Core Impact Reporting

This report provides a side-by-side display of the test statistics of two workspaces for comparison. For example, a pen tester may run the same test twice, once as an admin user, and once as a user with lesser privileges in order to spot differences between the two user accounts.

This report provides a detailed list of all the modules run during a penetration test, to show exactly what work testers completed.

Any successful breach of a system during a penetration test can be graphically represented, showing the type of attack used, and any systems or applications involved.

This report provides details about identities collected by brute force or post-exploitation actions.

Available for both network and client-side pen tests, this report provides information about any hosts tested during the pen test. Details include the number of compromised hosts, CVE names of vulnerabilities, services and applications found on each host, and the average number of exploited vulnerabilities on compromised hosts.

This report provides information about vulnerabilities that were successfully exploited on each host, and includes CVE and CVSS numbers for additional details.

This summary report provides a graphic representation of the changes across two or more workspaces over a given time period. Reports can be run daily, weekly, monthly, or yearly to show both short-term and long-term trends.

This summary report includes all the necessary information and formatting to meet the requirements of the U.S. Government Federal Information Security Management Act (FISMA). This report can also be used to help you gain National Institute of Standards and Technology (NIST) compliance.

This report lists all the testing modules run on any detected host.

This report details what was discovered during the information gathering step.

This report provides details on any vulnerabilities found. It is formatted as a checklist so it can serve as a reference document when addressing issues related to these vulnerabilities.

This report uses data imported from external vulnerability scanners and provides validation and severity information for the vulnerabilities found during a scan.  

This report is formatted to meet PCI DSS compliance requirements, and uses data imported from external vulnerability scanners and provides validation and severity information for the vulnerabilities found during a scan.

This report should be run after an engagement is over and measures have been taken to improve security. It provides a comparison to the original results to see if remediation efforts successfully resolved the security weaknesses uncovered by the initial tests.

This report shows how many tests were performed on a selected target, and which tests resulted in a vulnerability being found and exploited. Knowing the ratio of tests run to vulnerabilities found gives you an idea of the overall health of the target.

This report provides details on any known wireless relationships discovered while testing a wireless environment.

In order to execute the most effective Man in the Middle (MiTM) attacks, if a known access point can’t be found, a fake access point must be created. From there, the pen tester can target any devices that connects to it. This report provides information about any fake access point attacks while testing a wireless environment.

This report provides the results of a Man in the Middle (MiTM) attack using a known access point that tests the wireless environment.

This report provides a detailed summary of phishing campaign simulations, and includes information on targets, as well percentages for targets who viewed the email, visited the phishing web site, and who entered data once on the site.

This report gives a detailed list of any users that were discovered and targeted during a client-side pen test.

This report provides the results of the client-side information gathering test, which includes a search of discovered documents and metadata.

This report provides a list of all the vulnerabilities that were successfully exploited, along with additional information, such as which web page had the vulnerability, and how much access the vulnerability provided.

This report should be run after an engagement is over and measures have been taken to improve security. It provides a comparison to the original results to see if remediation efforts successfully resolved the security weaknesses uncovered by the initial tests.

Building on the impressive work being done by MITRE’s Center for Threat-Informed Defense, this report offers a modified JSON output for organizations who want to align their activities with both ATT&CK and NIST’s catalog of security and privacy controls, known as NIST 800-53.