Core Impact Reporting
Robust reporting capabilities are a critical part of Core Impact’s centralized toolset, as pen test reports are used to plan and prioritize remediation efforts, as well as prove compliance with regulations like PCI DSS, GDPR, and HIPAA.
Manual pen test reporting can be a time-consuming effort that varies in details and quality. Core Impact’s automated reporting features ensure consistency and increase efficiency, creating a thorough record for all aspects of a pen testing engagement.
Reporting Categories and Formats
A number of reports, including the executive summary, cover all three vectors and are classified under general reports. There are also vector-specific reports covering the three types of pen tests that Core Impact performs:
Network
These reports cover tests that target your infrastructure, like hosts, IPs, or different operating systems attached to the architecture.
Client-Side
These reports cover social engineering tests, targeting end user interaction through the deployment of phishing emails.
Web Applications
These reports cover tests of web applications targeting web pages and URLs while monitoring for the OWASP Top 10 Web Application Security Risks.
Reports are typically formatted as spreadsheets, with some offering charts and graphs that can be tailored as needed. Final versions of reports can also be generated as PDFs to deliver to clients or stakeholders.
General Reports
Executive Report
This summary report fully covers every pen testing activity Core Impact completed throughout an engagement, along with the test results. Data includes summaries of:
- Exploited vulnerabilities
- Discovered hosts and network devices
- Targeted users
- Most exploited vulnerabilities by operating system
- Most exploited vulnerabilities overall
Delta Report
This report provides a side-by-side display of the test statistics of two workspaces for comparison. For example, a pen tester may run the same test twice, once as an admin user, and once as a user with lesser privileges in order to spot differences between the two user accounts.
Activity Report
This report provides a detailed list of all the modules run during a penetration test, to show exactly what work testers completed.
Attack Graph Report
Any successful breach of a system during a penetration test can be graphically represented, showing the type of attack used, and any systems or applications involved.
Identity Report
This report provides details about identities collected by brute force or post-exploitation actions.
Network Host Report
Available for both network and client-side pen tests, this report provides information about any hosts tested during the pen test. Details include the number of compromised hosts, CVE names of vulnerabilities, services and applications found on each host, and the average number of exploited vulnerabilities on compromised hosts.
Vulnerability Report
This report provides information about vulnerabilities that were successfully exploited on each host, and includes CVE and CVSS numbers for additional details.
Trend Report
This summary report provides a graphic representation of the changes across two or more workspaces over a given time period. Reports can be run daily, weekly, monthly, or yearly to show both short-term and long-term trends.
FISMA Exploited Vulnerabilities Report
This summary report includes all the necessary information and formatting to meet the requirements of the U.S. Government Federal Information Security Management Act (FISMA). This report can also be used to help you gain National Institute of Standards and Technology (NIST) compliance.
Network Reports
Network Report
This report provides details about hosts that were discovered and any vulnerabilities that were successfully exploited.
Host Based Activity Report
This report lists all the testing modules run on any detected host.
Network Exposure Report
This report details what was discovered during the information gathering step.
Network Mitigation Report
This report provides details on any vulnerabilities found. It is formatted as a checklist so it can serve as a reference document when addressing issues related to these vulnerabilities.
Network Vulnerability Validation Report
This report uses data imported from external vulnerability scanners and provides validation and severity information for the vulnerabilities found during a scan.
PCI Vulnerability Validation Report
This report is formatted to meet PCI DSS compliance requirements. It uses data imported from external vulnerability scanners and provides validation and severity information for the vulnerabilities found during a scan.
Network Remediation Validation Report
This report should be run after an engagement is over and measures have been taken to improve security. It provides a comparison to the original results to see if remediation efforts successfully resolved the security weaknesses uncovered by the initial tests.
Network Wellness Report
This report shows how many tests were performed on a selected target, and which tests resulted in a vulnerability being found and exploited. Knowing the ratio of tests run to vulnerabilities found gives you an idea of the overall health of the target.
Network Wireless Report
This report provides details on any known wireless relationships discovered while testing a wireless environment.
WiFi Fake Access Points Report
In order to execute the most effective Man in the Middle (MiTM) attacks, if a known access point can’t be found, a fake access point must be created. From there, the pen tester can target any devices that connect to it. This report provides information about any fake access point attacks while testing a wireless environment.
WiFi MiTM Report
This report provides the results of a Man in the Middle (MiTM) attack using a known access point that tests the wireless environment.
Client-Side Reports
Client-Side Penetration Test Report
This report includes detailed summaries of client-side pen tests, including attack types, exploits used, and email messages sent to deliver attacks or link them to a malicious site.
Client-Side Phishing Report
This report provides a detailed summary of phishing campaign simulations, and includes information on targets, as well as percentages for targets who viewed the email, visited the phishing web site, and entered data once on the site.
User Report
This report gives a detailed list of any users that were discovered and targeted during a client-side pen test.
Information Publicly Accessible Report
This report provides the results of the client-side information gathering test, which includes a search of discovered documents and metadata.
Web Application Reports
Web Apps Executive Report
This summary report provides the information obtained during the pen test, including discovered hosts, compromised vulnerabilities, and executed tasks.
Web Apps Vulnerability Report
This report provides a list of all the vulnerabilities that were successfully exploited, along with additional information, such as which web page had the vulnerability, and how much access the vulnerability provided.
Web Apps Remediation Validation Report
This report should be run after an engagement is over and measures have been taken to improve security. It provides a comparison to the original results to see if remediation efforts successfully resolved the security weaknesses uncovered by the initial tests.
MITRE ATT&CK™ Reports
The MITRE ATT&CK framework is a matrix of tactics and techniques used by real-world threat actors that has become a standard in defensive security, helping cybersecurity professionals create threat models to better prepare against risks that threaten the safety of critical data. Core Impact offers two reporting types that map and categorize engagements in MITRE.
The ATT&CK Navigator Report
Based on the techniques executed during an engagement, this report uses the MITRE layer to classify and prioritize risk, and includes the option of exporting results with the ATT&CK Navigator JSON format.
The NIST 800 Navigator Report
Building on the impressive work being done by MITRE’s Center for Threat-Informed Defense, this report offers a modified JSON output for organizations who want to align their activities with both ATT&CK and NIST’s catalog of security and privacy controls, known as NIST 800-53.
Reporting with the Plextrac Integration

Gather all your pen testing data in one place. With Core Impact’s integration with Plextrac, you can collect reporting information from vulnerability scanners and any other tools used during your pen test, consolidating the information so it can be shared as one comprehensive report.