

An INSIDE LOOK at Penetration Testing Collaborative Platform (John Hammond)

Series: PlexTrac Demos

Category: Product Features, Reports





In the last couple of videos, we’ve gotten a chance to take a look at PlexTrac, the premier cyber security reporting and collaboration tool, so that you, as a penetration tester, ethical hacker, Red Teamer or even a Blue Teamer in that purple teaming aspect, can spend more time getting your work done and less time reporting. We even had an interview with their CEO, Dan, and there were a couple of comments that were saying, hey, I’d really love to see the platform itself. Can we get a demonstration of the product? So in this video, that’s exactly what we do. I got in touch with their hacker in residence, Nick Popovic, and he was fantastic. He was willing to show me the ropes, let me see all the cool stuff inside the platform and get that perspective. I did want to share it with you, but I have to add a disclaimer. This is a sponsored video.

They paid to be here. But seriously, all the stuff that they offer is incredible and really worth checking out. With that said, I will let Nick take it away. We had a little bit of preshow banter just hanging out, getting to know each other before we got started, and I didn’t want to include that because I think it makes it a little bit more fun and personable and you can see what you’re getting into. There is a link in the description if you do want to check out PlexTrac. They’re offering, I believe, a free demo and even one month free access to the platform. Super generous of them to help support what we’re doing here for the channel and the community.

I’ll let Nick roll with it. Thank you so much. Enjoy the video. No doubt. It’s kind of one of the things I do around here. It’s interesting. My background is I’ve been a Pen tester since nine, hacking and cracking, and I moved in.

I’ve seen it all. That sounds like a lot of hubris. I’ve seen a lot of things. I got tired of the meat grinder of consulting, so I moved into leadership. I was the Practice Director at Optiv on the Attack and Pen Team for a little bit, a couple of years. That was interesting and fun. I tried my hand at Red Teaming, so I went over to a Fortune 200 Red Team.

That was a lot of fun. And so I’ve been friends with Dan for a while and I started using PlexTrac consultatively on the Red Team. And I was like, yeah, I like this a lot. And we were just shooting the breeze on time. He had me on a webinar and he was like, come over and just see what it’s like on a software start up. So I came over as a hacker in residence to kind of give that hackers perspective and some of its showcasing the platform. A lot of it is trying to just be like, make sure everybody’s hacker focused as far as the buyer persona, right.

The people that are buying this product, the Red Teamers, they’re hackers, they’re Blue Teams, they’re tech focused on the offensive side sometimes purple Team and all that jazz. So that’s kind of my role over here. And so, yeah, I do spend a lot of time also hacking a platform, like trying to hack it as well. Sweet. Have you gotten a chance to see the platform at all? Should I give you the high and low rundown or how do you want to roll with this? I don’t want to monopolize. So, hey, if you’re totally comfortable with it, I’d love to take some of our conversation. As much as you’re willing to share, put it out for the video and essentially make look, hey, this is the elevator pitch to however many thousands of people that have never heard of PlexTrac before.

And you can include me in that just as well. And I’ve seen only your visuals from I’ve seen just clicking around on the PlexTrac YouTube videos. I can swipe overlays there. But hey, I love to let you take the floor and show the sweet stuff. Yeah, man, no doubt. I would do the background so you don’t see my messy office and whatnot. Luckily I’m wearing different versions of purple, so I’m not going to blend in.

So I just spun up a local instance, but that’s dangerous. Like, demo gods. So I’m going to go to an instance we spun up for Black Hat. Nice. So I was demoing it at Black Hat and DEF CON and fun stuff. I’ll just showcase using that one. I’m going to share my screen right about meow.

Do you see the hot sauce? I can. Looking good. Sweet. So the idea with PlexTrac is once you log in, this is the one stop shop for all the output from security assessment and testing. So your vulnerability scanning, pen testing, manual, AppSec, API, red teams, purple teams. There’s so many use cases. It’s not supposed to be this opinionated platform that’s just meant to jam you into some methodology.

The idea is you probably have a testing methodology, you have a report strategy, and we’re supposed to be an overlay to that. It really is supposed to drive efficiency. I mean, when I was a practice director, on average, sometimes reports could take two, three, four days. Utilizing a platform like this can get it down to half a day a day and really drive efficiency. So when we talk about like, making a client, I’ll just make a client and we’ll just be like the duterte. We just made this client here a client is really going to be that bucket of data. It’s how you authorize users in the platform and it’s also how you can report on different data.

Maybe a client is a company, maybe it’s an API endpoint, maybe it’s an application, maybe it’s a subnet, really. However you want to be able to slice it up and authorize users and reporting. Because what’s pretty dope about this platform is that not only is it a place for practitioners to collaborate and work through the testing and the reporting, this can become a client facing utility. So can you generate a report, package it up and ship it? Sure. But can this also be a place where you can collaborate on findings and the consumers of your service actually end up working with the data and consuming the report data from this platform? You can. So as an example, we go down here, we can authorize users, we could add users and authorize them to the platform and that would limit them to that client. So if you want to authorize different practitioners, maybe you’re on your team.

You got interns, you got students, you got folks working. You don’t want them to have access to everything, authorize it or you give the consumer of your service that client, that business unit, perhaps, because PlexTrac is useful, not just consultatively, but enterprises, internal security teams, service providers, all of them. So that idea of being able to come in and authorize users and then role based access control is huge throughout. So you can assign a lot of different features and roles, which is pretty cool. So we’re going to start a gig. I’m going to start a report. So we can call it like Pen test one.

And for your workflow, you might have multiple phases. It starts off in draft, maybe you put it in peer review, in review phase and publish it out. We kind of got that workflow. Now here is where we start to really derive the value. Because I don’t know about you, John, but in my experience, starting from a template copy pasta, going through that nightmare of living in Word and Excel, it makes your skin crawl, kind of gross. So that’s the driver from this. We have the idea of a report template.

So the report template is three things packaged all together. You’ve got the narrative section, so like your summary, your introduction, executive summary, scope, blah, blah, blah, blah. All of the guts before you get into the findings and whatnot. So it’s the guts of the report. It’s also the document template. So we have an export template that can look the way that you need it to look. When you click that button and your report generates, it looks the way you want it to look.

And then custom fields. So you can make multiple report templates. You can make as many as you want. Maybe internal, test, external, combined, gig, AppSec, API, social engineering, whatever the case may be. If you notice down here, I don’t have any custom fields. When I select the template, I have a custom field in there for demo purposes. I’ll be like demo one, two, three.

To show you some sauce there. So you can select your report template. Choose maybe some operators if you want. You have the gig start and end date. These are all optional fields. You don’t have to if you want to add like metadata for who’s reviewing it, maybe you have a reviewing field. And then you can tag stuff.

This is pretty rad because the idea of tagging, just like in cloud infrastructure, you can tag reports, clients, findings, assets, custom findings, all sorts of fun stuff. Tagging those allows you to report on them. It allows you to slice them up and select them differently. Just like you’d need tags. Your tagging paradigm can really help you kind of customize it even more. So you saw we start out right here. We’ve got like this.

We’ve got the sauce started of our sweet pen test soup. And so it’s just a narrative section. This is just the sections in our WYSIWYG editor. I like to click over here and be like so you can drag and drop if you want. But the idea is you selected the base of your report and I wanted to show you this concept of short codes we have. So we have a key value pair. So those custom fields, you remember I said I want to show you a demo totally.

Based on your custom fields you put in here, you can associate the data and replace it with short code. So like I put the client short name. You can add as many as you want, as many custom ones. And we have this content library, your custom findings, your vulnerabilities you save later for reuse and your gigs. You can use these shortcodes, like app name, app owner. So in the platform, right when you click replace, you could find text and replace it. That’s cool.

But you can also just replace the short code. So from that key value pair, you can all of a sudden have this bespoke data. Nice. And what’s cool about this is it’s not just in the narrative section, it’s findings too. If you put short codes all over the place, it’s just rapid, rapid, rapid. So this is where I can get slugged down. So I’m going to try and just there’s so many cool things.

I could stand here for probably 45 minutes and just stay at this. We are going to burn through just rapidly adding a finding. So first and foremost, we know that good pen tests many times are going to have that manual component. So can you add findings manually? Absolutely, we’re going to talk about that. But I want to talk about rapid ingesting first and foremost, as you’d expect output from a lot of common tools. So we’ve got Burp, Nessus, Checkmarx, it’s on our website. The tools that you can just suck in rapidly.

So that’s one way to get findings in. And I’ll do no judgment here, but I’ve got a Nessus scan on my home network and it’s pretty trashy, but it is what it is. So I can show you what that looks like. So I’m going to throw that in real quick. Just drag over a Nessus file, right? What’s cool is, on ingest, you can tag findings and assets. Maybe you say this is an internal. So these findings are tagged as internal.

Maybe they’re for PCI, maybe it’s Gig one. Maybe the assets. You want to say they’re zone one assets. The cool idea is you can tag findings and assets on ingest so that maybe later the client is like, here’s another. Or the business unit says, here’s another scan, but we want it separated out in the report, or something like that. And it’s like, oh, before it’s like, well, now I got to go. Copy pasta and nonsense here.

You can tag it based on the tags, send them different places. So it’s kind of nice. While it’s ingesting, I’ll make a note. We have an open API. We consume our API for the UI. So everything you can click and clock do in the platform, you can do programmatically with the API. It’s super dope.

I spend a lot of time. So here we’ve got, I’m going to make this window a little bit bigger. We just ingested the findings from Nessus. So that’s pretty cool. We’ve got the things you’d expect to have, all of the metadata and finding information. We’ve got the affected assets, all the data here and the evidence and such. So what’s pretty neat about this is this is, again, where you start to have a paradigm shift back from consulting times when it’s just ship your steaming pile of report.

Good luck, thumbs up, hope you enjoy. Now we have this collaborative environment where as practitioners or as consumers of service, we can come in and deal with the findings. So maybe I can go in the status and say things like, I can link to Jira, ServiceNow, send these off to the developers, get it fixed, they fix it, close it in Jira or ServiceNow, update status here. But we can add statuses and say, all right, it’s in process. I’m going to assign this. These substatuses are custom, so you make as many as you want. Say, if this is in process, assign to Larry, get to Larry, say, do it now. We’ve got this status going.

As practitioners, it’s cool because you can mark statuses. You can do like, bulk actions, set match statuses, delete all of them, add tags after the fact. But this status tracker is really novel because imagine having the users or the consumers of your services come in here with a read only view. They can’t add or delete stuff, but they can come in and be like, ready for retest. Or we think this is a false positive. And then you can argue in the comments here instead of getting on phone calls. And then when you close it out, maybe it’s been retested, you say it’s validated, sign it back to the client or assign it to yourself.

This status tracking is really neat and novel and I like it.

We leverage that quite a bit in the world of consulting and being able to get sticky with folks. Because at the end of the day, slinging hacks and cracks is cool. But the reality is we’re supposed to be raising the security posture of those organizations under our purview, right? So this is enabling that. Instead of being in our archaic whack-a-mole phase, we can kind of start driving real change. All right, so I’m going to slice it off now because I got so much more to say, but I got to move on so we can have life, liberty and the pursuit of happiness. So we talked about manually adding findings so you can start from scratch. That kind of stinks, but it is what it is.

You can start and fill in all of this stuff from scratch if you do that. And we do have a CVSS calculator too, which is cool. So if you end up maybe importing a finding that has CVSS or you want to adjust, you can just straight up set the finding severity here. Or you can go in and calculate in the platform and change the temporal score, change the CVSS calculation based on compensating controls or whatever you got going on. So you can add that finding. But when you do something and you’re going to repeat it, you’re probably going to need to use it again. So might as well add that to what we call the write-ups database.

So you could take findings that you’ve manually added to the report or maybe a finding from a tool like Burp. You like it, but you want to make it reusable, something that you can constantly reuse. You can roll over here, copy this to the write-ups database, hop into one of these repositories and now you’ve saved it for later. So what is the write-ups database, you may ask yourself? Well, it’s this repository structure where you can come in and have role based access controls associated with these repositories. And it’s your custom findings repo. So we don’t maintain and update it. Like, we seed it with a couple of generic cookie cutter findings.

But the idea is if you have your own, we can help you import them. But the idea is you build up this report library and so there’s two ways that that’s used. One is, if you need to add a finding, hopefully you’ve added it before, so you can add it from the write-ups database. So you can tag them. You can still filter by repository or just free hand text, like go in and find the finding you want and add it. Right? So you can rapidly add these findings. You’re not going back to the last, when did I have that finding in that report.

Let me go find the old doc, copy paste it, change the names. Hopefully you change the client name before you ship it. So there I’ve added in a finding. We’ll take a look in here. This is where you can do a lot of neat stuff. Let’s you and I will live in perpetuity this finding. I’m going to delete it after this.

But this WYSIWYG editor is really fun. So I need to add my evidence. I can just copy paste right in there. Boom.

Add in the footer text and you can start that evidence or even an attack narrative in the sections. Wherever you have this WYSIWYG editor, you got the copy pasta, come in, add your text from your custom script, make it a code block. It’s just really clean, easy. You’re not sitting there uploading files and dealing with all sorts of markdown syntax and weird stuff. It’s all about efficiency. Also on that note, and I’m coming down the home stretch now. I’m proud of myself.

I haven’t gotten to it anymore. I’m thinking the history of things, your review. When I was a practice director, that was a significant part of my job was making sure that client ready stuff got out. Because if they’re paying a sack of coins for a gig, that result needs to be tight. And so in this platform, before you even generate a document, you can come in and get that kind of collaborative commenting and be like, are you sure about this? Add in comments. People can come in, reply to your comments, you get the track changes functionality so that you’ve got the ability to come in and see and tighten it up in Platform before you even generate a Word document, which I really like this feature as well. It’s pretty dope that’s for every single block, isn’t that right? All these WYSIWYG editors, wherever you can put in the text, it’s nice.

That is super cool. I love it. And I’m sure the technical project managers or PMs or tech writers who have to deal with reports also appreciate that. Get them out of Word for a few minutes. So a word on assets, because this is the finding I added from the write-ups DB. We can add assets. I’m not going to go through it.

There’s a couple of different ways you can import assets, add from the existing or create new. That’s neat. You get it. You can also add screenshots and GIFs and videos, which is pretty sweet. Like if you throw a GIF or a video over here in platform, that’s your evidence now. So you have this nice chain of attack you can associate to an asset or whatnot. Because you can add a code sample as well.

At the end of the day, this is kind of the view. This is basically the view that you’re starting to build. So on a readout, you’re reading out the client. You can come in here or reading out the consumer of your service. You’re reading out the findings. You’ve got the report here. You can read through all the interesting data.

That’s neat. We’ve got our cool roll up graphs. If you don’t have graphs, what are you doing? But then they can dig into each finding. You could be presenting this, walk you through the findings. And here’s the finding that has our video associated to it. And we’ve got all of our evidence added in. All right, let me stop that video.

And then imagine if you’ve given the consumer of your service the user level access. When they log in, they’re limited to this client. They log into the report. They’re able to consume before you even go over here and export to Word and package up to ship it. They could be consuming the findings right here in the platform and at the same time changing the status, feeling like we think this is ready for retesting, retesting, and that kind of thing. So that’s why as practitioners, you can drive a ton of value in here getting report snappy. And then as a client, you can consume it in this really clean, nice, novel way.

The last two things I’ll talk through on the core functionality, because there’s so much more and I’ve glossed over a significant amount. But assets, you get assets, right? This came in from a Nessus scan. So we’ve got a significant amount of protocol services. All of the information, the findings for the hosts, I’m going to hand wave over that. Assets, we have them. Artifacts is a dropbox. So you could sit up there and put up files between you and your team, could associate files here or between you and the consumer of your service, popping them in and out.

And the last thing and then I’m going to stop, actually, the last thing. And then I’ll spend 20 seconds on analytics just to say that we have it, do our due diligence, and then I’ll be done rapping about this dope platform. The last thing is the attack path. So what’s cool is a lot of folks end up creating like an attack narrative or attack proof of concept in sections of the report. Like, they’ll be in the narrative section and be like, we did a thing, screenshot. We did a thing, screenshot. We did a thing, screenshot.

So you can also similarly create that here in platform. You can take things you’ve added as findings, drag them over here, and we’ve got some dope way to chain it together so when they come into the platform, they can click an attack path and be like, all right, what are you talking about over here? Okay, so they did the voter that they do need to meet you. Neat, neat, linked over to here. Neat, neat, neat. Again, keeping that kind of finding structure. All right, that was PlexTrac in like 15 minutes or less, that’s core functionality. And then the last thing I’ll just hand wave over is we have analytics.

So as you’ve collected, you’ve racked and stacked all this dope data. Now you have analytics. You can start querying it by tags, by client, by engagement, by gig, start drilling into the data. See, comparing, pulling up information based on the filtering that you have on the right hand side, by severity, by tags, and the conglomeration of those things, you can start to drill into that data. And that’s all she wrote. All right, so my biggest question, if I may, can I see one of the exported Word docs or PDFs? No doubt. Absolutely.

That’s a good point. So good question. And a note on that too, if you guys ever, this is open on the Internet. If you go to Templating, we talk about the Jinja that we use. We even give you, you can download Jinja templates. And as users, you can import them and mess around on your own. Because we have this kind of a multi model.

You have a self service model so that you can create your own templates. You have like, an assisted model where professional services developers, you say, I want it to look like this. They come and help you. And then you have a bespoke one where it’s just like, I have this report template. I want to hand it to you, and by tomorrow I want it to look the exact same way. And then you own that template so you absolutely can see it on the platform. And then you also can read about how we tell you kind of how to use the Jinja, because we expect some folks are going to be like, these templates are good enough.

Some folks are like, no, I need the bespoke experience. So let me just generate a report real quick so you can see. But keep in mind, this is kind of a generic report, right, stock template that is exemplary of what you can do in the platform. So I’ll generate that mama JAMA.

Cool. Stoked. That’s the most exciting thing for me. And I think what a lot of people come to is like, cool, this is sweet. I love seeing the platform, but I need to know, what does this stack of paper that I’m going to slam on the table actually look like? And then the next question is, hey, PlexTrac is super cool. I love PlexTrac, but I need my logo over in the corner. Good question.

Fantastic. So the entire platform can be white labeled. Your logo, your URL completely. Your platform, 100% can be white labeled. I appreciate you bringing that out. That’s a good point. So this is the platform, excuse me, it’s coming out of the platform.

This is an example Word document that we exported out. So again, use your imagination, your logo, your sauce. And so here we have an example of the sections coming out. We’ve got some examples of tables. The idea is, as you use tags, you want to send them different ways. You want to roll up by subcategories and do different things. Tagging is how you get there.

And our Customer Success team can help you get the report to look the way you need it to. Again, like I said, if you don’t want to mess around and get it by dorkin’ around, you can hand it over, and in a couple of weeks or a couple of days or minutes or in the past, at some point, you’ll get a report looking the way that you want it to look. So this is fine. We have a table summary. We’ve got severity and title. We’ve got a roll up of status by severity, and then we have the details. Again, everything you see before you is completely customizable.

You want this over there. You want more data. You want the evidence. So here we are at the evidence. This Jinja code includes a link. So since there was a GIF or a video associated, there is a link to the platform that you can include to click to go to the platform. But, yeah, a lot of folks end up using it just as that delivery model of I just want to rapidly work in this and shoot out a doc, and then some folks use it as that collaborative platform to work with the clients and everything in between.

Super cool. Yeah, dude, it is the dope songs. All right, well, goodness. I appreciate you just barreling through that. I think that’s awesome. We get a little bit of a speed run demo of the platform, but, man, kudos and thank you. And thank you.

Thank you for showcasing all the sweet stuff that PlexTrac does. Yeah, it’s awesome, man. Anyone that’s listening in, I do have the sweet generosity of PlexTrac offering a little bit of a free demo, I think. Like, hey, you can get access to the platform for about a month, and there’s a cheesy link in the description of the video, whatever YouTubers say all the time. But thank you, Nick. This is awesome and excited to learn more. Thanks again.

Awesome. Thanks for having me, John.