Pentest report automation tools – do you need one and what are the options

This article explores the benefits and shortcomings of report automation tools and the general routes for deploying this type of software in practice.

Do you need a report automation tool?

To cut to the chase, if you want to include the results from vulnerability scans (e.g. Nessus, Qualys) in the final report then you need a report automation tool which supports the scanners you use.

The reasons for this are many, but the top three are:

  1. It will drastically speed up the aggregation of scanner results while removing the copy-and-paste errors that creep into a manual process. You will also make your pentesters happy by saving them a painfully boring task.
  2. A good tool will allow you to customise the vulnerability texts provided by the scanner, store the changes and apply them automatically in future reports, which saves further time. It enables you to define 'gold standard' texts for use by everyone in the team.
  3. Scanners tend to provide repetitive results which can and should be aggregated to avoid bloating the report and make it easier to read and understand. With HaxHQ this is a very simple process.
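As an added illustration of points 1 to 3 (this is example code written for this article, not HaxHQ's or any scanner vendor's code), the script below reads a Nessus-style CSV export, collapses the one-row-per-host-and-port output into a single finding per plugin ID, drops exact duplicate rows, applies team-maintained 'gold standard' texts where they exist, and renders the result as Markdown sections ordered by severity. The column layout follows the Nessus CSV export, but the plugin IDs, hosts, vulnerability texts and override texts are all constructed for the example.

```python
"""Aggregate repetitive scanner findings into one report entry per plugin
and apply team-maintained 'gold standard' texts.  Added example; not the
page's or HaxHQ's own code."""
import csv
import io

# Severity ranking used to order the final report (constructed mapping).
RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}

# Constructed sample in a Nessus-style CSV layout; the plugin IDs, hosts and
# texts are made up for this example, not real scanner output.  Row 4 is an
# exact duplicate of row 3, as happens when two scans are merged.
SAMPLE_CSV = """\
Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Synopsis,Description,Solution
10001,,5.3,Medium,10.0.0.5,tcp,443,Self-signed TLS certificate,Untrusted certificate,Scanner boilerplate about self-signed certificates.,Install a certificate signed by a trusted CA.
10001,,5.3,Medium,10.0.0.6,tcp,443,Self-signed TLS certificate,Untrusted certificate,Scanner boilerplate about self-signed certificates.,Install a certificate signed by a trusted CA.
10001,,5.3,Medium,10.0.0.6,tcp,8443,Self-signed TLS certificate,Untrusted certificate,Scanner boilerplate about self-signed certificates.,Install a certificate signed by a trusted CA.
10001,,5.3,Medium,10.0.0.6,tcp,8443,Self-signed TLS certificate,Untrusted certificate,Scanner boilerplate about self-signed certificates.,Install a certificate signed by a trusted CA.
10002,,7.5,High,10.0.0.5,tcp,22,Outdated SSH server,Unsupported version,Scanner boilerplate about an outdated SSH daemon.,Upgrade the SSH server.
10002,,7.5,High,10.0.0.7,tcp,22,Outdated SSH server,Unsupported version,Scanner boilerplate about an outdated SSH daemon.,Upgrade the SSH server.
10003,,3.1,Low,10.0.0.5,tcp,80,HTTP TRACE method enabled,Debug method exposed,Scanner boilerplate about the TRACE method.,Disable the TRACE method.
"""

# Team-maintained replacement texts keyed by plugin ID (constructed).
GOLD_STANDARD = {
    "10001": {
        "description": "The service presents a certificate that is not signed by a "
                       "trusted authority so clients cannot verify the server identity.",
        "solution": "Issue certificates from the internal PKI or a public CA and "
                    "remove the self-signed certificate.",
    },
}


def parse_scan(csv_text):
    """Read a scanner CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def aggregate_findings(rows, overrides=None):
    """Collapse one row per host/port into one finding per plugin ID.

    Exact duplicate rows are dropped, each affected service is listed once,
    and override text (if any) replaces the scanner's text for that plugin."""
    overrides = overrides or {}
    grouped = {}
    for row in rows:
        pid = row["Plugin ID"]
        entry = grouped.setdefault(pid, {
            "plugin_id": pid,
            "name": row["Name"],
            "risk": row["Risk"],
            "cvss": row["CVSS"],
            "description": row["Description"],
            "solution": row["Solution"],
            "affected": set(),          # set removes duplicate host/port rows
        })
        entry["affected"].add((row["Host"], int(row["Port"]), row["Protocol"]))
        # If the scanner rated instances differently, keep the highest rating.
        if RISK_ORDER.get(row["Risk"], 9) < RISK_ORDER.get(entry["risk"], 9):
            entry["risk"] = row["Risk"]

    findings = []
    for entry in grouped.values():
        entry["affected"] = [
            f"{host}:{port}/{proto}"
            for host, port, proto in sorted(entry["affected"], key=lambda a: (a[0], a[1]))
        ]
        for field in ("description", "solution"):
            if field in overrides.get(entry["plugin_id"], {}):
                entry[field] = overrides[entry["plugin_id"]][field]
        findings.append(entry)
    # Most severe first, then alphabetically by finding name.
    findings.sort(key=lambda f: (RISK_ORDER.get(f["risk"], 9), f["name"]))
    return findings


def render_report(findings):
    """Render the aggregated findings as Markdown sections."""
    lines = []
    for f in findings:
        lines.append(f"## {f['name']} ({f['risk']}, CVSS {f['cvss']})")
        lines.append(f"**Affected ({len(f['affected'])}):** " + ", ".join(f["affected"]))
        lines.append("")
        lines.append(f["description"])
        lines.append("")
        lines.append(f"**Remediation:** {f['solution']}")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(aggregate_findings(parse_scan(SAMPLE_CSV), GOLD_STANDARD)))
```

Run as-is, the seven scanner rows become three report sections; the self-signed certificate finding lists three distinct services and carries the team's replacement text, while the findings with no override keep the scanner's wording. The override dictionary is the part a team would keep under version control and reuse across engagements.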

Depending on the type of customers you work with, you may never include vulnerability scan results in the final report. Some more security conscious customers do run their own vulnerability scans on a regular basis and do not like to see the same results in a pentest report.

In such a scenario you may not need report automation software, as writing a report manually is still feasible. It would still be a repetitive process, and most pentesters I know will look to automate it in one way or another. A reporting tool would reduce the scope for cut and paste errors and can provide a library of common findings for easier reuse. From a management point of view, such a tool can also retain anonymised data across engagements and use it to produce reports, where this is useful to inform strategic decisions.

What are the options available?

Your main options are to pick an open source tool that seems to fit your requirements best and then adapt and maintain it yourself, or to purchase a SaaS solution which offers sufficient guarantees to meet your compliance requirements. HaxHQ offers a third option, allowing you to outsource the customisation and maintenance without having to trust a third party with your customers’ highly sensitive vulnerability data – at half the price of some SaaS services.

Open source tools

A few projects exist on GitHub which many pentesters will be perfectly capable of building, running and even customising and maintaining themselves. You will have to do some research, installation and configuration so you can test them and see if they fit your requirements. If you have the time and capability this is certainly a good option – it is free, and if you make any improvements you may be able to contribute them back to the community.

SaaS solutions

Many offerings exist, some priced competitively and others less so. In all cases, you will need to upload scanner output and/or manually discovered vulnerabilities into the cloud, with little control over what happens with that data after that. As far as I know, all commercially available cloud solutions are closed source, though free versions may exist for which the source code might be available.
You should pick a trustworthy provider and ensure that their offering and terms of service are compatible with your company’s requirements, contractual obligations and certification standards.
This is the least resource intensive option and may be very cost effective as well, especially for smaller teams. HaxHQ does offer a SaaS service as well, please contact us for a quote.

HaxHQ

You can have the best of both worlds if you decide to host HaxHQ on your own infrastructure. With full visibility into the source code and the content of updates, and full control of the hardware it runs on, you have to trust nobody and are in full control. At the same time installation, customisation and maintenance are taken care of so pentesters can concentrate on what they do best.