We are evolving how the penetration testing industry reports vulnerabilities. Traditional PDF reports just don't work anymore, we need a way to easily query vulnerability data, track, export/import, and integrate into existing business processes. Beyond the obvious data usability issues, most consulting firms fail to accurately explain how vulnerabilities relate in context of an application or network. Getting a list of canned vulnerabilities from a penetration test fails to paint the full picture of the risk. The reality is that a couple low risks may seem insignificant, but taken together may lead to a full compromise. One reporting tool, CVSS, is great for tracking and categorizing risks, but fails to connect the dots between vulnerabilities to accurately model how attacks work. How do you explain an attack sequence linking multiple vulnerabilities in an easy to understand, repeatable, reliable manner to all levels of the organization?
We just released another update to PenTest Manager last night, the reporting tool used by SpiderLabs to manage, track, and report results of penetration tests. This update includes major enhancements to the PenTest Manager backend to support much more advanced reporting capabilities planned for July - Stay tuned!