COLLABORATING ON PENTEST REPORTING WITH YOUR INTERNAL CYBERSECURITY TEAM

Cyver · Published in Cyver Core · 5 min read · Jun 25, 2024

SUPPORTING INTERNAL CYBERSECURITY TEAMS WITH PENTEST REPORTING & RETESTING

If you’re doing pentesting as part of an internal cybersecurity or pentest team, your focus is not on reporting. Instead, internal teams typically focus on finding vulnerabilities, building remediation plans, and helping relevant teams remediate found vulnerabilities. Still, you have to report and you have to do so as part of a team. That normally means a significant amount of collaboration, both on finding vulnerabilities and on doing writeups to deliver those vulnerabilities to relevant team members.

For most internal teams, that means working hard to present vulnerabilities to the teams and stakeholders that need them. You still have to put a significant amount of time and energy into reporting.

Cyver Core delivers a platform to help you manage that reporting. It shifts the focus away from the pentest report and towards delivering vulnerability findings as individual tickets — complete with the context and remediation advice your stakeholders need to fix vulnerabilities — and the long-term tracking that lets you trace remediation and finding recurrence.

WHAT INTERNAL TEAMS NEED FROM PENTEST REPORTING

Internal pentesting is much less focused on delivering a report and much more focused on delivering vulnerability findings, complete with prioritization, evidence, and remediation recommendations and then tracking and retesting that remediation to ensure that fixes work.

With so little focus on the report, the attention should shift to individual findings, with delivery worked into the platform.

That includes:

  • Notifying relevant teams when pentesting starts. E.g., with Cyver Core, you can onboard your stakeholders and automatically alert them when a security assessment starts.
  • Updating pentest progress as the test progresses and as methodology or scope changes. Cyver incorporates a workflow, complete with methodology and the option to easily add new sections to the report, perfect for red team and crown jewel scenarios where you don’t know what you’re testing at the start of the assignment.
  • Capturing findings and evidence and delivering them together. Cyver’s platform allows you to add screenshots, writeups, and pre-canned content directly to the individual finding ticket, so everything is in one place.
  • Defining risk scores for pentest findings. Cyver Core automatically adds CVSS and other methodology data. Its collaborative function also means you can request a review from other pentesters and security experts in your organization to decide on ratings together before pushing the finding to stakeholders. Stakeholders can then see vulnerability findings ranked by severity in the dashboard for easier prioritization.
  • Tracking remediation and time-to-fix across the organization and ensuring fixes actually happen. Cyver Core automatically tracks remediation and vulnerability status, so your team won’t have to chase teams for updates on fixes or the status of a vulnerability. E.g., you can easily see when vulnerabilities have been open for longer than remediation plans and SLAs allow, and stakeholders automatically get alerts.
  • Retesting, worked into the platform, so stakeholders simply let you know when they’re ready for a retest and you run it.
  • Tracking risk-accepted findings as part of the process, so you can see their status and whether they become more critical.
  • Letting stakeholders add their own assets and request pentests when introducing new technologies, updates, or potential attack vectors. Those assets then stay in the platform and can have recurring pentests and scans scheduled.
  • Delivering pentest reports to management, complete with overviews, reports on how data fits into compliance frameworks, and methodology. Creating a pentest report is a click of a button, after which you can edit content as you see fit, which makes it easy to generate reports for different audiences, such as finance, an external auditor with detailed findings removed, or senior management, who don’t need technical data.
  • Working with and managing external pentesters and pentest results for compliance and validation. Here, Cyver Core offers access management and the option to onboard external pentesters to your dashboard, so they can upload findings in your portal.

All of this means that you typically prioritize a pentest management platform first and reporting capabilities second. With Cyver, you get both.

CYVER CORE AND COLLABORATING ON YOUR REPORT

With reduced emphasis on the report and more emphasis on structuring remediation plans, internal teams need collaboration tools that focus on delivering vulnerability findings and not just a report.

Cyver Core offers multiple features that perfectly meet the needs of internal cybersecurity and pentesting teams:

  • Team management, so you can align multiple teams such as pentesting, red teaming, ICT, and teams that focus on items like customer-facing systems or compliance, and collaborate on reports so you don’t submit multiple versions of the same vulnerability.
  • Unified dashboards with access control, so you can add users who only see what’s relevant to them, or people who see a full overview of the cybersecurity environment.
  • Formal workflows and processes, so everyone is aligned and you always have oversight of whether the report or findings are ready.
  • Options to onboard engineering, product, and business teams, so they have oversight of the pentest process and real-time alerts when vulnerabilities are found.
  • A focus on understanding the cybersecurity environment with ongoing metrics, recurring-findings tracing, and remediation tracking.
  • Review and sign-off workflows, so teams can collaborate on tests and nothing is forwarded for remediation until it’s been checked.

HOW COLLABORATIVE PENTEST REPORTING WORKS

Cyver Core offers multiple features designed around team collaboration:

Merge Findings — With multiple people or teams testing the same assets with different tools, you will have duplicate findings. Cyver Core automatically merges them (based on title) so you only alert developers to unique findings. You’ll see different instances of the vulnerability across assets and the number of reoccurrences — but you’ll have one ticket for one vulnerability.
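The merge-by-title step described here, together with the SLA-overdue check described under tracking remediation above, is the kind of logic a team can reason about in a few dozen lines. The following is an added example and not Cyver Core’s own code: it normalises titles so that case and whitespace differences still collapse into one ticket, keeps one instance per asset, takes the highest severity across instances, and flags open tickets whose age exceeds an assumed per-severity SLA. The findings, asset names and SLA day counts are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample findings, as if uploaded by two pentesters using
# different tools. Note the duplicate XSS title with different case/spacing.
RAW_FINDINGS = [
    {"title": "Reflected XSS in search", "asset": "www.example.test",
     "severity": "High", "found": "2024-06-01", "status": "open"},
    {"title": "reflected xss in   search ", "asset": "shop.example.test",
     "severity": "High", "found": "2024-06-03", "status": "open"},
    {"title": "Outdated TLS configuration", "asset": "api.example.test",
     "severity": "High", "found": "2024-05-01", "status": "open"},
    {"title": "Outdated TLS configuration", "asset": "www.example.test",
     "severity": "Low", "found": "2024-05-10", "status": "fixed"},
    {"title": "Verbose error messages", "asset": "api.example.test",
     "severity": "Low", "found": "2024-06-10", "status": "risk_accepted"},
]

# Assumed remediation SLA in days per severity (hypothetical policy values).
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def normalize_title(title: str) -> str:
    """Merge key: lower-case and collapse runs of whitespace."""
    return " ".join(title.lower().split())


@dataclass
class Ticket:
    title: str              # title as first reported
    severity: str           # highest severity seen across instances
    first_found: date       # earliest observation, used for SLA ageing
    instances: list         # (asset, found date, status) per occurrence

    @property
    def recurrences(self) -> int:
        return len(self.instances)

    @property
    def is_open(self) -> bool:
        # A ticket stays open while any instance is still open; fixed or
        # risk-accepted instances on their own do not close it.
        return any(status == "open" for _, _, status in self.instances)


def merge_findings(findings: list) -> dict:
    """Collapse raw findings into one ticket per normalised title."""
    tickets: dict = {}
    for f in findings:
        key = normalize_title(f["title"])
        found = date.fromisoformat(f["found"])
        inst = (f["asset"], found, f["status"])
        ticket = tickets.get(key)
        if ticket is None:
            tickets[key] = Ticket(f["title"].strip(), f["severity"], found, [inst])
            continue
        ticket.instances.append(inst)
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[ticket.severity]:
            ticket.severity = f["severity"]
        ticket.first_found = min(ticket.first_found, found)
    return tickets


def overdue_tickets(tickets: dict, today: date) -> list:
    """Return (title, days_open, sla_days) for open tickets past their SLA."""
    result = []
    for ticket in tickets.values():
        if not ticket.is_open:
            continue
        days_open = (today - ticket.first_found).days
        sla = SLA_DAYS[ticket.severity]
        if days_open > sla:
            result.append((ticket.title, days_open, sla))
    return sorted(result, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    merged = merge_findings(RAW_FINDINGS)
    for t in merged.values():
        print(f"{t.title}: {t.severity}, {t.recurrences} instance(s), open={t.is_open}")
    for title, days, sla in overdue_tickets(merged, date(2024, 6, 25)):
        print(f"OVERDUE: {title} open {days} days (SLA {sla})")
```

Two design choices matter in practice. Merging on a normalised title still counts each asset as a separate instance, which is what developers need when one root cause surfaces on several hosts. Ageing the ticket from the earliest observation rather than the latest prevents a fresh duplicate from resetting the SLA clock on an old, unfixed issue.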

Workflows — Set up workflows with review processes built-in, so you always know when someone has checked your work and you’re ready to submit.

Generate the Report — Generate a pentest report with the click of a button based on content you already have in the platform.

Edit Together — Edit and review the report and the findings as a team, leave comments, assign edits, and work on final edits together. Then, when it’s ready, publish the report directly to your stakeholders.

Access Control — Onboard your team members with the roles that make sense for them — whether that’s pentesters with full access to assets, managers with access to clients, or editors, who only see the draft report.

External Pentesters — Add teams with different access levels for external pentesters, so your third-party pentesters can contribute to the same reports and platform.

If you’d like to learn more, or see Cyver Core’s pentest reporting functionality in action, contact us for a demo.
