January 2024 Release - Starting year with a BANG!

This release is focused on Enterprise capabilities!

• Asset Libraries - with access control and ability to import assets

• Portfolios Enhancements - Portfolio module and analytics are now available for all users – with proper access controls

• Current MITRE ATT&CK Testing Methodologies, MITRE CWE and CAPEC Vulnerability Libraries

• And many more - see inside!

Our product team has outdone themselves.

Again!

Condensed list of new features can barely fit in two pages!

And all of that – in one quarter!

Some ten-times bigger organisations😉would deliver less in a year than AttackForge engineers did in a single quarter!

This is how great our engineers are!

Our engineers have released this new feature: AttackForge ReportGen Command Line Interface tool and the equivalent Node.js library.
Who and why would you need a non-interactive method of pentest report generation?
In fact - large AttackForge customers requested this feature. There are several benefits of having the ability to generate reports without interactive access to a portal.

While everyone is going to Las Vegas Summer camp - AttackForge launches July 2023 Release.

Here are some of the big features included in this release:

• New and improved Workflows for Infrastructure Pentesting.

• Huge update to ReportGen – new free templates, custom styles, new filters, and ReportGen GitHub Community site

• Import of results from NMAP and Masscan

• User Experience improvements

• New functionality withing existing workflows
  - New Custom Field type – List
  - Ability to select vulnerabilities when exporting a projects’ JSON file
  - View Asset Module Data within Project Scope screen-

• As always – updates to Self-Service API

This is the first release since AttackForge V2 was launched in January. What is your expectation – do you think our engineers slowed down after the V2?
No! This is another huge release filled to the brim with features!
Here are some of them:

• Significant extension of Custom Fields capabilities

• Ability to restrict access to reporting templates – now administrator could set who can access to which reporting templates.

• Vulnerabilities could be linked between different projects.

• Reports can be created against a hand-picked subset of vulnerabilities.

• Updated ReportGen 2.6

• Update to Qualys parser – to support the new format.

  And many other features.

Tell Me you’re an Elite Pentester Without Telling Me You’re an Elite Pentester.

Finally – our brand new AttackForge Version 2 out!
We built upon great foundation of Version 1 – and bring whole new user experience to our customers! Check it out!

We have been very busy the last three months!
Hacker Summer Camp in Las Vegas, road trip visiting our clients across the USA…

Great time, great food and – the most important – great feedback. Thank you everyone for your hospitality and you feedback!
So - here it is - our October 2022 release:

• Delegations - making life easier for admins

• Smart Vulnerability Imports - mapping your tools vulns to your library

• Extended project cloning functionality

• Improved analytics

• Bulk adding of remediation notes

• UX Improvements, as always 😊

• Updates to Self-Service API - as usual

• ReportGen 2.4
  

Presenting AttackForge July 2022 Release!

We launched new product last week – AttackForge Core: Action Pack, but that will be in the next post.

This post is about this release - we have delivered a lot over past two months!

The focus has been on enhancing the features that made AttackForge so valuable for our customers.

• Advanced Email notification

• Enhancing Test Suite module with execution flows, notes, and associated evidence.

• New version of ReportGen

• And much more - check inside!

Another exciting release this month!

• Project Clone capabilities – how many times did we want to simplify running recurring rounds of pentesting?

• ReportGen v2.2 - with updated filtering capabilities, concept of Parent object, and styles for Executive Summary

• Executive Summary with Rich Text support, WYSIWYG in UI, and Review Notes for better QA!

• More control of user accounts

• UX Improvements

• New configuration options

• And – as always - updates to Self-Service API!

Another big release. A lot of great features for our customers!

• We introduced Vulnerability SLAs and Remediation Plans – to help security managers and platform owners to track vulnerabilities and remediation activities against their organisation’s policies

• Custom fields for Assets – to capture organisation specific information about assets, so it is easier to focus pentesting activities on the most critical assets

• Another update to our best-of-breed reporting engine ReportGen – introduction of sophisticated logic and diagnostics – to further empower our customers

• Improved Retest workflow

• New configuration options for Single Sign-On with multiple Identity Providers

• UX improvements across multiple modules

• And – as always - updates to Self-Service API

Pandemic or New Year – AttackForge Release Must Go On!

Happy New Year and Happy New Release! This one is definitely big and full of great stuff!

• Custom Vulnerability Libraries – to make sure that your vulnerability write-ups are easy to manage and control

• Second generation of AttackForge famous ReportGen tool,

• Introduction of endpoints to Assets – making tracking and remediation of vulnerabilities more granular and visible.
  

  And many more…

This release is all about User Experience and Customization!

• Introduction of three distinct centralized Vulnerability Libraries

• Custom forms, fields, and conditions

• Group project access control management

• Further improvements to global dashboard

• Updates to ReportGen

• Updates to Self-Service API

This purpose of this article is to identify the People component of the solution.

Let’s look at the list of roles necessary to implement the process and structure described in the second article

This article is going to focus on how, in my view, the technology component of the solution should look like.

And again - I want to highlight that NO technology alone would be sufficient.

We need to get all three components right – process, technology and people.

This article is going to focus on what I believe is the first component of the solution – addressing the pentesting process and governance structure for sizeable pentesting programs (more than twenty pentests per year).

Many jurisdictions have made pentesting mandatory. Some even go as far as to make remediation mandatory as well!

And for many years the infosec community has been saying and writing that pentesting is broken. Google finds hundreds of articles on that and similar topics.

This article is about that. The next articles will be about the ways on how to fix it when running sizeable pentesting programs.

This will be a series of four articles. The intent is analyse the common problems for running pentesting programs, and come with recommendations what to do with them.