VIDEO

PlexTrac for Pentest Reporting: See the Platform in Action

Join Dan DeCloss, Founder & CTO of PlexTrac and seasoned penetration tester, as he demos how PlexTrac streamlines the entire pentesting lifecycle—from scheduling engagements to reporting and client collaboration. See how to save time on reporting, collaborate in real time, automate workflows, and keep your focus on hacking and finding critical exploits.

Series: PlexTrac Demos

Category: Pentesting

Transcript

[Music] Hey everyone, my name is Dan DeCloss. I am the founder and CTO of PlexTrac, and many of you may have seen me in the past promoting PlexTrac throughout the past several years. But I'm also a pentester, a pentester by trade, and in my time in pentesting I've always wanted to make sure we were focused on the right things and getting the right work done. That's why I've been passionate about PlexTrac and building the platform to really help pentesting teams, pentesters, and anybody doing security assessments stay focused on the fun stuff, the most important things. That's hacking, that's finding complicated exploits, that's being able to collaborate effectively, not only with your team members but with your customers, on the findings that you're identifying and the risks that are involved. Today I wanted to highlight the awesomeness around PlexTrac: being able to create reports effectively, conduct an entire engagement, and just show off some of the exciting things we have in the platform to help you do your job more effectively. So as a pentester, I want to be able to view and schedule my engagements. We have our scheduling capability here in PlexTrac. You can see I've already got some scans and some assessments scheduled. I'm going to go ahead and create a new one just to show you how that works. So we're going to say, hey, this is our annual pentest for 2025. I'm going to select the client as CEK astronomy. And I'm going to say, no holds barred pentest. And I could give it the scope; I could just say CEX organization. And we'll go ahead and continue here. Oh, I've got to select a test window here. That's not applicable; we'll let people test whenever they want. And then I could upload files here.
I could upload network diagrams, scoping diagrams, anything related to that. I'll go ahead and pass on that for now, but this is where you can upload anything related to the engagement. I can also now create a report, so I'll go ahead and say annual pentest for 2025.

I'll keep the report in draft status. The other nice thing about PlexTrac is that you can template out the types of reports. I'll show you how to do this, but I'm going to go ahead and select our pentest template. This is going to pre-build the narrative sections of the report, it's going to associate the export template with that report, and that'll just save time when I want to go in to start editing the report. And when I want to export it out, it's already in the template that I've selected. Here I could have a findings layout where we could specify different fields as well. I can select reviewers on the report; I'll go ahead and put Jane Doe as a reviewer. And I can create a tag here for annual pentest if I wanted to track that. Now go ahead and continue. Now I want to select the dates of when we're going to be doing this. Let's go ahead and say who's going to be doing it. It's going to be just me; I have options of some other folks here as well. And then I'll go ahead and select the dates as today through the next two weeks, and we'll go ahead and save that. So now what will happen is that will create the report. It creates the engagement as scheduled, and once I move that report into a new status, it'll show that it's in progress. Since I started it today, it'll automatically pick it up tonight as in progress and change it into this blue category as well. So let's go into that report that got created and see what happened. As you can see, I selected that template, and so now it's populated the entire report narrative that I pre-built. We support short codes here, so when I'm done with the report I can do a quick search and replace for all the short codes.
It'll populate all of that in. But you can see here that it's created this narrative from a pre-built template, so now all I have to do is go in and edit this as I'm doing the engagement. Here's the additional details of that report that we populated as well. Here's where you can actually edit the narratives. So now, as I conduct the engagement, I can come in here and edit these narratives as I go. And what's also really cool is I can create the findings as I go too. So let's just get some findings in quickly. Actually, let me take a step back. What we have is this capability for test plans and test procedures. Procedures are things where we have a methodology; we always want to be executing on these test procedures throughout an engagement. What's nice about these procedures is that I can create a test plan that all my testers can follow, but we can also add procedures as we go. So I'm going to show you how to do that. I'm going to add from the repository, and I have lots of different options from all the different procedures that are possible. You can have methodologies like, you know, we love MITRE and MITRE ATT&CK, so we've created a penetration test plan of procedures based on that. I'm going to make sure all of these show up at once and then select them. So now I've got 24 procedures selected as part of our standard pentest. This just serves as a guide, right? Now I can come into these procedures and see what I need to execute. I can actually execute the procedures and fill out the details. I can add the assets that are associated with this. And let's just say I was successful in executing on this one. You can have the red team and blue team come in and fill this out.
But you don't have to have the blue team portion filled out. You can just execute the steps, and then I'm going to say, hey, we executed this and it worked. I'm going to go ahead and add that to findings. Save and close this. So now we have this here. We can funnel through all of these procedures as we go to get perspective on what's been executed and what hasn't within the test. But again, it can just be used as a guide; I can still populate more findings along the way, and I don't even have to fill in the procedures. From this procedures tab, though, you do see that we have different coverage of the different tactics and techniques within the MITRE ATT&CK life cycle. And when we go over to findings, you'll see that I have this finding here that I promoted from the procedures. I'm going to come in and edit this as well. I'm going to say, hey, this is actually going to be a high. I could give it a CVSS score if I wanted to. I could add additional screenshots. I could add recommendations. I could use our AI module to help write these things, and I'll show you a couple of other examples of that in a second. And then I could also add the affected assets. So let's go ahead and add some existing assets. Let's say we've got 192

and now we have these assets associated with this. You'll also notice that these findings are in draft status, but they've also now been assigned a risk score. That risk score is calculated right here automatically based on an algorithm that we've set up. I created this regulated industries one and put this criteria against it. So the source of the information may be reporting it differently than what it actually is from the algorithm that gets created, and this helps with that prioritization conversation as well. So that's one way to get findings in. I'm going to go ahead and add a bunch more. We have our writeups database, which is just super handy. Let's say we did find some SQL injection and I want to bring this in from the default repository. I can go ahead and add some of these in; these are pre-built text. So now I can come in and edit this as well. And then we can also bring in findings from file imports and other integrations. So I'm going to select a Nessus file here and upload it. This will queue up and start parsing things. I could also tag findings and assets, which is really nice. So let's say I want to say, hey, these are part of a PCI scan as well, or they're part of the PCI CDE. I can bring that in. So now it's going to queue up those findings and parse that out. Okay, so I uploaded that Nessus file and it parsed through all that data and brought those findings in. So you've now seen that I could create a finding on my own, I brought in some findings from our write-ups database, and I've also imported some findings from a scanning tool. This one was Nessus, but we support a lot of different scanning tools.
So what's nice is now I can actually start getting to the nitty-gritty of adding information to the report. I can add screenshots, I can adjust all these things, and remember that this is geared towards being a client portal in addition to being able to export into my custom documentation templates. So all these findings are in a draft status, and I can move them in and out of draft status. I can also provide notifications through our platform, and I can also do workflow automations as well, which is really handy. I've got some workflow automations set up, and I'll show you those in a second. But let's just say that I'm in the middle of an engagement and I'm really excited to be finding some critical issues, and because I found some critical issues, I want to notify my customer that they should probably come in and take a look at these. This scan file obviously brought in quite a few critical vulnerabilities, but for the sake of brevity I'll just show you, okay, I want to notify them of these two right away. So I'm going to go ahead and update the status. I'm going to say, hey, I'm notifying these folks. And you can actually see that sub-status here if we go ahead and add this column, which, if you're not familiar with our column customizer, is really handy. I like to bring this right here by the status. So you'll see that these two are now open and notified. But let's go ahead and actually publish those findings so that they actually will get the notification. And what I have in my workflow automation is that anytime a finding gets published, or edited via being published, it will then go ahead and update the status of the finding to in process.
So you'll see here, now that I come into this finding, it's updated to in process, and you'll see that it's updated by that "regulated industry findings to in process" workflow. So how did that do that? Let's go ahead and check it out, because it's really cool. And then I can enable one to show that it can get assigned to a Jira ticket and things like that. But I can still do that manually; I can link to Jira, I can link to ServiceNow. So if my customer has those set up, I can link straight to it and create a ticket, and it's bidirectional. So this can all be done while I'm doing the report. I'm still in the engagement and I can interact directly with them on some critical findings. But let's jump over to our workflow automation engine just to show that off for a second. You'll see here that I have a few workflows created and enabled. One where, if a finding comes in from Nessus and it's informational, I just don't even want to worry about it. So once that gets published, I just want to close out the finding. You could also have it be deleted, but let's just say I don't want to delete the data; I want it to still be there as informational, but I don't want to have it be an open finding. I just want to close it. So that's what this workflow will do. If we come into the one around the change of the status when it's in that regulated industries client group: we can specify what client groups may have specific workflows assigned to them as well. So because it's in this specific client group and the finding met that criteria, I'm going to go ahead and change it to in process. But what's really going to be cool is now I'm going to actually enable this one around escalating critical findings. I can go back to that report. Just go into my work; I could come back into this report.
I can select these two and say, hey, let's move these from in process to triaged. By doing that, that will trigger the workflow, and what it will do is basically escalate these to create a Jira ticket and send an email. So if we come back in here, you'll see that this has now been changed back to open and notified and linked to a Jira ticket. I've now gone back into some of these and said, "Hey, now I'm moving these back into in process and triaged so that now I can actually communicate and collaborate with the customer on fixing these." So this is all during the reporting process. I haven't even finished the engagement yet. But you can see how the workflow automation engine is very powerful for being able to conduct during-engagement operations, edit findings on the fly, and notify my customers right away. So a couple of the things I want to chat about that are really handy when doing the report writing piece, and I'll show you one really cool thing using our AI: I can add findings on the fly. So I'm going to say, hey, we found privilege escalation with Mimikatz, right? Most of you are going to be familiar with Mimikatz. I'll go ahead and set this as critical. It's going to create this and keep it in draft status for now. Let's just use our calculator for CVSS 4 to calculate the score. So I'm going to say, hey, you can get there here. You don't need privileges, or low privileges first. You do need some user interaction. It's low complexity. I'm just making this up, right? Just to show you how we have all the calculations available. I want to make sure this is going to make the right kind of assessment here. So I've got this at 9.3. That sounds about right.
So I can go through and make all these other status updates and things, but I'd like to create a description, and sometimes maybe I get challenged with writer's block, like I don't necessarily know how I want to write this. This is where the AI functionality really comes in handy. So I can say, "Hey, generate me a description for privilege escalation with Mimikatz." What this is doing is probing our AI engine and actually coming back with the information to help populate my description. And so this is going to be really handy. It gave me an initial place to start, right? So I can insert and replace this. Now I can edit this as I go. Well, let's have it do this for the recommendations as well. So this is nice, and now it's going to create recommendations based on its knowledge of the industry and what it has related to Mimikatz. And if I didn't like it, I could click regenerate; you have a whole history here of things. But I like that; that's a good starting point. So from here I could say, hey, maybe I'm working collaboratively with one of my other teammates. And so I'm like, "Hey, John, can you add your screenshots here?" Right? And so now John can come in; I have this full QA workflow and editing capabilities as well. One thing that I forgot to mention is that you can enable track changes on the report itself or on specific sections of the report.
So it would be like, instead of saying "powerful", I want to say "effective", right? I can have those track changes, so now you have a full QA workflow. You also can have a full real-time collaborative experience within this, which is really cool. So from a team perspective, multiple people can be in here at once, making the report as you go. You can have these track changes, and that flows through to where you can have that full QA life cycle within a report. I'm going to go ahead and add a couple of assets here just to keep consistent with what's going on.

But we’ll go ahead and get some of these in here.

Great. And then we will hit save. I've got some assets that were impacted by Mimikatz. And so you'll notice, as you've probably seen, let me go ahead and find that one real fast, that these are getting a risk score associated with them as well. So I mentioned earlier you've got this risk score. You can create whatever risk scores you want and assign the criteria and how that criticality starts to come into play. So this is the algorithm that I created for regulated industries. But you can do that on a per-client basis. You can do it for your entire customer base, you can have a default one for your entire customer base, or add them for specific customers in addition. So this really makes it handy from a contextual scoring perspective, and then from the customer side, they can start to have a prioritized remediation plan based on their contextual risk scoring. So that's very handy. And let's just go ahead and say that I want to now publish all of the report, right? There's a couple of ways I can do that. One, I could publish all the findings. So if I just closed out of this and maybe I wanted to sort more by risk score than the published findings, I could publish them individually. Or I can go into the report and say, hey, I'm ready to publish this report. What this will do is provide access to the customer for all the findings as well as the narrative sections. So let's just go ahead and do this. Now this is going to publish all those findings. So if I come back into here, all those findings will get published. That will also kick off the workflow for triaging those critical findings, or any findings that have a score of nine or higher. So that's what it's doing.
It's now going to run through those workflows and start to publish these findings and start to assign those criticalities and triage them accordingly. So if we come in here, I could also go ahead and manually link the Jira ticket. In the background, it's going to be doing all the triage and the notifications and things like that as we go.

So as I come back into this report, you can see now that all these critical findings have been identified as open and notified, and these tickets have been linked into our Jira project. I didn't show you exactly how you could do the Jira ticket linking manually. So what I'll do is go into, you know, halfway through the report, because that automation was just working for the critical findings. So let's pick a high finding here. If I come into that high finding, I can go ahead and say, let's create a Jira ticket and link. I'll show you how this is all set up here in a second as well. But I can create that; I can now link that to a Jira ticket. And as we close this out, we'll see that it now has this Jira ticket of 1494. So again, really handy in terms of being able to operate through the reporting life cycle, QA all those things, and publish them right away. If we come back into the narrative section, I can continue to edit this, and we have this handy readout section. So when I'm doing a readout with a customer, I can just navigate the entire report straight from here. You can navigate to each individual finding and discuss it as you go, and navigate the report really well. And let's say I wanted to actually export this into my custom template, because I wanted to show you how we do that in terms of being able to add screenshots and things like that directly into the report with very little post-editing. So I've hit export. It's selected the export template that I need and want, and it's going to report this out. Again, really handy from the perspective of saving time getting the report written and formatted correctly into my template, allowing me more time to focus on the results. That was a big report; it processed a lot of findings.
And so you'll see this is completely templated out. It inserted all of this into the Word document with the report start and end dates and who it was prepared for. I can go ahead and update the table of contents. So now this is parsing through the entire document, all those findings, adding them into the table of contents. And so now I've got my entire report right here, ready to go. Again, there were quite a few findings, so we'll scroll through this. And now you can see I got to that executive summary, and it inserted that screenshot. It had all that information ready to go. I can just save this off as a PDF and deliver it straight to my customer. So the templating experience is very handy, and I spend way less time doing anything related to formatting because we've got that template all set up and squared away. The other thing I forgot to show, I'll show now: I can do this search and replace where I can replace short codes, and I can go ahead and say okay, I'm going to do that. So all those areas where you saw the percent signs will be replaced. There you go. So now that replaced all those short codes, and again, everything we do in PlexTrac we try to make as streamlined and as automated as possible to keep you focused on executing the engagements. One final thing that I also want to show is that once I've published a report, I can work with the customer on, let's say, programmatic areas of risk, which is what we would call a priority. So I can assign findings straight to more programmatic areas of risk, of the three that I've selected. I'm going to say, hey, let's link these to a priority. And let's just assume they were part of the advanced threat actor one. So it's going to link those.
I can select the assets associated with them as well. So now I've selected all those and I'm going to link that to a priority. Now I have that priorities module that I can come into, and I can say, hey, I've got an advanced threat actors priority. It has its own risk scoring equation assigned to it. I've got 11 linked findings and 21 assets. This starts to give me a perspective on the priorities I've established in my quote-unquote risk register: what are the most important ones I should be focused on first? So we've got advanced threat actors, but we've also got externally facing assets and exposures there, with more findings and more critical assets associated with it, because asset criticality makes up 40% of that. So it helps me get a bird's-eye view of how I want to close and work on these findings. The priorities module is really cool for being able to highlight with your customers how to fix the most important things first. So I'm excited to be able to share PlexTrac with you and some of the cool new bells and whistles that we've got in the platform, all around helping you as a pentester, because I'm in the same boat. I hate writing reports. I want to make that as easy and streamlined as possible. So with PlexTrac, we can do all this in a quick and easy manner, as quickly as possible. I hope you get to check it out.

[Music]