PlexTrac for Pentesters: The Ultimate Cheat Code

Okay, well, that brings up the question. What do you listen to when you’re hacking? I mean, you can have that lofi hip hop. You can have the sound of the coffee shop in the background electronica. I picked up a subscription to Soma FM back in the day at a Def Con, and it got some really good channels for just kind of having that background noise so that you can focus on what you’re doing and not lose track of where you are. Quick, Dallon, change the poll questions. Let’s go down to the important stuff. What do you have to I’ll keep that in the back of my mind for a future webinar.

I’ll make it a LinkedIn poll because I’m getting tired of what I’ve got. So I do need some new music. That’s awesome.

And I haven’t had any kind of a theme song or anything going. It’s always been for me. Just screams from the blue team. I love it.

We’ve done it in silence. Now that I look back, I mean, it’s just no headphones or any of that. Just sitting there staring at the screen and just kind of zoning out and forgetting that there was a world above and beyond what I was doing. Awesome. Well, cool. On that note. Yeah.

We’re past the top of the hour here. Almost eleven one. So let’s get this show on the road. I know what you guys are thinking. Who are you and what have you done with Dan De Claus? My name is Dallon, and I work on the marketing team over here, and I’m going to be filling in as a pseudo moderator for this event. You won’t have to look at my mug for too much longer. I will pass it over to the experts here in a second.

But first, I just want to detail a couple of things. I’ll let our panelists introduce themselves. First off, we’ve got Sean Scott, our VP of success.

Hey, everybody. Sean Scott, happy to be here. Background in the DoD cyber operations and then a little bit of time as an independent practitioner. And I have been part of PlexTrac since the early days and so happy to be here and sharing the things we continue to do to support what was our first and most loved audience. Yeah, absolutely. Joe Perini, newer to the team career pen tester and product evangelist. Do you want to introduce yourself? Yeah.

Good morning. I’m Joe Perini. As Dallon said, I am new two months as of today, the product evangelist. I get excited about being able to deliver actionable reports to customers, things that they can look at they can use, making the process easier for pen testers, making the process easier for customers. And I’m excited to be here. So thanks, Dalen. Yeah, absolutely.

And last but certainly not least, we’ve got Brian McGaffin. He’s been with the team for a while. I think this is his first webinar as well. Brian, do you want to introduce yourself? Yeah. Brian Mugoffin. I’m a sales engineering lead here at Plex Track. And if you look at my history, it goes back since like 89, but it’s very ADHD.

I’ve done everything from pull cables to pen test to just the generic architecture route switch, WiFi, different stadiums and so on. But yeah, right place, right time. I decided to dedicate my career here and to security as a whole. And reporting was one of the main reasons why I love the pen testing. But reporting was just really difficult for me specifically. So, yeah, it’s one of the reasons why I didn’t stick with it. Awesome.

Yeah. And that leads right into our agenda for today. Yeah. We’re going to be talking directly to Pentesters people working in offset and really detailing the PlexTrac cheat code, if you will, for these individuals. So how you can use Plex Track across all workflow phases of a pen test, from discovery all the way up to the final report, just kind of getting into the format. Sean is going to be driving our Clicks track instance. And Joe and Brian are going to be kind of our color commentators of sorts, sharing their thoughts and stories from their experiences in the field.

So, yeah, with that, I will stop sharing here. And Sean, do you want to take it away? Absolutely. And while I’m bringing up the screen here, one thing I will say right off the bad is the limitation. Brian, we can help you with reporting, but we can’t help you. Right. So PlexTrac isn’t going to fix all of your problems? Well, let’s be clear. We can because we now have the ability to store previously approved and written content.

You don’t have to come up with it on the fly anymore. Once it’s done and approved, you just re pull it, import it into your report, and you’re done. Absolutely. And I think Joe here gave us a good segue into something that we didn’t even tease. But we’re going to announce and demonstrate. Did I give it away early? I’m sorry. Yeah, it’s okay.

We got a massive new feature that is coming to PlexTrac that is going to be extremely helpful to people in the technical space. So as I mentioned, I do have a background in testing. And I was actually an early stage user of PlexTrac because reporting obviously was a time suck for me too. And PlexTrac has grown significantly and we have so many modules that scraps only itches in information security. But the truth is that we were born of the Pen testing community and it’s still a community that’s near and dear at our heart. And so even if the platform continues to evolve, we’re going to continue to do everything we can to make everyone’s life easier. So the first place we’re going to actually start, people probably think we’re going to dive right into talking about documentation of testing and things like that.

But there’s some admin that actually happens with every engagement that is painful. It’s not information security and that’s just performing the statement of work generation. Right. What do you want us to do for you? And I know Joe, Brian, while I’m pulling up some of the things that we can do to help out in that area, what are some of the friction points you’ve run into in the past just with the admin items before an engagement even starts for me? Go ahead. I was going to say the biggest difficulties you have. First off, Pen testers, they don’t have to chase customers for information about the engagement. So if we can just give the pen testers, the operators what they need and let them get to it, that’s the way it should be done.

So operations or the project managers can be using the Plex Track platform to collect the rules of engagement, to collect the in scope, out of scope or fragile device lists the domains and store all of this within the platform. So it’s all in one place. In fact, you can go so far as to create a user for your customer and let them just put it in so we don’t have to chase emails. Where is it? It’s on the drive someplace. Where’s the spreadsheet? Who knows? It’s all in Plextrack now. Yeah, exactly, Joe. And what I actually want to show is something that we didn’t produce.

I want to share, actually a pre engagement questionnaire that was produced by one of our partners, one of our clients, and they actually have shared this with us. This is their work. You may choose to use this or modify this. You can actually pull this exact thing down off of our documentation. But we have quite a few of our existing partners that even before the start of technical testing, will do exactly what Joe mentioned. They will just begin an assessment, grab a link here for where that lives, create a non privileged account, what we call an analyst user and send it off to the actual partner that they’re going to be doing work for. And that allows them to come in in a secure environment and begin providing all of the details that you might need to scope out an engagement all the admin stuff.

What do you actually want us to do? And you can configure all of this however you see fit for the services that you offer. You can even offer guiding questions. I’ve seen a version of this where they’ll start out by what regulatory frameworks do you live underneath? And that’s going to kind of guide some of the technical testing. If you’re required to have your PCI segmentation stuff or your annual Pen test, you can capture all that stuff here as well. And our assessment module makes this really easy. It also makes it really easy to and I didn’t actually pre populate this one. I’ve got one that’s actually in progress.

I forgot what I did last night. But if I actually were to go back to this one, I’ve done a little bit of data entry. And you can actually have your clients in a secure, secure connection provide whatever sort of sensitive documentation they need right in the platform.

When they’re done, they hit submit. And the beauty is, you don’t have some sort of other additional platform that you’re not used to. All that data just gets normalized into the standard plus track report that you’re used to seeing. And so you can come in here, you can view the responses that were provided. And if you even want to get really Gucci, you could actually have a customer for template that spits all this data out into a preformatic statement of work. So people tend not to think about some of the Drudgery that exists on the front end. But I know that it’s that Drudgery that tends to make our lives full of things that we don’t want to be doing instead of the actual technical work.

Well, I’ve never had anybody ignore an email that I sent out asking about a no strike list, and then ended up hitting something that I wasn’t supposed to because of that. Right. So this is a way to make sure that you’ve collected all of that information and pull it all together. Yeah. And it’s super easy. And in fact, if you grab the actual sample we have off of Docs PlexTrac.com under our assessment library, you can even use that as a starting point. And you can hop in here yourself, or you can reach out to our team and you can modify this however you see fit.

You can set it up with whatever data you need to collect that’s really tailored to the types of work that you’re doing and the service is desired. You can completely modify this, set it up so they can check as many and you can get as much value out of your relationship as possible by providing as many services. Use these as conversation starters as well as a practice director. I gotta tell you, margins are tight out there, right? We’re in the marketplace to a certain extent. There are a lot of consultancies that are willing to do. Race to the bottom. Just do it cheap and dirty.

And if I can find any way that cuts down the amount of time required in any of the phases of my engagement, including set up, that can help me cut costs, and it can also allow me to take on more work. So this is fantastic. It goes straight to my bottom line. Awesome. Something else that we take very seriously and PlexTrac, as we start moving into the actual workflow before we’ve actually begin doing the work, is the actual process of providing the set up in the platform. Right. We take data segregation very seriously in PlexTrac, and we control access to data via the buckets of data that are the client buckets.

And this is how permissions are scoped at a high level. We’ve got different ways of handling that. But one of the things we make it really easy to do is to allow your teams to get off and running without having to do a lot of work while maintaining that data segregation. So any user can create a client. But the permissions and the abilities to interact with that data is an administrative function. Right. You don’t want Willy nilly people handed out access to every user or every set of data in the platform, especially as your consultancy grows gets larger.

Maybe you already work in a large organization. You should be implementing principle of least privilege. Right. We’re all security professionals. If I don’t need access to the work that Brian is doing and Joe’s doing, then I shouldn’t have it. At the same time, we want to make it easy to act as teams. So one of the neat things that we do in PlexTrac, and I present this as a tip and trick because I think it’s one of those overlooked things is you can have any of your users that are standard users.

And I’ve got one set up here, and this user I created this morning, they don’t have access to any client data at all. They haven’t been given it, and that’s fine. But let’s pretend that I’m a team lead and I want to get Joe and I want to get Brian on my team. They’ve been assigned to me, but I don’t have administrative access and I don’t need it. What’s really cool in PlexTrac is that when you create a client, I’ll create a client here. We’ll call this the Boise Coop. Why not? Because at least a few of us are here in Boise.

One of the interesting things that we do is we automatically elevate the permissions for clients that you create to the administrator level. So I created this client. I’m a standard user. For those of you who are familiar with Flex Tract, you would expect if I was an administrator that I’ve got those privileges. But I don’t. But this little tip and trick that I think a lot of people overlook is that if I actually go to a client that I have created. And by the way, this is me.

Even though I’m a standard user, I have been elevated to the administrator role. And that gives me the ability of adding additional users to my team without having to go submit a ticket to someone I know. As we have grown into larger consultancies, oftentimes the line testers don’t have administrative privileges, and they’ve got to submit a support ticket to get any sort of administrative function because the It team is holding those permissions back. I don’t know, Brian. You ever run into internal red tape that has hindered your ability to perform your mission? Never. All the time.

But once again, it’s an often overlooked tip and trick. You don’t have to give all of your testers, even if their team leads administrative permissions for them to be able to manage your team, be able to add and authorize additional users and get off to work.

All right, so, Sean, real quick, true story. And it’s kind of a confession. You talk about not giving people administrative permissions back. In one of my other practices, one of the other teams, I somehow accidentally deleted the entire file share that contained every bit of data for the last I don’t know, something like eight years. Thank God we had backups. So, yeah. Unnecessary permissions.

Probably a good idea to restrict it down. Yeah, absolutely. Well, when it’s time to actually start doing some work. Right. Where do you start? You starting to reconnect phase. And even though I think everyone prides themselves on manual penetration testing, why not use the tools that are out there and most people do for that initial pass of things. Right.

If you’re a user, you know this, we make it silly easy for you to import any sort of your scan results. I think most people are aware of this functionality. I’m going to grab a random scan result that we’ve got available for us here today. I’ll actually grab a burp sample here. By the way, another tip and trick that I often remind people about is when you are bringing in scan results, I always encourage you to use this one time opportunity to tag those things with the source because that makes it really easy if you start adding write ups from your write ups database or manually generating write ups to be able to segregate those easily in your environment. But I want to bring in these scan results to demonstrate not just how easy it is to bring these things into your environment, but also how you can actually do some work to make this data a little bit more usable. If you’re not planning on spitting out the raw results of the scan and you’re just planning on using this for the Recon phase, especially if you’re dealing with something like Nessus.

Right. And you’re probably going to be getting gobs and gobs and gobs of findings from anything you do. How do I actually make that data useful for me if I’m just using it for Recon purposes. And we’ve got a tool that a lot of people they overlook, and that’s called our Parser actions. Now this is an action that exists in the Administrative Control Panel, and because of that, I need to swap it back over to my administrator to be able to show that functionality. But what does parser actions do? It is a way of managing all of that scan data that you bring in. Harsher Actions is a learning module, right.

So as you bring in different scan results once it’s enabled, it is harvesting the plugin IDs that are detected in those, along with the title and the severity, and creating a database that you can create rules based upon. So I know the one that this is probably the most common example of the use of parser actions on the planet. Ssl issues. So if you’ve ever run it doesn’t matter. I’m calling up Nest this year. But it’s any of the scan tools, right? You’re going to get gobs and gobs and gobs of these. And most of them are going to have the same root causes, right? You need to stop using deprecated ciphers, you need to enforce TLS 1.2 Recreator.

Anything else I’m missing, right? Only use search from trusted CAS. But you can actually use this module to do a mini to one mapping. You can grab whatever those findings are that you’re looking for, and you can link those to a write up from your write ups database. And in preparation of this new environment, I don’t think I’ve put a generic SSL into a writer’s database, but you kind of get the idea. So what’s going to happen now is from here on out, anytime a user imports a Nest finding, all of these findings are going to be consolidated. All the affected assets are going to be added as a single right up that has got the language that you’ve defined inside of your write up database. So if you’re truly using this in a Recon fashion for a manual pen test, I don’t want to sort through 500 data items.

I want it to point to me what are the threads I need to pull and what are the assets I need to go pull those threads on, right. And the partial actions are really going to do a lot to save you time if you are using scan results as part of your Recon phase. I don’t know, Joe. Brian, I’m sure you folks have run into this before all the time. Actually, I was thinking in addition, like Qualis and Burp, they’ll do the same. Whereas for every insecure cipher that I have on a web app, they’ll all fire a separate finding. And something else, Sean, that I was thinking of.

Right while that popped up is we can do that for multiple sources as well. So if you run a Burp and a Nessus you have those all rewrite to that same SSL findings right up that you did. Now instead of having those duplicate between it’s all popping that one, and the assets all get correlated appropriately there too. So I was an auditor for many years and I would see a lot of different Pen test reports. And there tends to be kind of two schools of thought where we throw everything we can find everything and the kitchen sink into our report so that we have as many findings as humanly possible. And then the other school of thought tended to be we’re going to just drill into that which is most important and actionable. And that’s where I tend to come from.

But this is great if you’re just trying to narrow this down, because let’s face it, our customers are going to remediate whatever they have time to remediate. So they’ve got a finite amount of time. Let’s have them focus on what’s important. And 35 different SSL vulnerabilities is not all that important.

Well, I’ve never done this, but if you’re paid by getting paid by finding, I don’t know who gets paid by finding. But I did a bake off with another Pen test company and we had about 15 findings in our report and we felt it was fairly exhaustive. And then the other company came in with something like, I don’t know, 70, 80 different. And they were just the same vulnerability, kind of with a different title or slightly different. And even the customer kind of looked at it and went again, they’ve only got so many hours in their day. And if I’m trying to make them better, I want them to focus on what’s important. And the Parser actions is a great way of doing that, even if I have a customer that’s already agreed to, hey, look, if you see this finding like art poisoning, we know about it, it will cost us a million dollars to replace all the routers.

Don’t bother putting it in the report. And I can use Parser actions to go ahead and automatically make it informational and giving them what they’ve asked for, giving them what’s most important. Awesome. We got one more item I want to cover as part of the Recon phase of your work. And it’s one that it’s a best practice and it’s for use with PlexTrac actually to make your life easier. It’s one of those features that I think a lot of people overlook. I always try to make sure I flip stop at an initial training, but that is taking an Nmap discovery scan at the start of your engagement on whatever the network, assuming that you’re doing a network type test.

Right. And the reason why is in PlexTrac, we treat assets as an independent data object from any finance or reports that are associated with. And so when you create a finding, you’re going to associate an asset with that finding. And there’s very good reasons for that. Right? Because that allows you to look at an asset and see all of the findings that are associated with that. It doesn’t matter what reports they’re in, things like that. We can consolidate that.

But the process then of okay, I’m doing a manual test. I’ve moved past my scan phase. Right. I’ve detected a vulnerability, and now I need to associate the affected asset with that vulnerability. I want to show you a trick that’s going to make your life so easy to do that and really save you a ton of time. When you’re working with PlexTrac, it does require you to run a quick Nmap discovery scan. And maybe what I’ll do is I’ll grab that fresh client, the one that I just created here, to perhaps demonstrate this process.

But if I met the client level and I go to view assets, we have this capability to import assets. And what we’d be doing here is importing those assets so that we populate the database for this client with a list of assets. You can do that from Nmap, from the XML format, or from CSV. So I think I’ve got an in map here someplace. I do. Great. I’m going to throw that on in here and I’m going to upload that.

And what you will notice now is this client already had a couple of assets. I had brought some things in, but now we’ve got all these additional hosts that exist. I don’t have any findings associated with them yet, but they’ve just been created as assets. When we parsed in some of the other data, open ports and services, things like that, I won’t drill too hard into that at this point. But why did I want to do that? Well, if we go to one of these reports, like, we’ve got this one initial scan here and I pop in here and I am now editing, let’s pretend that this was not a scan result, but I find you that I brought up the right of database or I created manually. Now, when I go to my affected assets tab, if I’ve got additional assets that I want to associate with this finding, I don’t have to go through the process of creating the new asset where I’m providing it with a name. And then I have the option of writing additional that I don’t have to.

But I can skip that step. I can just go into assets and then add some existing assets and start firing away and pick the ones that I’m looking for based upon the fact that I’ve pre populated all these assets at the client just by importing that MMAP discovery scheme. Something that’s new. Is that the plug? Probably since the last time that I’ve been on a webinar. I guess it’s been too long now. And you got to get in these things more often is that we have revamped our entire method for editing and adding data that is associated with an effective asset. So for example, for this, let’s just pretend that this is an SSH issue.

I’ve got now this little split graphical method, I can indicate Port service data, things like that. Some people care about this stuff, some people don’t. However, where does this stuff really matter? Probably when you see things like it’s not on 422, it’s a 422 92 or something wacky like that. Right. Where do I actually go to look to find this sort of thing? So we make it really easy to have this data. We’re still parsing this stuff out automatically if you are bringing stuff up scan results, but really made it a lot easier if you are doing that manual type of testing to add that to your result. Something that is brand new that we didn’t have the capability of doing before is parsing out the vulnerable parameters in apps that work.

And I have to admit that I am not an app. That guy comes in the network world. But just to demonstrate what’s going on here, if you have a Uri and you grab that and you paste that into this box here, we’re going to parse out the parameters for you and you’ve also got the ability of adding additional parameters as well. Some other new capability that we’ve added that we didn’t have not that long ago is you’ve just got it seems fantastic. But you’ve got a place for things that are important about this asset in the context of the finding. Right. So what’s special about the instance of this finding on this asset? Things like that, because obviously not all manifestations of vulnerabilities are going to be identical across all hosts.

So brand new functionality really excited about that. But what would I primarily do this on? I would primarily do this on things that we have brought in from the right of database. Right. Because really what we find when we talk with our users that have been using PlexTrac for pentesting for years now is that the value of PlexTrac is tremendously increased in proportion to the effort they put into the Writeups Database. Are you spending the time to get the language the way that you want it, so that it’s standardized so that even Bryan Magoffin here with his poor writing capabilities can bring in language people aren’t going to scoff at. And so our Writeups Database has been an extremely valued piece of PlexTrac for a long time. We make it really easy to take items and put them into your Writeups Database that you’ve created yourself or to bring findings in from a Writeups Database.

It’s really easy to do that. You go to add findings from write ups database and you get the selection that you see here. But what’s brand spanking new for us is that we are announcing today that we have now introduced the concept of repositories in the write ups database. And what the repositories do for you in the past, all of the write ups, but you can still access all the write ups, right? You had simply a flat list of everything that exists today. You could use Tags to find those things. And that was a great way of organizing your write ups. But you have limited permissions because if you had the Rback permissions to rewrite access to the right of database, you had read write access to everything in the write up database, you had no ability to segregate things and larger teams.

Once again, principal leads privilege, right? You don’t want the GRC folks messing with your pen testing write ups for sure. And the write ups are going to be different, right? If I’m coming in from an incident response perspective versus a vulnerability management perspective, my context is going to be completely different. And you don’t want to use that same write up. I may have different write ups for different regulatory regimes. I may have different write ups for different clients. So this is great. Yeah.

Let me do a little bit deeper dive into how this process works so you can see that I’ve got five repositories on my screen right now. For those of you on the call that are current PlexTrac listeners, the migration strategy is pretty simple. All of the writeups that exist in your environment today, once your system is updated with this new code. By the way, this just hit our Edge branch today. So this will be being promoted into our stable environment within two weeks and will be pushed automatically for if you are a SAS customer and PlexTrac is hosting you or will be available for you within two weeks if you are an on Prem client. But the migration strategy is all of your existing write ups will repository. We give you this nice little helper text.

Right? Any existing write ups have been moved here and this is where you can find all of the things that you had before. However, what we have now is the ability of creating new repositories. So I have actually created four new repositories. One that segregates my network vulnerabilities and one that segregates my web app vulnerabilities. And then I’ve got these associated dropboxes here, right. And this is a use case that we know people are going to love. One thing that you’ll note is that these dropboxes are shared repositories.

What that means is if you’ve got the RBA permissions for rewrite for write ups database, you can interact and work with anything in the shared repositories. However, you also have the ability of creating a new repository and making it a private repository. So I’ve got network vulnerabilities and web app vulnerabilities here. I’ll go ahead and hop into web app. You’ll notice that I’ve moved some of my type findings here, but I can come in here now and I can manage users or permissions and I can say you know what? I think we’ve established that Brian can’t write. So maybe Brian these write ups and pulling these write ups in his report. But I trust Joe and Joe can come in here.

That’s a mistake.

I don’t want to let Brian PrivaC himself by managing this mode also way his ability to manage users back edit capability. I like to write. I can write if I need to, but yeah, you can come in here. You can manage additional users that exist in your tenancy and really gradually control things so that you can standardize the language that’s being brought into your write ups. Now, this is something that is really cool that people have been asking for for a long time. This makes me so happy to be here today to be able to show this. So I’ve got these cool bulk actions.

I can now take any of these and I can clone them from this right up to repository into another repository. Or I can just move them. Right. And so if I wanted to start, you mentioned Joe, where you’ve given different versions of write ups, some for more technical audiences, some for less technical audiences, things like that. Right. I can just copy these things in bulk today and say, I would like to add these. This doesn’t make much logical sense.

But to my network vulnerabilities library. And now I have added those into that network vulnerability library while retaining the original copy that is here. So absolutely cool capability. But let’s start stringing some things together. Let’s start stringing together the permissions that we’ve given you with this ability to clone. Okay. So I don’t trust Brian to write well, but every now and then Brian gets a good idea.

And from a technical perspective, yeah.

I hope you’re working from home, Sean, but I do want Brian to have the ability to contribute. Right. And so this is why these dropboxes are here. I’ve created these new repositories as public so that Brian can come in here. He can create or copy write ups from the write ups database, from his reports into this is empty right now. But we can come in here, create something, start from scratch, maybe use the field template, do everything he needs to go to make his submission, to include what repository I’m doing that in and what I think it should be and so forth. Right.

Once he creates that, that’s awesome. Now we can have Joe, who has that ability to actually edit that private repository for network findings. He can come in, he can edit it, he can review it. And if he decides that it’s a state that he wants to make it part of our approved write ups, he can just move it. Great. We can move it out of here and let’s get it where it belongs inside of the network vulnerabilities repository. And it’s moved out.

The trash is cleared out a joke and set a timer set an alarm or something to come in here, check this every now and then. But it doesn’t necessarily have to because he’s going to get a visual indication whenever something has dropped into the dropboxes. No, this is great because it puts a lot of structure around the QA process for write ups. The biggest issue I had in our practices is that Bob would have a write up finding for cross site scripting that had one title, and then Steve would have a finding that with a slightly different title. And if I had to do any analytics for my customer, I couldn’t tell you if they were different. And as a result, it was kind of a mess. Now with this, I can go ahead and have new findings written that are to be QAED, to be approved in a separate repository, that I can put some structure around and have specific individuals, my tech writers, my QA people, or that trusted peer to look at it and then move it into the approved for use repository.

And now we’re all using the same title. We’re all using the same finding. And my client can do analytics, or my project coordinators or operation can do analytics on findings over a period of time. Again, providing actionable information to the customer is what makes them sticky, what keeps them with my practice rather than going off to another one. Absolutely. Joe, we really stumbled upon something with this repository in the permission structure, and we love it. And that generated a lot of discussion, internal and PlexTrac.

And I don’t have this to show you today. It’s not coming for a while, but you’re going to see this repository structure again because we have lots of reusable data and PlexTrac. Yeah, we do.

We know today that people are using report templates as ways of reusing narratives that they dynamically bring into their environments. Right. And I’m going to show you how you can do that today here in a moment. We’ve also got content in our run books and procedures. And so we’re going to be over the course of this year, taking those various data elements and structuring them in the same repository format to bring the same level of control, permissions, and enablement of standardization and peer review into the other reusable content of the platform. This is great. This is the whole sharpen the saw idea, right.

If you have 6 hours to cut down a tree, you spend 4 hours sharpening the saw. And being able to set this up in advance, having everything you want perfectly tweaked with a couple of different sets of eyes will make your process go so much faster goes to the bottom line. Absolutely. And we’ve been talking a lot about findings. Financial important findings are the sexy part that everybody loves. Right. But you can’t deliver reports just finding.

You got to satisfy the sea levels with the narrative and the summaries introduction, methodology, all those parts of your report, they’re just expected to be upfront. They do provide value. But writing those was the bane of my existence, to be honest with you. I want to go in and go to my last report. I copy paste things. And so Flux track. We make it really easy to start once again.

Just like you can start from reusable content for your writeups, you can start with reusable content from your narratives. Right. And how do you do that? You can harvest them in from report templates. So I’ve got one created here that shows what I call my multi scope baseline. And obviously this would be more detailed. But all of your reusable language, your introduction, your methodology, your scope and test environments, these are things that you can bring in to start from a point of departure and that you don’t even have to use correct verb tense. Brian, somebody else already done that for you.

I got it on recording. You said you don’t like to write either have evidence. Now, it is true. I’m going to blow this up a little bit because I want to actually highlight some content here and a couple of things that are brand new, probably since the last time I’ve been on a webinar. And that is we’ve introduced our QA workflow tools. Right. So we now have track changes.

If I were to turn those on, there’s nothing cosmic about this. It works like you would expect it to if you’ve ever used Microsoft Word. I’ve got a track change in here. I can either accept or reject it. If I accept it, great. It goes away and the replacement happens. We’ve also added commenting capability.

And you can comment on anything that exists inside your rich text or even just on the titles themselves. Right. I could say I want to throw a title instead of calling this introduction. We’ll call this the starting words or whatever. We might want to comment. Right. And one thing I’ll note, make sure that you save this.

This works just like some comments in Google Docs. You want to save that to make it persistent, then obviously you can always get rid of that when you don’t want it. Yeah, I really don’t want that comment there. And we’re gone. Now, one thing you’ll notice that’s also interesting about the language that I brought in is we’ve got these odd looking Ducks here. And this is fairly new. We brought this out in December, I think.

And this is short codes. Right. But it’s not just built in short codes. It’s the ability to define your own short codes. And what am I talking about? So in PlexTrac at the report level. Right. So if we go to the report details here, I assign that template I was using.

We have these ability to template out and bring in report level custom fields. These are those pieces of metadata. What’s the version? Right. What’s the application name. Hey, why not? Let’s call this the PlexTrac app. Who’s the lead tester? It’s always Nick Save, and he’s the leader of everything in my book. Sorry, Alabama fan.

Who does your client lead? Things like that. And these values here can be mapped to short codes that you define. And where does this functionality live? Well, if I go to my account administration, you’ve got this new functionality called short codes, right? You click on here, you’ve got the ability of defining your own shortcode. So for example, I said for the string short application name rules on this, by the way, 2% on front, 2% on the back, single string in between. No special characters, doesn’t have to be capitalized or anything. But then I can define where do I want to draw the replacement data from? I would say the report custom fields is the most common. You can also do it to client custom fields if you have those available to you as well.

And then what is the associated label of that field? Right. So if we go back to the report that we were just in and we take a look at the report template that we brought in, I made sure that I populated it with the labels that I need to enable these short codes. Put it all together. Here’s where the magic happens, right? I purposely left one of these blank, but I’m going to go up to search and replace and I’m going to replace my shortcodes. And when I do that, you will note and I probably forgot to mention that I got a couple of built in shortcodes here as well. I also probably should have picked a smaller data set as well because it is a global action. Right.

So what you see that happened here is for our application name, we replace that with PlexTrac. Now, you’ll notice that we did not replace client lead. That just was left as it was. And the reason why is the same thing here with the report start date. That’s one of our built in short codes. Actually, if there’s no data associated, we’re not just going to take these short codes out and leave them blank. We want you to have an opportunity to go and add the data.

So if you come back over to your details and I was now to give it a project lead and we’ll say that that’s fair, Brian.

And maybe we’ll also fill in the rest of those. We’ll give it a start and end date. Right. Because we got three built in shortcodes and PlexTrac, start date, end date and client name save all that. And now I go back to my readout view and replace those one more time. You will see that they now have data and they can be replaced. So tremendous time savings.

And one thing I wanted I got to just interrupt here because one of my last places I had 60 different report templates and every single one of them had brackets in red with client name, start date, sfiec versus PCI, whatever. So this is a huge time saver right from the get go. I no longer have to make sure even during the QA process, making sure that they went through and they put in all of them. This is fantastic. Yeah, it’s definitely been probably one of the more popular features. I think everyone that I have shown this to you has implemented it immediately. Something I forgot to mention.

For those of you who may be on Prem clients, if you are here, I’ve been showing off the QA workflow tools, right? I clicked on the wrong tab there. This is something that we are going to be adding into a premium price tier in the future for new Flex Drive clients. But we are grandfathering our existing clients and so we got to take a little switch action on your box to make it happen. So if you don’t find that you’ve got these tools in your environment and you are an on Prem client, reach out to us to support a flashback.com. We’ll get you set up and make sure that you’ve got those available for you as well.

So getting everything ready to go is we’ve demonstrated getting our narratives in working with the data, working with the findings. At some point you are going to be ready to deliver this to your client. And anyone who has worked with PlexTrac in the past, you know that we can take your existing people ask us what is the report look like coming out of PlexTrac as far as the document? And like, I don’t know what’s your report look like now because we create a Pixel perfect representation using the Ginger and that’s great. Nothing’s changed there. We still do that for you. But one thing I’m sorry, using the what the Ginger that is a bastard child of Python is a method that we use to pull the data into your customized report template. And so I don’t want to spend time talking about that because there’s not much to show.

We pull the data and we put it where it needs to go in your look and feel. But I do want to talk a little bit about some of the things that Joe has been talking about about making your clients more sticky. Right. And how can I increase the engagement I’m getting? And that’s with electronic delivery. When we first launched PlexTrac to the public many moons ago, we started from the beginning with the vision of allowing people to use this as a delivery platform because I don’t like reading, much less writing 300 page reports. And I definitely have seen my fair share of dusty reports sitting in the bottom of shelves. I don’t know anybody ever come to an engagement six months later and found the exact same findings all the time.

How can I make the data more available to people so it’s more consumable for them and also make the clients more sticky in the process. Over the years, we have curated the Analyst role and Plex Track to be designed just for that something that you can give to your clients so that they can come into PlexTrac and they can get electronic delivery of the results. But what we’ve done over probably over the last twelve months is we’ve added a couple of little small bits of functionality that make this process even better. I want to highlight what those are. And it really comes down to when do I release data? Right. Because in an ideal world, if I’m doing an engagement and I come across things that a client could start working on right now, I don’t want to wait until I deliver my report.

Everything’s been through the formal QA process, but I don’t want to release everything. Right. And so what we’ve provided now in PlexTrac is some functionality that allows you to have much more control even at the report and finding level over what is provided to your clients. And so you give one of your clients that analyst role and you authorize them to their data. And I’ve actually got an analyst role here. And if I click over to this analyst role, you’ll see that I have no reports associated with this user. But if I click over into my administrator user, I can, in fact, see the report that we’ve been working in.

And why is that? It’s because this report is still in draft status. So we’ve added the ability that any reports that are in draft status are completely hidden from the analyst user. So you can have multiple reports. You did an engagement six months ago for this client. They still have access to that report. But you’re working on a new project and you’re not ready to release any of it yet. We start all of our reports in draft status now.

That’s new as well. So by default, it’s not going to be available for them until you move it out of draft status. So if I were to move this into ready for review, save that. And now I go back over to that analyst user. I need to give myself a quick refresh. But what I will note is that I now have visibility on that report. And so great.

That’s awesome. So I can hop into that report. But wait a minute, I don’t have any findings. But that’s kind of strange. Well, no, that’s not strange. That’s by design, that’s not a bug, that’s a feature.

So if I go back over into the findings in this report, one thing you will note is that all of my findings have this Orange hue, or so I’ve been told.

By the way, one of the greatest things about having Joe join our team is I was no longer the oldest member at PlexTrac. So when we start talking about people throwing jobs all day, darn it. For people like myself and Joe, we also added this nice little Orange dots to indicate that these findings are in draft status. If I were to grab some of these findings and take a bulk action to take these out of draft status into publish status, my Orange goes away. I accidentally clicked on a filter there, but not a big deal. But now if I go back over to that analyst user once again, I refresh my screen here. You will note that I’m going to have access if the demo God smile upon me to those findings.

Right? So let’s think about workflow. We’ve got this great new write ups database. We’ve got our curated write ups, but we’re still going to need to modify them a little bit. I mean, we’re not given we’re not given canned information security. We’re going to need to modify maybe the details of what was discovered, maybe tweak the recommendations a little bit. But the moment that we bring those things in, if we bring them in and publish status, they’re instantly visible to clients that have been given access to the platform. And we don’t want that yet because we haven’t done that.

So how do you get yourself into the world that more closely mirrors what you’ve been seeing me do? Where is as I bring in findings, they start in a draft status so that until I take the action to move them out of the draft status, they’re not visible. This is an option that you’ve got available to you. If you’re an administrator, you go up to your account administration section and you roll over to your general settings and you have this toggle here. What do I want this to be? Draft or published, and I can toggle that hit save on that. And if I put this into draft status, mine’s actually already in draft status. I think I moved it back, playing around, getting ready for things. But this will ensure that when you bring in any new findings, they automatically start in that draft status until you take that action.

So we’ve been talking about that in terms of use for the analyst users and client delivery, which is great, but it’s also just easy to use for your QA process. We’ve got these great new QA workflow tools in here. You come in here, you make edits that need review.

You pass those along. By the way, one way you can do that is you can assign these things to the user. Hey, I made some comments. I want to assign that to Sean so he knows he’s got to come in here and review some changes. I get a notification once I’ve accepted those changes. Great. We move this out of draft status into published status.

The tools are there for you to fit into your workflow for, however, doing formal QA or peer review. So super excited about those additional enhancements and they just pair so nicely with the write up database and increased use of that. Now, this is great because typically what happens is you give a customer report, you’re writing it in Word, you PDF it, you give it to the client, and they come back to you and say, can you break it up? I don’t want to give the network findings to the Windows team or we just want the executive summary available to so and so. And that brings up a question for me. I see the export button. Sean, is it possible that a client could have the ability to change my findings and then export the report and all of a sudden they have a clean report, not saying that they would a couple of customers. Okay, yeah.

Now they can’t change the findings right now, what do they do on export? I mean, we live in a world where you can take a document, manipulate anything you want. Right. But for what they have available to them in the platform. Notice the difference in the UI. I don’t have the ability inside of this user, this analyst role to edit this data. I can pop the preview modal and look at it all day long. That’s great, but I can’t modify that.

I will say also, we do have the ability very easily through our role based access control mechanisms. If you did want to restrict a user from doing their own exports because you’re concerned about them manipulating the export, you can do that. You can take that capability away from them and make them give them a less privileged role and you can still give them a document. So one of the things that we have in every report is an arbitrary file storage, right? And this isn’t a hypothetical. I know at least probably six or seven of our partners that have done that. They’ve created an RBAC role based upon the analysts, but taken away that ability to export and they do that for them. It’s important.

Some regulatory regimes are very you can’t let the customer modify or change the output of the report because this goes towards the audit and there’s kind of almost a chain of custody that you have to keep in mind. Absolutely. But then what they’ll do is they’ll do that for the partner and then they just hang it here in the artifact section and fire them off a quick email. Hey, your report, you can come in here and review all of your results electronically, which got a little bug there. That’s what the fun part about showing code is still in the Edge branch. By the way, there was a question about when rid of TV will be released. Let me go back here.

Did we not sacrifice a developer to the demo gods? We did not. Probably we should this hit our Edge environment, our Edge code end of last week. And so we always Bake it for a few weeks in our test environment. By the way, if you are a Plex Track partner, you are fully authorized to have a test environment as part of your license agreement with us that you can run on our Edge branch. We do make the Edge branch available to all of our partners to allow you to see new features, test out how they may work, but definitely don’t want to be running this in your production environment. And we actually got about 30 partners that are doing that today. So we’ve got a great community that’s doing that and that’s great for us.

Right. It helps us shake out all these new features, especially something that is fundamentally different as we’ve done here with restructuring the write up database, for sure. There is one more thing that I had on my list of things to share today, and I know we’re getting close on time. There’s a couple of questions, and that one question or that one point is that the engagement does not have to stop with the delivery of the report. Right. Whether that’s electronic or whether that’s document based.

We have partners that have structured their engagements in a beautiful fashion. Where in the statement of work they include billable hours for retest. Right. And how do we perform that retest process in the most efficient way possible? Well, how about we just allow the clients to let us know with a quick notification when an issue is ready for retest. So if you have provided that analyst level capability for your user, let me get over here to report that’s got some data. So this is that analyst level user and they don’t have the ability to edit the data, but what they can do is they can come in here and they can move this to in process. By the way, we do have sub statuses.

I didn’t set up this environment with it, but assign this back to the team, back to the lead for the test, because the lead of the test is going to have access to the report too. Ready for retest. Right. And now we have just automated that process. We can retest this individual item and not have to wait for everything to be ready for retest and start charging more billable hours.

What else happens when you do that? Do they get an email? They do. They do. So the tester will get an email notification. They’ll also get a little Bell icon here. Next time they log in to PlexTrac, they’ll get you got mail. Sorry. Dating myself a little bit.

You’re so old.

We do have one unanswered question just about deployment options for PlexTrac. Yeah, we can deploy anywhere and we can deploy on any Nix box. We’ve got ones we prefer over others. I wouldn’t make a plug, though. PlexTrac where stock two type two certified. We are probably the most pen tested platform on the planet because it turns out all of our clients are pen testers and don’t trust us inherently.

By the way, if you are on and you do find a vulnerability that you’d like to report, we love you for you to reach out to us@securityoflectrack.com and maybe even provide us with a Ptrack of what you found.

Most definitely. I think we’re getting close to time here and I think we’ve answered most of the questions that I have seen. So maybe open down, maybe I’ll hand it off back to you. Yeah, sounds good. You want to stop sharing real quick and I can wrap this puppy up.

Yeah. Awesome.

Cool.

I’d be remiss as a marketer if I didn’t leave you guys with a couple CTAs.

Obviously, we talk a lot about the offset audience pen testers. We’ve got a great white paper that was actually originally written by Sean and our founder and CEO, Dana Class that you can go view online to learn the Ins and outs of writing the penetration test report.

Also, stay social with us. We’re on Twitter, YouTube, LinkedIn and we’ve actually got an Instagram handle now as well. You can find us at PlexTrac on Twitter, YouTube and LinkedIn, and at PlexTrac official on Instagram. And the last thing I will mention, if you like what you see and you want to get in touch with our team, you can book a demo at plextrack. Comdemo. Happy to walk through a specific demo for your use case and your team. So, yeah, thank you to Sean, to Joe and to Brian for joining us.

Today was a great discussion and showed off a lot of really awesome new functionality on the platform. And Sean, happy to have you back on webinars and I took your note and we’ll cancel you in for some more here pretty soon.

But yeah, that’s what I’ll leave you with. Guys, any closing thoughts here before we let everyone go? Just a couple of things to chat Darn. People were asking whether it be slides or things like that. The recording will go up, I’m sure, in our YouTube channel. Right. So that’ll be available. And there was a question about if there’s a limit to the number of Reposit that’s attached by licensing.

Now, I cannot say that I’ve stress tested in the three days I’ve had the code how many thousands of repos I can create. But I think if you’re creating thousands of repos, you’re probably missing the point or you’re huge or you’ve got thousands and thousands upon engagements. So the other thing I’d like to call out is the cup of Joe series where we’re going to take this and kind of extend it in small bites and give you even more tips and tricks on how to use the Plustrack platform. Yeah, absolutely. Stay tuned to the blog as well as our YouTube channel that will have both a video and a written component to it.

Well, awesome. Yeah on that note I will let everybody go to like an extra minute of everyone’s time but yeah have a great rest of your Tuesday everybody.

Thanks so much, cheers see you soon.

Bye.