrary
this new method allows authorized user to update an existing vulnerability on a project with linkage to an existing issue in the library (as opposed to providing custom description, attack scenario, recommendation, etc.)
As an Admin user, you can now re-assign a vulnerability to another project. Once a vulnerability is re-assigned, it will no longer be available on the current project. All remediation notes & evidence will also be relocated to the new project.
Due to the increasing role the Project Coordinators are performing in AttackForge, they are now given the following extra powers to help reduce burden on Administrators and to increase efficiency.
Download ReportGen Base Template
Upload new templates to ReportGen
Modify existing templates uploaded to ReportGen
Project Coordinators can now perform following functions, in addition to standard user functions:
can create new projects
can update projects
gets access to all new projects (optional)
can invite users to projects
can manage user access to projects
can access all pending & actioned project requests
can approve new project requests
can request more information on project requests
can reject new project requests
assign assets to test cases on a project
lock test cases on a project
unlock test cases on a project
download ReportGen Baseline template
upload new ReportGen templates
modify existing ReportGen templates
full access to the Vulnerability Library module
full access to the Test Suite Builder module
This release is actioned-packed with user experience & user interface improvements.
UX has been improved by:
Allowing users to assign assets & upload files directly to workspace notes, in addition to the general upload section in the workspace
Removing all internal CAPTCHAs to reduce user friction
Allowing previously escaped characters & and “ to be saved on any field
Removing double-escaping on save
Reordered fields on Project Request form & Project Create form – to capture essential data first
Removed timeouts on Viewing, Creating & Updating Attack Chains – to help with presentations & lengthy attack chains
Disabled Copy/Paste & Drag/Drop screenshots feature in Rich Text Editor on vulnerability proof-of-concept – as this was not a supported feature and had caused issues for some users
Select All in Test Cases & Project Vulnerabilities will now select all of the filtered data in the table, instead of all data in the table
UI has been improved by:
Providing additional new themes allowing you to further personalize your experience in AttackForge. New themes include The Matrix, Lightning, Halloween & Redback
AttackForge is a collaboration platform for Technology Teams, Security Teams & Engineering Teams. It helps to get the right people, in the right place with the right information.
To help achieve this, AttackForge now integrates with industry leading collaboration platform Microsoft Teams.
Microsoft Teams allows you to engage in collaborative and inclusive meetings from anywhere with Teams meetings and Teams-enabled devices.
AttackForge integrates into your organizations Microsoft Teams via your Enterprise Microsoft Azure Identity Provider.
For detailed information on how to set up & use AF MS Teams integration – please visit https://support.attackforge.com/attackforge-enterprise/getting-started/integrations/microsoft-teams
You can now perform multiple rounds of testing on a single project! This will help Enterprises to:
Keep track of all testing & vulnerabilities against your assets, in one place
Perform periodic assessments whilst maintaining all data in single project
View historical rounds of testing performed against assets, without switching projects
Make it easier for your auditors
To allocate a new round of testing on your project, click on Add More Test Suites button from the Test Cases page menu.
Select the test suites you would like to load on the project and click Add Test Suites to Project.
The test suites will then be loaded on to your project.
By default, the new test cases loaded on to the project will be set to Unlocked/Active status.
If it is a new round of testing, you can automatically lock the previous test cases by selecting Yes to option Assign Test Suites to New Round of Testing? This will ensure the previous test cases can’t be tampered with or changed accidentally.
It will also reset the project status to Waiting to Start and progress will be set to 0%.
You can now lock & unlock test cases on a project at any given time.
Locking test cases is useful if you need to allocate a new round of testing to your project, to ensure previous rounds of testing cannot be altered or tampered with.
When a test case is locked, it cannot be updated. You cannot add any new notes or evidence either. This provides greater assurance from an auditing perspective.
Locked test cases will not show up on or affect the project status and percentage completion.
Locked test cases will not show up in the reports as reporting is focused on the current round of testing. This helps to avoid lengthy reports on projects where multiple rounds of testing are performed.
To lock a Test Case individually - use the Actions menu on an unlocked test case and select Lock.
To unlock a Test Case individually - use the Actions menu on a locked test case and select Unlock.
You can also filter on Locked & Unlocked test cases.
To perform bulk updates - use the Page menu to select the test cases and your option.
You can also delete test cases on a project. This can help if you need to remove test cases which do not need to be actioned on the project.
To delete test cases on a project, click on Edit Multiple Test Cases button from the page menu.
Select the test cases you would like to delete, then click on Delete Selected Test Cases from the page menu.
You can now assign assets to test cases. This helps to delegate tasks to individual assets to increase testing coverage and traceability.
You can assign one or more assets to the test case by clicking on editable All value in the Assigned Asset(s) column, and then selecting the assets from the list of presented options.
You can multi-select in the field.
By default, all test cases assigned on the project will be allocated to all assets in the project scope.
You can now filter your search criteria to individual columns.
This helps to extract the exact information you need for your reporting, management or follow ups.
You can search in one or more columns, and combine the search criteria across columns to narrow down your results even further.
The global search bar at the top of the table is still enabled so you can perform a table-wide search when you need it.
You can also use the Export button to export the data into a CSV after you have narrowed the search to the information you need.
We have enabled a Quick Actions menu on the project dashboards, providing an improved user experience.
The Quick Actions menu helps pentesters access common functions on the project faster & without having to use the page menu.
The Quick Actions are visible for any person who has Edit permissions to the project.
Due to the increasing role the Project Coordinators are performing in AttackForge, they are now given the following extra powers to help reduce burden on Administrators and to increase efficiency.
full access to the Test Suite Builder module
assign assets to test cases on a project
lock test cases on a project
unlock test cases on a project
Project Coordinators can now perform following functions, in addition to standard user functions:
can create new projects
can update projects
gets access to all new projects
can invite users to projects
can manage user access to projects
can access all pending & actioned project requests
can approve new project requests
can request more information on project requests
can reject new project requests
assign assets to test cases on a project
lock test cases on a project
unlock test cases on a project
full access to the Vulnerability Library module
full access to the Test Suite Builder module
We have added ability to toggle visibility of test suites on project requests.
This allows you to control which test suites are published to your Service Catalogue for your customers to select from, when requesting a new project.
This also allows you to create & maintain test suites that are only visible by authorised users.
When creating or updating a test suite, select Yes or No for the option Make Test suite Visible on Project Requests?
By default, all test suites are set to Yes/Visible unless you opt to hide the test suite.
We are now including timestamps & user details for all test cases in the reports.
In this release, we have included updates to the self-service API to help provide you with more flexible and powerful ways of interacting with AFE.
Every method has detailed documentation page which includes information & examples for all parameters (optional & mandatory); URL for each method; example cURL requests & example server responses.
The Self-Service API can be accessed from the global navigation menu by clicking on Self-Service API module.
The updates in this release include:
downloadVulnerabilityEvidence
this new method allows authorized user to download an evidence file which has been uploaded for a vulnerability on a project they have access to.
getVulnerabilityById
this method has been updated to include the Steps to Reproduce / Proof of Concept in HTML format, in addition to the plain-text format.
this method has been updated to include the details for all uploaded files, which can be downloaded in the new downloadVulnerabilityEvidence method.
getProjectVulnerabilitiesById
this method has been updated to include the Steps to Reproduce / Proof of Concept in HTML format, in addition to the plain-text format.
this method has been updated to include the details for all uploaded files, which can be downloaded in the new downloadVulnerabilityEvidence method.
Our friends over at Nucleus Security now natively support AttackForge JSON exports, allowing you to Post your AF Project JSON file directly to your Nucleus Security tenant – in one easy step.
This makes it hassle-free to export all of your pentesting vulnerabilities from AttackForge into your vulnerability management solution.
You can also set up an AttackForge Connector within Nucleus Security and upload your AF JSON files directly.
You can still use the API export for individual vulnerabilities.
We have supercharged the Reporting module to take advantage of ReportGen capabilities!
Reporting module is a place where you can easily and quickly access reports on-demand, in any available reporting template, to save time & effort on manually creating or adjusting reports.
Using the New Reporting module, you can:
download multiple individual reports at once for each of your projects, using your custom ReportGen templates
download consolidated group report which contains all your data for multiple projects in one single report, using your custom ReportGen templates
download individual reports for your projects in PDF, DOCX, HTML, CSV & JSON formats
download individual ZIP archives for each of your projects
AttackForge ReportGen helps you to create fully customized reports using your own DOCX templates. You can style and structure the reports however you need.
For Enterprise customers, you can access pre-existing report templates loaded by your Administrators.
Administrators can:
Upload New Templates - they will be made available to all users to download custom reports
Download ReportGen Client-Side Tool - this can be used to help build your custom DOCX template, with verbose logging enabled in the tool (browser console).
Download Base Template - this template contains all the meta tags that will map to your AttackForge project data. It should be the starting point when building any new templates.
Download Custom Template - this template is used to create custom reports. You can download it to make necessary changes, then re-upload it to make the latest version available to users.
Delete Custom Templates - using the actions menu, Administrators can delete any templates when required, for example uploading a new version for an existing template.
View available custom reporting options.
Download reports for any accessible projects using any of the available reporting options.
Non-Administrators can:
View available custom reporting options.
Download reports for any accessible projects using any of the available reporting options.
Downloading Individual Reports
Step 1: Select the projects you wish to download an individual report
Step 2: Select the template you wish to use, and click on
Download Individual Reportsbutton
A report will be created for each selected project using the selected template.
Downloading Group/Combined Reports
Step 1: Select the projects you wish to combine into a single report
Step 2: Select the template you wish to use, and click on
Download Combined Reportbutton
A single report will be created which contains all the data for the selected projects. De-duplication is performed automatically to help reduce report size.
You can now directly import vulnerabilities from your projects without having to use the AttackForge Connector.
This provides a faster & hassle-free way to import vulnerabilities on your projects, improving the user experience and making importing of vulnerabilities a breeze!
How it Works
Select a tool you wish to import from, for example Nessus, BURP, Qualys, etc.
After you select a tool, you will be prompted to select the output file from the tool in order to parse the data.
Once the data has been parsed, you can then select the vulnerabilities you wish to import into your project.
Once you have made your selection, click
Import Vulnerabilitiesbutton and the vulnerabilities will be imported to your project. A summary of the import will be displayed in the notification boxes.
If you need to import data via the API, select API from the selection of import tools. The API is detailed and includes sample cURL request to help get you started.
If a vulnerability template does not exist in the library, it will be automatically created for you. The next time you try to add the vulnerability, it will map to the existing template in the library.
Similarly if the affected asset does not exist on the project, it will be automatically created for you. The next time you try to add a vulnerability on the same affected asset, it will map to the existing asset on the project.
AttackForge is a collaboration platform for Technology, Security & Engineering Teams. It helps to get the right people, in the right place with the right information.
To help achieve this, AttackForge now integrates with industry leading collaboration platform Discord.
Discord is a group-chatting platform originally built for gamers, but which has since become a general use platform for all sorts of communities – in particular the InfoSec community.
AttackForge lets you integrate your projects to your own Discord server to create a private channel.
To link your Discord server to your AttackForge project and create a private channel, click on Collaboration button from your project dashboard then select Discord.
Enter your details to connect to your Discord server & click Create Channel.
Once your channel is created, the following information will be displayed to all project team members.
This release is actioned-packed with performance improvements, UI enhancements and an overall better user experience for all your users.
Performance has been improved by:
Redesigning the PDF, DOCX & HTML reporting functionality to reduce time taken to generate a report up to 300%! This is after we also included additional reporting content packed into each report – how awesome is that! 😊
Redesigning the Data tables engine for Projects, Retesting, Reporting & Users modules – providing significant decrease in page load times of up to 600%! Now that’s fast 😊
UX has been improved by:
Providing better support for importing vulnerabilities from Burp, Nessus & Qualys - including linking CVSS scores to Likelihood of Exploitation and supporting additional tags
Updating the style of JIRA tickets & content which is exported & synced to JIRA, including better error handling and syncing
Displaying the Owner & Last Modified when selecting an issue from the library on a project – helping you make better decisions when selecting the right vulnerability from the library
Ability to score vulnerabilities in the library using CVSSv3.1, which are then referenced when adding a vulnerability on a project – saving time & effort when scoring vulnerabilities on every project; and improving standardization of scoring
UI has been improved by:
Providing additional new themes allowing you to further personalize your experience in AttackForge. New themes include Neptune, Lost Woods, Amethyst & Firestorm
You can now export any of your data tables to CSV. This allows you to quickly and easily export data from AttackForge to input into your own reports; to share information with others; or to perform your own analysis in Excel or other tools.
The export functionality will download a CSV containing all data visible in your data table.
It also works with Search filter allowing you to extract the exact data that you need.
Want to export more or all records? Easy – just use the Show XX Entries drop-down menu to show more records.
This functionality has been implemented across all data tables in AttackForge.
We have introduced a number of updates to Analytics module, to provide you with more information at your fingertips – and an enhanced user experience.
You can now see the Days Open for every vulnerability, when you drill-down on the analytics data. This helps with SLAs and getting on top of outstanding vulnerabilities.
We have also included extra information in every table, such as Exploitability and Project.
Now when you click on a link such as a vulnerability or project, it will open the data in a new tab – so you don’t lose your filtered analytics data.
Also when you filter your analytics & then drill-down on a data item, then click back button, you will be presented with your filtered data & options – so you don’t lose your filtered analytics data.
You can now export vulnerabilities directly from your project for all supported platforms, as alternative to using the Connector.
We now support the following exports directly from your projects:
Atlassian JIRA
ServiceNow
Azure DevOps
Kenna Security
Nucleus Security
We have also introduced support for Azure DevOps – now one of the leading platforms for orchestrating a DevOps toolchain.
Any authorised user on your projects can now easily self-export vulnerabilities as Work Items directly to your ADO Projects.
You can now assign test cases on a project to a team member. This makes it easier to delegate tasks on a project; and to enforce accountability as well as increase efficiency by reducing doubling-up on tasks.
You can assign individual test cases to a person; or you can perform bulk assignments using page menu.
You can also filter test cases by the Test Suite, and also filter by:
Test Cases Assigned to Me
Not Tested
Tested
Testing In Progress
Not Applicable
For more information on how it works, see https://support.attackforge.com/attackforge-enterprise/getting-started/test-cases#assigning-test-cases-to-a-user
We have made a number of improvements to ReportGen to improve quality of your on-demand reports & reduce reporting noise and increase actionability.
Duplicate Screenshots are now removed for every vulnerability, cutting report size down.
Duplicate Affected Assets are now noted, instead of reported, significantly reducing the size of the report where there is a vulnerability affecting dozens of assets.
ReportGen is now available in the Reporting module, along with all other on-demand report formats (PDF, DOCX, HTML, CSV, JSON & ZIP)
Actions menus have been updated to include the Reporting option for ReportGen, allowing you to get access to reports faster!
For all the latest ReportGen metatags, try downloading a Baseline Template and check the new tags available!
We have made improvements to the user experience when accessing various modules.
Now when you access either Projects module; Test Suite Builder; or Vulnerability Library – and view information from any of the tabs – clicking the back button will take you back to the tab you were viewing, avoiding unnecessary extra steps.
We have also rebuilt the rendering engine for data tables in the Dashboard; Analytics; Search; Vulnerability Library & Groups – providing significant decrease in page load times of up to 600%! Now that’s fast 😊
Feel confident showing thousands of records, and all the flexibility of the search to help you get the data you need – when you need it.
Also when you click on a vulnerability in your Vulnerability Library, it will now open in a new tab - so you don’t lose your filtered data.
We have also consolidated all Export & Collaboration integrations into single easy-to-access sections within your projects – allowing for multi-export & multi-collaboration on a single page.
Due to the increasing role the Project Coordinators are performing in AttackForge, they are now given the following extra powers to help reduce burden on Administrators and to increase efficiency.
Project Coordinators can now:
create new projects
update projects
get access to all new projects
invite users to projects
manage user access to projects
access all pending & actioned project requests
approve new project requests
request more information on project requests
reject new project requests
full access to the Vulnerability Library
AttackForge ReportGen is a tool to help you create fully custom reports based on your own DOCX report templates.
For Enterprise customers, you can now access pre-existing report templates - loaded by your Administrators - directly from your Project Dashboard by clicking ReportGen button.
You can download reports on-demand, in any available reporting template, to save time.
This also provides your customers with flexibility to generate reports in multi-formats to help create tailored automated reports for their needs.
Administrators can:
Upload New Templates - they will be made available to all users on all projects to download custom reports
Download ReportGen Client-Side Tool - this can be used to help build your custom DOCX template, with verbose logging enabled in the tool (browser console). This should be performed before uploading any new templates which will be available to customers, to ensure it is working as expected.
Download Base Template - this template contains all the meta tags that will map to your AttackForge project data. It should be the starting point when building any new templates.
Download Custom Template - this template is used to create custom reports. You can download it to make necessary changes, then re-upload it to make the latest version available to users.
Delete Custom Templates - using the actions menu, Administrators can delete any templates when required, for example uploading a new version for an existing template.
View available custom reporting options.
Download reports on their project using any of the available reporting options.
Administrators can:
View available custom reporting options.
Download reports on their project using any of the available reporting options.
To download a report in a custom template, click on the Download Report button.
Reports will automatically download in your browser - there is no need to use the ReportGen Client-Side Tool.
Project Notes allows to create & store notes on your project. You can consolidate all your notes in one place, to make it easy to track & record information as you go.
The notes can include:
Private notes - these are notes which are only visible to you.
Team notes - these notes are available to project team members with Edit access to the project (pentesters/consultants).
Report notes - these notes are included in the downloaded PDF, DOCX & HTML reports. They are also included in the JSON export & ReportGen.
Project Notes is only available to users with Edit permissions to the project.
You can access project notes from the project menu by clicking on Notes.
We have updated the AttackForge Connector to include support for additional tools - allowing you greater flexibility when importing and exporting data to and from AttackForge.
We now support sixteen (16) industry tools & formats, with new tools & platforms constantly added to our roadmap.
The following tools & formats have been included in this release:
Tenable.io
Tenable.sc (Tenable Security Center)
Netsparker
Rapid7 Nexpose / InsightVM
Rapid7 AppSpider / InsightAppSec
AttackForge JSON – this can be used to import data from any AttackForge project into another AttackForge project. Particularly useful if you are a multi-tenant customer.
CSV – this is a generic CSV importer that can work with any data. CSV template is available from within the Connector.
Nucleus
In this release, we have included 2 NEW API Methods to the SSAPI - to help provide you with more flexible and powerful ways of interacting with AFE.
Every method has detailed documentation page which includes information & examples for all parameters (optional & mandatory); URL for each method; example cURL requests & example server responses.
The Self-Service API can be accessed from the global navigation menu by clicking on Self-Service API module.
createVulnerabilityBulk
this method allows user to create multiple vulnerabilities on a project, in one single request.
getApplicationAuditLogs
this method allows user to download all exportable logs from the application. This can be integrated with tools such as Splunk, SolarWinds, ManageEngine, LogRythem, IBMQRadar & others
Administrators can request more information for a new project request, before they Approve or Reject the request.
When requesting more information, an email will be sent to the customer with the details for the request. The information is also visible by clicking on the request to view the details.
Once an Admin has requested more information, the status of the request will be set to Requested Information.
The customer can make necessary changes to the request in order to address the feedback, and once they save the updates - the status will be set back to Pending Approval and Administrators will be notified by email that the request has been updated and is ready for review.
We have made the following enhancements to AttackForge to ensure yours’ and your customers experience is the best that it can be!
Support for Scrolling Sidebar on Global Menu
Now include _likelihood_of_exploitation, _severity and _testcases for all vulnerabilities in the JSON export
Managing Access to Projects (via Users module) now removes existing projects the user has access to
Managing Access to Groups (via Users module) now removes existing groups the user has access to
Managing Access to Self-Service API (via Users module) now removes existing SSAPI methods the user has access to; including button to Add All & Remove All when performing updates
Unified Data tables – all data tables now have a unified experience. All data is loaded by default to assist with pagination. You can still filter number of records on screen using the Show XX Entries option. Search will now return results based on all records.
Simpler & Unified Flow for Re-Opening & Closing Vulnerabilities on a project.
You can now map attack chains to MITRE ATT&CK Framework.
This helps to create standardised attack chains & threat models, and will benefit any Red Team, Blue Team or Purple Team activities in your environment.
Blue teams will be able to leverage MITRE’s global knowledge base of adversary tactics to get enriched information on each action performed in the attack chain.
Red teams will be able to articulate their attack sequence with more clarity by leveraging wealth of information relating to their attack pattern provided in MITRE’s framework.
Mapping to MITRE ATT&CK Framework takes only minutes & is easy to do. Check out our tutorial video on how to start mapping your attack chains to MITRE ATT&CK Framework:
When a customer is requesting a new project, they must specify the service which they would like to purchase or proceed with. The test suites are now presented to the customer as a Service Catalogue, allowing them to pick and choose what they would like to be performed on their project. Test suites can be adjusted to align with the security services offering for a consultancy or internal security team/function.
Every service in the catalogue includes a brief description, tags & total number of test cases that will be assigned to the project – should the customer select it.
They are visible to the customer by hovering over any service in the drop-down list.
For example, if a customer requires a PCI DSS penetration test to meet their annual penetration testing requirements, they can select the service from the catalogue and list the details for the PCI assets in-scope for the assessment (see below). Or if the customer requires a Pre-Launch Assessment for a New Web Application – they can select the service & it will automatically load any test cases on the project related to this activity, once the project is approved.
The feature is also extended to Admins when manually creating a new project.
For more details please visit: https://support.attackforge.com/attackforge-enterprise/getting-started/requesting-a-project
Previously we had introduced an alternative scoring system which allows you to score your vulnerabilities using CVSS v3.1 Baseline in-app calculator.
We have now extended this to also include CVSS v3.1 Temporal & Environmental Calculators.
After you score a vulnerability using CVSS, it will automatically include the CVSS Vector String + CVSS Score for you as tags.
If you are using Temporal or Environmental scoring, it will include the Base Score, Temporal Score & Environmental Score as separate tags.
When creating a new project, or at any time during a project (via Edit Project) - you can select a scoring system for the vulnerabilities.
AttackForge supports following scoring systems:
Manual
manually select Priority (Critical / High / Medium / Low / Info)
manually select Likelihood of Impact (0 to 10)
CVSS v3.1 Baseline
CVSS v3.1 Baseline + Temporal
CVSS v3.1 Baseline + Temporal + Environmental
For more information please visit: https://support.attackforge.com/attackforge-enterprise/getting-started/creating-and-managing-projects#selecting-a-scoring-system
You can now duplicate any vulnerabilities on your project, against selected assets.
The system will create a new vulnerability (for each of the selected) and assign it to the assets which you have also selected.
This makes it fast & easy to assign vulnerabilities to assets during a pentest where multiple affected assets have been discovered later on for a vulnerability which had already been reported.
For more information please visit: https://support.attackforge.com/attackforge-enterprise/getting-started/managing-vulnerabilities/updating-vulnerabilities#duplicate-vulnerabilities
You can now perform bulk action to Open or Close selected vulnerabilities on you project.
This makes it fast & easy to close or re-open vulnerabilities on projects where there is a large amount of vulnerabilities discovered.
This is particularly useful for issues relating to vulnerability scanners, where by many vulnerabilities may be observed fixed/remediated during retest.
For more information please visit: https://support.attackforge.com/attackforge-enterprise/getting-started/managing-vulnerabilities/updating-vulnerabilities#mark-vulnerability-as-closed-re-opened
You can now create new scope on a project using a line break, in addition to comma-separated values.
This helps to avoid unnecessary effort of converting assets to comma-separated values where they are already leveraging a line break format.
For more information please visit: https://support.attackforge.com/attackforge-enterprise/getting-started/project-scope#add-assets-scope
We have updated the colors used on the daily tracker page to help identify relevant sections easier.
For more information please visit: https://support.attackforge.com/attackforge-enterprise/getting-started/creating-and-managing-projects#place-project-on-hold-off-hold
We have released an update to ReportGen Tool & Template files:
ReportGen Tool:
AttackChains are now supported
Updates to auto-scale images to correct dimensions without exceeding page width
Tags & Help information is now available in browser console
ReportGen Template
Meta tags for AttackChains are now included
Updates to Testing Summary to include additional data/tags
We have released an update to the project JSON Export:
Now includes AttackChains, including icons in base64
Additional tags for Testing Summary section
We have released an update to AttackChains:
You can now select additional entities including Device, Server & Database.
For the new entities, you can select from either an existing asset on the project; or enter a new asset name. Any new assets are only included for purpose of the attack chain and are not added to project scope.
In this release, we have included 39 NEW API Methods to the SSAPI - to help provide you with more flexible and powerful ways of interacting with AFE.
Every method has detailed documentation page which includes information & examples for all parameters (optional & mandatory); URL for each method; example cURL requests & example server responses.
The Self-Service API can be accessed from the global navigation menu by clicking on Self-Service API module.
createScope - this method allows user to create new assets on a project that they have Edit access to.
updateScope - this method allows user to update assets on a project that they have Edit access to.
createRemediationNote - this method allows user to create a remediation note for a vulnerability on a project that they have access to.
sendDailyCommencementEmail - this method allows user to send daily commencement notification on a project they have Edit access to.
sendDailyCompletionEmail - this method allows user to send daily completion notification on a project they have Edit access to.
updateTestcase - this method allows user to update a testcase on a project they have Edit access to.
createTestcaseNote - this method allows user to create a note on a testcase for a project they have Edit access to.
requestRetest - this method allows user to request a retest on a project they have access to.
confirmRetestCompleted - this method allows user to confirm retest is completed on a project they have Edit access to.
updateExecSummaryNotes - this method allows user to update executive summary notes section of report on a project they have Edit access to.
getGroups - this method allows user to get details for groups the user is a member of.
getVulnerabilitiesByGroup - this method allows user to get details for all vulnerabilities for a group that they are a member of, with optional filter.
getProjectsByGroup - this method allows user to get details for all projects for a group that they are a member of.
getVulnerabilityLibraryIssues - this method allows user to get details for all vulnerabilities in the library.
updateVulnerabilityLibraryIssueById - this method allows user to update a vulnerability in the library.
getTestsuites - this method allows user to get details for all test suites.
getTestsuiteById - this method allows user to get details for a Testsuite, including list of test cases.
getUsers - this method allows user to get details for all users in the system, with option filter.
getUserById - this method allows user to get details for a user in the system.
getAssets - this method allows user to get details for all assets the user has access to.
getAssetsByGroup - this method allows user to get details for all assets for a specified group.
createGroup - this method allows user to create a new group.
updateGroup - this method allows user to update a group.
getGrou - this method allows user to get details for a group.
addUserToGroup - this method allows user to create a new member on a group.
updateUserAccessOnGroup - this method allows user to update a users’ membership for a group.
createTestsuite - this method allows user to create a new test suite.
updateTestsuite - this method allows user to update a test suite.
addTestcaseToTestsuite - this method allows user to add a new test case on a test suite.
updateTestcaseOnTestsuite - this method allows user to update a test case on a test suite.
updateUserAccessOnProject - this method allows user to update a users’ role/permissions for a given project.
createUser - this method allows user to create a new user in the system.
deactivateUser - this method allows user to deactivate a user in the system.
activateUser - this method allows user to activate a user in the system.
getUserAuditLogs - this method allows user to get audit logs for a user, with optional filter.
getUserLoginHistory - this method allows user to get login history for a user, with optional filter.
getUserProjects - this method allows user to get details for all projects a user has access to.
getUserGroups - this method allows user to get details for all groups a user has access to.
getProjectAuditLogs - this method allows user to get audit logs for a project, with optional filter.
We have released AttackForge ReportGen which is a tool to help you create fully customizable reports based on your own DOCX templates.
ReportGen provides you with the flexibility and autonomy to create reports which are specific to your organization, requirements, target audience or style guidelines.
We have included a baseline template that is aligned with the AFE PDF report and includes all necessary tags to help you get you started. You can download the template from AFE.
You can build upon this template or create new templates entirely, to reflect your reporting needs.
ReportGen is a self-contained HTML file and works in your browser. There is no need to install anything.
It works in an offline environment and requires no Internet or dependencies to run. All reports are generated locally in your browser.
ReportGen works as follows:
Download JSON export from your AFE project
Download ReportGen & AFE ReportGen Template
Open ReportGen in your browser. Select AFE JSON export file. Select DOCX template.
Your new report will automatically download.
Enjoy savings hours of reporting time! 😊
ReportGen is available to all users. There is a button on the Project Dashboard to access ReportGen, or you can access it directly via ReportGen module in navigation pane.
In this release, we have included the following updates to the SSAPI - to help provide you with more flexible and powerful ways of interacting with AFE.
Every method has detailed documentation page which includes information & examples for all parameters (optional & mandatory); URL for each method; example cURL requests & example server responses.
The Self-Service API can be accessed from the global navigation menu by clicking on Self-Service API module.
createVulnerability - this method allows user to create a vulnerability on a project that user has Edit access to. Any new assets will be automatically added to the project. Any new issue descriptions will be automatically added to the library.
updateVulnerabilityById - this method allows user to update a vulnerability on a project that user has Edit access to. You can update status of vulnerabilities using this method. Any new issue descriptions will be automatically added to the library.
createVulnerabilityLibraryIssue - this method allows user to create a new vulnerability in the library, which can be used by users when creating a new vulnerability on a project.
getprojectRequests - this method allows user to get project requests that the user has access to, with optional filter to narrow results.
createProjectRequest - this method allows user to create a new project request. This method can be used to integrate into your existing workflows and systems, to enable seamless project requests via 3rd party systems and scripts.
getProjectRequestById - this method allows user to get a project request by its Id, if user has access to it.
updateProjectRequestById - this method allows user to update a project request by its Id, if user has access to it.
approveProjectRequestById - this method allows user to approve a project request by its Id. Approved project requests are automatically created as new projects in the system, and users invited accordingly (including email notifications).
rejectProjectRequestById - this method allows user to reject a project request by its Id. Email notification is sent to the requestor notifying them project has been rejected and reason(s) why.
We have added support to enable project email notifications to project team or to admins on various events. This helps to keep people informed on progress and status changes for vulnerabilities on their projects.
Notifications can be enabled or disabled via project creation form, or via project update form.
The following events can be enabled on a per-project basis:
Email Project Team on:
New Critical Vulnerability
New High Vulnerability
New Medium Vulnerability
New Low Vulnerability
New Informational Vulnerability
Email Admins on:
Vulnerability Ready for Retesting
Vulnerability Re-Opened
Vulnerability Closed
We have added ability to download the project scope (assets assigned to a project) in CSV format. This helps testers extract scoping information from AFE more effectively so they can load it in various tools.
You can download the project assets CSV file via the Scope section on your project.
We have added support for uploaded files to vulnerabilities (as evidence) to be included in the project JSON export file. This includes all files, not just images.
This helps to export your evidence into various tools in a consolidated way that can be automated. All files are encoded in Base64, including raw Base64 value and Base64 Data URL.
We have included the following updates to UI/UX in this release:
Updates to Analytics Groups filter when selecting 2 or more groups, a checkbox will now show up with ‘Only Search Projects With Selected Groups Linked To The Project’. If you click the checkbox and run the search, it will filter results based on projects where all of the selected groups are linked. Otherwise, you can continue to use the default search for groups which operates on an Inclusive or basis.
Updates to Security Code form when logging in, to include OTP input box (instead of standard input box used previously). You can also use the keyboard Enter button to select Sign in with Mobile button (instead of having to click it with mouse).
Updates to Project Scope field when creating a project, to make it a text area. This allows you to enter in multiple assets via comma-separated values, which is easier and faster when dealing with large groups of assets.
We have released a Self-Service API for AFE. This API aims to provide you with more flexible and powerful ways of interacting with AFE.
It utilises static API keys which are assigned to individual users and can be used in scripts, batch jobs, cURL requests, or other ways - to help with:
Creating custom dashboards & analytics with the information you or your organisation needs, at any time
Creating custom queries for projects, vulnerabilities, testcases, etc.
Simplifying workflows for creating projects, requesting & approving projects, etc. initiated from your own tools/platforms
Providing hooks into upstream & downstream pentesting flows, and integrations into Enterprise eco-system
Creating service accounts with limited functionality to perform specific tasks only
In this release we have included thirteen (13) API methods – with more planned for future releases.
Access to each method for every user is managed and controlled by Administrators via Users module. By default, users have no access to the Self-Service API. This must be enabled by an Admin for a given user, including scope of methods allowed for the user.
Every method has detailed documentation page which includes information & examples for all parameters (optional & mandatory); URL for each method; example cURL requests & example server responses.
The Self-Service API can be accessed from the global navigation menu by clicking on Self-Service API module.
getVulnerabilities - this method allows user to get all vulnerabilities in the system, that user has access to. It includes detailed information for every vulnerability, and optional filters to narrow results.
getProjects - this method allows user to get all projects in the system, that the user has access to. It includes detailed information for every project, and optional filters to narrow results.
getProjectById - this method allows user to get detailed information for a given project that the user has access to.
getProjectVulnerabilitiesById - this method allows user to get detailed information for all vulnerabilities on a given project that the user has access to, and optional filters to narrow results.
getVulnerabilityById - this method allows user to get detailed information for a vulnerability that the user has access to.
getVulnerabilitiesByAssetName - this method allows user to get detailed information for all vulnerabilities which match specified asset name, that the user has access to, and optional filters to narrow results.
getProjectTestcasesById - this method allows user to get detailed information for all project testcases for a given project that the user has access to, and optional filters to narrow results.
getMostVulnerableAssets - this method allows user to get statistics on the Most Vulnerable Assets that the user has access to, and optional filters to narrow results.
getMostCommonVulnerabilities - this method allows user to get statistics on the Most Common Vulnerabilities that the user has access to, and optional filters to narrow results.
getMostFailedTestcases - this method allows user to get statistics on the Most Failed Testcases that the user has access to, and optional filters to narrow results.
createProject - this method allows user to create a new project in the system.
updateProjectById - this method allows user to update any project in the system.
inviteUserToProjectById - this method allows user to invite another user to a given project and specify their privileges/access on that project.
We have updated a number of core framework modules to the latest stable versions.
This will help to ensure stability, performance, reliability, security & robustness of the overall solution.
We have addressed a number of bugs in the reports which affected visual representation of certain sections or text.
We have also addressed a bug in the test cases where under certain circumstances, the counter on the project dashboard would not update accordingly to changes made to the test cases.
We had previously addressed an issue where customers had experienced data loss during session timeout on creating or updating a vulnerability on a project.
We have now extended this to include the Vulnerability Library.
Now when you are entering or updating an issue in the Vulnerability Library, your session will remain active until you either navigate away or log out.
Session’s will timeout as per normal on all other screens, with exception of Add/Edit project vulnerability (see previous release notes).
We have updated the AttackForge Enterprise Connector to be compatible with the following tools / platforms.
This makes it easier and faster to import data from your favourite tools into AttackForge; or to export data from your AttackForge projects into other tools / platforms.
Qualys
OpenVAS
OWASP Zed Attack Proxy
We have updated the PDF, DOCX and HTML reports to address a number of issues & bugs, namely:
Performance updates to increase speed of report generation
Increased robustness of reports to effectively handle large projects with many thousands of issues/findings
Improved translation from HTML to Plain-Text for the Steps to Reproduce / POC, providing more consistent results
Addressed a number of bugs with regards to visual representation of reports
We have added support to provide Admin users with the ability to securely delete all data related to a project from the database, uploads & logs.
This allows you to ensure that any sensitive projects can be sanitized and securely removed. Note the records will exist in any prior backups taken.
In order to perform a secure delete, you must first Archive a project. From the Archived Projects tab (in Projects module), you can use the item menu to select from the following options. You will be prompted to confirm and authorise the action.
Destroy Project Data (Keep Logs)
This option will delete all project data from the database & uploads, however will maintain the logs (which are available to Admins via Users module)
A new record will be created in the logs for the user, indicating the project ID & name that was deleted (for auditing & security)
Destroy Project Data (& Logs)
This option will delete all project data from the database, uploads & logs.
A new record will be created in the logs for the user, indicating the project ID & name that was deleted (for auditing & security)
IMPORTANT: This feature is disabled by default for security reasons. The buttons will appear however will not work. This can only be enabled by request to AttackForge team.
We have added support for CVSS 3.1 as an alternative scoring system for vulnerabilities on projects. This aligns with industry best practices and helps you to enforce a more consistent approach to determining issue Priority and Likelihood of Exploitation.
When using CVSS scoring system, you only need to click the buttons which apply to the issue you have discovered. The Priority and Likelihood of Exploitation will automatically update based on your selection.
Note the CVSS Vector will automatically be added to the Tags section and updated with each change in scoring.
To access this scoring system - when creating a new project, you will now see a drop-down menu allowing you to select the scoring system. By default, CVSS 3.1 is selected, however you can still access the previous scoring system by selecting Manual.
You can toggle between scoring systems for a project at any time by Editing the project and selecting the new scoring system.
We have updated the Analytics module to provide you with even better discovery & analysis of your vulnerabilities and pentesting data.
This will help to identify trends and problem areas and provide better tracking of progress on remediation activities.
Analytics can also be filtered across Dates & Groups, so you have greater control over the time periods and business functions which are relevant to you & your reporting.
You can also drill-down on any of the metrics, to identify root cause.
The newly added areas to Analytics include:
Total Projects
Total Assets
Assets with Open Critical Vulnerabilities
Assets with Open High Vulnerabilities
Critical & Open Vulnerabilities <30 Days, <60Days, <90 Days
High & Open Vulnerabilities <30 Days, <60Days, <90 Days
Mean-Time-To-Remediate (MTTR) for Critical Vulnerabilities
Mean-Time-To-Remediate (MTTR) for High Vulnerabilities
Top 10 Most Vulnerable Assets
We have added support to match existing issues from API & Connector imports to relevant issues in the Vulnerability Library.
This allows you to:
Import findings from various sources, via API or Connector
For any newly created issues in the library during the import process, you can now freely make relevant changes to the text for those issues in the library – and have this reflected back on subsequent imports
On the next import which has same issue details, they will be automatically linked to the updated versions in the library
This will save you time & effort from having to modify the descriptions, attack scenarios & recommendations every time you run an import.
For example, if you import a Nessus scan with the issue ‘SSL Certificate Expiry’ – on the first import, if it does not exist in the library - it will create the issue for you.
Then you can make changes to the issue in the library, for example change the title to ‘Expired SSL Certificate In Use’.
Next time you import a Nessus scan and it has SSL Certificate Expiry which is the same as before, it will be automatically linked to the updated issue in the library Expired SSL Certificate In Use.
You can now filter the Schedule / Calendar by users, in addition to by projects – allowing you to be more effective when planning resources on upcoming pentests.
You can see which projects that users/pentesters are assigned to for any given day/week/month and determine which users/pentesters are heavily utilized - or have capacity for projects.
You can compare multiple users at the same time, to get a clearer picture of the team’s overall capacity and availability.
We have added support for AF Connector for the majority of common browsers, including Chrome, Firefox, Safari and Edge. This ensures you can access import & export functionality in your native browser, without having to rely solely on Chrome.
We have also made minor UI updates for error handling, and also to display statistics on a successful import operation.
NOTE: BURP import is not supported in Firefox & Edge at the moment, due to Firefox and Edge not supporting native XML v1.1 parser (which is required by BURP XML exports).
We have added a new workflow which allows you to make changes to multiple vulnerabilities on a project, one-after-another, all from a single screen.
This makes it easier and faster to perform QA on vulnerabilities, and review & make changes without losing track.
This option lets you update each issue and move on to the next one, or you can traverse through the issues using the Previous and Next buttons until you find the one(s) you want to update.
You can access this workflow by selecting multiple vulnerabilities on the project and using the page menu to select ‘Update Selected Vulnerabilities (Individually)’.
We have kept the alternate workflow, Update Selected Vulnerabilities (All)’, which allows you to make bulk updates to vulnerabilities in one go.
This is useful when you need to update the details for all issues at the same time, for example update the POC for all selected issues.
We have added support to re-assign affected assets for existing vulnerabilities on a project. If you have created a vulnerability against an incorrect asset, you can now update the affected asset to the correct value.
This can be performed on an individual vulnerability, or you can also perform mass-updates to multiple vulnerabilities at the same time.
We have added support for the following meta tags in the Executive Summary Notes section of the reports. This will make it faster to reference the project’s details without having the look them up – or worry about making changes retrospectively if the project details are updated.
{{{projectName}}} – will display project’s name
{{{projectCode}}} – will display project code
{{{projectStart}}} – will display project start date
{{{projectEnd}}} – will display project end date
You can now import vulnerabilities from Nessus and BURP export formats (.nessus & .xml) to a given project via AttackForge Connector.
This makes it fast & easy to add multiple vulnerabilities from scanners, in a matter of minutes.
Importing vulnerabilities is easy – simply download the Enterprise Connector from the module in AttackForge, open the HTML file and follow the steps.
You can select all vulnerabilities to import or adjust your selection by ratings (Critical/High/Medium/Low/Info). You can also individually select the issues you want to import.
We are currently working on other integrations for AttackForge Connector with customer-requested tools and platforms – watch this space!
You can now directly import vulnerabilities for a given project via AttackForge API.
This allows you to directly feed vulnerability data into your project, from various sources - including tools, scripts, or adding historical data.
All details on how to access the API, including sample working cURL requests, can be found from your project menu by selecting Import Vulnerabilities.
Only users with Edit access to a project, or Administrators, can access this API.
To help save you time & effort – if you import a vulnerability which does not already exist in your library, or if the affected asset does not already exist on your project – it will automatically create these for you.
If the issue exists in the library, or if the asset exists on the project – it will automatically link these to your vulnerability that you are importing.
You can also use this API for bulk imports on projects.
Every project now has a daily tracker which shows you how many vulnerabilities were discovered each day on the project, and how many testcases were actioned.
You can click on the items to drill-down and see the corresponding details.
We have also included the history for all project On-Hold & Off-Hold notices, which are also included within the daily tracker.
Each notice includes the status (On-Hold or Off-Hold), the reason/explanation, and date/time stamp.
You can access the daily tracker from the Project Dashboard by clicking on Tracker button, or via the Schedule by clicking on the project name.
When you place a project On-Hold or Off-Hold, you are required to enter an explanation which is sent to all project team members by email – to inform all stakeholders why the project is On-Hold or Off-Hold.
If a project is On-Hold, an alert box is displayed at the top of the project dashboard to inform project team members of the issue and when it was raised.
In addition, the global dashboard now displays details for Projects On-Hold – to help inform you & stakeholders of issues affecting projects as soon as you log in to AttackForge.
We have addressed an issue where customers had experienced data loss during session timeout on Creating or Updating a vulnerability.
Now when you are on these screens, your session will remain active until you either navigate away or log out.
Session’s will timeout as per normal on all other screens.
Tags have been added to the Vulnerability Library to help you with searching the library more efficiently & effectively.
AttackForge Connector is our tool that allows you to export findings from AFE into other industry leading tools.
It works with AFE JSON files which can be exported from your projects.
It’s client-side & self-contained HTML file – so no install is required. It can be downloaded within AFE from ‘Connector’ module.
Currently AttackForge Connector supports the following tools, however we have many tools planned for integration in upcoming releases:
JIRA Cloud
ServiceNow
Kenna Security
AttackForge Connector aims to become our gateway product for bi-directional data integration between AttackForge and other tools & platforms.
AttackForge Connector works as follows:
Log in to AttackForge and download JSON report for the project/vulnerabilities you wish to export + AttackForge Connector file (from Connector module).
Open the AttackForge Connector HTML file and select the JSON file to upload.
Select the vulnerabilities you wish to export.
Select the tool which you would like to export selected vulnerabilities to.
Fill in export details for your tool.
Click submit. Vulnerabilities should be exported directly to the tool.
NOTE: Due to strict CORS security settings set by JIRA, ServiceNow & Kenna Security – direct exports from browser to the tools is not allowed (denied by browser) for security reasons.
Therefore, all export requests are routed via AttackForge proxy infrastructure to comply with CORS security settings set by the tools.
Please let us know if you would like us to help you configure AttackForge Connector to utilise your own proxy service.
You can now export project vulnerability reports in JSON format (in addition to PDF, DOCX, HTML & CSV).
JSON reports contain all the information which is currently provided in the standard reports. You can customise content of the JSON report based on your Report Settings.
JSON reports can be used to integrate AFE findings into your own existing reporting templates.
JSON reports can also be used to export AFE findings into other systems via AttackForge Connector, or via direct feeds into other tools.
We have now included 2 additional appendices within the vulnerability reports, to help provide a snapshot of affected systems and their remediation status.
Vulnerability-to-Asset Mappings: a list of all vulnerabilities and the assets/systems affected by that vulnerability (including remediation status)
Asset-to-Vulnerability Mappings: a list of all assets and the vulnerabilities affecting each asset (including remediation status)
We have addressed a number of bugs (particularly in the PDF reports) and well as made performance optimizations (for page load times and reporting speeds) - to help improve user experience.
You can now link users to Groups. This will make it easier to manage visibility, collaboration and access to projects as your security & penetration testing program grows. For example:
You can add management and executives to their related Groups so they can track performance and view analytics across their business units.
You can add technology and engineering teams to their related Groups so they always have visibility of issues/vulnerabilities arising on their systems.
You can add pentesters & security teams to their related Groups to ensure they always get the right access to new projects for delivery.
A few notes on how Group Membership works:
Users can belong to one or more groups.
When adding a user to a group, the user will automatically receive access to all projects that the group already has access to, and to any new projects which are created and also linked to the group.
You can set the default access level/permissions for projects when adding the user to the group, and you can update this at any time. Any updates will apply to all projects linked to the group.
When a user is removed from a group, their access to all projects which are linked to the group is also removed.
When a project is added to a group, all group members will receive access according to their group default settings.
When a project is removed from a group, access to all group members is also removed.
You can still update a user’s access to an individual project at any time – for example a user might have View access to a Group, however can have Upload/Edit access to a specific project on that group; or can be removed from a specific project.
You can still invite users to individual projects and manage their access as per normal.
You can access Group Membership from Groups --> Group --> Users; or from Users --> [Manage Access to Groups] or [Grant Access to Groups]