Are there any solutions currently in the market for Customization and Total Automation for Penetration Testing Reports?
Chief Security Officer in Software (3 years ago)
It's not exactly automation of reports, but we are looking at AttackIQ to automate parts of the pentesting process, including reporting. Happy to chat further if interested.
CISO in Energy and Utilities (3 years ago)
CompTIA PenTest+ (PT0-002) includes best practices for automation techniques and was released in late October 2021. The exam assesses how to perform automated vulnerability scanning and penetration testing using appropriate tools and techniques, and then how to analyze the results, as shown below.
Domain 2.0 Information Gathering and Vulnerability Scanning
2.4 Given a scenario, perform vulnerability scanning. Includes vulnerability testing tools that facilitate automation.
Domain 5.0 Tools and Code Analysis
5.2 Given a scenario, analyze a script or code sample for use in a penetration test. Includes automating the penetration testing process and next steps based on results of a scan.
5.3 Explain use cases of the following tools during the phases of a penetration test. Includes automation tools for scanning and web application testing.
Most modern penetration testing tools include automation capabilities. For example, you can find automation testing features in Metasploit, Nettacker, Jok3r, Legion, Sn1per, Open Security Content Automation Protocol (SCAP), OWASP ZAP and Burp Suite – to name a few.
VP of Information Security in Services (non-Government) (3 years ago)
There is an emerging security technology domain, breach and attack simulation (BAS), that has the capability to automate penetration testing reporting on a 24x7 basis. I would be more than happy to provide more information on how BAS works, pros and cons, cost model, etc.
Principal Security Specialist in Finance (non-banking) (6 months ago)
You should probably elaborate on what you mean by these terms. Penetration testing reports could be:
1. The output of a pentest engagement, where X testers worked on a specific scope to identify issues (generally word/pdf/html format)
2. Ad-hoc or regularly generated reports on penetration testing issues identified across your portfolio, filtered and formatted in a specified manner but generally in a tabular structure (such as Excel or CSV)
Similarly, "Customization and Total Automation for Penetration Testing Reports" would be different for each of the above 2. Or you could mean:
3. A fully automated and customized penetration testing process which, apart from executing the test cases of a pentest, will also produce pentest reports
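To make the distinction between report types 1 and 2 concrete, here is an added example (not code from any poster) that renders one set of findings both as a narrative engagement report and as a filtered portfolio CSV; the asset names and findings are constructed sample data, and the severity scale is an assumption.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Lower number = more severe; used for sorting and for the severity floor filter.
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}

@dataclass(frozen=True)
class Finding:
    asset: str         # host or application in scope (hypothetical names)
    title: str
    severity: str      # one of SEVERITY_ORDER
    remediation: str

# Constructed sample findings; the duplicate mimics one issue reported by two scans.
FINDINGS = [
    Finding("app.example.test", "Reflected XSS in search", "High", "Encode output; add CSP"),
    Finding("db.example.test", "Default credentials", "Critical", "Rotate and enforce MFA"),
    Finding("app.example.test", "Verbose server banner", "Low", "Suppress version header"),
    Finding("db.example.test", "Default credentials", "Critical", "Rotate and enforce MFA"),
]

def normalize(findings):
    """Deduplicate repeated findings and order them by severity, then asset."""
    return sorted(set(findings), key=lambda f: (SEVERITY_ORDER[f.severity], f.asset, f.title))

def engagement_report(findings, scope):
    """Type 1: narrative Markdown report for one engagement, grouped by severity."""
    findings = normalize(findings)
    counts = Counter(f.severity for f in findings)
    lines = [f"# Penetration Test Report: {scope}", "", "## Summary"]
    lines += [f"- {sev}: {counts[sev]}" for sev in SEVERITY_ORDER if counts[sev]]
    lines += ["", "## Findings"]
    for f in findings:
        lines += [f"### [{f.severity}] {f.title} ({f.asset})", f"Remediation: {f.remediation}", ""]
    return "\n".join(lines)

def portfolio_csv(findings, min_severity="Medium"):
    """Type 2: tabular export across assets, keeping only findings at or above a severity floor."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["asset", "severity", "title", "remediation"])
    for f in normalize(findings):
        if SEVERITY_ORDER[f.severity] <= SEVERITY_ORDER[min_severity]:
            writer.writerow([f.asset, f.severity, f.title, f.remediation])
    return out.getvalue()
```

Both outputs come from the same normalized findings list, so customizing the report is a matter of changing the renderer or the filter, not re-entering results.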
CISO/CPO & Adjunct Law Professor in Finance (non-banking) (6 months ago)
Total automation of pen test reports is a risk from at least two directions. One is if the pen test tool runs amok, it can cause damage internally and to other companies inadvertently - creating liability for the person commissioning the pen test. Another risk is that the automated tool won't be robust; there are numerous scanning tools available which lack the depth to simulate a determined, genuine hacker. The third risk that comes to mind is the data from your scan. Who will own the output from your test, which lays out your firm's weaknesses with specificity?