2025

27 August 2025

Scheduled Flows - For Automated Daily Tasks, Polling-Based Integrations and Cron Jobs

We're super excited to release Scheduled Flows which means you can now schedule repetitive or one-time tasks within AttackForge! ⏰🦾

Need a Flow to run every morning? How about the end of the month? We've got you covered! 😌

Scheduled Flows can help you to:

  • Create polling-based integrations and data syncing with external APIs and tools

  • Create batch-jobs, like daily/weekly/monthly reports on progress of your security testing program

  • Schedule automated tests based on configurable policies such as criticality of assets

  • Clean-up old testing data based on configurable policies such as expiration dates

To make Scheduled Flows super flexible, we support cron.

Cron is the golden standard 🌟 when it comes to scheduling repetitive or one-time tasks.

We've built a crontab helper 🤖 which makes building your schedule even easier:

We've also added a next run indicator - for peace of mind that your schedule will run exactly when you need it:

You can also set which timezone to use 🌏

After your Flow is created, you can always check to see when the next run is scheduled:

And view the details of a specific Flow Run

Delay and Repeat Flow Actions

We've added options to delay and repeat Flow Actions!

This opens a world of possibilities in how you can use your Flow Actions 💪

Repeat Action

  • Create a 'for loop' Action over a list of data - for example create a new vulnerability for each record in a long list.

  • Interact with paginated endpoints to retrieve the full list of results.

  • Request failed; update the payload and try again.

When you repeat an action, you can also modify its context. This means you can pass in new data to the Action.

Action (Request)

Action (Response)

Example 1: Process list of data

Say you have 100 vulnerabilities in a list. The purpose of your Action is to create a new vulnerability.

On the first iteration of the Action, you create vulnerability 1 out of 100 - leaving 99 more to go.

You can then repeat the Action, updating the list to remove the vulnerability which was just created.

On the second iteration of the Action, you create vulnerability 2 out of 100 - leaving 98 more to go.

This process repeats until you have 0 vulnerabilities left in the list to process, then you call next to move on to the next Action in your Flow, or finish to gracefully end your Flow.

Example 2: Interact with paginated endpoints

Say you have 1000 vulnerabilities you need to access, however the page length of the API endpoint only returns 50 at a time. The purpose of your Action is to fetch a page of vulnerabilities.

On the first iteration of the Action, you fetch vulnerabilities 1 to 50 out of 1000 - leaving 950 more to go.

You can then repeat the Action, updating the page marker to fetch the next page.

On the second iteration of the Action, you fetch vulnerabilities 51 to 100 out of 1000 - leaving 900 more to go.

This process repeats until you have 0 pages left to fetch, then you call next to move to the next Action in your Flow, or finish to gracefully end your Flow.

When an Action repeats, the logs for each iteration will be visible to you in the Flow Run logs.

Delay Action

  • Safely interact with request-throttled endpoints - for example APIs with restricted number of requests per minute.

  • Reduce likelihood of issues interacting with asynchronous APIs where data is not ready on time.

  • External endpoint is down; retry the request with a delay until service comes back online.

Delaying an Action is easy to do, you just pass in a number (in milliseconds) to the Return Statement.

You can delay anywhere from 1 millisecond to 24-hours.

Example 1: Throttle requests to API endpoint

Say you are working with an API which accepts 100 requests per minute. However you have 200 requests you need to make.

You can add a 1-second delay between each repeated Action:

Example 2: Delay requests until system is back online

Say you are working with an API, however that API returns an error indicating it's currently not available.

You can add a 30-second delay between each repeated Action until (hopefully) the service is back up and running again:

Keep an eye out 👀 even more amazing new features coming to Flows soon!

HTML Tables in Rich-Text Fields and Reports

We've finally added support for HTML tables in rich-text fields! 🥳

You can now create or paste tables in your rich-text fields, and make them look beautiful in your reports 😍

You can even adjust column widths and row heights, or create lists and inline code in your tables!

You can also scroll and expand the tables when viewing the data, in case you have lots of columns or rows.

And best of all - the tables will show in your reports, including the custom column widths and row heights!

You can even add Custom Styling for your HTML tables in your reports 😎

Text Highlighting in Rich-Text Fields and Reports

We didn't just stop at HTML tables - we've also added text highlighting for rich-text fields! ✍️

You can pick from different colors to really make your text pop! 🟡🔵🔴

The text highlights will show when you view the data in the portal and within the reports.

Review Notes Improvements

In the persuit of making QA reviews faster and easier using AttackForge - we've made major user experience improvements to Review Notes:

  • Review Notes in the Reporting tab on the project have been extended to include all custom fields

  • Threads are now displayed as an overlay

  • A preview of a note being replied to is now shown above the input

  • Clicking on a reply note will scroll the note in to view and show a highlight

  • Note actions (reply and delete) only appear on hover

  • Notes which are a reply to another note will only show a one line preview of the reference note with a tooltip

Stay tuned for many more improvements coming to review features and workflows in AttackForge!

New OWASP Test Suites

AttackForge Test Suites play an important role in measuring the success, transparency and impact for any security audit.

If you're a pentester - you can measure and improve the performance of your testing methodology; demonstrate the depth of manual testing coverage; and collaborate efficiently with others to save you time and effort - whilst avoiding night terrors thinking you forgot to test something!

If you're a customer - knowing what, when, where, who, why and how your assets were tested is crucial to measuring visibility, impact, standardization and return of investment in your security program.

In this release, we have included even more security checklists and benchmarks from OWASP:

You can import these in to your existing or new test suites.

You can also create your own custom testing methodologies in the Test Suites module!

New JIRA and ServiceNow Flows

We've added new Flows to help you with bi-directional custom integrations and workflows in Atlassian JIRA and ServiceNow.

You can use our Flows Templates to get up and running fast!

JIRA Issue Retest -> Update Vuln to Ready for Retest

Close JIRA Issue

Re-Open JIRA Issue

ServiceNow Incident Retest -> Update Vuln to Ready for Retest

Close ServiceNow Incident

Re-Open ServiceNow Incident

Updates to Tenable Security Center and Invicti Netsparker Vulnerability Import Parsers

Importing vulnerabilities from Tenable and Invicti is now even better!

We've updated the Tenable Security Center vulnerability import parser to support even more fields from Tenable.

We've also updated the Invicti Netsparker vulnerability import parser to support Invicti Netsparker Enterprise.

Advanced Filtering Now Available In More Places!

Previously we introduced Advanced Filtering - a way to quickly and easily find the exact information that you need.

You can combine Advanced Filtering with Custom Views to save your search filters and effortlessly repeat your custom search time-and-time again.

In this release, we rolled out Advanced Filtering even wider:

  • Groups

  • Portfolios

  • Test Suites and Test Cases

  • Project Test Cases

  • Project Retesting

  • Project Scope

  • Import Vulnerabilities

  • Users

We've also added a copy button on the table row to make it easier to copy the system id for a record, without having to view it first.

Updates to ReportGen

We're always improving on our kick-ass reporting engine - ReportGen 🥋

Configure Image Downscaling in Reports

AttackForge utilizes image downscaling for dynamic reporting images to help improve performance and speed for report generation. Dynamic images are images that are uploaded to AttackForge, not statically input into your report template.

Images are downscaled by default to 975 pixels. This is an ideal balance for most images for reporting purposes.

However, you can increase or decrease this threshold.

Increasing the Max Image Width will improve image quality, however may increase report generation time.

Decreasing the Max Image Width may speed up report generation time, however image quality will also be decreased.

Images can be downscaled to any value between 100 pixels and 2000 pixels.

Table Styling Options

With this release now supporting HTML tables in rich-text fields, we've also added the ability to override the style of your tables, per-field, in your report templates.

This gives you full control over how your tables look and feel in your reports!

{@<RICH-TEXT-TAG>_styled(“table_alignment”:”center”,”table_columns_width”:”5000”,”table_rows_split_across_pages”:”true”,”table_borders_thickness”:”30”,”table_borders_color”:”ff5733”,”table_cells_margin_top”:”1”,”table_cells_margin_bottom”:”1”,”table_cells_margin_left”:”1”,”table_cells_margin_right”:”1”,”table_cells_borders_thickness”:”10”,”table_cells_borders_color”:”6c3483”,”table_rows_header_style”:”CustomTableHeader”,”table_rows_header_background_color”:”00B050”,”table_rows_header_height”:”600”,”table_rows_header_vertical_alignment”:”center”,”table_rows_body_style”:”CustomTableBody”,”table_rows_body_vertical_alignment”:”center”,”table_rows_body_background_color”:”c7fcc5”,”table_rows_body_height”:”1000”)}

  • table_alignment - left/center/right

  • table_columns_width - pixels e.g. 5000

  • table_rows_split_across_pages - true/false

  • table_borders_thickness - pixels e.g. 30

  • table_borders_color - hex color code e.g. 000000

  • table_cells_margin_top - pixels e.g. 1

  • table_cells_margin_bottom - pixels e.g. 1

  • table_cells_margin_left - pixels e.g. 1

  • table_cells_margin_right - pixels e.g. 1

  • table_cells_borders_thickness - pixels e.g. 10

  • table_cells_borders_color - hex color code e.g. 000000

  • table_rows_header_style - maps to a Word style (don't put whitespace in the style name)

  • table_rows_header_background_color - hex color code e.g. 000000

  • table_rows_header_height - pixels e.g. 600

  • table_rows_header_vertical_alignment - top/center/bottom

  • table_rows_body_style - maps to a Word style (don't put whitespace in the style name)

  • table_rows_body_vertical_alignment - top/center/bottom

  • table_rows_body_background_color - hex color code e.g. 000000

  • table_rows_body_height - pixels e.g. 1000

New Filter: Array_Chunk

If you've ever found yourself adding a list of data in your report, and thinking there's way too much whitespace. It would look so much better in a table with multiple columns... but how to make the columns adjust to the length of my data?

Well now you're in luck 🍀

We've added a new filter Array_Chunk which can be used to create an array of elements split into groups the length of size. If the array can't be split evenly, the final chunk will be the remaining elements. Each array is then accessible inside the parent loop via chunk[index].

array_chunk(['a', 'b', 'c', 'd'], 2);
// => [['a', 'b'], ['c', 'd']]
 
array_chunk(['a', 'b', 'c', 'd'], 3);
// => [['a', 'b', 'c'], ['d']]

{#tag | array_chunk:<size>}{chunk[0]}{chunk[1]}{chunk[...]}{/}

For example, say you wanted to distribute your project scope assets across three (3) columns to help save whitespace in the report - you could do the following:

The result will be the distribution of each asset across three columns:

Ignore Labels with 0 Value

We've added a new chart option which helps to remove labels from charts which have a 0 value.

For example - the following chart has 0 Critical, 0 High and 0 Medium findings:

By specifying "ignore_falsy_values": true, inside the "data": {...}" object of your chart settings (e.g. "data": {"ignore_falsy_values": true,...}") the chart will then ignore labels with a 0 value.

Enhancements to Self-Service APIs

We're always improving our Self-Service APIs to make automations and integrations even easier! 💪

  • New RESTful endpoints:

  • Updates to REST endpoints:

    • Get Test Suites - we've added support for the test suite code and sort order.

    • Get Test Suite - we've added support for the test suite code and sort order, as well as for every individual test case.

11 July 2025

Build Your Own Custom APIs!

We're super pumped to release HTTP Triggers for Flows which means you can now build your own custom APIs in AttackForge! 🤩💪

Why would you want to build your own custom APIs you might ask? 🤔

Well, for starters:

  • Your external systems can push data directly to AttackForge in real-time, whenever you need it!

  • You can run an automation in AttackForge on your own terms

  • You can create custom integrations which are triggered on-demand

  • You can create modularized Flows (trigger them from other Flows!)

Still not quite sure where to start with this superpower? 🦸 We've got you covered!

We created an example video demonstrating how a security researcher can submit a new vulnerability in HackerOne and it's in AttackForge instantly!

No delays = No unnecessary risk exposure!

You can create your own custom workflows, for example:

  • Fetch information about the affected asset from an external CMDB or from within the AttackForge Assets Library, and use this information for contextualized prioritization and risk scoring

  • Custom score the vulnerability using threat and vulnerability intelligence data from external databases like Flashpoint's VulnDB

  • Enrich the vulnerability with CWE data using the MITRE CWE API - descriptions, remediation advice, references, etc.

  • Create tickets in external tools like Atlassian JIRA, ServiceNow, Azure DevOps and others

  • Trigger conditional email notifications for automatic escalations

  • Post a message to Slack, Teams or other collaboration tools

This is just a taste for what powered-up Flows can now do!

Every HTTP Triggered Flow comes with the following:

We've also added a README section for each Flow, so now you can document how your Flow works - and make that documentation available to others!

We've also added new Flows access controls for even more granular access on how your users can use different types of Flows.

And we didn't stop there - we extended the Flow permissions so you have even more granular control for how each individual Flow can be used by every authorized user.

We also improved the user experience with Secrets to make them even easier to use, and more accessible where you need them!

And we are not done with Flows just yet 😉 stay tuned for even more exciting Flows updates coming in the next release!

Portfolios and Stream Analytics Now Available

Portfolios has been instrumental for many security teams and organizations - helping them to track and monitor security for their:

  • Business Units, Subsidiaries and Functional Teams

  • Applications, Systems and Technologies

  • Geographies

  • Compliance obligations

  • Security Programs

  • Mergers and Acquisitions

We've now added Analytics for every Portfolio and Stream - providing even better tracking, monitoring, reporting and coverage!

Answer the tough questions easily:

  • What are the most common vulnerabilities?

  • Which assets need the most attention?

  • What are the root causes for these vulnerabilities?

  • Are we getter better, or are we getting worse?

DRAFTS Now Available for Writeups, Project Requests, Assets and Test Cases

In the last release, we introduced DRAFTS - a game-changer for being more effective and efficient with how you create data, putting you in control of when to publish.

DRAFTS ensure you never lose your data with the real-time autosave feature - so you always have peace of mind knowing that we got you covered. Stash your data, come back to it when you need it (or dont!). Work on multiple concurrent DRAFTS.

In this release, we rolled out DRAFTS even wider:

  • Writeups

  • Assets

  • Test Cases

  • Project Requests

DRAFTS are coming to even more places soon, including a central location where you can find all of your DRAFTS for everything in one place!

Review Notes Improvements

We've improved Review Notes! They now support every system and custom field - you can even start a thread on multiple topics!

Stay tuned for other exciting updates coming soon for QA and Reviews!

Advanced Filtering Now Available for Writeups, Assets and Project Requests

In the last release, we introduced Advanced Filtering - a way to quickly and easily find the exact information that you need.

You can combine Advanced Filtering with Custom Views to save your search filters and effortlessly repeat your custom search time-and-time again.

In this release, we rolled out Advanced Filtering even wider:

  • Writeups

  • Assets

  • Projects

  • Project Requests

We also extended Advanced Filtering to even more field types!

User Session Improvements

We know this is long overdue, but it's finally here!

We've overhauled how we manage user interactivity - to give you the best possible user experience when it comes to your active session!

We now detect mouse clicks and keyboard strokes to help keep your session alive. This means you will no longer timeout when writing detailed vulnerability writeups, or interacting with any part of the application!

We've also included a configurable session inactivity timeout warning. By default, this message will show when you have 1 minute left on your session.

When your session times out, you will see a pop up message in the center of the screen.

If you click on the X - you will be able to copy any data already loaded or entered into your page.

You can configure when the timeout warning pops up, and also whether you want users to be automatically redirected to login after session timeout or not.

User Invitation Improvements

Now when you invite a new user to AttackForge, you can include their first name and last name to make the invitation more personal, and save them the hassle filling it in later!

AFScript Improvements

We've added support for HMAC signature verification in AFScript!

HMAC can provide authentication using a shared secret. This can be used to help verify both the data integrity and authenticity of a message.

This is ideal for use cases where you might want to verify a payload in Flows and cannot rely on using HTTP Trigger Authentication.

Enhancements to Self-Service APIs

We're always improving our Self-Service APIs to make automations and integrations even easier! 💪

28 May 2025

Advanced Filtering in Tables

You can now do Advanced Filtering in tables! 🤩

Advanced filtering can help you quickly and easily find the information you need.

You can combine Advanced Filtering with Custom Views to save your search filters and effortlessly repeat your custom search time-and-time again.

So what makes it advanced? 🧐 Let's take a look:

Advanced Filtering is available in the Filters section of your table, or when selecting an individual column filter.

You can now apply a filter which will return the exact data you need in your table! Advanced filters can be applied across multiple fields. You can also set multiple filters on the same field!

When you need the extra power or flexibility - Wildcards / Globbing and Regular Expressions come to the rescue!

The Wildcard filter is used to perform Glob matching or globbing using wildcards (like * and ?) to match values based on patterns.

The following globs are supported:

  • Wildcards (**, *.js)

  • Negation ('!a/*.js', '*!(b).js')

  • extglobs (+(x|y), !(a|b))

  • POSIX character classes ([[:alpha:][:digit:]])

  • brace expansion (foo/{1..5}.md, bar/{a,b,c}.js)

  • regex character classes (foo-[1-5].js)

  • regex logical "or" (foo/(abc|xyz).js)

Examples using Wildcards:

1. Filtering for xss OR cross site scripting anywhere in the Vulnerability title

*xss*|*cross site scripting*

2. Filtering for NOT 'HTTP' AND NOT 'MIME' anywhere in the Vulnerability title

!(*HTTP*|*MIME*)

When a Wildcard just isn't enough, Regular Expressions (RegEx) unlock a new level of possibilities!

Regular Expressions are widely used due to their ability to perform powerful text manipulation and pattern matching. When using Regular Expressions, you're only limited by your creativity!

If you're unfamiliar with RegEx, there's hundreds of online tools to help you build and test your regular expressions to ensure they work exactly how you expect them to.

Advanced Filters can be saved in your Custom Views.

Advanced Filtering is now supported on Vulnerabilities and is coming to more tables very soon!

Vulnerability Drafts

Sick and tired of working long and hard on writing vulnerabilities, only to lose them because your session timed out?

What about when you need to stash a vulnerability and come back to it later?

Or you're simply not ready to share it for others to see?

Vulnerability drafts solve these painful problems - plus more!

When working on a new vulnerability, every change you make is autosaved. Any field you enter in data or change, any file you upload - is now saved against your draft.

You can see all of your drafts by clicking on Draft Vulnerabilities when filtering your vulnerability views.

You can click on any of your drafts to resume from exactly where you left off.

Drafts are currently only on Vulnerabilities, however will be supported wider very soon!

Groups Now Support Custom Fields

We've added Custom Fields to Groups! 🥳

This means you can now capture information about your clients, teams, business units, platforms, technologies and more - store that information in a centralized location with field-level access controls, and use that information in:

You can also create custom sections and re-order your form to exactly how you want it!

Writeups Now Support Form Configuration

We've powered-up the Writeups form! 🔋

  • Re-order the entire form - have full control over where the fields are shown

  • Create custom sections - group your fields in to relevant sections

  • Rename the default sections, or remove them entirely

  • Apply Hide Expressions against sections to hide entire sets of fields when they are not relevant, or show them when they are!

Custom Views Now Supported Across Application

Previously we brought you Custom Views - a way to make it easy to save your favourite and frequently used table views.

Custom Views help to easily configure and switch between different views of your data, providing flexibility in how you want to see and use your data.

We've extended Custom Views across the application, so you can benefit from them in even more places!

  • Vulnerability tables

  • Project tables

  • Scheduling calendar and tables

  • Project Request tables

  • Project Test Cases table

  • Project Scope tables

  • Assets tables

  • Portfolio and Stream tables

  • Groups table

  • Writeups tables

  • Test Suites tables

  • Test Cases tables

  • Users table

New Red Team Reporting Template

We've released a new Red Team Reporting Template to help you bootstrap a red-team report, fast! 🏃‍♂️‍➡️

Red Team reports != Pentest reports. They're structured differently. They tell a different story. This is why they need to be built to handle the unique needs of red teams.

To get started - download the AttackForge Red Team Report Example, Template and Test Data.

You can build the report and experiment with the template in ReportGen.

You can download ReportGen locally from Report Templates > ReportGen > Offline Browser Tool

New Powerpoint-Style Template

We've also released a new Powerpoint-styled Executive Summary Presentation Template to help you create a slick presentation to wow your clients! 😎

To get started - download the AttackForge Exec Summary Slide Deck Example, Template and Test Data.

You can build the presentation and experiment with the template in ReportGen.

You can download ReportGen locally from Report Templates > ReportGen > Offline Browser Tool

MITRE ATLAS Framework Now Available

If you're testing AI Systems, you can now import the MITRE ATLAS framework into your AttackForge as either Test Suites or Writeups!

This gives you an out-of-the-box testing methodology and vulnerability language for assessing AI Systems.

Download the MITRE ATLAS framework from our GitHub and conveniently import what you need via the UI

New Flows Videos

Flows has been a game changer 🚀🌝 since its release in February.

Flows opened up a world of automation and integration possibilities!

Some examples we have seen implemented so far:

  • Exporting vulnerabilities into enterprise ticketing systems such as ServiceNow, JIRA, Azure DevOps

  • Real-time AttackForge data feeds into visualization tools like PowerBi

  • Custom prioritization of vulnerabilities

  • Leverage threat and vulnerability intelligence feeds to augment vulnerability data

  • Integrations to schedule and kick-off automated scanning activities Tenable and Qualys

  • Posting chat messages in Slack and Teams

  • Email notifications on custom QA reviews and workflows

  • Allow selected clients to self risk-accept their vulnerabilities

  • Email notifications on custom criteria for vulnerabilities

  • Create custom webhooks

We've added tutorial videos for some of the most common Flows to help you get started fast!

Flows - User Secrets Now Available

If you're building Flows and thinking ...geez it would be awesome to have a centralized secret, that way I can update it in one place and all my flows will be updated, or you might be thinking ...geez it would be awesome if I had a way to prevent other people from seeing my secrets even if they have access to my flow - then you're in luck 😉

We just added User Secrets - a place where you can create secrets which belong to you and not your individual Flow. That way you can share your secret across multiple Flows, and you can protect it from other users seeing your secrets' value.

You can also choose to share your secret with other users if you would need to.

Flows - Transfer of Ownership Now Available

If you've just went through all of the effort for building a Flow, and now you need to hand it over to someone else so it runs under their context (not yours) - you can now Transfer Flows.

Transferring is easy. Open the Flow settings page and click on Transfer. Enter in the user to recieve your Flow then approve. That's it!

The user will receive ownership of your Flow immediately, however it will be disabled until they have reviewed the Flow (to make sure it's not dodgy 😉) and decide to enable it themselves.

Project Request Scope Now Supports Asset Selection

When a user requests a new project, previously the only option was to allow them to enter in any arbitrary scope they can think of. This makes it hard for security teams to link that information to real assets in your Assets module.

You can now switch the Scope field on the Project Request to an Asset selector.

This can be toggled from Administration > Project Requests > Form > Scope > Field Type (Text/Asset)

The user will only see assets which they already have access to via the Assets module.

This means that any Asset Libraries and access controls on those libraries will be enforced.

Users can only select from their assets, or create a new asset (if permitted to do so).

We've also improved the user experience when approving the project request, so that it's easier to reconcile requested project scope against similarly named assets in different libraries. We also now highlight any differences and have an easy option to create new assets when needed.

Custom Email Distribution Lists

The Custom Time-Based Email Notification Engine is a god-send for use cases where you might need AttackForge to:

  • Remind people about vulnerabilities about to breach their Remediation SLA and/or Remediation Plan

  • Escalate to people about vulnerabilities which have breached their Remediation SLA and/or Remediation Plan

  • Remind people about overrunning projects

  • Remind people about unactioned project requests

  • Remind people their account will lock out if they don't log in soon

  • Get a digest of all vulnerabilities or writeups that need to be reviewed

  • Plus many more use cases you can think of!

We've now extended these emails to also support custom distribution lists! 🤩

This means you can now use any user(s) or group(s) Custom Fields as distribution lists for these emails.

For example, if you have Vulnerability Owner or Teams Responsible custom fields configured on your vulnerabilities, you can now include those recipients within these emails.

You can leverage any User Select, User Multi-Select, Group Select or Group Multi-Select custom fields

Skip Access Control in Custom Time-Based Emails

We've also added the option to Skip Access Control Checks in Custom Time-Based Emails. This means that if the user doesn't have access to the data record, for example the project or the vulnerability, then it will still include that record in the email.

This is ideal for scenarios where you have generic mailboxes which need to have all information in one place; or you need users to be made aware of authorized information in AttackForge for which they would not normally have access to within the application.

Pending Vulns Now Supported in Custom Time-Based Emails

The Custom Time-Based Emails also now support Pending vulnerabilities.

You can now create emails which contain a list of pending vulnerabilities which need to be reviewed or subjected to quality assurance reviews - making it way easier to know when you need to do QA!

Create Projects Without Scope or Test Suites

We've made it possible to now create projects without any scope or test suites selected.

This makes it easier to set up new projects and complete the information later on once it's known.

Retest Rounds Now Support All Vulns

When Requesting a Retest Round, you can now select any of the vulnerabilities on the project to be considered in-scope for the retest, not just the vulnerabilities which are marked as Ready for Retest.

This makes it far easier for your teams to request retests, and saves on the extra steps needed to first mark those vulnerabilities as Ready for Retest.

Linked Project Keys Now Supports All Project Fields

When building your custom project request and intake form, you can now easily map all of your desired Project Request fields to Project fields.

We've extended the Linked Project Key feature to now show all fields which you can map to. This includes System and Custom fields.

Updates to ReportGen

Charts now support modifying the base chart color, for example you can make the lines and labels white if you have a dark background in your reporting template.

Enhancements to Self-Service APIs

We're always improving our Self-Service APIs to make automations and integrations even easier! 💪

28 February 2025

Introducing Flows - Automation Module for AttackForge

We're super excited 🤩 to finally reveal Flows - AttackForge's comprehensive, end-to-end automation engine - powered by AFScript.

Flows can help you to automate AttackForge with nearly unlimited systems. You can streamline processes across your organization to save time and focus on what's most important.

Some examples you can do with Flows:

Flows can interact with any HTTP interface, including your own tools as well as the AttackForge Self-Service APIs

Flows is included in all AttackForge Enterprise plans and in the AttackForge Core SME plan. For all others plans, Flows can be added-on from the Administration -> Subscriptions page.

We've made some Flows available on our GitHub which you can import into your AttackForge to get started fast! Examples include:

Some of the great features of Flows include:

  • Share your Flows with multiple team members to help collaborate on your Flows together

  • Import and Export Flows to get started fast! You can also to share your Flows with other people using AttackForge

  • Various Triggers to handle a variety of use cases and bespoke needs

  • Support for Secrets to protect your passwords, API tokens and keys

  • Powerful Actions. Create your own custom logic and decision paths using AFScript

  • Run History for robust testing. Tracking and monitoring for peace of mind. Access detailed logs to know exactly what your Flows are doing at any time.

  • Unlimited Flows and Flow Actions! Build as many automations and integrations as you need, start with simple Flows and level up to complex sequences and chains.

We will be releasing even more capabilities and examples for Flows in the coming months so stay tuned!

Custom Domains for AttackForge Core

We have released fully custom domain names for AttackForge Core!

You can now have your own personal domain for hosting and accessing your AttackForge tenant.

Currently only available on AttackForge Core SME plans

Updates to AFScript

We've extended AFScript yet again!

You can now suggest values across all of your custom fields, everywhere, using AFScript.

We've also added String.replace() and String.replaceAll() functions.

Updates to Groups

We've updated Groups to now support Custom Fields and Forms.

This makes to possible to have a custom set of fields and forms for different Groups such as customers, security teams, technology and engineering teams, risk teams, subsidiaries and divisions, platforms and other ways in which you use groups.

You can configure Group custom fields and forms from Administration -> Groups.

In addition, we added support for mapping AttackForge Groups to SSO Identity Provider Groups to include support for assigning no access to the groups projects, as well as support for assigning access to Project Requests.

Updates to Custom Time-Based Notifications

We've added support for ability to use the dateFormat filter to adjust the way the date and time is displayed in your custom time-based emails.

For example, you can now do this:

{project.start_date | dateFormat:["fullDate"]}

Updates to ReportGen

We added new Filters including isArray, isBoolean, isInteger, and isString.

We also updated the styling and layout for the out-of-the-box Pentest Report Template to showcase even more possibilities for custom reports in ReportGen!

We also added a Retry button in the Offline Browser Tool from Chrome users which makes building reports even faster! 🥳 You no longer need to re-select the template file or JSON data.

Updates to Writeups Libraries and Test Suites

We've added MITRE ATT&CK Framework for Writeups! Including Enterprise v16.1, ICS v16.1, Mobile v16.1. You can now leverage MITRE ATT&CK directly in your Writeups.

We've also updated to MITRE CWE v4.16 and MITRE CAPEC v3.9 including new tags to cross-reference between CWE and CAPEC.

We've also updated MITRE ATT&CK Framework for Test Suites to the latest versions - Enterprise v16.1, ICS v16.1, Mobile v16.1.

UX Improvements

Now when creating a new Writeup in the Project Library from the Vulnerability form, the current project will be auto-selected.

Also after completing an Abuse Case, there is now a button to Create Another.

Enhancements to Self-Service APIs

We're always improving our Self-Service APIs to make automations and integrations even easier!

PreviousRelease NotesNext2024

Last updated