PlexTrac Like a Pro: New Features to Boost Efficiency and Effectiveness

Category: PlexTrac Update Series

Transcript

We just had a few more people join in. So what do you say, guys? You want to get started? Yes.

Awesome. Well, cool. Yeah. Thanks, everybody, for joining us today. Today is our PlexTrac Like a Pro webinar. We’re bringing it back.

And the focus today is all about efficiency and effectiveness.

We’re bringing a lot of new really awesome features to PlexTrac, and our awesome team will be showing that off. But it’s all around the idea of helping you do your job quicker, better, and in one centralized location. So, yeah, we’re excited to get started here. And, yes, without further ado, I will introduce our panelists. My name is Dallan, and I’ll be the moderator for today’s session. But I’m by no means the star of the show. Sean Scott is our VP of success.

Sean, you want to say Hi to the people, everybody? Hey, people. Sean Scott. I think I’ve probably talked to about four fifths of the people I see in the call here. Been with PlexTrac since 2019, since the early days. So happy to be here and happy to be on with some newer members of the team. Yeah. And.

Yeah. Next we’ve got Landon Reese. He’s our VP of product. And Landon, I believe this is your first webinar with us. Right? You got it. This is the inaugural webinar for me. I don’t know how I got out of it for three quarters of a year.

I’ve been here for quite some time now, but excited to be here to chat with you all. Awesome. And last but not least, we’ve got Brian McGaffin on the call with us today. He’s lead sales engineer. And, Brian, you want to introduce yourself? Yeah, Brian McGaffin. I’ve been here a little shorter time frame than Landon, just hit seven months. And loving it here.

I used to do pen testing and GRC work way in the past. And one of the reasons that I didn’t do it was documentation and having to find everything that I’ve already done before, I just couldn’t remember where. So it’s awesome to be here. As soon as I saw it, I knew that’s where I got to go. Awesome. Well, sweet. Yeah.

Thanks, you three, for joining us today. And, yeah, before I turn it over to you, I will detail the agenda for today. So, yeah, like I mentioned, we’re here to maximize your efficiency and effectiveness as a security team and a professional. And we’ve got some really awesome new features to help you do that. So first we’ll start out with a couple of new integrations we’ve got with Hacker One and Snyk, and then we’ll jump into Trends and SLAs and show off that new functionality. Then we’re going to hop into WriteupsDB Multiple Repos, which is an awesome new feature and the start of something really special on the platform. And then we’ll close it out with short codes and QA workflows, and then all things time permitting.

We’ll have a little bit of time there at the end for any questions that you have. But we’ve got Q and A functionality on this webinar, so if you’ve got any questions, don’t hesitate to throw those in the chat and we’ll get to those as soon as we can. But, yeah, that’s all I’ve got. I’ll turn it over to the pros now. Sean, do you want to take over and get this thing started? Yeah. Thanks, Dallan. Appreciate that.

And we’re going to show off a lot of great new functionality today. And the functionality and what you can do with the platform is awesome. But honestly, what I am just as excited about having been with PlexTrac from the start is how we got here and the process improvements that we’ve put into place.

This is Landon’s first webinar, and we’re so excited to have him here. But a lot of the features that we’re going to be showing today are direct results of the incredible work that our product team has done and helping us as we grow, mature the organization, and really take that product driven approach to deliver very well polished and very functional features. So before I actually get started on button smashing, I actually would like to turn it over to Landon just real quick maybe for the folks that have been with us for a long time and are used to just throwing all their great ideas my way about how the product function works within PlexTrac today. Yeah. No, thanks, Sean. I appreciate it. And thank you for the kind words, too.

I promise not to take a ton of time. I could wax poetically for all 45 minutes, but we’ll just take a couple of sentences here. We got a lot of great features to go through. Ultimately, my team is all about listening to the market and listening to the company, our customers, and figuring out what to build next and then getting it in front of customers and our internal stakeholders and all you pros out there as fast as we possibly can to make sure that we hit the mark. And so a lot of the features you’ve seen here today, I actually recognize some names on that list as well. It won’t be a surprise to you. And for those who is not a surprise, thank you so much for all your feedback as we go through.

So that’s the gist of my organization. We were full of designers and product managers, if you’ve ever heard those roles, but we’re here to make sure we delight our customers in a margin enhancing and hard to copy way. All right. Thanks, Landon. I appreciate that. I like especially the hard to copy way.

Outstanding. All right, so the first thing we’re going to talk about today is our Hacker One integration. And if you’ve not been completely deaf to the industry over the last year and a half, two years, you have definitely been aware of the rise of Pen testing as a service. There are many services out there. Hacker One is one that is popular, and it is the first Pen testing as a service integration that PlexTrac is providing. So before I start clicking buttons, Landon, do you have a couple of words on kind of what our approach to this has been? Yeah. Our goal here was to really help you be able to utilize your bug bounty programs or Pen testing as a service tools inside the platform and allow for the same kind of reporting and remediation that you get when you do your traditional Pen testing.

And so that was the main thought process that we went through as we were designing this. And the value I think, Sean, will be able to show as you go through. But now you can push your triage like bug bounty findings or your Pen test service findings from Hacker One into PlexTrac in an automated way. And just one less step for you all as you try and get out of those reporting. And one more bonus of consistency as you try and deliver your message to your internal folks or your customers. Outstanding. So one thing that I do want to point out from the get go is this is an API level integration.

There is no documents exports required, no imports, no parsing. Once this is available in your instance of PlexTrac, you’re going to have a new feature in your administration control panel called integrations. And so clicking into Integrations, I have my Hacker One demo set up, but this is one integration in a list. And so we have actually delivered a new framework that’s going to provide the foundation for all of our API integrations going forward. You may want to touch on that, Landon. I do. And so what I’ll do is for all those who are watching here, I want you to think about this as a pattern.

Yes. This is the way that it works to import your bug bounty information or the reports that come from Hacker One. But this could easily be the way that you get your findings from Snyk, or it could easily be the way that you do an automated integration from a vuln management tool or a vuln scanner. So this capability or this pattern is something that we’re really leaning heavily into as we continue to invest in our API level integration. So just keep that in mind. And I think, Sean, if I recall, for today, we’re going to walk through Hacker One, and we can talk a little bit about how it works with Snyk. But the beauty is when that comes out in the next couple of weeks, it’s going to be the same pattern.

It will look very familiar to what we see today. And that is on purpose. Outstanding. Setting this up is very simple. You throw it a name. This is an arbitrary string. Could be whatever you like.

Because once again, you’re going to have potentially numerous integrations at the API level. So you want to keep them distinct. Your username and API key, that’s what you’re going to get from Hacker One. Pretty simple, pop it in there. And actually, if I go ahead and hit Save, configured successfully. One thing, I was going to actually tear this down. But what’s really nice is when you do first initially authenticate, you get a nice success message, lets you know everything’s going smoothly. Something else that we’ve heard with our integrations from customers that have existed at the API level with Tenable, which is an existing API integration, is having some sort of in platform method of getting situational awareness on the health of the integration.

So part of this new pattern is that we are providing a sync log with these. So if you have questions about the health of the integration, you can simply pop into this sync log and get the success indicators. Hopefully that everything is going well. If not, you might want to just check your outbound firewall settings. Right. For the Hacker One integration, we are doing the poll once per hour. All right.

And so what is happening is once per hour, we are going and we are fetching all of the available findings that can be downloaded. We’re going to demonstrate what that looks like coming into a report. But what’s really cool is this other tab here, which is mapping. And Landon, I’m going to let you actually take a moment or two to talk about how the schema works today and where we’re going with in the future. Yeah, absolutely. So if you look at any kind of integration, the very first step you need to get through before you think about all the different, like authentication, etc., etc., is what data goes to what, right? It’s a giant mapping exercise. And frankly, what we’ve learned from our customers and we’ve learned across the market is one size does not fit all. And so part of the pattern that we’re deploying here is the ability to have you map one field to another from Hacker One or whatever tool we’re talking about into a PlexTrac finding entity. So this is the way that we are going to handle that kind of mapping going forward. We want it to be as simple as possible, least programming as possible. And then as we continue to invest in our framework, we’re looking at things like maybe we do more than one unidirectional sync, maybe it’s bidirectional, maybe it’s the other way.

So as we continue to invest on the framework, we’re going to see more capability come here. Outstanding. Well, enough of the set up. Let’s actually see this in action. So getting this data into a report is dead simple. If you are at all familiar with PlexTrac, you know that getting a report created is dead simple itself.

I’m just going to call this my Hacker One report from today. No need to set up any additional fields for today, but I’ll go ahead and submit that and we will be in a blank report that we can begin playing in. Findings from: so many of you in the past have used the add findings from tools to bring things in from our static parsers, from those XMLs or JSONs or YAMLs that you can export from other tools. But now you have this option for from integrations. So in choosing from integrations, we see that right now it deployed directly to our Hacker One integration because that’s the only one that I’ve got configured. You’ve got a number of filters that are available for you on the left hand side that will allow you to drill in and fetch the data from various Hacker One projects and methods of organization that exists within Hacker One. The filters that you see today.

These are unique to how the Hacker One integration works. You’ll see the same sort of pattern, though. You may see additional or different filters with other integrations based upon how their organizational structure is in their environment. But with no filters applied, you can see that I have four of these findings that are available for me from Hacker One to pull into my PlexTrac record so I can grab a few of these and then select that I would like to add these to my report. And when we do that, you now see that we have brought those into a report, just as if you parse the static integration as well. Now what’s really cool is if I go back to do that again. So if I go back to add findings from integrations once again, we’ve got the Hacker One as our integration here.

And of course I did not sacrifice my goat to the demo gods. I also forgot to provide my usual disclaimer that we are sharing our beta testing of Hacker One. So don’t be shocked if we see a few things or two that doesn’t quite line up. But what you’ll notice that I’ve only got two findings available for download right now, and the reason why is I’ve already downloaded the other two. Doesn’t mean that I can’t redownload them. They’re not available for me if I come up here and I unclick this button to show Hacker One reports already added. Actually, it’s well, once again, I’ve got the ones here. These are the ones that I’m going to add now.

But you’ve got this filtering so that you can see the ones that you’ve broken or you’ve already pulled into your environment. So adding those additional findings and now we’re back to all four findings. Everything else from this point forward with the Hacker One integration is the same. You’ve got a finding in your environment. You can edit it, you can enrich it, you can modify it as you see fit. So Brian, I know back in your day you didn’t have a whole lot of use of pen testing as a service. But I know you got a lot of friends in the community.

What do you see as far as trends out there, as far as being used both in both enterprise and even for consultancies as a service? The problem is when you have consultancies or enterprise starting to use multiple platforms, they don’t all integrate together. Right. They’re not pulling things together. You’ve got to go to multiple locations just to pull together one report. And so that’s where the value, I think of PlexTrac in this use case comes into play.

It’s that one throat to rule them all. The one ring to, I was going to say throat to choke, but this is all, you know, we’re helping things breathe better, if you will. But, yeah, that’s my thoughts on that.

From what I’ve seen, Brian, is that when organizations are outsourcing some of their work to pen testing service, that they’re being very deliberate. They’re choosing their crown jewel assets, the things that they want continuous testing on. They want someone banging away at because they want to know right away if something is amiss. But once they have that information, now we start entering the remediation workflow. Right. And if I’ve got my crown jewels that I got the world banging away at and they do find something, I’m going to want to get that taken care of quickly. And mature programs, from what I’ve seen, have internal processes or benchmarks or service level agreements for time to remediation.

And that can be based on a number of different attributes. It can be just based upon something as simple as the severity of the finding, or because not all critical findings are created equal. It can be a combination of attributes. Right. It can be the severity of the findings with, for example, assets that are crown jewels, the domain controllers, the identity and access management providers, things like that. And this is something we’ve heard loud and clear. PlexTrac for a long time has provided a great method for you to track remediation, but we’re taking it to the next level with our new feature, service level agreements.

And, Landon, you want to give us a little bit of a set up on what we’re going to be seeing here? Yeah. Maybe I’ll start with the overall vision. When you can aggregate the data, you can help report and remediate from all the different platforms and tools. You have an opportunity to automate even more of the workflow and make it even more efficient. And the goal of service level agreement is to help you all figure out what should I be doing today or next and what’s coming up soon. Right. And how can I have the system tell me that rather than have to remember in a spreadsheet or take a note and go find it? And so this is an investment in that space one of many that will continue to make over our time in the product, but really excited for this capability to come and for Sean to show you all awesome.

So first and foremost, when you pop into your service level agreements, which does exist in your administrative functions, you’re going to see that we’ve got four pre built ones here, right? And these will actually all be disabled by default. You can enable them if you like. Now what you see for the name here. This is also just an arbitrary string. You will note that I’ve created my own service level agreement, which I call it Critical and High on Crown jewels. I have been an information security leader. Once again, not all findings are created equal, and a high finding that exists on a critical asset may be something that I want to prioritize for remediation over a critical finding, if you will, on a laptop in the marketing Department.

No offense there, Angie.

So the beauty of this is that I can create my own service level agreements that are tailored to really target those particular things that I care about most. So I’ve created this one here and I’ll kind of walk you through a little of the functionality. The first thing is, what is my target time for remediation? Right? And so for this I’ve selected two days. I would probably be wanting to do that faster if it truly is on a crown jewel, but I’m giving myself a little bit of slack here. I have then the option to start assigning the attributes that I want to associate with this SLA so I can choose either one or multiple different findings severities. Now, I do have to choose a finding severity, but luckily enough, I can choose them all if I still choose to see fit. Right? But the finding severity is just one of the attributes I can use.

I could also say Finding severity of critical or High. And the finding itself has a certain tag, right? And what is that tag? It can be whatever you like. Or maybe going back to my analogy of this being present on an asset that is extremely important in my business, I can choose it based upon other attributes of the assets that are associated the affected assets. So those of you who are familiar with PlexTrac reporting know that for every finding, you have an opportunity to assign affected assets. And those affected assets have something like, I don’t know, 36 different possible attributes you can assign. But one of the more important ones is the asset criticality. Right? You don’t have to use this.

It’s an option for you. And once again, that becomes an and statement with the severity of the overall finding. But the last attribute that we can use is the asset tags themselves. So assets in PlexTrac exist as independent data objects from any findings they are associated with. That’s what allows you to get that macro level view, that asset view of everything that is impacting a particular asset, and you can tag your assets. And so what I’ve chosen for the attribute for this particular SLA is simply the tag of crown jewel, common industry standard term. I think most people understand it.

So great. Now I have set up what types of data go into this bucket. Well, what am I going to do with this? Well, the first thing that we can do is set up notifications, and notifications can go to two audiences. The first one is to the user that is assigned to the finding. For every finding of PlexTrac, you have an option to assign it to someone for remediation or other action. Right. And so I can say I’d like for this given user to get a daily summary email.

And this is pretty cool because roll up emails are a pretty new bit of functionality. Landon, you want to comment on that at all? I mean, there’s not a lot to share to add on the roll up capability, but it’s pretty exciting. I think what I’ll say and I don’t know if you plan on showing it or not is we put in a lot of thought on what we want to do in a roll up email because we know that this information is private, we know this information is important, and we need to stay within our platform. So what I’ll assure you is that it is truly a roll up in a summary that just in case, for some reason, this gets in a place where it might be exposed that we aren’t sharing anything but a number. Thanks, man. And yeah, I totally failed my prep to bring up an example, but the email that you do get, it simply gives you a count of the number of findings that are either approaching or have exceeded the particular benchmark with a hyperlink that will take you back to the platform. There’s no titles of the findings.

So you’re not going to get an email that says CVE 24 is present on VPN endpoint 2223. It’s just going to be a simple hyperlink that goes to take you back to PlexTrac so that you can investigate that further. And I’m going to show you where you can do that in just a moment. Right. But another option that you’ve got is, hey, start sending me a little bit of gentle nudging Ping me. Right. If I get to say within 12 hours of this busting this gate, this benchmark, hit me up with an email, let me know, and then also maybe send me something when I’ve actually busted it.

Okay. Now, I know that the boss is going to come looking for me, or if I’m the boss that I need to go looking for somebody. Right. But if you are the boss, one thing also is really cool about our notifications is you can also identify other recipients that get and have options for the same sorts of emails. So maybe if I’m the CEO and I really just want to know when the team hasn’t met their objective, I can choose to get a notification and I can choose to get this email myself as well. Now, for the recipients, the selections here are going to be users that exist in your PlexTrac tenancy. Once again, that security concept.

We don’t want you setting this to Putin at Russia Ru. Right. So you want to make sure that you’re sending it to somebody who is going to be able to do something with the hyperlinks that are sent and also obviously could offset there. But one thing that I’m really excited, though, is how granular we’ve gotten with our notifications. I really think you can tailor this to the level and the volume, so you’re going to get the signal and not the noise that you’re looking for.

All right. So now I’m actually not going to save that because I don’t want to start the cascade of emails to my inbox. But we’ve got this set up for notifications, but I probably want more data than just having emails about this stuff. And so we’re super excited to unveil a new area of our analytics. So if I pop over to analytics, those of you who may have updated recently may have noticed that the trends tab has been changed to Trends and SLAs. What do we got going on here? Well, the first thing that you’ve got is a simple mean time to remediation chart. Right? There’s very few industry standard metrics that everyone in this industry can agree upon from a defensive perspective.

And I think that mean time to remediation is one of those few. And so what you get is an indication over time of what your mean time to remediation has been within any given time frame. Right.

And actually what I’m going to do is I’ve got a filter in place. These filters work, by the way, just like filters do in all the other areas of analytics. And we default to the last 30 days. I want to take a little bit longer review. So I’m actually going to go back a couple of months and we can get a look at what is our mean time to remediation since the beginning of December. And you can see that in general, we’re probably doing close to the right things. We’re resolving things that are critical severity quickly, at least more quickly than our highs and putting off some of the remediation of those less severe categories like mediums and low.

So we’ve got a little bit more bandwidth. Now, these metrics right here, this is the aggregation of all closed findings by severity. This isn’t dependent upon what SLAs that you have enabled in your environment. This is just your overall mean time to remediation. So if you’re preparing your packets for the board meeting, this is an incredibly useful graphic to probably take a screenshot if you’re telling a good news story, you might not want to share it if you’re going in the wrong direction. Right. Brian, is this the sort of thing that in your past life that you would have been useful to you and your reporting up to the board? Oh, yeah, to the board, to the people that I was working with and doing the actual remediation.

They wanted to have some of these metrics as well to see how they were doing on their own types of metrics. How is my team doing? Not how is the company or how is it from a management perspective or a board perspective? Hey, it’s time for my annual review. How did I do on what I was working on over the last year type of things, too. So it goes both ways. Yeah, it’s a good point. And to that point as well. If I was doing Brian’s here performance review, and I really wanted to just drill down into what he was responsible for.

Once again, all those standard filters are here. I’ve only got one client built out today. But, you know, I could definitely hold Brian to the fire on that. But we don’t stop there. So moving on down, this is the same. This is nothing new on this. But if you haven’t paid attention to this, it is useful.

Right. Because I always call this the winning losing graph, because ultimately I kind of want to see some parity, maybe ideally even more a little bit green, because red are findings that I’ve opened and green are findings that I’ve closed. And blue is my line of the total open right now. I just imported another scan result last night. Haven’t done a lot of work, but that’s okay. But this is a great one stop shop. Once again, if you’re looking for that real time feedback, am I winning or am I losing the security battle here? This is a great high level view of that.

But let’s get to the star of the show and get down. Before you go on. You asked me not to close anything, so you can’t use this.

I did. You’re getting ready for this this morning. I was like, all right, Brian, I’ve got my data set in the platform. Don’t go in there. Start monkeying around with it, or I’m not going to have pretty colors to show.

All right, so let’s get to the star of the show, which is the actual graphs on the SLAs. Now, these are fairly simple graphics, but that’s okay because they’re here to tell one story. And that story is, am I meeting my benchmarks or not? And so for each of the SLAs that you have enabled, what you get is the line that is established. And as you can see here, we’ve got three days. This is the line I have set for my target remediation time for all critical findings. Right. And we can see that historically, based upon the findings that are closed, that I’m not doing as hard as I want to do lately as I was towards the end of last year. I blame it on Omicron, right? Blame it on what you will.

But you’ve also got these widgets up here, and these widgets will give me the actual finding detail on each of these findings. So what you’ll see is that we have one finding here that has busted the time to SLA that is still open. And I can even take this further and hop directly into that finding to get greater detail about it. You’ve also got the historical data for things that have closed, and you can see that, yes, these are closed now, but we didn’t meet the benchmark for it. We were a little bit over. And once you’ve got this modal open, you can actually pop in between and see other findings. So if I wanted to see things that are within the SLA, it doesn’t look like I have any Criticals or nearing the SLA.

Not much to show there, but that would be the same as if I chose these other widgets. It’s just a different way of getting to the data. So I can now go back to exceeding and see that same sort of view. Just taking another look at this one here, you’ve got your Criticals with high and highs on your crown jewels. Once again, it’s a simple story, but a powerful one: am I meeting the objectives that I have set for my internal remediation.

So really excited to get this out the door. Any additional words on that? Either Brian or Landon? I love this view. I think it’s so valuable to just tell that story of historically, how are we doing in a little more granular way? Because it’s filterable down on the specific SLAs that you have set.

Just a couple of things to add, I think one is just to note, as Sean was scrolling down, you may have seen a purple gear with an edit settings button. You have to scroll up to show it if you need to get to the administrative panel and you want to be able to configure them. We actually put that link right there for you in the application. And that’s just to make it simpler because we’re thinking about efficiency even when it comes to building our product, not just doing the work that our product helps to do. So that was something that I wanted to make sure that you saw.

And I think the other piece that’s really nice to remember is that this is filterable and configurable by you, just like any of the other things within our analytics. So know that you can use this to help slice and drive your team the way that you need to, right? Yeah. And by the way, just to maybe nail that one more time with a hammer on our focus on user experience, new member of our team is Malcolm that we just added, as our user experience expert, I don’t even know researcher. Yeah, he’s a user researcher. As we think about scaling out, when I said tongue in cheek, we listen to our market and our customers and we figure out what we do next. A lot of our job is to help us do really active research, both qualitative and quantitative. And so PlexTrac is investing in not just those who do the work, but also those who help us research and figure out what’s best to do the work and help us look at the signal across the noise as we think about what to do next.

User researchers is just what they sound like. It’s almost like a security analyst just in product land.

All right, so now on to the write ups database repositories. Now if you saw the last webinar that I was on, we did a little bit of a preview, a little bit of a teaser for this. It was still very much in beta, but this has been in production for about a week and a half, maybe two weeks now and really excited to talk about the functionality that we have here. So once we get to the write ups database, we have something brand spanking new called repositories. Now maybe I should start out back in legacy land. You’ve got this other tab here called Write Ups and the Write Ups tab, it will give you the list of all the available write ups that you have. If you’ve used PlexTrac in the past and you went to the write ups database, this is what you saw.

You had a flat list. You had Tags that can help you organize these things. But we’ve been hearing for a long time from our users that they would like two things. They want more organizational capability around these, and they want greater control over permissions. And the control over permissions really gets more important as our partners teams scale because you inevitably have a Delta. You’ve got very junior folks that you are introducing to the industry, that you want to be able to use write ups, but you don’t want touching your write ups with a ten foot pole on up to the actual people who are the experts and who are maintaining the accuracy of these, but now also ensuring that we have integrity of the data that is here. Those are the two functions that Write up Repositories bring for you.

So before I start talking about the use cases and the functionality here, for those of you who have been updated this last weekend that we are hosting or have updated your environment or about to, when you come to your write ups database, you will have only one repository. You will have this default repository. And the default repository is where we have migrated all of your existing write ups to. Now, as far as the permissions that are associated with those, there will be no fundamental change to your users, because this is a type open repository, which means that any user that has access to the repositories has the ability of having read or write access to the data to the findings that are in here. But before I go into a deeper discussion of that, I am going to bounce over to our role based access control, because we have had some changes there. So if I go down into security and I head into role based access control, and I’m going to inspect the standard user profile for this RBAC role, and if we scroll all the way to the bottom, we will notice that we’ve actually simplified the permissions around write up database, and it is now simply two permissions. Do I have access to the write ups repositories, or do I not? And if I have access to these, then any permissions on the content is going to be controlled at the repository level within the repositories.

Right. And then do I have the ability of managing write ups and repositories? And what does that mean? That is the ability to create or delete. So there’s a good reason why we did not include this as a standard permission for the standard user, because the ability to delete a repository is pretty powerful. You can make hundreds, maybe thousands of lines go poof in a heartbeat. So you want to be very conscious of who has this authority. You may even want to consider a custom RBAC role that mirrors your administrative function that does not have this permission, because out of the box, your administrators all have the ability to create or delete repositories. Moving back to the write up database repositories.

So as I mentioned, we’ve got three different classes of repository. When I go to create a new repository, I’m given the option of choosing which one I want, and they go from least restrictive to most restrictive. Right to left. Now, an open repository. If you create this type of repository, anybody can read, write, add, delete, findings, edit, whatever they need be. Okay, there’s some pretty logical use cases for this type of repository. I’m going to walk through with you and then you’ve got the next step up in restrictions, which is managed.

Now, for a managed repository, any user that has that left permission, the ability to access repositories, will have the ability to view and use. When I say use, I mean pull these write ups into a report from a managed repository. However, only the creator of the repository will initially have edit permissions. And then of course, they’ll have permissions or the ability to give other users those edit capabilities, as well as the ability to manage additional users. Right. And then the most restrictive. And by the way, before I move on, managed repositories is going to be the workhorse for most organizations.

This is going to be where you want to put your production write ups so that everybody can use them, but only a limited number of people have the ability to manage the actual content. Right. And then you’ve got the absolute most restrictive, which is private. Now, private differs a little bit in the initial permissions because, unlike managed or open, users that have access to repositories don’t get any access whatsoever to a private repository unless they are discretely permissioned. Right. So let’s talk about use cases for these things. As I mentioned, managed is probably going to be your production place that allows everybody to use these things and to pull them into the reports.

However, if you’ve got a team of maybe 150 testers, you may have a monopoly on the permission to edit things, but you don’t have a monopoly on good ideas. And so a common use case for the open repository type that we’ve already heard from our beta testers is having dropboxes, right. And so this gives anybody the ability to think of it if you’re familiar with software development to submit a PR. Right. Hey, I’ve got a great idea for a new write up, and I think that this should be included. A privileged user can then come in, review this just like they would any other write up, make edits as need be. And if they choose to accept it into production, this is pretty cool.

Some new functionality that we’ve got is you can copy or clone or move this. I want to keep my Dropbox clean. I’m going to accept this one. So I’m going to move this out of the Dropbox and into my app section repository. Right. And so that’s it. So really common use cases for the open that we’re already hearing.

Now when might I want to use a private repo? Well, this is where I might want to start working on new things, right? Hey, a new zero day is out and we’re just getting the details. And so we start building out our write up, but we don’t have all the details. We don’t want people to start pulling into the reports yet. So I can start building that in my private repository. And then once it is ready, just as I move something up from a less restricted to a managed repository, I can then once this is ready for production, just simply move this now into my production repository. Right now I did mention that for the private repositories, that when you initially created, no one’s got access to it other than the creator. But the creator can simply go up to users and permissions and they can add additional users.

So I can choose that. I want to give Landon permission to be a viewer to either view this or be an editor. And maybe I also want to give Landon the ability to manage other users.

And so now I’ve given those additional permissions. It works the same way when I’m working inside of a managed repository. Only the creator of the manage initially has edit capability, but I can simply come up here. And since everyone already has the ability to use this, it’s simply just choosing who do I want to have edit capability and who do I want? That’s a bad idea right there. Pardon me. Sorry. That was a bad idea to give me to.

It awesome. So really excited about this before I kind of go into the report, maybe open it up for the peanut Gallery here if you got any other thoughts on this. I’m really excited. This organizational structure that we came up with I think is amazing. And I don’t know if we want to talk about what the future is structured at all, but I’ll turn it over to Landon. Well, I think one of the things that we talked about a lot, and I want to harp on this this way without going into too much detail. But one of the ways that we really want to help our users is with patterns and consistency.

And so if there’s a way that we’re managing content or there’s a way that we’re managing integrations or the way that we’re managing something that you kind of have an idea of how it should be because we use the way we do it another way in other places. And so when we’re introducing repositories for write ups, you can imagine where there’s other reusable content in our platform that we’re investigating how we can have a similar approach. And so just like I mentioned, with our integrations, we’re really leaning into this pattern to help you all have a more efficient way of managing the content, whether it’s narratives, run books, type stuff, you name it in a repeatable fashion.

Outstanding. All right. We do have a question. Any plan to make write ups permissions more granular? Read, edit, delete? See, I see what you’re saying. Not just the ability to edit, but the ability to delete and separating that permission. That is a great idea. I actually do want to maybe take a moment to highlight something that we have gone live on about eight weeks ago.

This is going a little bit off script, but I’m going to do it live. Right. And so while I get logged in here, Landon, do you want to maybe talk about a little bit about what I just brought up on the screen? Yeah, absolutely. So for those who are our current clients and that are part of our PlexTrac family, you are able to submit customer ideas and then vote on other customers ideas that come in. My product management team is actually engaged in managing these, and we allow this to influence our roadmap and how we look at optimizing our product. So these types of questions right here that came in around, how do we get more granular permissions? This is the perfect kind of fodder for submitting within. Here we have product managers that are actively engaging.

They will ask questions if there’s any kind of clarification. And then if and as it gets promoted into our development process, you get automatic notifications via email, but also through status inside the portal on what we’re doing. And so when I mentioned that we really listen to our market and customers, I really meant it. And this is one of the ways that we do it at scale. Yes. And this is what I’ve been really proud about. And my team doesn’t own this process.

This is Landon’s team. But I’ve been just really proud of the fact that this is not a place where things go to die. They are actively engaged. This needs clarification indication here. This means that one of the project managers has reached out to the submitter for following information. Help me understand exactly what you’re looking for here. This is a success story.

Hey, we’re going to do this. It’s gone into a planned sprint or a planned epic, I should say. Future consideration is this isn’t a bad thing. We love this idea. It doesn’t fit cleanly. And correct me if I’m wrong on any of this, Landon, it doesn’t fit cleanly into a bucket right now of something that we already have on the near term roadmap. But we like it.

We’ll stay in consideration. Yeah, exactly.

We try and be as transparent. We want to treat you all as like in the findings. Not everyone has the corner on great ideas and we want to listen to wherever we can have them.

This is our good idea. Bucket. Yeah. I just dumped the link to this in the chat. Now, if you’re not a current PlexTrac client and you go there and you try to register, it’s not going to work out so hot for you. You do need to have the email domain of one of our current clients.

Perfect. Let’s jump back. Yeah. All right. So cool. I know we got a lot to cover in a little bit of time. Last thing I want to cover on the write ups is just the other things are going to behave as you would expect.

So as I go into my findings, when I want to maybe commit a new write up to a write ups database that I’ve prepared that’s new so that I didn’t pull that was reusable. I now have the options, and the options that are presented to me are based upon those that I have that edit capability to use. So outstanding. All right. So where we want to head to from here is what we’re going to transition to now is a couple of features that have been out for a little bit of time, but are so powerful that we want to make sure that we are highlighting those to anybody that we may have missed. And so the first one I want to bring your attention is Short Codes. So Short Codes are a new feature that exists in account administration.

You’ve got short codes here in your tenant settings. And let’s talk a little bit conceptually about what short codes allow you to do, because there has been some initial confusion of people, because a lot of folks know that we use Jinja as our templating language and we replace data on export into a document. Short codes are about in application replacement of variables with text that you also put into the platform. Right. So we just spent time talking about writeups reusable content. We alluded to other reusable content. We’re going to talk in a minute here about where you might use these in your report templates.

But any place that you’ve got reusable content in the platform that you would otherwise need to go searching through. I need to change the company name. I need to change the application name. I need to change the short name of the client. Any of those things that you would want to have variables for in a reusable content.

We give you the ability to define those yourself in PlexTrac. And how that process works is pretty simple and intuitive. First of all, you have to have the string that you are going to use. I’ll just edit this one to kind of demonstrate the strings that you choose that you are going to put into your reusable content. All need to start with a percent and end with a percent. And what goes in between just needs to be a single continuous string. Those special characters doesn’t have to be all caps.

I like it. It makes it stand out nice and easy for me. And then you get to choose. Okay.

When I go to replace this string in my reusable content, where am I fetching that data from? Well, I can fetch it from one of two places for my custom shortcodes. There are some built in that I’ll talk about in a bit, but I have two choices. For my custom shortcodes, I can choose to either get that data from report custom fields or from client custom fields. Right. And then there can be, of course, many different report custom fields. So what is the actual label of that report custom field that I’m looking for? Right. So pretty simple to set up, but once you’ve got those set up, you want to actually use those.

Right? So I’m going to show an example in the report template. So here’s my baseline Pen test template. And so I have set this up so that whenever I start a report using this template, I will have automatically populated my application name, a start date, and an end date. And this may look familiar. Right. We set up a short code to pull from report level custom fields for application name and also for start date. Right.

And an interesting thing about start date. We’ve actually got a couple of different ways you can use shortcodes, and I’ll explain that here in a moment. All right. So if I get down into my reusable narrative sections. And obviously in a real template, you’ll have multiples of these: methodologies, scope, rules of engagement, limitations, any of those things, you use these shortcodes and to put these in where you would normally do things like put bracket company name and have to manually replace this stuff. So you can see that I’ve got start date, which maps to my shortcode of start date here. We’re obviously not going to put the values in because that’s going to be dependent upon your report.

And I’m using my client name. Now, client name is a built in short code that actually pulls from the actual name of your client in PlexTrac. And then I’ve got application name, short name, things like that. So let’s see this stuff actually in action. So I’m going to go into clients and I’m going to create a new report. And when I do that, you will note that there are no report level custom fields now. But as soon as I choose that report template, you’ll see that we’ve got now those templated, report fields.

So application name. I’m going to call this Landon’s App. All right. And for the start date, I am actually going to do something a little bit wonky. And I’m going to say it is the 9 December in the year 2022. I’m going to explain why I’m doing it in a moment. And I haven’t bothered the end date here.

Now, I’ve already got a start date and end date picker here. The reason why I’m demonstrating the use of me having set up a short code is because when you use a shortcode for this, this is one of those little tips and tricks, those pro tips. Right. We’re PlexTrac like a pro.

We have worldwide customers and we have pretty much realized that there is no way we are going to satisfy everyone with the date time format. So this gives you full control versus the built in short codes. So when I submit this, what you will note is that I’ve got my pre built narrative that comes in from my report template along with all of my short codes to include the built in one that I’ve now picked dates for. So if I go to search and replace and I simply hit replace short codes, it is going to then fetch that data. And you can see now we’ve got the 9 December. We’ve got my client name. Sorry.

We have my client name thought to the industry pulling from the actual client name. We’ve got that short name of Sawtooth. Right. And then we’ve got my built in short codes as well. You can see the difference in dates. And there’s Landon’s App. Right.

So, Brian, how much time would this have saved you in your previous life? Oh, man.

Where this hits me personally is whenever one of my templates would get corrupted, right. You get a customer name or you get an application name stuck buried somewhere in a narrative section that you do your find and replace, but you’re looking for the wrong thing, right? So it’s already been replaced. They got auto saved and overwritten or something like that. And this would have saved me on so many times because you don’t want to have to go back and read every page of a 300 page report to make sure that you don’t have an Acme when it should have been Sawtooth, right? Not to mention the oh, crap moment when you realize after it’s shipped that you’ve included a previous client name. Now what’s interesting, by the way, is if you do have a short code that you don’t have data for, we don’t replace it with blanks. We just leave the short code in so you can visually see that and then go back, put your data in, rerun short code replacement.

All right. But that brings me I know we’re running short on time. I think we did a good job of scope and the content here. Last thing we want to cover on this is the feature that’s been in PlexTrac the longest, but still not everybody’s aware of it. And that is the QA workflows tools. So today and demo gods, I am going to hop over to a new environment because I forgot to turn it on in this environment. So while I’m doing that, somebody tell a dad joke and tap dance.

It’s not too bad you think about how much we showed. That’s all. Yeah. While you’re jumping over, I’ll speak a little bit about the benefits here. We know that a lot of our clients have more than they do beyond just like giving the actual report and filling in that technical data. They have series of reviews that they do on top before they deliver this product to their client or before they share it with their partners.

Depending on where you are, that could be the technical editor, like the senior Pen tester, but it could also straight up be an English major or a technical writer who’s helping to review your grammar, your syntax, your tone, your style to match how your company wants to present itself or your brand. So we know a lot of that lives today in Word or Google Docs. And so what we really wanted to do was enable that within our platform so that you can keep all of that goodness inside PlexTrac. If you improve your findings to the point where you want to be a writer, it’s easy to do so. And so that was a lot of the intention behind the delivery of the suite of features. Outstanding. Well, thanks for that set up.

And now I am ready to go. I have rapidly hopped into a new environment and thrown some Lorem Ipsum, by the way. Loremipsum.io, great little website if you’re ever needing some content on the fly real quick. All right, so what are the QA workflow tools? It’s really the same things that you are already using and whatever your tool is today, whether that’s Google Docs, whether that’s Word, whether that is I don’t know Pages, if anybody actually uses that. So what do we got here? We got two big pieces of functionality. First of all, if I turn on track changes right away, as soon as I start changing words, I am getting a record.

And by the way, I’ve got this blown up for the purposes of demos. That’s why things are a little bit squishy here. But you can see that I’ve got the record of my track changes and the ability to accept or reject that. Right? So if I accept it, the replacement is made. We’re back to Greek from Latin. Whereas if I had rejected it, exactly what you would have expected to happen happened. If you are making track changes, take this back to Latin and you turn off track changes.

Your markup stays persistent and it’s there for you available until someone accepts or rejects the change. Right. Now, in addition to the actual track changes, we’ve also given you commenting capability, right? And so if I were to grab and highlight the section and simply click the comment button, I can make a comment. Right. And this is just like if you’re working in Google Docs, you want to save that to ensure that it stays persistent for you, and then that’s it. The great thing about QA Tools is they’re pretty simple. But I want to talk a little bit, just briefly in the few minutes we have left about how you might work these into your workflow. So one of the neat things about all of our findings in PlexTrac is that you have this capability of having them all either in a draft or published state.

In my other environment, I have everything set so that it starts off in a draft state. And my recommendation is that if you’re using these as part of your QA workflow and you are the person who’s doing the QA as you work your way through these, if you don’t have changes or comments that need to be reviewed, that’s your opportunity to grab those that you can move into that published status. And then the ones that do have comments and do require further collaboration, perhaps with the original tester you leave in that draft status. That’s an incredible visual indicator to the recipient once it gets kicked back that they’ve got work to do. We are just about out of time and we are just about out of things to talk about today. So I’m going to turn it over really quick to Landon or Brian. I got the last comments and then we’ll take it back over to Dallan.

None from my end. It’s been a pleasure chatting with you all, and I look forward to continuing to have these conversations. Same here. This was awesome.

I think these are great functionality that’s coming out and around and we’re here for the existing customers that need a little bit more. We’re here to help make sure that you guys adopt these properly in your environment. Yeah, reach out to your CSMs, ask them to explore more during your recurring check ins and we’ve got more to follow in the near future. We are growing fast, developing fast and constantly improving the product. Over to you, Dallan. Awesome. Yeah I just want to give a quick shout out to you three. Sean, Landon and Brian, thanks so much for demoing all these giving great insight and kind of detailing our mindset when creating features like this.

I want to end it with just a few shout outs to a couple of areas you can follow for a lot more content from us. The first is going to be our YouTube channel. You’ll find a huge catalog of webinars just like this one there over at YouTube.com/c/plextrac as well as little mini demos, tips and tricks. Lots of really cool stuff over there and we’ve got a lot of really cool stuff going on on social as well. You can see we’re on Twitter, YouTube, LinkedIn. We’ve even got an Instagram now and if you’ve got any more questions or want to see a live demo with your specific use case, go book a demo over at PlexTrac.com/demo.

We’d love to share more with you but yeah, I will stop sharing here and if anyone else has last minute feedback, feel free to let us know. But yeah. Thanks everybody for tuning in today.