AttackForge ReportGen CLI tool is out!

This post is about a new and, I am afraid, underrated feature – AttackForge ReportGen Command Line Interface (CLI) tool, and the equivalent Node.js library – both which we made available as open source on NPM: https://www.npmjs.com/search?q=attackforge

Yes. Our engineers have released this new feature.

You may ask – why would anyone need a method to generate a report from the command line or within their own code? I may ask – why are we still using static reports as the main deliverable of a penetration test? But we are where we are – and I will leave the answer to my question for future posts.

So, who and why would you need a non-interactive method of pentest report generation?

In fact, many large AttackForge customers, both enterprises and consultancies, requested this feature. But why?

There are several benefits of having the ability to generate reports without interactive access to a portal. I would like to point out four such use cases that our customers wanted to achieve with this new AttackForge capabilities:

1.    Integration

One of the problems that our customers wanted us to solve was improving how pentest reports are delivered to other enterprise platforms. For example, their internal change management process might require a copy of the pentest report to be attached to a change record as evidence. Normally, someone would need to generate that report interactively within AttackForge and then attach it to the relevant change record.

AttackForge ReportGen CLI and Node.js library solves this challenge and allows to automate the process. Completion of a pentest can trigger a script (using the AttackForge Events API), which in turn generates the report using the AttackForge ReportGen CLI or Node.js library – and attaches it to the change record using the Change Management portal API (whatever it is).

That would save time and provide flexibility on how pentest reporting artefacts are integrated into wider Enterprise processes and platforms.

2.    Email PDF Reports or automatically Attach to Slack/Teams Chats

Another challenge presented by our customers was to have automated PDF reports delivered to customers on their preferred communications channel, when the report(s) are ready – I say report(s) because AttackForge allows you to create many different types of reports from a single pentesting project.

AttackForge ReportGen CLI and Node.js library solves this problem, in connection with AttackForge robust custom fields and extensive Events and REST APIs. For example:

• Events API is used to capture the moment report(s) are ready to be delivered to customers and trigger the script.

• Script is used to retrieve the reporting data from AttackForge, choose the right report template, and generate the report using the AttackForge ReportGen CLI and Node.js library.

• Convert the DOCX reports to PDF using your preferred DOCX-to-PDF conversion method.

• Encrypt the report(s) using standard encryption libraries and then send the report(s) to the desired customers by email or post them on Slack/Teams. All data you need is available from the Events and REST APIs.

This would allow for faster communication of reporting data, freeing pentesters and their managers from the manual process.

3.    Pentest-as-a-Service (PTaaS)

Similar to the use case above, there is another challenge for our consulting customers which also use AttackForge to provide Pentesting-as-a-Service. Their customers need to have functional backups of their pentesting results.

AttackForge already includes the ability to export the results of a pentest into a reliable JSON format – and AttackForge ReportGen CLI and Node.js library supports the ability to generate reports offline and with their own templates, if desired.

This would allow customers to have independent access to reporting data, and ability to create numerous reports, on-demand, using that data when required.

4.    Bulk reporting

Another big challenge is the expressed need of our customers to generate reports in bulk as a batch process. Doing it interactively would put a heavy load on the customers’ AttackForge server, and require manual efforts. This can be time-consuming especially if this process needs to be done on a daily or weekly basis.

Using the AttackForge ReportGen CLI or Node.js library, we can move this process to any server, giving our customers complete flexibility when reports get run, without the need to upload templates to their AttackForge server or manual overhead to process it each time.

Sorry, a reminder – AttackForge ReportGen is a free tool. And it can be used without the AttackForge application, using your own JSON files. Just another way the AttackForge team gives back to the community!