2024
15 November 2024
Powered-up Project Forms!
Suggested Values
We've extended AFScript to Project Form Fields!
This means you can now suggest values (and soon automatically set values) using AFScript.
For example, you can:
Suggest a project or vulnerability code based on your own algorithm
Suggest a project budget based on the testing types
Apply logic to your custom fields
To get started, head over to Administration -> Projects and click on Configure for the Suggested Value on the field:
Then add your code based on how you want your field to suggest its value.
TIP: You can modify the test context and run your code to make sure it's working as expected 😊
Configure Sections, Re-order Your Form!
You can now configure sections and re-order all fields on the project form.
This provides the ultimate flexibility 🧙 with how you want and need your forms to look.
TIP: Use Hide Expressions to make your fields and sections conditionally display or hide based on your needs
Vulnerability Code Limits Removed
We have removed the character limitations on the vulnerability code field, providing you with freedom to create however long or short vulnerability codes you need!
Exciting UX Improvements
New Modal Experience for Writeups
At AttackForge, we're on a mission to make your daily tasks as easy as they can get.
Creating and editing Writeups on Vulnerabilities should be effortless. And we've made it so!
Now when interacting with a Writeup on a Vulnerability, you will get a new modal experience. This makes it easier to make your changes and go straight back to finishing your vulnerability.
We've also made it possible to duplicate a Writeup and select the destination library in one action - saving time and effort!
Inline Code Snippets
We've added support for inline code snippets in the rich-text fields.
The inline code will automatically show in your reports, however you can set a custom style if preferred.
COMING SOON! More options to style your data in rich-text fields
Sessions No Longer Timeout When Actively Entering Data
As the title says ☝️😉
Better Management of Select Field Options
We've re-designed the way options are created and managed in Select and Multi-Select custom fields.
We've also removed the limitation in the user interface for how many options can be set and configured.
Asset ID Now In Tables and CSV Export
You can now copy and filter Asset Ids in the table, and also export Asset Ids in the CSV.
Assets Module - Uncatalogued Assets
If you're using the Assets Module then you're going to enjoy this.
Previously you could set custom access controls for your Catalogued Assets - assets which belong to libraries. We've now extended the ability to set access controls to Uncatalogued Assets too!
You have full control over who can, and cannot, view, create and edit uncatalogued assets.
Improvements to AFScript
Not only did we extend the use of AFScript, but we also added support for even more built-in libraries and functions! 💪
This creates even more possibilities for how you might want to create your own logic in AttackForge!
Enhancements to Self-Service APIs
We're always improving our Self-Service APIs to make automations and integrations even easier!
New Events:
Project Retest Requested
Project Retest Completed
Project Retest Cancelled
New RESTful endpoints:
Create Portfolio
Update Portfolio
Archive Portfolio
Download Vulnerability Library (Writeup) File
Updates to REST endpoints:
All Get Vulnerability related endpoints - now return vulnerability_library_files
All Writeup related endpoints - now return files
Have you tried our Events API yet? It's perfect for real-time integrations with your scanners, ticketing tools, analytics and data lakes.
Improvements to ReportGen
We've improved pie charts in reports to better handle labels.
Labels will now automatically resize to make sure they are always visible and legible.
We've also added new support for custom inline code styles.
24 September 2024
Introducing AFScript - Your Custom-Code Powerhouse!
We're excited to announce AFScript - an interpreted programming language built by the engineering wizards 🧙 at AttackForge, to help you customize and personalize YOUR AttackForge even more! 💪
AFScript can help you in many different ways:
Changing application logic to better align with your preferred workflows.
Driving new behaviour in forms and their respective sections and fields.
Creating in-app automations for your projects, vulnerabilities, assets and more.
Applying pre-and-post data transformations when saving, updating or exporting data.
Building bespoke dashboards and analytics that matter to you.
AFScript is the next generation in empowerment for AttackForge customers. It comes off the back of the successes we’ve had with Hide Expressions (custom fields and sections, vulnerability SLAs, custom vulnerability parsing) and Filter Expressions (custom emails, APIs) which have provided customers with ways to make AttackForge their own.
We built AFScript to provide a safe and secure path to apply your own code to your AttackForge application, in a performant manner and without creating any security holes.
Importantly, AFScript code is interpreted by AttackForge rather than executed as native code - for peace of mind.
The language was built to look-and-feel like JavaScript to make it familiar and easy to use for security teams, pentesters and software engineers.
It comes with a modern and optimized code editor similar to VS Code, making it familiar and effortless to write powerful scripts.
In this release, you can use AFScript to change the logic for how project status is calculated.
Some examples you can consider:
For more information on AFScript, how it works and how to use it - please visit our Support Centre
Custom Views for Tables
We've added support for our tables to allow you to save your favourite and frequently used table views!
You can now easily configure and switch between different views providing flexibility in how you want to see your data.
Each view is saved against your own personal user settings, so you can tailor each view to exactly how you want it.
And best of all - you can create as many views as you need!
Each view is unique. You can save the following information and table state for each view:
Table filters
Column visibility
Column filters
Column ordering
Column sorting
Column locking
Column features
Table scroll
Every view gets its own name. You can also duplicate views to create similar ways of seeing your data.
We also support re-ordering your views, making it easy to switch between frequently accessed data.
Custom views have already made their way to Projects, and will be rolling out across the app to other tables in the coming weeks.
UX Improvements
We've added support for indented lists! Yes, we should have had it a long time ago. We know. Be glad it's here now and supported in your reports too! 😊
Infinite scroll was causing you pain? Yeah, we didn't really like it much either. We've now changed it so you have a better experience scrolling those longggg lists 😎
We also combined the selection of the Writeups library and Writeup itself into a single form field, making it easier to search and select your Writeups in one place!
We've added a new email tag to help admins know who invited a user to AttackForge. For more info visit Notifications.
We've also added support for a custom informational message on the Visibility field when creating or updating vulnerabilities. This lets you give your testers your own guidance on when to set vulnerabilities as visible or as pending.
You can now also set a default value for the project code field on project requests.
ReportGen Improvements
ReportGen v2.10.7 is out! 🚀
Along with this update, you now get:
Support for indented ordered and unordered lists.
Support for Dynamic Variable Names when using the $declare, $push and $value functions.
We've added Assigned Assets and Assigned User as additional data points you can now access on all Test Cases.
We fixed an annoying bug that may have caused your report to show a 'Broken XML' error message in Word when opened under certain conditions.
Improved Logging
Let's face it. Logs are important. So we improved our logging to give you even more information!
Now you can extract the following information for every API request!
HTTP method
URL
Request path
Request query parameters
Request body
API endpoint name
HTTP status code
User Id
Project Id
Source IP address
Event details
Timestamp
Logs are available in-app and via the Self-Service APIs.
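As an added example (not AttackForge's own code), here is detection logic a SOC might run over request logs exported with the fields above. It assumes each record is a dict with one key per field; the key names, the endpoint paths and every sample record are constructed for this example. Two rules are applied: a user whose 403 responses span many distinct project ids inside a short window (authorisation probing), and a source IP producing many 401 responses inside a short window (credential guessing).

```python
"""Detection logic over AttackForge-style API request logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
WINDOW = timedelta(minutes=5)
BASE = datetime(2024, 9, 24, 10, 0, 0)  # constructed start time for the samples


def _rec(offset_s, status, user, project, ip, endpoint):
    """Build one constructed log record, offset_s seconds after BASE.

    The key names and the /api/ss/... paths are assumptions for this example.
    """
    path = f"/api/ss/{endpoint}"
    return {
        "method": "GET",
        "url": f"https://attackforge.example{path}",
        "path": path,
        "query": {},
        "body": None,
        "endpoint": endpoint,
        "status": status,
        "user_id": user,
        "project_id": project,
        "source_ip": ip,
        "event": "api_request",
        "timestamp": (BASE + timedelta(seconds=offset_s)).strftime(TS_FORMAT),
    }


# Constructed samples: u-42 walks six project ids and is refused every time,
# then legitimately reads its own project; u-7 trips a single 403 (noise);
# 198.51.100.9 collects twelve 401s in under two minutes.
SAMPLE_LOGS = (
    [_rec(i * 10, 403, "u-42", str(1000 + i), "203.0.113.7", f"project/{1000 + i}") for i in range(6)]
    + [_rec(120, 200, "u-42", "1000", "203.0.113.7", "project/1000")]
    + [_rec(3600, 403, "u-7", "2001", "198.51.100.20", "project/2001")]
    + [_rec(7200 + i * 10, 401, None, None, "198.51.100.9", "projects") for i in range(12)]
)


def probing_users(logs, min_projects=5, window=WINDOW):
    """Users whose 403s cover >= min_projects distinct project ids within `window`."""
    by_user = defaultdict(list)
    for rec in logs:
        if rec["status"] == 403 and rec["user_id"] and rec["project_id"]:
            by_user[rec["user_id"]].append(
                (datetime.strptime(rec["timestamp"], TS_FORMAT), rec["project_id"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        live = deque()  # events inside the sliding window
        best = 0
        for ts, project in events:
            live.append((ts, project))
            while ts - live[0][0] > window:
                live.popleft()
            best = max(best, len({p for _, p in live}))
        if best >= min_projects:
            flagged[user] = best
    return flagged


def guessing_ips(logs, min_failures=10, window=WINDOW):
    """Source IPs with >= min_failures 401 responses within `window`."""
    by_ip = defaultdict(list)
    for rec in logs:
        if rec["status"] == 401:
            by_ip[rec["source_ip"]].append(datetime.strptime(rec["timestamp"], TS_FORMAT))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        best = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_failures:
            flagged[ip] = best
    return flagged


def triage(logs):
    """Run both rules and return the findings keyed by rule name."""
    return {"authz_probing": probing_users(logs), "credential_guessing": guessing_ips(logs)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOGS))
```

The thresholds and the five-minute window are starting points to tune against your own tenant's traffic; the value of the per-request fields is that a sweep of project ids by one user, or a burst of 401s from one address, is visible without needing any application-side instrumentation.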
21 August 2024
Enhanced Image Support and File Management
We've introduced better file management and image support! You can now:
Copy and Paste images and files directly from your clipboard into rich-text fields
Drag and Drop images and files directly into rich-text fields or within drop-zones
Upload files at any time - even before saving the form
Preview images and add captions directly within rich-text fields
Expand rich-text fields to full-screen for maximum efficiency
File manager accessible within rich-text fields
Adding images and files from your clipboard or via drag & drop is now a piece of 🍰
You can also upload files now at any time! You no longer need to wait until you have saved the form.
Adding captions is even easier now that you can add them in-line whilst you work.
Need more space to work? You can now expand your rich-text fields to full-width, giving you more space to create or review information.
You now have access to the file manager directly within your rich-text fields. This makes it easy to manage files and images, and insert the ones you need with one-click.
New Pentest Report Template is Out!
We've been working hard behind the scenes improving on the most powerful 💪 reporting engine - ReportGen.
We've just released Pentest Report Template v3.4 (example | template) to help share examples of how you can improve your own reports!
This template takes advantage of many of the new features and capabilities introduced into AttackForge and ReportGen over the past several months.
Pentest Report Template v3.4 includes the following:
New Section: Document Control
New Section: Version Control
Updated: Project Team
Re-designed: Executive Summary
New Section: Background
New Section: Approach
New Section: Methodology
New Section: Out-of-Scope
New Section: Customer Goals
New Section: Testing Team Goals
New Section: Assumptions and Constraints
New Section: Summary of Recommendations
New Section: Positive Security Observations
Re-designed: Retesting History
Updated: Summary of Findings
Re-designed: Vulnerabilities
New Section: Unique Vulnerability Details
Cloud Testing Methodologies Now Available
We have just added five (5) new Cloud Configuration Testing Methodologies.
You can now import any of these methodologies into your Test Suites.
You can download these methodologies from the AttackForge GitHub.
New Custom Time-Based Emails: Writeups
You can now configure Writeups in your custom time-based emails.
This means you can now:
Get an email update daily/weekly on newly created or modified Writeups
Notify maintainers on changed Writeups in a custom library
Get updates on Writeups that meet your specific criteria, even custom fields!
Invite User by Email Address
You can now invite users to AttackForge directly by email address within the Users module. Invited users will receive an email with an activation link which takes them to a page to finish setting up their profile.
Column Freeze on Table Scroll
You can now lock columns as you scroll your tables. This makes it easier to keep the important information always within view. You can also lock multiple columns giving you more control over your tables and data.
Improved Table Custom Fields
We have made significant improvements to table custom fields. You can now:
Click on a table row to view or edit the full data in a modal window
Filter and sort on individual columns
Expand table into a modal window, for advanced filtering and search
Bulk actions when editing table rows
Support for pagination
Exploitability and Custom Tags now Optional
We have made Exploitability and Custom Tags optional fields. You can now switch off these vulnerability fields within Administration -> Vulnerabilities.
View Visible, Pending and All Vulnerabilities
You can now view visible, pending and all vulnerabilities on your project. This makes it easier to view and action all vulnerabilities in a single table.
Access Detailed Asset Information from Vulnerabilities
You can now open the Asset page to access detailed information on assets, directly from your vulnerabilities.
Self-Service API Improvements
We made a bunch of improvements to our Self-Service APIs namely:
Major updates to REST endpoints:
Create Writeup & Update Writeup - we added support for creating and editing Writeups in the Project Library.
All Get Vulnerability APIs - we added support for querying on Pending vulnerabilities.
Have you tried our Events API yet? It's perfect for real-time integrations with your scanners, ticketing tools, analytics and data lakes.
5 July 2024
New Feature: Project Pages
We've introduced a new feature on projects - Pages - which can be used to create, group and manage custom content on your projects.
Pages are a dynamic way to interact with your project teams. Their content can also be used in reports and in the Self-Service APIs.
Here's some examples for how you can use Pages:
Create dedicated places for project teams to enter and track information
Provide additional options for teams to collaborate
Group content into topics
Each page comes with its own access controls to manage who can View, Upload or Edit content on the page.
For this first release, we have made a Summary page available. You can control which sections and fields can be created on this page. Some examples might include:
Customer Goals for the testing team, and Testing Team goals for the customer
Assumptions, Constraints and Limitations
Scope-related notes such as Out-of-Scope
We will be adding more pages in the future to provide even more flexibility on how you can use your projects.
Reporting Enhancements
We have extended the capabilities of the Reporting section on your project.
You can now create custom sections and custom fields to personalize your Reporting data to the project.
Some ideas for sections and fields you can now create:
Project Summary - including Executive Summary, Summary of Recommendations and Positive Security Observations
Testing Overview - including Background, Approach and Methodology
Document Control - including Author(s), Reviewer, Approver and Version History
Don't forget to try Hide Expressions on Custom Fields to tailor your Reporting to the project.
Check out the AttackForge ReportGen site on GitHub for details on how to add these fields to your reports.
Project Features
You can now personalize your project experience even further with Project Features.
Project Features are a new way to help you:
Control when Test Cases are viewable on a project, and by whom.
Determine if Retesting is needed, and who can have access.
Determine if Attack Chains are relevant, and who can have access.
Determine if Reporting is needed, and when Reporting section and downloadable reports are made available.
Every feature comes with access controls for better management of information and workflows
Self-Service API Improvements
We made a bunch of improvements to our Self-Service APIs namely:
New REST endpoint: Create Project Test Case
This endpoint can be used to create dynamic test cases on the project, for example you could import all of the checks that your scanner performed to provide better and programmatic testing coverage
Major updates to REST endpoints:
Update Test Case - we updated this API to provide the full suite of options when it comes to managing your project test cases. You can even insert custom fields on your test cases via the API!
Get Project Test Cases - we updated this API to provide more comprehensive information about the test cases, such as linked vulnerabilities, assignment to project scope, and assignment to tester.
Minor updates to REST endpoints:
Get Project, Get Projects, Get Projects and Vulnerabilities & Get Projects by Group - now supports project_scope_details
Create Vulnerability, Create Vulnerability Bulk, Create Vulnerability With Library - now supports linked_testcases
Update Vulnerability & Update Vulnerability With Library - now supports project_id and linked_testcases
Get Vulnerability, Get Vulnerabilities, Get Vulnerabilities by Group, Get Vulnerabilities by Asset, Get Project Vulnerabilities & Get Projects and Vulnerabilities - now supports vulnerability_testcases
Have you tried our Events API yet? It's perfect for real-time integrations with your scanners, ticketing tools, analytics and data lakes.
UX Improvements
We've added new email notification settings which can be configured to determine who gets notified when Project Requests are either created or updated. You can configure this from Administration -> Notifications -> Project Requests.
We've improved the experience after creating a Vulnerability or a Writeup. You now have options to create another, create and view, or go straight to evidence upload.
We also improved the Administration module navigation experience to make it easier to find the configuration settings you need.
18 June 2024
Customize Vulnerability and Project Colors
You can now customize your vulnerability and project colors!
Personalize your AttackForge and make it your own. Tailor your color scheme to match your identity and messaging.
You can now change the following color options in the Administration module:
Vulnerability priorities
Vulnerability statuses
Project statuses
Project Request statuses
We've also lightened the status colors to blend in better with the rest of the application, and to keep the eyes focused on the most important messages on the page.
Assign Users and Groups to Manage Project Teams
You can now assign users and groups to be responsible for managing access to individual projects.
This can help you to:
Empower customers and engineering teams to provide access to the project and vulnerabilities on a needs basis.
Delegate project team management to persons better suited for the role.
Save time and effort on project team management.
When assigning a user or a group to manage access to the project, you can configure the following:
Access Level Limit: Set the highest level of access the user or group is allowed to assign to project team members.
Add User Method: Configure how project team members can be added - either by selecting an existing user from a drop-down list, or by entering in an email address.
Allow User Invite: Allow user to invite new persons to your AttackForge tenant.
Delegate User Management of Groups
You can now delegate management of your groups to other users and groups.
This can help you to:
Empower customers and engineering teams to manage stakeholder access to relevant projects and project requests.
Delegate security teams to manage groups on a needs basis.
Reduce the burden on application administrators.
When assigning a user or a group to manage access to the group, you can configure the following:
Project Access Level Limit: Set the highest level of access the user or group is allowed to assign for access to the groups' projects.
Project Request Access Level Limit: Set the highest level of access the user or group is allowed to assign for access to the groups' project requests.
Add User Method: Configure how group members can be added - either by selecting an existing user from a drop-down list, or by entering in an email address.
Allow User Invite: Allow user to invite new persons to your AttackForge tenant.
You can now also set None for group members' access to Projects and Project Requests.
Invite Users to Projects, Groups and AttackForge
You can now allow specific users or groups to invite other users to your AttackForge.
This makes it convenient to get access to the right people, quickly and without the need to involve application administrators.
This can help you to:
Empower customers to invite their engineering teams directly to the relevant projects or groups.
Delegate account managers to better manage their customer accounts.
Share vulnerability information faster, to help remediate vulnerabilities sooner.
When combined with the new project team and group membership administration options (above) - this feature provides full autonomy for user management!
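The following is an added example, not AttackForge's own code, showing how the three delegation options above (Access Level Limit, Add User Method, Allow User Invite) behave as a single policy check covering both project-team delegations (one limit) and group delegations (separate limits for projects and project requests). The ranking of access levels, the "dropdown"/"email" method names, the scope names and the sample tenant are assumptions.

```python
"""Policy check for delegated team and group membership management (added example)."""
from dataclasses import dataclass

# Assumed ordering, lowest to highest. The names are the ones this page
# uses for access levels; their ranking here is an assumption.
LEVELS = ["None", "View", "Edit", "Action"]


class DelegationError(PermissionError):
    """A delegate asked for something its delegation does not allow."""


@dataclass(frozen=True)
class Delegation:
    # Highest level the delegate may hand out, per scope. A project-team
    # delegation has one scope ("project"); a group delegation has two
    # ("project" and "project_request"), one per limit configured on the group.
    limits: dict
    add_user_method: str      # "dropdown" (existing users only) or "email"
    allow_user_invite: bool   # may the delegate invite brand-new users?


def check_grant(delegation, scope, email, level, *, via, tenant_users):
    """Decide whether a delegate may add `email` at `level` within `scope`.

    `via` is how the delegate supplied the person ("dropdown" or "email").
    Returns ("add", email, level) for an existing tenant user, or
    ("invite", email, level) when a new user must be invited first.
    Raises DelegationError for anything the delegation does not permit.
    """
    if scope not in delegation.limits:
        raise DelegationError(f"delegation does not cover {scope!r}")
    if level not in LEVELS:
        raise DelegationError(f"unknown access level {level!r}")
    if via != delegation.add_user_method:
        raise DelegationError(f"members may only be added via {delegation.add_user_method!r}")
    # The cap is the core control: a delegate can never hand out more than
    # its configured limit, so delegation cannot be turned into escalation.
    limit = delegation.limits[scope]
    if LEVELS.index(level) > LEVELS.index(limit):
        raise DelegationError(f"{level!r} exceeds the delegate's limit of {limit!r} for {scope!r}")
    if email in tenant_users:
        return ("add", email, level)
    if via != "email":
        raise DelegationError(f"{email!r} is not an existing user; the drop-down cannot reference it")
    if not delegation.allow_user_invite:
        raise DelegationError(f"{email!r} would need an invitation, which this delegation does not allow")
    return ("invite", email, level)


def is_allowed(*args, **kwargs):
    """True when check_grant would succeed, False when it would refuse."""
    try:
        check_grant(*args, **kwargs)
    except DelegationError:
        return False
    return True


# Constructed tenant and delegations for illustration.
TENANT = {"alice@customer.example", "bob@customer.example"}
TEAM_DELEGATION = Delegation(limits={"project": "Edit"},
                             add_user_method="dropdown", allow_user_invite=False)
GROUP_DELEGATION = Delegation(limits={"project": "View", "project_request": "Action"},
                              add_user_method="email", allow_user_invite=True)

if __name__ == "__main__":
    print(check_grant(TEAM_DELEGATION, "project", "alice@customer.example", "View",
                      via="dropdown", tenant_users=TENANT))
    print(check_grant(GROUP_DELEGATION, "project_request", "carol@customer.example", "Action",
                      via="email", tenant_users=TENANT))
```

The point to carry over when you configure these options: the Access Level Limit is the escalation boundary, and Allow User Invite widens the tenant's user population, so keep it off for delegates who only need to place existing people onto projects.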
SSO Improvements
We have now enabled support for two (2) independent identity providers (IdPs), each with its own configuration, including SSO User Role Mappings.
We have also added the option to disable Just-In-Time (JIT) SSO user creation, restricting SSO access to AttackForge to users who have already been invited. With JIT creation enabled, any account your IdP successfully authenticates can be provisioned on first login; with it disabled, an SSO login only succeeds for an account that already exists in your tenant.
ReportGen Enhancements
We have added support for additional project team member data in reports, namely About Me. See example below:
We also added an extra option for Charts which can be configured to increase the y-axis on vertical bar charts. This can help to add some padding above the bars to improve the aesthetic of the chart.
21 May 2024
Secure Code Learning with SecDim
We're excited to be the first Pentest Management Platform to release a Secure Code Learning collaboration with SecDim - Dev-Native Attack & Defence Wargames.
With the power 💪 of SecDim and AttackForge, you can:
Explore a real vulnerability in a cloud native app. Debug and verify if your security patch can remediate the vulnerability
Train developers on how to fix vulnerabilities identified in their applications, during a pentest
Collaborate between engineers and security teams on how to best remediate vulnerabilities
Improve retesting pass rates for discovered vulnerabilities
Test your knowledge on how to fix common vulnerabilities and measure your effectiveness
Every Sandbox comes with a security test suite to simulate the exploitation of the vulnerability.
Sandboxes are integrated with git so you can save your progress and pick it up again where you left off.
SecDim's catalogue is extensive, covering everything from AI, GraphQL, React, Kubernetes, to Web3. You can test your skills against modern security vulnerabilities inspired by real-world issues.
Each sandbox is deployed in a secure isolated Cloud Development Environment directly in your browser. You can debug, patch and test your code as if you were building an app.
Start by learning more about this integration, and when ready - switch the integration on.
Search SecDim's catalogue of vulnerable sandboxes which you can link to your Writeups.
When you create a vulnerability on a project, users will be able to see the linked SecDim sandboxes and launch a sandbox to get started.
Auto-Add Groups to Project Requests
You can now automatically assign Groups to Project Requests when they get created by group members.
This means any custom access controls you have created on the group will take effect immediately.
This makes it easy to have dedicated teams of people who can work together to view, edit and approve project requests - without the involvement of Administrators or Project Coordinators.
UX Improvements
Now when you open and close the Info panels on Vulnerabilities, Project Test Cases and Reporting - this action will be remembered for the duration of your session. This means you can easily switch between pages and see the information you want to see more easily and with less clicks.
We added new Core Fields for Hide Expressions to provide more flexibility when it comes to controlling your forms.
We also improved the behaviour of how CVSSv3.1 scoring is used on vulnerabilities, including better support for Nessus.
SSAPI Enhancements
We have made the following enhancements to the Self-Service APIs:
Get Assets In Library now supports the Advanced Query filter.
Create Vulnerability and Create Vulnerability With Library now support passing in Asset Library Ids.
Update Vulnerability and Update Vulnerability With Library now support updating the Affected Asset(s).
Get Project Report Data endpoint was created to allow programmatic creation of reports for selected vulnerabilities only.
ReportGen Improvements
We have improved ReportGen to make your reports even better!
$declare, $push and $assign functions now support 'this' and 'this[number]'.
$includes now supports Dictionaries.
3 May 2024
New Project Request Access Controls
You can now configure custom access controls on Project Requests.
This means you can now:
Create multi-stage review and approval workflows for Project Requests, particularly when combined with custom field access controls.
Delegate additional persons or group members to View, Edit or Action selective Project Requests.
Improve efficiency when it comes to project scoping workflows.
To get started, as an Administrator or Project Coordinator - access the Settings on the Project Request:
You can assign access to application user Roles, Groups or individual Users.
Each access control can be assigned with View, Edit or Action:
View means the user will be able to view the Project Request, but not make any changes.
Edit means the user will be able to view and edit the Project Request, and upload any supporting files.
Action means the user will be able to view and edit the Project Request, upload any files, request more information, and reject and approve the Project Request. Approving the Project Request will result in creation of a new Project.
When assigning Group access to the Project Request, the group members can be assigned with View, Edit and Action. This will apply to the Project Requests linked to the Group.
Project Coordinators and Administrators will continue to have access to all Project Requests, along with any additional Roles or Users who have been delegated global privileges to Action all Project Requests.
Vulnerability Imports Now Support Multiple Files
You can now import multiple scan files in one import. This means you can now take advantage of Grouped Assets on vulnerabilities across multiple scans - making it easier to identify and track unique vulnerabilities on the project, and associate affected assets more easily.
Simply select multiple scan files when prompted to select a file.
We also made improvements to user feedback during parsing of vulnerabilities.
Bulk Action Retest Vulnerabilities
We have now made it easier to see all vulnerabilities associated with a retest, and perform bulk actions.
Create Reports on Pending Vulnerabilities
You can now create reports on pending vulnerabilities. This makes it easier to review vulnerabilities in your custom reports, before releasing them to customers.
Filterable Project Team Details
You can now view the entire project team and filter on team members more easily:
Email Updates
Vulnerability-related events on projects, for example New Vulnerability Discovered email, now support {vulnerability.<tag>} Custom Email Meta Tags
Daily Start/Stop Testing Notifications on projects now support {project.<tag>} Custom Email Meta Tags
All emails which support the {link} tag now also support {link.url}, which returns only the URL. This means you can use {link.url} inside custom buttons and anchors in your emails.
Updates to ReportGen
We have added a new function $percentage that can be used to calculate the percentage of two values.
We also updated $keys to support $keys[this] which can be used to iterate on any object and return each key/value pair in the object as an array.
15 April 2024
Project Test Case custom fields
Project test cases now support custom fields.
This opens up many possibilities, for example:
Capturing Red-Team and Blue-Team information on Purple-Team assessments
Filtering on additional test case sub-status
Persisting additional testing details
You can also now re-order your project test case view to personalize how you want your test cases to appear on different projects.
Soon you will be able to use the Self-Service APIs to import custom project test cases for dynamic and reactive testing, for example importing scanner policies for scans performed.
Defining a Purple-Team project
Start by adding a custom field to your project which will be referenced by your test cases and vulnerabilities.
This will show purple-team fields on test cases and vulnerabilities for only purple-team projects, without creating additional overheads for other assessments.
Defining your Red-Team custom fields on Test Cases
Define your red-team project test case custom fields in Administration → Projects → Test Cases → Form
Create a Section for your red-team fields, this makes it easier to group your fields.
Add a Hide Expression to ensure your red-team section and its related fields only show on project test cases for purple-team projects.
Add Custom Field Access Controls to ensure that:
Red Teamers can View and Edit red-team fields;
Blue Teamers can only View red-team fields;
All others have no access to these fields.
Defining your Blue-Team custom fields on Test Cases
Define your blue-team project test case custom fields in Administration → Projects → Test Cases → Form
Create a Section for your blue-team fields, this makes it easier to group your fields.
Add a Hide Expression to ensure your blue-team section and its related fields only show on project test cases for purple-team projects.
Add Custom Field Access Controls to ensure that:
Blue Teamers can View and Edit blue-team fields;
Red Teamers can only View blue-team fields;
All others have no access to these fields.
Defining your Red-Team custom fields on Vulnerabilities
Define your red-team vulnerability custom fields in Administration → Projects → Vulnerabilities → Form
Create a Section for your red-team fields, this makes it easier to group your fields.
Add a Hide Expression to ensure your red-team section and its related fields only show on vulnerabilities for purple-team projects.
Set your project as a Purple-Team project
When creating or editing a project, select Purple Team from the Testing Types custom field.
Complete Purple-Team project test case fields on purple-team projects
When working on a purple team assessment, you can now complete the purple-team fields on the project test cases.
Complete Purple-Team vulnerability fields on purple-team projects
When working on a purple team assessment, you can now complete the purple-team fields on the vulnerabilities.
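As an added example (not code from AttackForge), the following models the procedure above: sections carrying a hide expression that shows them only on purple-team projects, fields carrying per-role access controls, and the server-side write check such a setup needs so that a field hidden from the form is still protected when a client submits it anyway. The role and field names, the testing_types project field and the sample projects are assumptions.

```python
"""Field-level visibility and write checks for purple-team custom fields (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Field:
    name: str
    section: str
    acl: dict  # role -> "edit" | "view"; a role missing here has no access


def purple_team_only(project):
    """Hide expression: show the section only when the project's Testing
    Types custom field (assumed key "testing_types") contains "Purple Team"."""
    return "Purple Team" in project.get("testing_types", [])


# Section -> hide-expression predicate. Sections absent here are always shown.
SECTIONS = {"Red Team": purple_team_only, "Blue Team": purple_team_only}

# Assumed field layout: red-team fields editable by Red Teamers and visible to
# Blue Teamers, blue-team fields the other way round, nothing for anyone else.
FIELDS = [
    Field("red_initial_access", "Red Team", {"Red Teamer": "edit", "Blue Teamer": "view"}),
    Field("red_tooling", "Red Team", {"Red Teamer": "edit", "Blue Teamer": "view"}),
    Field("blue_time_to_detect", "Blue Team", {"Blue Teamer": "edit", "Red Teamer": "view"}),
    Field("blue_alert_source", "Blue Team", {"Blue Teamer": "edit", "Red Teamer": "view"}),
    Field("tester_notes", "General", {"Red Teamer": "edit", "Blue Teamer": "edit", "Customer": "view"}),
]


def effective_access(project, roles, fields=FIELDS, sections=SECTIONS):
    """Map field name -> "edit" | "view" for what a user holding `roles` sees.

    A field is dropped when its section's hide expression is false or when
    none of the user's roles appears in its ACL; "edit" wins over "view".
    """
    access = {}
    for field in fields:
        shown = sections.get(field.section, lambda p: True)(project)
        if not shown:
            continue
        granted = {field.acl.get(role) for role in roles} - {None}
        if "edit" in granted:
            access[field.name] = "edit"
        elif "view" in granted:
            access[field.name] = "view"
    return access


def apply_update(project, roles, current, updates, fields=FIELDS, sections=SECTIONS):
    """Server-side write check. In this model the hide expression only shapes
    the form, so every submitted field is re-checked against the caller's
    access here instead of trusting what the client chose to display."""
    access = effective_access(project, roles, fields, sections)
    denied = sorted(name for name in updates if access.get(name) != "edit")
    if denied:
        raise PermissionError(f"not editable by {sorted(roles)}: {denied}")
    return {**current, **updates}


def update_allowed(project, roles, updates):
    """True when apply_update would accept `updates`, False when it would refuse."""
    try:
        apply_update(project, roles, {}, updates)
    except PermissionError:
        return False
    return True


# Constructed sample projects.
PURPLE_PROJECT = {"name": "Q3 purple team", "testing_types": ["Purple Team"]}
WEB_PROJECT = {"name": "Web app pentest", "testing_types": ["Web Application"]}

if __name__ == "__main__":
    print(effective_access(PURPLE_PROJECT, {"Red Teamer"}))
    print(effective_access(WEB_PROJECT, {"Red Teamer"}))
```

The split between the two functions is the practical lesson: the hide expression keeps non-purple projects uncluttered, but it is the field access control that decides who may write, and that decision has to be made again at save time.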
Configuring sub-status on project test cases
Defining a sub-status on project test cases
Start by adding a custom field to your project test cases which will be used to capture the sub-status of a test case.
Track and manage sub-status on project test cases
When working on a project, you can now complete the relevant sub-status on project test cases.
You can also filter and sort your project test cases on sub-status.
Capturing additional information on project test cases
Defining additional information on project test cases
Start by adding custom fields to your project test cases which will be used to capture additional information relevant for your test cases.
Entering additional information on project test cases
When working on a project, you can now complete the relevant fields when working on project test cases.
New time-based custom email options
You can now configure custom time-based emails for Projects, Project Requests and Users - in addition to previously supported Vulnerabilities.
Some examples of custom time-based emails could include:
Notify vulnerability owners when vulnerabilities are 7-days from breaching SLAs
Notify remediation teams when vulnerabilities are 10-days from reaching Target Remediation Date
Notify security teams when vulnerabilities exceed SLAs
Notify project teams when projects have overrun
Notify project coordinators when project requests have not been actioned for some time
Notify users when their account will be locked out due to inactivity
Check Custom Time-Based Emails for more details.
Import vulnerabilities via JSON file
You can now import vulnerabilities directly from a JSON file.
This makes it easy to import vulnerabilities from any source, as long as the data can be formatted as JSON.
A template is provided to help make this process easy, as well as details for required fields.
Rich-text custom fields now support images
The following rich-text custom fields now support display of images in-app and in-reports:
Project Requests
Vulnerabilities
Writeups
Project Test Cases
Test Suite Test Cases
Config change detection
Changes to configuration now prompt all users to reload the app to retrieve the new configuration, at a time that suits the user.
Custom field dates now support time picker
You can now enable capturing and display of time for your Datepicker custom fields.
This can be useful if you need to capture time, for example Execution Start Time and Execution End Time for Red-Team activities or for captured logs.
This option can be configured using the Display Time option on the Datepicker custom field.
Project Request information now available in reports
You can now add information from your linked Project Request into your reports.
First, start by enabling this option in Administration → Projects → Export Project as JSON → Project Request
Now in your reports, you can access the Project Request information using {projectRequest}, for example:
Vulnerability imports now support Qualys Guard
You can now import vulnerabilities from Qualys Guard.
Reports now support email addresses for project team
You can now include email addresses for your project team members in your reports.
Start by enabling this option in Administration → Projects → Export Project as JSON → Team Member Email
You can print the emails of the team members in your report as follows:
ReportGen - $help now supports [scope] and [var]
You can now use {$help[scope]} and {$help[var]} in your report templates to show debugging and help information in your ReportGen browser console.
31 January 2024
Asset Libraries
You can now use Asset Libraries to manage your assets better!
Asset libraries will help you to:
Group and manage assets across different teams, technologies, products, customers, business units, networks or compliance;
Control who can see assets, and which assets they can see;
Manage who can create and modify assets;
Assign assets to many groups for better tracking and de-duplication;
You can view your asset libraries directly from the Assets module:
Take advantage of libraries when adding scope to a project:
Control which libraries get used when importing vulnerabilities:
Assign libraries when importing assets:
Asset libraries can be configured from the Administration module.
Assets can belong to one or more libraries, allowing shared access to or ownership of assets and reducing asset duplication.
Assets are unique to each library.
Asset libraries can have access controls to manage who can view or edit the assets.
Access controls can be applied to:
Application Roles
Groups
Users
Access to libraries can be assigned with either View or Edit privileges.
Users with View access to an asset library will be able to see the assets in it, and any vulnerabilities on those assets to which that user has access via their projects.
Users with Edit access to an asset library will be able to create assets in that library and make changes to any asset in that library, including the ability to archive the asset or link additional asset libraries.
Bulk actions can be used to bulk (re)assign assets to libraries.
You can now also import assets from CSV and JSON formats – making it even easier to bring existing assets into AttackForge!
For more details, please visit https://support.attackforge.com/attackforge-enterprise/modules/assets
Portfolios Enhancements
You can now provide access to Portfolios and Streams for:
Your customers;
Your engineering teams and product owners;
Your security, risk and compliance teams;
Your business management and senior leadership;
Your external auditors and 3rd parties;
This makes it possible to have custom dashboards which are relevant and tailored to your stakeholders, which they can now access.
Access can be granted to the entire Portfolio or to individual Streams. This enforces need-to-know.
Users will only see project, vulnerability and asset related data which is relevant to their existing projects.
Users will not be able to see project, vulnerability and asset data for which they do not already have access.
We have also enriched the data available for projects, vulnerabilities and assets.
Users can also configure their own table preferences to consume the data the way they prefer.
ReportGen v2.9
We have just released another massive update for AttackForge ReportGen: The ultimate pentest reporting tool!
This release includes three (3) new functions; one (1) new style; and access to user profile data in reports!
New Function: $hyperlink
You can use this new function to construct hyperlinks in your reports.
Hyperlinks can be built using data from your project (scope), manual creation or based on values from other variables.
For more information on how to use this function, visit this link.
New Style: hyperlink_style
This release introduces support for hyperlinks for rich-text fields. We have also released a new style which allows you to independently set the style for hyperlinks contained within the styled tags. You can apply this style to any of the {@..._styled} fields.
For more information on how to use this style, visit this link.
New Function: $comment
You can use this new function to include comments in your template which do not get shown in the report.
This can be useful to help with adding explanations and also debugging.
For more information on how to use this function, visit this link.
New Function: $multiply
You can use this new function to multiply a variable which has a numeric value.
For more information on how to use this function, visit this link.
User Profiles Now Available
You can now include user profile information in your reports for each team member on the project.
For examples of how to include this information in your reports, visit this link.
Updated Testing Methodologies and Vulnerability Libraries
We have updated to the latest version of the MITRE ATT&CK framework, which you can now easily import into your Test Suites.
MITRE ATT&CK Enterprise Version 14.1
MITRE ATT&CK Mobile Version 14.1
MITRE ATT&CK ICS Version 14.1
To get started, head over to https://github.com/AttackForge/TestSuites
Download the relevant methodologies and follow the guide to import them into your Test Suites.
We have also updated to the latest version of MITRE CWE and MITRE CAPEC, which you can now easily import into your Writeups.
MITRE CWE Version 4.13
MITRE CAPEC Version 3.9
To get started, head over to https://github.com/AttackForge/Writeups
Download the relevant vulnerability libraries and follow the guide to import them into your Writeups.
Report Locking
You can now control when reports are available for download on any given project.
This is particularly useful if you want to restrict your customers from generating reports until a point in time on the project, for example when testing is completed or when QA has finished.
When creating or updating a project, you can now configure the minimum Access Level required on the project in order to generate reports.
Custom Project Roles
You can now configure custom project roles which can be assigned to any project team member.
This is particularly useful if you want to create roles which align with your internal operating processes.
These roles can be reflected in emails, reports and in automations and integrations.
These roles are not used for access control.
You can manage the project roles from Administration -> Projects -> Fields -> Team Members.
Custom System Email Notifications
You can now configure and personalize every system email!
For each system email notification, you can independently:
Enable or disable the email notification;
Configure a custom Subject with HTML and {metatags} support;
Configure a custom Body with HTML and {metatags} support.
You can manage the email notifications from Administration -> Notifications.
For a full list of {metatags} supported – please visit this link.
Custom Report Names
You can now configure the custom report name for all of your downloaded reports.
This configuration option also supports {metatags}.
You can update your report name from Administration -> Reporting -> Report Name.
Manage User Roles via SSO Groups
For SSO users – you can now opt into managing application user roles via SSO groups.
This ensures that every time an SSO user logs in, their application user role will be automatically updated to match their expected role via the mappings.
This makes it easier for AttackForge Administrators managing tenants with hundreds or thousands of users.
It also helps to comply with internal policies for privileged access management.
You can opt into this setting from Administration -> Users -> Manage Application User Roles via SSO Groups.
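The mechanism described above re-evaluates a user's application role from their SSO group membership on every login, so a stale privileged role cannot outlive the group that granted it. The following is an added illustration of that sync logic written for this page; it is not AttackForge's code, and the role names, group names and the "most privileged mapped role wins, otherwise least privileged default" policy are assumptions made here for the example.

```python
"""Illustrative SSO-group-to-application-role sync on login.

Added example, not AttackForge code. Role names, group names and the
resolution policy are hypothetical choices made for this illustration.
"""
from typing import Dict, Iterable, Tuple

# Hypothetical application roles ranked from least to most privileged.
ROLE_RANK: Dict[str, int] = {"Guest": 0, "User": 1, "Administrator": 2}

# Least privileged role, used when none of the user's SSO groups is mapped.
DEFAULT_ROLE = "Guest"

# Constructed sample mapping from SSO group name to application role.
SAMPLE_MAPPING: Dict[str, str] = {
    "af-admins": "Administrator",
    "af-pentesters": "User",
}


def resolve_role(sso_groups: Iterable[str], mapping: Dict[str, str],
                 default_role: str = DEFAULT_ROLE) -> str:
    """Derive a single application role from the groups in the SSO assertion.

    If several mapped groups are present, the most privileged role wins
    (an explicit policy choice; an alternative is to reject ambiguity).
    If no group is mapped, fall back to the least privileged default rather
    than keeping whatever role the account had before.
    """
    candidates = [mapping[g] for g in sso_groups if g in mapping]
    if not candidates:
        return default_role
    return max(candidates, key=lambda role: ROLE_RANK[role])


def sync_on_login(current_role: str, sso_groups: Iterable[str],
                  mapping: Dict[str, str]) -> Tuple[str, bool]:
    """Run at every login: return (new_role, changed).

    Because this runs on each login, removing a user from a privileged SSO
    group demotes them the next time they sign in, and adding them promotes
    them without an administrator editing the account by hand.
    """
    new_role = resolve_role(sso_groups, mapping)
    return new_role, new_role != current_role


def audit_line(username: str, current_role: str, new_role: str) -> str:
    """Build a one-line audit record for role changes (constructed format)."""
    return f"sso-role-sync user={username} from={current_role} to={new_role}"


if __name__ == "__main__":
    # Constructed login: the user was an Administrator but has since been
    # removed from the admin group in the identity provider.
    role, changed = sync_on_login("Administrator", ["af-pentesters"], SAMPLE_MAPPING)
    if changed:
        print(audit_line("alice", "Administrator", role))
```

The point worth checking in any such implementation is the no-match branch: if an account with no mapped groups silently retains its previous role, the login-time sync stops being a control for privileged access.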
UX Enhancements
Inline vulnerability view on tables
When viewing vulnerabilities in a table, you can now preview the vulnerability without having to navigate away.
To do so, click on the eye icon next to the vulnerability name.
Retest rounds now show on schedules
Retest rounds now have an optional end date and will now also show on your global and project schedules.
Rich-text fields now support hyperlinks
Rich-text fields now support including hyperlinks. These hyperlinks will also automatically show in reports for any ‘_styled’ fields.
Warnings to help prevent data loss
We have added warnings when you have data entered into a form and try navigating away, or when you try to close a popup window with data.
This UX improvement will help to prevent any accidental data loss on common user actions.
Wider, taller and draggable form fields
We have reviewed all forms within AttackForge and where needed we have made fields wider and taller.
We have also made the height of rich-text fields adjustable by dragging.
Set custom error message for blocked accounts
You can now configure a custom error message for blocked accounts.
This is useful if you have company-specific instructions on the account reactivation process that you want to show blocked users.
Bulk add tags on grouped assets
You can now bulk add tags to grouped assets when working on vulnerabilities.
Bulk overwrite on vulnerabilities now supports mixed asset selections
You can now perform bulk overwrite actions on vulnerability selections with mixed asset types, i.e. individual and grouped assets.
Hovering on project name shows full name
We made adjustments to show more information when hovering on data, including on the project name.
Linking Vulnerabilities to Test Cases
You can now link vulnerabilities to test cases directly from the test cases.
This makes it easier to fail test cases in bulk, and to show a direct correlation between testing and findings.
Importing Vulnerabilities
We added support for Nuclei Scanner and Acunetix 360 when importing vulnerabilities on a project.
Updates to Self-Service API
We made updates to the Invite User To Project and Invite Users To Project Team RESTful API endpoints to include additional fields.
We also added support for Asset Libraries for all of the relevant RESTful APIs.
Video Tutorials
Introduction to AttackForge and On-Demand Trial Environments
We recently released a new trial service for AttackForge – https://try.attackforge.io – which allows people to deploy a dedicated, on-demand private tenant of AttackForge with just their email address. The entire process takes less than two minutes from signup to deployment!
We created a short video to demonstrate this process for deploying new trial environments, as well as a brief introduction to AttackForge.
This video might be useful to you if:
You need access to on-demand non-production AttackForge tenants for testing configuration, integrations or scripts;
You want to access the newest features in an environment that is already configured with optimal settings for the latest features;
You want your customers or users to get a preview for what the AttackForge application is about and key workflows, prior to interacting with your own AttackForge.
The video is available on YouTube:
Pentest Report Automation with AttackForge
We created a short video to demonstrate how to set up an automation for PDF report generation and delivery to customers.
This video might be useful to you if:
You need to send encrypted PDF reports to your customers via email and programmatically;
You are interested in exploring automations in AttackForge;
You are interested in how custom fields can be used to enforce custom workflows.
The video is available on YouTube:
Red Teaming with AttackForge
We created a short video to demonstrate how to do Red Teaming in AttackForge.
This video might be useful to you if:
You are considering starting to perform Red Team assessments in AttackForge;
You are already performing Red Teaming in AttackForge.
The video is available on YouTube: