New Release: September 2021

[Image: Portfolio Diagram 001.png]

Here comes the biggest ever (so far) release for AttackForge! Our engineering team is smashing it!

  • New major module – AttackForge Portfolios – to make life easier for Enterprise customers

  • New category of Self-Service API – the Events API – to make real-time integration possible, with sample integration code in NodeJS, Python, Java, .NET and Go to make it even easier.

  • New workflow for Quality Assurance – to improve quality of pentest results

  • A full-blown library of report templates (for AttackForge ReportGen) – so you can get a whole set of customised reports in minutes! No coding required.

  • A lot of other features, custom configuration options and UX improvements.

  • And Five (5) new colour Themes! Even I got tempted to switch (however temporarily) from Matrix to Midnight Ocean!

So, let’s go one by one.

AttackForge Portfolios

The Portfolios module is built to help people who run enterprise pentesting programs across business units, platforms, geographies, and years. Want to know how your internal systems compare to your external systems? Or want to track security posture for your PCI-related environments and applications? Portfolios makes this easy!

Portfolios represent the high-level grouping for segments within your pentesting programs.
Every portfolio is made up of Work Streams (Streams), where each Stream is a collection of pentesting engagements (Projects) that focus on a specific area within your portfolio.

Portfolios and Streams are especially useful for tracking Business-as-Usual (BAU) pentesting, and help you better understand where to focus your time and resources.

Projects can be assigned to many Streams and Portfolios. This ensures you are tracking the right vulnerabilities across your enterprise.

Check out the blog post dedicated to Portfolios for the extended version of my praise for this new module!

New category of Self-Service API

If not for Portfolios – I would write a special post for this new masterpiece! I might still write it!

AttackForge launches a completely new way of integrating AttackForge into your organisation's wider ecosystem – introducing the Events API.

The Events API enables real-time integration! Something happens in AttackForge – and your application is notified about it immediately!

Just imagine – a new critical vulnerability is discovered, and your Blue Team dashboard receives an immediate update!
The Events API helps you to easily automate workflows. It is perfect for customisations and integrations into your enterprise ecosystem.

For example, you might want certain vulnerabilities to be raised in both ServiceNow and JIRA immediately when they are discovered, with notifications sent to the relevant teams so they can action them. This is now possible using the Events API!

The Events API complements our existing RESTful API. You can combine both APIs for seamless two-way integrations and workflows between AttackForge and your tools.

For example, the Events API enables you to:

  • Receive real-time notifications on new vulnerabilities – automatically export them into your vulnerability management and/or ticketing systems.

  • Update your applications with live testing & vulnerability feeds.

  • Be notified immediately when vulnerabilities are ready for retesting, closed or re-opened.

  • Know exactly when changes are happening on your projects, for example when testing starts and stops.

  • Feed AttackForge audit logs into your SIEM in real-time.

Every event carries the same level of detail you have seen in our Self-Service RESTful API.

And to make it even easier – our engineers have prepared and published on GitHub a set of clients/middleware in NodeJS, Python, Java, .NET and Go, so you can start integrating fast:

  • Step 1: Download the client/middleware from our GitHub repository

  • Step 2: Install the dependencies (single command)

  • Step 3: Run it & start receiving events
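To show what the "receive events, push them into ticketing and the SIEM" workflow described above looks like in practice, here is an added example written for this page. It is not AttackForge's published client code and does not implement the Events API transport; it is the routing layer a Node.js middleware would hand each received event to. The event shape (`id`, `type`, `timestamp`, `data`), the event type names, and the sample events are all assumed placeholders, not documented AttackForge identifiers. It demonstrates three things a practitioner wants in such a consumer: rejecting malformed events without crashing, dropping duplicate deliveries by event id, and routing by type and priority (Critical findings to both JIRA and ServiceNow, High to JIRA only, retest-state changes to a notification queue, audit log events to newline-delimited JSON for a SIEM collector).

```javascript
// Added example for this page, not AttackForge's own client code.
// ASSUMED event shape: { id: string, type: string, timestamp: ISO-8601 string, data: object }.
// ASSUMED event type names (hypothetical placeholders, not documented AttackForge identifiers).
const TICKET_TYPES = new Set(['vulnerability-created', 'vulnerability-reopened']);
const RETEST_TYPES = new Set(['vulnerability-ready-for-retest', 'vulnerability-closed']);
const SIEM_TYPES = new Set(['audit-log']);
const TICKET_PRIORITIES = new Set(['Critical', 'High']); // only these raise tickets

function isWellFormed(event) {
  // Never let one bad message take the consumer down: validate, then reject.
  return Boolean(event)
    && typeof event.id === 'string'
    && typeof event.type === 'string'
    && typeof event.timestamp === 'string'
    && Boolean(event.data) && typeof event.data === 'object';
}

function toTicket(event) {
  const d = event.data;
  return {
    // Critical goes to both systems, High to JIRA only (the policy from the text above).
    systems: d.priority === 'Critical' ? ['jira', 'servicenow'] : ['jira'],
    summary: `[${d.priority}] ${d.title} on ${d.project}`,
    affected: Array.isArray(d.affected_assets) ? [...d.affected_assets] : [],
    source_event: event.id, // keeps the ticket traceable back to the event
  };
}

class EventRouter {
  constructor() {
    this.seen = new Set();    // idempotency guard: at-least-once streams redeliver
    this.tickets = [];        // payloads that would be sent to JIRA / ServiceNow
    this.retestNotices = [];  // messages for the remediation / retest queue
    this.siemLines = [];      // newline-delimited JSON for the SIEM collector
    this.ignored = 0;
  }

  handle(event) {
    if (!isWellFormed(event)) { this.ignored += 1; return 'rejected'; }
    if (this.seen.has(event.id)) { this.ignored += 1; return 'duplicate'; }
    this.seen.add(event.id);

    if (TICKET_TYPES.has(event.type) && TICKET_PRIORITIES.has(event.data.priority)) {
      this.tickets.push(toTicket(event));
      return 'ticket';
    }
    if (RETEST_TYPES.has(event.type)) {
      const state = event.type.replace('vulnerability-', '');
      this.retestNotices.push(`${event.data.title} (${event.data.project}) is ${state}`);
      return 'retest';
    }
    if (SIEM_TYPES.has(event.type)) {
      this.siemLines.push(JSON.stringify({ ts: event.timestamp, src: 'attackforge', ...event.data }));
      return 'siem';
    }
    this.ignored += 1;
    return 'ignored';
  }
}

// Constructed sample stream (not real AttackForge output). Note the redelivered
// evt-1, the Low finding that must not become a ticket, and the malformed tail.
const SAMPLE_EVENTS = [
  { id: 'evt-1', type: 'vulnerability-created', timestamp: '2021-09-10T09:00:00Z',
    data: { project: 'Payments API', title: 'SQL injection in /search', priority: 'Critical', affected_assets: ['api.example.internal'] } },
  { id: 'evt-2', type: 'vulnerability-created', timestamp: '2021-09-10T09:01:00Z',
    data: { project: 'Payments API', title: 'Verbose server banner', priority: 'Low', affected_assets: ['api.example.internal'] } },
  { id: 'evt-1', type: 'vulnerability-created', timestamp: '2021-09-10T09:00:00Z',
    data: { project: 'Payments API', title: 'SQL injection in /search', priority: 'Critical', affected_assets: ['api.example.internal'] } },
  { id: 'evt-3', type: 'vulnerability-ready-for-retest', timestamp: '2021-09-10T10:00:00Z',
    data: { project: 'Payments API', title: 'Reflected XSS on /login', priority: 'High' } },
  { id: 'evt-4', type: 'audit-log', timestamp: '2021-09-10T10:05:00Z',
    data: { actor: 'j.smith', action: 'project.testing.started', project: 'Payments API' } },
  { id: 'evt-5', type: 'project-status-changed', timestamp: '2021-09-10T10:06:00Z',
    data: { project: 'Payments API', status: 'In Progress' } },
  { type: 'vulnerability-created' }, // malformed: no id, timestamp or data
];

function runSample() {
  const router = new EventRouter();
  const outcomes = SAMPLE_EVENTS.map((e) => router.handle(e));
  return { router, outcomes };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { router, outcomes } = runSample();
  console.log(outcomes.join(', '));
  console.log(JSON.stringify(router.tickets, null, 2));
  console.log(router.siemLines.join('\n'));
}
```

Run with `node events-router.js`; the first line printed is `ticket, ignored, duplicate, retest, siem, ignored, rejected`. The dedupe set is in memory here; in a long-running consumer you would persist seen ids (or rely on the ticketing system's own idempotency key, which is why `source_event` is carried on the ticket) so a restart does not re-raise tickets.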

Workflow for Quality Assurance

People make mistakes – QA is a necessity. In this release we have launched a workflow to make QA of your vulnerabilities easy. Introducing Review Notes!

Your team members involved in QA can now create and reply to Review Notes on each vulnerability as they perform QA and respond to feedback. Email notifications can be used to make sure people are aware that they might need to … 😉 … improve what they wrote for a particular vulnerability.

If you are a reviewer, AttackForge lets you review vulnerabilities efficiently. Select multiple vulnerabilities that need your attention, then add review notes to each one in turn. Best of all, you can do all of this from a single screen, with no need to flick between pages. Once you have finished reviewing all designated vulnerabilities – that's it – no emails to send! It's done.

New ReportGen Template Library

One (of many) features that distinguishes AttackForge is how easy it is to create custom report templates. Start by downloading the supplied Microsoft Word template; change it, style it and format it to your liking – and you are ready to go with AttackForge reporting. No HTML tweaking, no cumbersome new programming language to learn!

This release takes it to the next level – our engineers have added a full-blown library of report templates, so you can get an entire set of customised AttackForge reports in minutes! No coding required.

The templates included in this release are:

  • Asset Report

  • Auditor / 3rd Party Report

  • Critical & High Vulnerabilities Report

  • Executive Report

  • Internal & External Findings Report

  • Pentest Report

  • Retest Report

  • Technical Report

  • Testing Progress Report

  • Web App & Infrastructure Report

Every template comes with an example end-result so you can see the finished product.

Templates are provided (predictably) in DOCX format. Adjust each template to your requirements, then upload it back into AttackForge when it is ready to use on your projects.

The template library also includes sample project data files (JSON) so you can test your own templates against realistic data.

The idea is to empower you to build reports that work for you, and to make that easy.

Other Features, Custom Configuration Options and UX Improvements

The list is long:

  • Export/Sync screenshots and evidence files with JIRA

  • Include files into Executive Summary section of AttackForge report

  • Captions for screenshots in reports

  • Delete multiple assets on project at once

  • Assign users to multiple test suites at project creation

  • New project statuses: Overrun & Retest, visible in project list and other modules

  • Normalise vulnerabilities into unique vulnerabilities

  • Administrators can now see all vulnerabilities for a given asset in the Assets module

  • Retesting rounds now show vulnerabilities which were not tested

  • Retest rounds can be assigned custom names

  • Redesigned Reporting Module to make it easier to download custom reports

  • New Configuration Options:

    • Add Placeholder Steps to Reproduce/Proof of Concept for all new vulnerabilities

    • Add Placeholder Notes for all new vulnerabilities

  • Updates to ReportGen (as always):

  • Updates to Self-Service RESTful API

And Five (5) new colour Themes! 14 colour schemes are now supported!
