LEVERAGING GENAI FOR PENTEST REPORTING WITH CYVER CORE

Cyver Core, published in Cyver, Jul 1, 2024

Pentest reporting is still one of the most time-consuming aspects of pentesting. For many pentesters, that means spending 20–60% of the total pentest time on writing a report. Often, that means having a skilled technical employee engage in routine and relatively unskilled labor. While reporting often requires pentester insight to write unique recommendations and tips, much of what you share in recommendations is public knowledge, provided you know where to find it.

For many pentest firms, that means your most valued employees are spending 2–14 hours of every pentest on doing work that doesn’t require their expertise. And, for the most part, they’re frustrated and bored.

STREAMLINING PENTEST REPORTING WITH PENTEST MANAGEMENT TOOLING

Pentest management platforms like Cyver Core have delivered a means of streamlining that report generation for years now. You can automatically import findings, use pre-written descriptions, automatically map findings to your vulnerability libraries to import descriptions and labels, and otherwise speed up the process by automating copy-paste and other repetitive tasks.

According to our data, that step alone reduces time spent from about 2–3 days to an average of 4–6 hours (of course, time to report still depends heavily on what kind of pentest you’re running and how complex it is). However, it’s not perfect. Pentesters are still spending hours on writing unique content, such as customized remediation recommendations, report summaries, etc.

In fact, Cyver Core’s customers report spending 20–70% of time reporting on writing unique content for the report. Pre-Cyver Core, that was about 60–70% of time spent on copy-paste and filling in generic data, so that’s already an improvement. Still, there’s further room for improvement.

That’s why Cyver Core is now leveraging the power of generative AI to help our users quickly generate unique content for their pentest reports.

USING GENERATIVE AI FOR PENTEST REPORTING

Your GenAI instance is completely integrated into the platform, meaning that it generates content based on what you have.

Cyver’s GenAI functions at a project and a finding level.

Project Level: Generate content at the project level with client data, recommendations, summaries, risk summaries, etc., taken into account.

Finding Level: Generate specific finding-level data with the client information, project scope, and risk levels taken into account.

That means you can use it for:

  • Summaries and executive summaries. Just click a button to generate a summary, re-do it as many times as you’d like, edit it, and you’re good to go. GenAI incorporates everything from the report and client data, so everything is in place.
  • Recommendations. Write custom recommendations for finding remediation, with specific data for the technology stack the client is using. E.g., don’t just paste a generic remediation tip for a cross-site scripting vulnerability, tell the client exactly what to do in their framework so they can immediately get started.
  • Add custom data like how vulnerabilities impact the client’s compliance frameworks, how many times the vulnerability has been found, or how long the vulnerability has been open — without having to look up and add that data.

Essentially, you’ll be able to quickly create highly custom content, edit it, add your own human insight, and send a highly informative report to the client in a fraction of the time you’d normally spend.

GENAI SUPPORTS HUMAN INSIGHT

Leveraging GenAI to do the heavy lifting of generating (most) pentest report content means pentesters are freed up to check data, add custom insights from human expertise, and tweak the final details.

If most of what you’re putting in a report is general knowledge fixes and information, that information should be automatically added. Then, your pentesters aren’t spending hours putting together data. Instead, they’re focusing time refining the report, adding human insight, and delivering real value.

That’s even true with complex pentesting like red teaming and crown jewel scenarios. Your GenAI can create content, summaries, methodology descriptions, and more around your narrative, so all you have to do is go in, add the finishing touches, and your own unique insight.

And, of course, you can continue to use your pre-prepared content and libraries instead of or in addition to GenAI. Whether you use GenAI is completely your choice, on a per-project, per-report, or per-account basis.

STREAMLINING PENTEST REPORTING WITH GENAI

The average pentest report takes 2–14 hours. With 20–70% of that time spent on writing unique content like descriptions, summaries, and recommendations, GenAI can save you hours per pentest.

Ultimately, that means hours you can dedicate to consultancy, to pentesting, and to refining the report rather than writing it.

If you’d like to learn more, schedule a demo to see it in action or visit our GenAI Pentest Reporting page to learn more.
