PlexTrac for Pentest Reporting: See the Platform in Action

[Music] Hey everyone, my name is Dan DeCloss. I am the founder and CTO of PlexTrac and many of you may have have seen me in the past promoting PlexTrac throughout the the the past several years. But I’m also a pentester and I’m a pentester by trade and in my time in pentesting I’ve always wanted to make sure we were focused on the right things and getting the right work done. And that’s why I’ve been passionate about Flex Track and and building the the platform to really help pentesting teams and pen testers and anybody doing kind of security assessments to stay focused on the fun stuff, the most important things. And that’s hacking, that’s finding complicated exploits, that’s being able to collaborate effectively, not only with your team members, but with your customers on the findings that you’re identifying and and the risks that are involved in that. Um, today I wanted to highlight, you know, the awesomeness around PlexTrac and being able to create reports effectively, conduct an entire engagement, and just show off some of the some of the exciting things that we have in the platform to help you do your job more effectively. Um, so as a pentester, you know, I want to be able to kind of, view and schedule my engagements. So, we have our our scheduling capability here in PlexTrac. You can see I’ve already got some some scans and some assessments scheduled. Um, I’m going to go ahead and create a new one just to kind of show you how that works. So, we’re going to say like, hey, this is our annual pentest for 2025. I’m going to select the client as CEK astronomy. And I’m going to say like no holds barred pentest. And I could give it the scope. Um I could just say CEX organization. And we’ll go ahead and continue here. If Oh, I got I got to test select a test window here. So that’s not applicable. We’ll let we’ll let people test whenever they want. And then I can upload I could upload files here. I could upload network diagrams, scoping diagrams, anything related to that. I’ll I’ll go ahead and pass on that for now. But this is where you can upload anything related to the engagement. I can also now now create a report. So I’ll go ahead and say annual pentest for 2025.

Um I’ll keep this I’ll keep the report status and draft status. The other nice thing about PlexTrac is that you can template out the types of reports. So I’ll show you how to how to do this, but I’m going to go ahead and select our pentest template. This is going to pre-build the narrative sections of the report. it’s going to associate the export template to that to that report, and then that that’ll just save time when I want to go in to start editing the report. And then if I want when I want to export it out, it it’s already in the template that I’ve selected for that template. Here I could have a findings layout where we could specify different fields as as well. Um, I can select reviewers on the report. I’ll go ahead and just put Jane Doe as she’ll be a reviewer. And I’ll just say like annual um I can create a tag here for annual pentest, right? If I wanted to track that. Now go ahead and continue. Um now I want to select the dates of when we’re going to be doing this. Let’s go ahead and and say who’s going to be doing it. So it’s going to be just me. I have options of some other folks here as well. Um and then I’ll go ahead and select the dates as today through the next two weeks. And we’ll go ahead and save that. And so now what will happen is that will that will create the report. It creates the engagement as scheduled and once I move that that that report into a new status, it’ll show that it’s in progress. It will automatically pick it up tonight. Since I started it today, it’ll pick it up tonight as in progress and change it into this into this blue category as well. Um, so let’s go into that report that got created and just kind of see what happened. As you can see, I selected that template and so now it’s populated the entire report narrative um that I pre-built. We we support short codes here. So when I’m done with the report, I can just search I can do a quick search and replace for all the short codes. I can just replace short codes. It’ll populate all of that in. Um, but you can see here that that it’s created this narrative um from a pre-built template. So now all I have to do is go in and edit this as I’m doing the engagement. Here’s the additional details of that report that we populated as well. Here’s where you can actually edit the narratives. Um so if I want now as I conduct the engagement, I can come in here and I can edit these narratives as I go. And what’s also really cool is I can create the findings as I go too. Um so let’s go ahead and just um let’s just get some findings in quickly. So I’m going to go ahead and add some from actually let me let me take a step back. What we have is this this capability for for test plans and test procedures. So procedures being these are things that we have a methodology. We always want to be executing on these on these test procedures throughout an engagement. What’s nice about these procedures is that I can create a test plan that all my testers can follow and then but we can also add procedures as we go. So I’m going to go ahead and show you how to do that. I’m going to add from the repository and it’s going to I have lots of different options from all the different procedures that are possible. You can have methodologies like you know we love miter and miter attacks. So um we’ve created a penetration test plan of procedures based on that. So I’m just going to go ahead and select I’m actually going to make sure all of these will show up at once and then I’ll select these. So now I’ve got 24 procedures selected as part of our our standard pen test. So this this just serves as a guide, right? And now I can come in and I can actually come into these procedures and see what I need to execute. I can actually execute the procedures and fill out the the details. I can add the assets that are associated with this. And let’s just say I did I was successful in in executing on this one. You can have the red team and blue team come in and fill this out. Um, but but it you don’t have to have the blue team portion filled out. You can just execute the steps and then like I’m gonna just go ahead and say like, hey, we we executed this and it worked. I’m going to go ahead and add that to findings. Go ahead and save and close this. So now we have this this here. So we can we can funnel through all of these procedures as we go to kind of get perspective on what’s been executed and what what hasn’t within the test. But again, it it it can be just used as a guide. I can still populate more findings along the way and I don’t even have to fill in the procedures. From this procedures tab though, you do see that we have different coverage of the different tactics and techniques within the within the MITER attack life cycle. Um, and when we go over to findings, you’ll see that I have this finding here um that I promoted from the procedures. I’m going to come in and edit this as well. I’m going to say, hey, this is actually going to be a high. I could give it a CVSS score if I wanted to. I could add additional screenshots. I could add recommendations. I could use our AI module to help write for these things. And I’ll show you a couple other examples of that here in a second. And then I could also add affect the affected assets. So let’s let’s go ahead and add some existing assets. Um let’s say we’ve got um 192

and we will now now we have these assets associated with with this and you’ll also notice that these findings are in draft status but they’ve also been applied now a risk score. So that risk score is actually calculated right here automatically based on an algorithm that we’ve set up. I created this regulated industries and and and put this criteria against it. So um the whatever source of the information may be reporting it differently than what it actually is from the algorithm that gets created. And this helps with that prioritization conversation as well. Um so that’s one way to get findings in. I’m going to go ahead and add a bunch more in. So we have our writeups database where this is just this is just super handy, right? I can add in like let’s say we did find some SQL injection and I want to get bring this in from the default repository. I can go ahead and add some of these in and these are pre-built text. So now I can this is pre-built. So I now I can come in and and edit this as well. Um and then also we can bring in in findings from file imports and and other integrations. So I’m going to go ahead and um select a Nessus file here. Um going to add that in. Going to go ahead and upload this. And so this will queue up and this will start parsing things. I could also I could also tag findings and assets which is really nice. So like let’s say I want to just say like hey these are part of a PCI scan as well or they’re part of the PCI CDE. I can bring that in. So now it’s going to ceue up those finding. It’s going to it’s going to parse that out. Okay. So I I uploaded that Ness’s file and it parsed through all that data and brought those findings in. So you now have seen like I could create a finding on my own. I brought in some findings from our write-ups database and I’ve also imported some findings in from a from a a scanning tool like this one was Nessus, but we support a lot of different scanning tools. So um so what’s nice is like now I can actually start getting to the to the nitty-gritty of of adding adding information to the report. I can add screenshots. Um, I can adjust all these things and remember that that this is geared towards being a client portal in addition to being able to export into my custom documentation templates. So all these findings are in a draft status. Um, and I can move them in and out of draft status. I can also provide notifications through through our our platform. And I can also do workflow automations as well, which is really handy. So, I’ve got some workflow automation set up and I’ll show you those in a second. But, um, let’s just say that I’m in the middle of an engagement and I’m really excited, um, to be finding some critical issues, but because I found some critical issues, I want to notify my customer that, they should probably come in and and take a look at these. Um, this scan file obviously brought in quite a few critical vulnerabilities, but for the sake of brevity, I’ll just kind of show you like, okay, I want to notify them of these two right away. So, I’m going to go ahead and um I’m going to go ahead and update the status. I’m going to say, hey, I’m I’m notifying these folks. And then I’m also going to and and you’ll actually be able you can actually see that sub status here if we go ahead and add this column, which um if you if you’re not familiar with our column customizer, it’s really handy. So, I kind of like to bring this right here by the status. Um, and so you’ll see that these are two now are open and notified. But, let’s go ahead and actually publish those findings so that they actually will get the notification. And what I have in my workflow automation is that it will any publish anytime a finding gets published or edited via being published it will then it will then go ahead and update the status of the finding to in process. So you’ll see here if I now that I I come in this finding is now updated to in process and you’ll see that it’s updated by that regulated industry findings to in process workflow. So, how did that do that? Let’s go ahead and check it out because it’s really cool. And you can and then I can enable one to actually show that it can get assigned to a Jira ticket and stuff like that. But I can still do that manually. I can link to Jira. I can link to service now. So if my customer has has those set up, I can link straight to it and create a ticket and it’s birectional. So um what this is all this can all be done while I’m doing the report. I’m still in the engagement and I can interact directly with them on some critical findings. Um, but let’s jump over to our workflow automation engine just to kind of show that off for a second. You’ll see here that I got a few I have a few workflows created and and enabled. Um, one where it’s like, hey, if all the information if a finding comes in from Nessus and it’s formational, I just don’t even want to worry about it. So, like once that gets published, I just want to close out the finding. I don’t you could also maybe you know have it be deleted but let’s just say I don’t want to delete the data. I want it to still be there as formational but I don’t want to I don’t want to have it be as like an open finding. I just want to close it. Um so that’s what this workflow will do. If we come into the the one around the change of the status when it’s in that regulated industries’s client group. See, we can we can specify what client groups may have specific workflows assigned to them as well. So, because it’s in this specific client group um and the the finding met that criteria, I’m going to go ahead and change it to in process. But, um what’s really going to be cool is now I’m going to actually enable this one around escalating critical findings. I can go back to that report. Just go into my work. I could come back into this report. I can say I can select these two right and I can say like hey let’s move these from let’s move these from in process um to triaged right now by doing that that will trigger the workflow and now what it will do is it will create a it’ll basically escalate these to create a Jira ticket and send an email. So, if we come back in here, you’ll see that this has now been, changed back to open and notified and, linked to a Jura ticket. I’ve now gone back into some of these and said, “Hey, now I’m moving these back into in process and triage so that now I can actually, communicate and collaborate with the customer on fixing these.” So, like, this is all during the reporting process. Like, I haven’t even finished the engagement yet. But you can see how the workflow automation engine is very powerful to be able to conduct during engagement operations and being able to edit findings on the fly and notify my customers right away. Um, so one a couple of the things I want to talk chat about like that are really handy when like doing the report writing piece and I’ll show you one really cool thing using our AI, I can add findings on the fly. So I’m going to say like hey we found privilege escalation with Mimi Cats, right? U most of you are going to be familiar with Mimiats. I’ll go ahead and set this as critical. It’s going to create this. It’s going to keep it in draft status for now. I could go ahead and let’s let’s just use our cool calculator for CVSS4 to calculate the score. So, I’m going to say like, hey, you can get there here. You don’t need privileges or low privileges first. You do need some user interaction. It’s a low complexity. I’m just kind of making this up, right? Just to kind of show you how we have all the all the calculations, you know, available. I want to make sure this is going to make the right kind of assessment here. So, I’ve got this data 9.3. That’s that sounds about right. So, I can go through and make all these other status updates and things, but um but I’d like to like to create a description and I’m you know sometimes maybe I get challenged with like writer’s block like I don’t know necessarily what how I want to write this. This is where AI functionality really comes handy. So, I can say, “Hey, um, generate me a description for privilege escalation with Mimiats.” What this is doing is it’s it’s probing our AI engine and and actually coming back with the information to help populate my description. And so, this is going to be really handy. It gave me kind of an initial initial place to start, right? So, I can insert and replace this. Now, I can I can edit this as I go. Well, let’s let’s have it use this for the recommendations as well. So this is nice and you know now it’s going to create recommendations based on its knowledge of the industry and how to how to what it has related to Mimi Cats. And if I didn’t like it, I could click regenerate. You have a whole history here of of things. And so but I like that like that’s a good starting point. So um so from here I could say like hey maybe I’m working collaboratively with with a with one of my other teammates. And so I’m like, “Hey, John, um, can you add your screenshots here?” Right? And so now John can come in, you know, I have this full QA workflow and editing capabilities as well. One thing that I forgot to to mention is that, you know, you can you can enable track changes on the report itself or on specific sections of the report. So it would be like um instead of maybe saying um powerful I want to say you know effective right I can have those track changes so now you have a full QA workflow you also can have a full real-time collaborative experience within this this which is really cool so from a team perspective multiple people can be in here at once just making the report as you go you can have these track changes and that flows through um to where you can have that that that full QA life cycle within a report. I’m going to go ahead and add a couple assets here just to kind of keep consistent with what’s going on.