Retain Top Cybersecurity Talent with Better Pentest Reporting
Conquering the Talent Shortage
In the three-part series “Conquering the Talent Shortage,” we’ve covered tips for hiring new talent, including providing the flexibility cybersecurity employees want to
- Work when they want
- Work where they want
- Work on what they want
We’ve also discussed how to best maximize your existing talent by
- Providing them with educational opportunities
- Connecting them with mentors
- Giving them a safety net to fail
- Encouraging information sharing and collaboration
And finally, in this article we’ll cover how best to retain those top professionals you already have on the team. How do you keep them engaged and challenged and help them avoid burnout? In my research, the most common request made by these talented team members was to eliminate busywork and streamline reporting.
Learn how PlexTrac can help make all cybersecurity team members and workflows more efficient, effective, and proactive.
The Pain of Pentest Reporting
We can’t eliminate reporting entirely — it’s the reason customers hire us. Dropping ninja-like into their data centers after social engineering our way into a utility closet to jack in with phished credentials to exploit a zero-day in their laser-guided proximity alert system is cool, but you still have to write about it. And, more importantly, you have to explain how to prevent what you did.
Some of us are great writers, some of us aren’t. Here at PlexTrac, I’m part of a team with about a dozen tech writers and copy editors who take my words and gently, barely tweak them into the poetic English you read here. (That’s actually not true. There are just two of them, but my docs come back looking as if I had submitted them originally in crayon.) In one of my previous practices I had the great fortune of having a QA person, but not all of us are so lucky.
Where many of us struggle most is with the findings. A lot of reports I’ve seen over the years have contained vulnerability finding descriptions that were closely worded copies of Nessus descriptions. I wouldn’t go so far as to accuse anyone of plagiarism, but some of the descriptions were suspiciously close. Let’s face it, it can be difficult to come up with fresh descriptions for vulnerabilities that have been around since 1998. Collecting and curating these vulnerability descriptions is hard work, and starting from scratch is no easy exercise either. If we look to the community, there are several sources of finding descriptions that we can turn to and use freely without breaking any copyright rules. Accessing this shared knowledge is great, but we still must deal with the issue of storing and referencing those finding writeups quickly.
The majority of us work with some form of template, either Microsoft Word or Markdown templates that are reused with every new report. These templates can be cumbersome to keep current, as even small changes like the copyright date can be a chore to update across every copy.
The Requirements for Better Pentest Reporting
I’ve worked in several practices where attempts have been made to automate the process of collecting common findings and creating more functional templates by building a web-based interface for reporting. All of these attempts have met with mixed success. Migrating to these homegrown platforms isn’t easy to begin with, as they represent change, and change can be hard for people to accept. So while the new platform may have everything people want, gaining buy-in can still be a problem. Then there are the simple mechanics of developing reports: getting each section aligned, having tables placed where they’re supposed to be, adding evidence and graphs. It isn’t as easy as it would appear to be. The technical challenges of building a reporting platform — not to mention maintaining it — are what hold up most new attempts and ultimately cause them to fail.
So knowing that, I’ve often asked if we really need to reinvent the wheel. Instead could we use one of the many existing products? There are a couple dozen different reporting and collaboration platforms, ranging from the polished, professional, well-supported platforms to open source passion projects made by two guys and a dog in a farmhouse in Maine.
I have the benefit of over 15 years of experience in producing reports for a variety of clients from small startups to international enterprises, so I have a good idea of the features and functionality that I need in a reporting system to make it valuable for my pentest operators. Today what I look for is a well-defined list of features:
- Permissions and authentication. Some people need to see the reports during the report generation process, some people don’t. I’ll need a well-designed client portal to allow clients to participate in the readout, have access to the report during the retest, and update us on remediation status so we can produce the final remediation report. Access should be scoped per client and per role, so one customer can never see another customer’s findings.
- Integrated ticketing. The ability for us to take findings and automatically add them to Jira or ServiceNow or a similar ticketing system is huge as it cuts out one whole manual process.
- Reusable findings and narratives. Just like my findings, I’m going to want the narrative sections written well and written once. Much of what I’m putting down in a narrative I’ve said before to another customer, so if I can reuse elements of my narrative, I’ll save a huge amount of time.
- Flexible hosting. Another thing I look for is flexibility on where I can host the data and report. I may have a customer who insists that their data be the only data in their instance; therefore, I need to keep it in a separate, single-tenant instance, or we need to host it on-prem at their site.
- Quality assurance and editing features. In an ideal world, I want fully functional WYSIWYG editors, global find-and-replace, and tagging.
- Tool integrations. Finally, I want to import data from as many tools as I can. I also want to parse the output from those tools in different ways that make the results of my report more actionable.
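To make the last two requirements concrete, here is an added example (not PlexTrac’s code or any product’s importer) of the workflow described above: import scanner output, swap the scanner’s boilerplate for our own curated finding writeups stored in a reusable library, and render a report from a template whose copyright year updates itself. The `.nessus` fragment uses the real element and attribute names of a Nessus v2 export, but the hosts, plugin IDs (the 9xxxxx values are placeholders, not real plugin IDs), and all text are constructed sample data.

```python
import datetime as dt
import xml.etree.ElementTree as ET

# Constructed .nessus (v2) export. Element/attribute names match the real
# format; hosts, plugin IDs (9xxxxx placeholders) and text are sample data.
NESSUS_XML = """<NessusClientData_v2>
  <Report name="sample">
    <ReportHost name="10.0.0.5">
      <ReportItem port="445" protocol="tcp" severity="2" pluginID="900001" pluginName="SMB Signing Not Required">
        <description>Scanner boilerplate for SMB signing.</description>
        <solution>Scanner boilerplate fix.</solution>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.6">
      <ReportItem port="445" protocol="tcp" severity="2" pluginID="900001" pluginName="SMB Signing Not Required">
        <description>Scanner boilerplate for SMB signing.</description>
        <solution>Scanner boilerplate fix.</solution>
      </ReportItem>
      <ReportItem port="8443" protocol="tcp" severity="3" pluginID="900002" pluginName="Outdated TLS Library Detected">
        <description>Scanner boilerplate for TLS.</description>
        <solution>Upgrade.</solution>
      </ReportItem>
      <ReportItem port="22" protocol="tcp" severity="0" pluginID="900003" pluginName="SSH Banner">
        <description>Informational only.</description>
        <solution>n/a</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Curated, reusable findings library (constructed sample). Keyed by scanner
# plugin ID so imports match automatically; the prose is our own, so it can
# be reused across reports without copying the scanner vendor's text.
FINDINGS_LIBRARY = {
    "900001": {
        "title": "SMB Signing Not Enforced",
        "description": "Hosts accept unsigned SMB sessions, so an attacker on the "
                       "network path can relay captured authentication to them.",
        "recommendation": "Require SMB signing on all hosts via Group Policy.",
    },
}

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def parse_nessus(xml_text, min_severity=1):
    """Group ReportItems by plugin ID, collecting affected host:port/proto."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity:          # drop informational by default
                continue
            pid = item.get("pluginID")
            f = findings.setdefault(pid, {
                "id": pid, "title": item.get("pluginName"), "severity": sev,
                "hosts": [],
                "scanner_description": item.findtext("description", "").strip(),
                "scanner_solution": item.findtext("solution", "").strip(),
            })
            f["severity"] = max(f["severity"], sev)
            target = f"{host.get('name')}:{item.get('port')}/{item.get('protocol')}"
            if target not in f["hosts"]:    # one finding, many hosts
                f["hosts"].append(target)
    return findings


def merge_with_library(findings, library):
    """Use curated writeups where they exist; flag the rest for the tester."""
    merged = []
    for pid, f in findings.items():
        entry = library.get(pid)
        merged.append({**f, "curated": entry is not None,
                       "title": entry["title"] if entry else f["title"],
                       "description": entry["description"] if entry else "",
                       "recommendation": entry["recommendation"] if entry else ""})
    merged.sort(key=lambda x: (-x["severity"], x["title"]))  # worst first
    return merged


REPORT_TEMPLATE = "# {client}: Penetration Test Findings\n\n{findings}\n\nCopyright (c) {year} Example Security Ltd.\n"


def render_finding(f):
    head = f"## [{SEVERITY_NAMES[f['severity']]}] {f['title']}"
    body = (f"{f['description']}\n\n**Recommendation:** {f['recommendation']}"
            if f["curated"] else
            "**NEEDS WRITEUP** (no curated text; do not paste scanner output)")
    return f"{head}\n\nAffected: {', '.join(f['hosts'])}\n\n{body}"


def render_report(merged, client, year=None):
    """Fill the template; the copyright year is never hand-edited again."""
    year = year or dt.date.today().year
    return REPORT_TEMPLATE.format(client=client, year=year,
                                  findings="\n\n".join(render_finding(f) for f in merged))


if __name__ == "__main__":
    print(render_report(merge_with_library(parse_nessus(NESSUS_XML), FINDINGS_LIBRARY), "Acme Corp"))
```

The design choice worth noting: unmatched plugin IDs render as a loud placeholder rather than falling back to the scanner’s description, so the scanner’s text never quietly ends up in the deliverable and every new writeup gets added to the library once, where the next engagement can reuse it.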
The Solution for Better Pentest Reporting
As I go through the options in the marketplace for reporting and collaboration platforms, my functionality demands quickly shrink the list. But functionality isn’t the only consideration. I also want to know if the company producing the product will be around for the long haul and that they have the support in place to make the platform sing for my team. I’m trying to make the lives of my pentesters easier after all, not just bog them down with a flash-in-the-pan solution.
Understandably, all of these collaboration and reporting tools will have some front-loaded setup effort before they are fully functional. But if, in return, I can save myself and my team members substantial time and trust that we have a direct line of support for new needs — like templates for new clients — the investment will be well worth the long-term payoff in improved efficiency and morale.
Now, clearly I’m a little biased; I am PlexTrac’s product evangelist. But I know the needs of report writers first hand and the other products on the market — there is a reason I joined this team. I’ve had the pleasure of meeting our customer success team, our engineering team, our product management team, and I know what our product roadmap looks like. I also know that we’re very agile, which allows us to accommodate enterprise customers. What we learn from those engagements trickles down to the rest of our customer base making the product even stronger for everyone. PlexTrac provides the functionality, the stability, and the support team to back it up for the long term.
The Reward of Better Pentest Reporting
If you’ve read to this point, you must agree that reporting is THE major pain point for the top people on your team. You also likely agree that streamlining the reporting process for your team isn’t as easy as it may sound.
However, the reward for solving this persistent problem goes far beyond increasing team morale and keeping your top people from burning out. You’ll also reap substantial rewards in time savings and client satisfaction.
Take the pain out of penetration test reporting with PlexTrac and retain that top talent on your team. Book a demo of the platform today!