2024

2024-01-31

Asset Libraries

You can now use Asset Libraries to manage your assets better!

Asset libraries will help you to:

  • Group and manage assets across different teams, technologies, products, customers, business units, networks or compliance;

  • Control who can see assets, and which assets they can see;

  • Manage who can create and modify assets;

  • Assign assets to many groups for better tracking and de-duplication;

You can view your asset libraries directly from the Assets module:

Take advantage of libraries when adding scope to a project:

Control which libraries get used when importing vulnerabilities:

Assign libraries when importing assets:

Asset libraries can be configured from the Administration module.

Assets can belong to one or more libraries, which lets access to or ownership of an asset be shared between libraries and reduces asset duplication.

Assets are unique to each library.

Asset libraries can have access controls to manage who can view or edit the assets.

Access controls can be applied to:

  • Application Roles

  • Groups

  • Users

Access to libraries can be assigned with either View or Edit privileges.

Users with View access to an asset library will be able to see the assets in that library, and any vulnerabilities on those assets to which the user already has access via their projects.

Users with Edit access to an asset library will be able to create assets in that library and make changes to any asset in that library, including the ability to archive the asset or link it to additional asset libraries.
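To make the View/Edit rules above concrete, here is an added example (not AttackForge code) that models them in Python. The dataclasses, the grant keys, the helper names and every user, library, asset and finding in it are assumptions constructed for illustration. It exercises the two points worth checking in your own tenant: an asset that sits in several libraries is visible through whichever library grants access, and library access alone never exposes a vulnerability unless the user is also on that project.

```python
"""Illustrative model of the asset-library access rules described above.

Added example, not AttackForge code: the dataclasses, the grant keys
("user"/"group"/"role", name) and the helper names are assumptions
made so the rules can be exercised end to end on constructed data.
"""
from dataclasses import dataclass, field

VIEW, EDIT = "view", "edit"


@dataclass(frozen=True)
class User:
    name: str
    role: str                      # application role
    groups: frozenset = frozenset()
    projects: frozenset = frozenset()


@dataclass
class Library:
    name: str
    # principal -> privilege; principals are (kind, name) with kind in user/group/role
    grants: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Asset:
    name: str
    libraries: frozenset           # an asset may sit in several libraries


@dataclass(frozen=True)
class Vulnerability:
    title: str
    asset: str
    project: str


def library_privilege(user, lib):
    """Highest privilege the user holds on one library via a user, group or role grant."""
    principals = [("user", user.name), ("role", user.role)]
    principals += [("group", g) for g in user.groups]
    levels = {lib.grants[p] for p in principals if p in lib.grants}
    if EDIT in levels:
        return EDIT
    if VIEW in levels:
        return VIEW
    return None


def can_view_asset(user, asset, libraries):
    """Membership in several libraries shares access: View (or Edit) on any one is enough."""
    return any(library_privilege(user, libraries[name]) is not None for name in asset.libraries)


def can_edit_asset(user, asset, libraries):
    """Edit on any library the asset belongs to allows changing, archiving or linking it."""
    return any(library_privilege(user, libraries[name]) == EDIT for name in asset.libraries)


def can_view_vulnerability(user, vuln, assets, libraries):
    """Library access is necessary but not sufficient: the user must also be on the project."""
    return can_view_asset(user, assets[vuln.asset], libraries) and vuln.project in user.projects


# Constructed sample data (assumed names, not real tenants or findings)
LIBRARIES = {
    "Retail": Library("Retail", {("group", "retail-pentest"): EDIT, ("role", "Customer"): VIEW}),
    "Shared-Infra": Library("Shared-Infra", {("user", "dana"): VIEW}),
}
ASSETS = {
    "shop.example.com": Asset("shop.example.com", frozenset({"Retail", "Shared-Infra"})),
    "db01.internal": Asset("db01.internal", frozenset({"Shared-Infra"})),
}
VULNS = {
    "v1": Vulnerability("Reflected XSS on /search", "shop.example.com", "PRJ-42"),
    "v2": Vulnerability("Weak TLS configuration", "shop.example.com", "PRJ-43"),
}
BOB = User("bob", "Pentester", groups=frozenset({"retail-pentest"}), projects=frozenset({"PRJ-42", "PRJ-43"}))
DANA = User("dana", "Pentester")                      # only a direct View grant on Shared-Infra
ACME = User("acme-ciso", "Customer", projects=frozenset({"PRJ-42"}))


def visibility_report(user):
    """Return which assets and vulnerabilities a user can see or edit."""
    return {
        "view_assets": sorted(a for a in ASSETS if can_view_asset(user, ASSETS[a], LIBRARIES)),
        "edit_assets": sorted(a for a in ASSETS if can_edit_asset(user, ASSETS[a], LIBRARIES)),
        "view_vulns": sorted(v for v in VULNS if can_view_vulnerability(user, VULNS[v], ASSETS, LIBRARIES)),
    }


if __name__ == "__main__":
    for u in (BOB, DANA, ACME):
        print(u.name, visibility_report(u))
```

Note the asymmetry in the sample data: dana can see shop.example.com through Shared-Infra even though she has no grant on Retail, yet she sees none of its findings because she is on no project; the customer role sees the asset and only the PRJ-42 finding.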

Bulk actions can be used to (re)assign assets to libraries in bulk.

You can now also import assets from CSV and JSON formats – making it even easier to bring existing assets into AttackForge!

For more details, please visit https://support.attackforge.com/attackforge-enterprise/modules/assets

Portfolios Enhancements

You can now provide access to Portfolios and Streams for:

  • Your customers;

  • Your engineering teams and product owners;

  • Your security, risk and compliance teams;

  • Your business management and senior leadership;

  • Your external auditors and 3rd parties;

This makes it possible to have custom dashboards which are relevant and tailored to your stakeholders, which they can now access.

Access can be granted to the entire Portfolio, or to individual Streams. This enforces need-to-know.

Users will only see project, vulnerability and asset related data which is relevant to their existing projects.

Users will not be able to see project, vulnerability and asset data for which they do not already have access.

We have also enriched the data available for projects, vulnerabilities and assets.

Users can also configure their own table preferences to consume the data the way they prefer.

ReportGen v2.9

We have just released another massive update for AttackForge ReportGen: The ultimate pentest reporting tool!

This release includes three (3) new functions; one (1) new style; and access to user profile data in reports!

You can use this new function to construct hyperlinks in your reports.

Hyperlinks can be built from project data (for example, the scope), entered manually, or derived from the values of other variables.

For more information on how to use this function, visit this link.

This release introduces support for hyperlinks for rich-text fields. We have also released a new style which allows you to independently set the style for hyperlinks contained within the styled tags. You can apply this style to any of the {@..._styled} fields.

For more information on how to use this style, visit this link.

New Function: $comment

You can use this new function to include comments in your template which do not get shown in the report.

This can be useful to help with adding explanations and also debugging.

For more information on how to use this function, visit this link.

New Function: $multiply

You can use this new function to multiply a variable which has a numeric value.

For more information on how to use this function, visit this link.

User Profiles Now Available

You can now include user profile information in your reports for each team member on the project.

For examples how to include this information in your reports, visit this link.

Updated Testing Methodologies and Vulnerability Libraries

We have updated to the latest version of the MITRE ATT&CK framework, which you can now easily import into your Test Suites.

  • MITRE ATT&CK Enterprise Version 14.1

  • MITRE ATT&CK Mobile Version 14.1

  • MITRE ATT&CK ICS Version 14.1

To get started, head over to https://github.com/AttackForge/TestSuites

Download the relevant methodologies and follow the guide to import them into your Test Suites.

We have also updated to the latest version of MITRE CWE and MITRE CAPEC, which you can now easily import into your Writeups.

  • MITRE CWE Version 4.13

  • MITRE CAPEC Version 3.9

To get started, head over to https://github.com/AttackForge/Writeups

Download the relevant vulnerability libraries and follow the guide to import them into your Writeups.

Report Locking

You can now control when reports are available for download on any given project.

This is particularly useful if you want to restrict your customers from generating reports until a point in time on the project, for example when testing is completed or when QA has finished.

When creating or updating a project, you can now configure the minimum Access Level required on the project in order to generate reports.

Custom Project Roles

You can now configure custom project roles which can be assigned to any project team member.

This is particularly useful if you want to create roles which align with your internal operating processes.

These roles can be reflected in emails, reports and in automations and integrations.

These roles are not used for access control.

You can manage the project roles from Administration -> Projects -> Fields -> Team Members.

Custom System Email Notifications

You can now configure and personalize every system email!

You can independently for each system email notification:

  • Enable or Disable the email notification;

  • Configure a custom Subject with HTML and {metatags} support

  • Configure a custom Body with HTML and {metatags} support

You can manage the email notifications from Administration -> Notifications.

For a full list of {metatags} supported – please visit this link.

Custom Report Names

You can now configure the custom report name for all of your downloaded reports.

This configuration option also supports {metatags}.

You can update your report name from Administration -> Reporting -> Report Name.

Manage User Roles via SSO Groups

For SSO users – you can now opt into managing application user roles via SSO groups.

This ensures that every time an SSO user logs in, their application user role will be automatically updated to match their expected role via the mappings.

This makes it easier for AttackForge Administrators managing tenants with hundreds or thousands of users.

It also helps to comply with internal policies for privileged access management.

You can opt into this setting from Administration -> Users -> Manage Application User Roles via SSO Groups.
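The following is an added example (not AttackForge's implementation) of the behaviour this setting implies: the stored role is recomputed from the IdP's group claims on every login, so both promotions and removals from a privileged group take effect at the next sign-in. The group-to-role mapping, the role precedence order, the fallback role and the user record shape are all assumptions.

```python
"""Illustrative reconciliation of an application user role from SSO group claims at login.

Added example, not AttackForge's implementation. The group-to-role mapping,
the role precedence order and the fallback role are assumptions chosen to
show the behaviour the setting implies: the stored role is recomputed on
every login, so removing someone from a privileged group takes effect the
next time they sign in.
"""

# Most privileged first. Assumed role names; adjust to the tenant's own roles.
ROLE_PRECEDENCE = ["Administrator", "Pentester", "Customer"]

# Assumed IdP group names -> application role.
GROUP_TO_ROLE = {
    "af-administrators": "Administrator",
    "af-pentesters": "Pentester",
    "af-customers": "Customer",
}

# Assumed policy: a user whose groups match nothing gets the least-privileged role.
FALLBACK_ROLE = ROLE_PRECEDENCE[-1]


def resolve_role(sso_groups):
    """Map the groups asserted by the IdP to exactly one application role.

    Group names are compared case-insensitively after trimming whitespace,
    which is a common source of silent mismatches. When several mapped
    groups match, the most privileged role wins (assumed policy).
    """
    normalized = {g.strip().lower() for g in sso_groups}
    matched = {role for group, role in GROUP_TO_ROLE.items() if group.lower() in normalized}
    for role in ROLE_PRECEDENCE:
        if role in matched:
            return role
    return FALLBACK_ROLE


def reconcile_on_login(user_record, sso_groups):
    """Overwrite the stored role with the mapped one and return an audit event.

    `user_record` is an assumed dict with at least "username" and "role".
    Both upgrades and downgrades are applied; the event lets you log them.
    """
    old_role = user_record.get("role")
    new_role = resolve_role(sso_groups)
    user_record["role"] = new_role
    return {
        "username": user_record["username"],
        "old_role": old_role,
        "new_role": new_role,
        "changed": old_role != new_role,
    }


if __name__ == "__main__":
    # Constructed scenario: a former administrator whose admin group was removed in the IdP.
    record = {"username": "maria", "role": "Administrator"}
    print(reconcile_on_login(record, ["AF-Pentesters ", "all-staff"]))
```

The fallback to the least-privileged role when no mapped group is present is the choice to get right before enabling this: if the IdP omits group claims for a user, or the mapping is misconfigured, the safe outcome is a downgrade that someone notices, not a silently retained administrator role.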

UX Enhancements

Inline vulnerability view on tables

When viewing vulnerabilities in a table, you can now preview the vulnerability without having to navigate away.

To do so, click on the eye icon next to the vulnerability name.

Retest rounds now show on schedules

Retest rounds now have an optional end date and will now also show on your global and project schedules.

Hyperlinks in rich-text fields

Rich-text fields now support an option to include hyperlinks. These hyperlinks will also automatically show in reports for any ‘_styled’ fields.

Warnings to help prevent data loss

We have added warnings when you have data entered into a form and try navigating away, or when you try to close a popup window with data.

This UX improvement will help to prevent any accidental data loss on common user actions.

Wider, taller and draggable form fields

We have reviewed all forms within AttackForge and where needed we have made fields wider and taller.

We have also enabled rich-text fields to have a draggable, adjustable height.

Set custom error message for blocked accounts

You can now configure a custom error message for blocked accounts.

This is useful if you have company-specific instructions on the account reactivation process that you want to show to blocked users.

Bulk add tags on grouped assets

You can now bulk add tags to grouped assets when working on vulnerabilities.

Bulk overwrite on vulnerabilities now supports mixed asset selections

You can now perform bulk overwrite actions on vulnerability selections with mixed asset types i.e. individual or grouped assets.

Hovering on project name shows full name

We made adjustments to show more information when hovering on data, including on the project name.

Linking Vulnerabilities to Test Cases

You can now link vulnerabilities to test cases directly from the test cases.

This makes it easier to fail test cases in bulk, and to show a direct correlation between testing and findings.

Importing Vulnerabilities

We added support for Nuclei Scanner and Acunetix 360 when importing vulnerabilities on a project.

Updates to Self-Service API

We made updates to the Invite User To Project and Invite Users To Project Team RESTful API endpoints to include additional fields.

We also added support for Asset Libraries for all of the relevant RESTful APIs.

Video Tutorials

Introduction to AttackForge and On-Demand Trial Environments

We recently released a new trial service for AttackForge – https://try.attackforge.io – which allows people to deploy a dedicated, on-demand private tenant of AttackForge with just their email address. The entire process takes less than two minutes from signup to deployment!

We created a short video to demonstrate this process for deploying new trial environments, as well as a brief introduction to AttackForge.

This video might be useful to you if:

  • You need access to on-demand non-production AttackForge tenants for testing configuration, integrations or scripts;

  • You want to access the newest features in an environment that is already configured with optimal settings for the latest features;

  • You want your customers or users to get a preview for what the AttackForge application is about and key workflows, prior to interacting with your own AttackForge.

The video is available on YouTube:

Pentest Report Automation with AttackForge

We created a short video to demonstrate how to set up an automation for PDF report generation and delivery to customers.

This video might be useful to you if:

  • You need to send encrypted PDF reports to your customers via email and programmatically;

  • You are interested in exploring automations in AttackForge;

  • You are interested in how custom fields can be used to enforce custom workflows.

The video is available on YouTube:

Red Teaming with AttackForge

We created a short video to demonstrate how to do Red Teaming in AttackForge.

This video might be useful to you if:

  • You are considering starting to perform Red Team assessments in AttackForge;

  • You are already performing Red Teaming in AttackForge.

The video is available on YouTube:


Check YouTube for more tutorials: https://youtube.com/@attackforge