Core Impact Reporting

Automated pen testing reports that provide the details needed to take your next steps

VIEW A SAMPLE REPORT

Robust reporting capabilities are a critical part of Core Impact’s centralized toolset, as pen test reports are used to plan and prioritize remediation efforts, as well as prove compliance for regulations like PCI DSS, GDPR, and HIPAA. 

Manual pen test reporting can be a time-consuming effort that varies in details and quality. Core Impact’s automated reporting features ensure consistency and increase efficiency, creating a thorough record for all aspects of a pen testing engagement.

Reporting Categories and Formats

A number of reports, including the executive summary, cover all three vectors, and are classified under general reports. There are also vector specific reports covering the three types of pen tests that Core Impact performs:

COBALT STRIKE
Network

These reports cover tests that target your infrastructure, like hosts, IPs, or different operating systems attached to the architecture.
Social Engineering
Client-Side
These reports cover social engineering tests, targeting end user interaction through the deployment of phishing emails.
Browser Pivoting
Web Applications
These reports cover tests of web applications targeting web pages and urls while monitoring for the OWASP Top 10 Web Application Security Risks.

Reports are typically formatted as spreadsheets, with some offering charts and graphs that can be tailored as needed. Final versions of reports can also be generated as pdfs to deliver to clients or stakeholders.

General Reports

  • Delta Report: This report provides a side-by-side display of the test statistics of two workspaces for comparison. For example, a pen tester may run the same test twice, once as an admin user, and once as a user with lesser privileges in order to spot differences between the two user accounts.
  • Activity Report: This report provides a detailed list of all the modules run during a penetration test, to show exactly what work testers completed.
  • Identity Report: This report provides details about identities collected by brute force or post-exploitation actions.

Identities

Image taken from Network Host Report

 

Network Host Scan

Image taken from Network Host Report

  • Executive Report: This summary report fully covers every pen testing activity Core Impact completed throughout an engagement, along with the test results. Data includes summaries of:
    • Exploited vulnerabilities
    • Discovered hosts and network devices
    • Targeted users
    • Most exploited vulnerabilities by operating system
    • Most exploited vulnerabilities overall
  • Attack Graph Report: Any successful breach of a system during a penetration test can be graphically represented, showing the type of attack used, and any systems or applications involved.
  • Network Host Report: Available for both network and client-side pen tests, this report provides information about any hosts tested during the pen test. Details include the number of compromised hosts, CVE names of vulnerabilities, services and applications found on each host, and the average number of exploited vulnerabilities on compromised hosts.

 

  • FISMA Exploited Vulnerabilities Report: This summary report includes all the necessary information and formatting to meet the requirements of the U.S. Government Federal Information Security Management Act (FISMA). This report can also be used to help you gain National Institute of Standards and Technology (NIST) compliance.
  • Trend Report: This summary report provides a graphic representation of the changes across two or more workspaces over a given time period. Reports can be run daily, weekly, monthly, or yearly to show both short-term and long-term trends.
  • Vulnerability Report: This report provides information about vulnerabilities that were successfully exploited on each host, and includes CVE and CVSS numbers for additional details.

 

 

Vulnerabilities Report

Image taken from Network Host Report

Network Reports

PCI Vulnerability Validation Report

This report is formatted to meet PCI DSS compliance requirements, and uses data imported from external vulnerability scanners and provides validation and severity information for the vulnerabilities found during a scan.

Client-Side Reports

Client Side Phishing Reports

Image taken from Client-Side Phishing Report

  • Client-Side Phishing Report: This report provides a detailed summary of phishing campaign simulations, and includes information on targets, as well percentages for targets who viewed the email, visited the phishing web site, and who entered data once on the site.
  • User Report: This report gives a detailed list of any users that were discovered and targeted during a client-side pen test.

 

  • Information Publicly Accessible Report: This report provides the results of the client-side information gathering test, which includes a search of discovered documents and metadata.
  • Client-Side Penetration Test Report: This report includes detailed summaries of client-side pen tests, including attack types, exploits used, and email messages sent to deliver attacks or link them to a malicious site.

Client-Side Penetration Test Report

Image taken from Client-Side Penetration Test Report

 

Web Application Reports

Summary

Image taken from Webapps Executive Report

  • Web Apps Executive Report: This summary report provides the information obtained during the pen test, including discovered hosts, compromised vulnerabilities, and executed tasks.
  • Web Apps Remediation Validation Report: This report should be run after an engagement is over and measures have been taken to improve security. It provides a comparison to the original results to see if remediation efforts successfully resolved the security weaknesses uncovered by the initial tests.

 

  • Web Apps Vulnerability Report: This report provides a list of all the vulnerabilities that were successfully exploited, along with additional information, such as which web page had the vulnerability, and how much access the vulnerability provided.

Vulnerability Report

Image taken from Webapps Executive Report

MITRE ATT&CK™ Reports

The MITRE ATT&CK framework is a matrix of tactics and techniques used by real-world threat actors that has become a standard in defensive security, helping cybersecurity professionals create threat models to better prepare against risks that threaten the safety of critical data. Core Impact offers two reporting types that map and categorize engagements in MITRE.

The ATT&CK Navigator Report

Based on the techniques executed during an engagement, this report uses the MITRE layer to classify and prioritize risk, and includes the option of exporting results with the ATT&CK Navigator JSON format.

Reporting with the Plextrac Integration

PlextTrac logo

Gather all your pen testing data in one place. With Core Impact’s integration with Plextrac, you can collect reporting information from vulnerability scanners and any other tools used during your pen test, consolidating the information so it can be shared as one comprehensive report.

Get to Know Core Impact

Find out about all of Core Impact's many features like agents, phishing capabilities, reporting, and more.

LEARN MORE