AttackForge Answers The Tough Questions

How many vulnerabilities have we discovered this year? What about last year?

AttackForge keeps track of all your vulnerability data from security and penetration testing projects and can provide you with the detailed statistics you need.

What return on investment are we getting on our penetration testing program?

Get to know how hard your team is actually working at fixing discovered issues. Know exactly how many vulnerabilities have been discovered, retested and fixed - at any time.

How many open vulnerabilities do we have for that system right now? What about that business group or client?

Know exactly how many open or closed vulnerabilities there are for every asset, system, business group or client. Get the details fast.

I need to brief the executives. Are we getting better or worse?

Compare vulnerability and trend data over time. Measure how fast your organisation is at discovering and remediating critical vulnerabilities.

What are the Top 10 Most Vulnerable Assets in our organisation? What about Top 10 Most Common Vulnerabilities?

Discover your most common vulnerabilities, vulnerable assets, and failed testcases across your entire organisation, business group or client.

Where should we invest more in training and awareness?

Trends and analytics can help you make sense of your vulnerability data to better understand where you need to focus resources within your organisation or business groups.

Across All Industries & Verticals

AttackForge Enterprise

Made For Enterprise


AttackForge Enterprise brings Business, Technology and Security teams together to reduce vulnerability remediation lead times and increase go-to-market speed. AttackForge Enterprise is proven - put to work in large organisations to help save direct costs, increase visibility and reduce effort on every pentest.

Save Time

High-quality customisable reports, on-demand and when you need them.

Save Effort

Integrated, Centralised & Rich Issue Library. Speak a consistent language.

Save Money

Tools and workflows to reduce project overheads and costs by up to 40%.

Team Collaboration

Business, Technology and Security teams collaborating in one place.

Methodology

Pre-loaded with industry benchmarks - for compliance and auditing.

Clearer View

See your organisation's vulnerable areas. Know your real weaknesses.

Still interested? Request a Demo

Portfolios

Track & Manage Your Security Testing Programs

Portfolios help you create dedicated programs to track and manage your security testing activities. Want to know how your internal systems compare to your external systems? Or wanting to track security posture for your applications? Portfolios makes this easy!

Work Streams

Track & Manage Your BAU Testing Activities

Work Streams help you to consolidate all of your related testing activities for an application, platform, business group and more - into a single stream. Work Streams can help you track all tests completed in any given month / quarter / year, and understand where to focus your time and resources more effectively.

Enterprise Reporting

Custom Reports On-Demand

Create fully customised on-demand reports in a fraction of the time. Personalize your reports to your own style and corporate branding. Download Multi-Reports or even Group Reports across business units and functions.

Enterprise Analytics

Know Your Security Posture - At Any Time

Track vulnerabilities and trends over time, across the entire organisation or individual business units. Track vulnerabilities by SLAs. Compare against periods of time. Know your Top 10 Most Vulnerable Assets, Top 10 Most Common Vulnerabilities and Top 10 Failed Testcases. Measure your Mean-Time-To-Remediate (MTTR). Better plan your investment in training and awareness. Executive and line reporting out of the box.

Methodologies & Runbooks

Industry Standard Benchmarks and Methodologies

AttackForge Enterprise is loaded with industry benchmarks from OWASP, NIST, PCI, OSSTMM and others. Enforce and Control exactly how you want it tested, every time. Bring standardization and consistency to your pentesting program. Keep your auditors happy.

Libraries

Centralized Libraries. Unified Vulnerability Language.

Create standardized vulnerability definitions and recommendations. Ensure your teams are all speaking the same language. Reduce time & effort on review cycles. Bring vulnerabilities immediately to development teams and engineers - Reduce Time-To-Remediate (TTR).

Collaboration

Bring Business, Engineering & Security Teams Together.

Connect with your teams on every project. Exchange vulnerability information fast, so you can remediate even faster! Integrations with Microsoft Teams, Slack, and Discord.

Enterprise Scheduling

Schedule and Plan Your Testing Program

Keep on top of your testing program. Let your customers request new projects in a standardized way. Track projects in the pipeline. Availability assistant & detailed planner to help manage resources effectively.

Assets Management

Manage and Control Assets Across Your Enterprise Testing Program

Centralize tracking and management of individual assets. Assign assets to groups and projects - for complete visibility and accountability. Assets Management can help to create standardization, consistency & repeatability when performing testing against enterprise assets. Each asset can include detailed information such as type of asset; unique identifiers from other systems such as CMDB; and details on the asset.

Enterprise Search

Vulnerability Information When You Need It

Search helps you to find the vulnerability information you need. Search vulnerabilities by asset; discover vulnerabilities within a group; find vulnerabilities by title; or drill-down by tags. Answer the tough questions in a fraction of the time!

Attack Chains

See Attacks From the Hacker's Perspective

Attack Chains help demonstrate exactly what an attacker is doing at every step - in a simple and clear visual story. Understand how vulnerabilities can be grouped together to cause devastating attacks against your organisational assets. Map Attack Chains to MITRE ATT&CK® Framework in minutes!

Import Vulnerabilities

AttackForge Connector Helps You Import Vulnerabilities From Tools, Platforms and Scripts

AttackForge Connector helps you import vulnerabilities to your projects from tools such as Tenable Nessus and Burp Suite Proxy. Or you can use the API for custom imports.

Export Vulnerabilities

AttackForge Connector Helps You Export Vulnerabilities Into Your Enterprise Ecosystem

AttackForge Connector helps you export vulnerabilities to your enterprise ecosystem and ticketing tools, including JIRA, ServiceNow, Azure DevOps and more.

Self-Service API

Self-Service API For Workflow Automations

Easily automate workflows using our Self-Service API. Perfect for customisations and integrations into your enterprise ecosystem. Manage and control access to each API for peace of mind. Setting up service accounts is a breeze.

Integrations

Enterprise Integrations Into Your Ecosystem

Integrate & Sync with common enterprise tools and services such as JIRA, Azure DevOps, Microsoft Teams, Slack and ServiceNow. Plug into your own Identity and Access Management Provider - OAuth, SAML, Azure AD, Okta.

Retesting

Track Remediation Efforts and Retesting

Know if and when vulnerabilities are remediated or fixed. Transparency and traceability - audit logs & recorded history for every vulnerability. Request, track & perform retesting.

Global Dashboard

Single Pane of Glass Into Your Security

Monitor how your organisation is performing against its security & penetration testing program. Drill-down on key vulnerabilities and projects. Track performance of projects and make more informed decisions.

Group Dashboard

Monitor Your Business Units

Keep on top of your security posture for a business unit, division, subsidiary, 3rd party or team – know which areas in your organisation are doing well and which areas need improvement. Group membership provides easy-to-manage access controls for your teams.

Project Dashboard

Control Panel For Your Pentests

View testing progress & vulnerabilities for your projects - at a glance. Download reports in multiple formats. Export vulnerabilities into ticketing systems. View daily tracking. Participate in team chats. Create fully custom reports. View attack chains.

Daily Progress Tracking

Easily Track Pentesting Progress

Track how your projects are performing – on a daily basis. Know if issues are being experienced & when they are resolved. Get to know your project team. Daily breakdown of vulnerabilities found & test cases actioned.

Themes

Personalise Your Theme

Enable different themes based on your mood and preference. Discover themes such as Stealth Mode, The Matrix, Lightning, Halloween, RedBack, Neptune, Firestorm, Lost Woods & Amethyst.

Now Available

Download our white paper on how to run an effective and efficient centralized penetration testing program. Learn how to get a better Return on Investment on your pentesting; extract maximum value from the findings; and provide visibility to executives & managers on the performance of your pentesting program.

Need Help? Check out our Support Site

Case Study

INSURANCE COMPANY


Client

This client is one of the biggest insurance companies in their class. They execute a pentesting program to ensure security for a few dozen applications, internal and external networks, and other IT assets. The client operates in a highly regulated Asia-Pacific market and is subject to strict auditing and compliance that includes penetration testing activities, vulnerability management and remediation....

Problems

The client's Security Manager had multiple issues with how pentesting was done. The most concerning were the following:

  1. It takes too long from finding a vulnerability to fixing it. Business stakeholders are frustrated with delays. The result of a traditional penetration test is a static report that takes time to write and pass through peer and technical review before it gets to the security manager. The outcome was that it took one to three weeks between the time a vulnerability was found and the time the relevant team could start fixing it. That process delayed application go-live for multiple weeks and cost the business tens to hundreds of thousands of dollars in project burn costs and lost revenue.
  2. Consistency. There was no way to compare last year's pentest with this year's pentest of the same application. Pentesting activities were not executed in a consistent, repeatable manner. The traditional penetration testing process does not ensure that different pentesters and vendors are using the same methodology, and even terminology differed from one vendor to another. This prevented the client from assessing whether they were getting any better or worse over time.
  3. Complex and painful auditing. It takes days to show the auditors all pentesting reports, all remediation reports, and all confirmation emails from pentesters. The regulatory regime required that the client demonstrate multiple facets of the penetration testing program. This included:
    - Auditable use of consistent methodology
    - Coverage of all in scope applications and infrastructure
    - Auditable records of remediation activities, and
    - Qualified assessment that vulnerabilities are indeed closed/fixed

As client’s security manager put it: “I need a way to get business apps fixed faster, and keep auditors off my back”.

Solution: AttackForge Enterprise

AttackForge's main purpose is to bring together the pentesting team, developers and business into one collaboration platform. This allowed the client to bring pentesters and developers together so fixing vulnerabilities could start minutes after discovery. Business stakeholders learned about the progress of pentesting activities and remediation immediately with minimal delay for go-live.

AttackForge provided pentesters with guidance on the methodology, and a comprehensive vulnerability and issue library. This helped to ensure that different pentesters and providers on their panel would use the client's approved methodologies and terminology.

AttackForge provided auditors with clear records of all pentesting activities, dates, times and names when test cases are executed, and when vulnerabilities are found and remediated.

AttackForge Enterprise was introduced to pentesting providers and IT teams in August 2018. Training supported by video tutorials allowed pentesters to start using AttackForge immediately. Development leads were provided access before the first vulnerability was found. Business stakeholders were introduced in September 2018 with the second project. Subsequent projects had pentesters, relevant IT team members, project managers and business stakeholders accessing the project workspaces and having visibility of the overall progress and discovered vulnerabilities.

Results

1. Go live. After nine months of operations and dozens of pentesting projects done using AttackForge Enterprise - the average delay on go-live as a result of pentesting was reduced by 14 business days.

2. Consistency. Switching between pentesters and providers required 80% less time from the internal security team. The effort required for quarterly reporting on the status of vulnerabilities was reduced from 3 days of effort to 30 minutes. Report recipients could check the status of the relevant vulnerabilities for their applications and teams directly in AttackForge.

3. Auditors praised the client for presenting log records of the relevant activities using AttackForge Enterprise capabilities. Time spent by auditors on penetration testing activities reduced from 3 days to 0.5 day.

4. AttackForge became cost positive after 30 projects. With AttackForge replacing manual reporting with automated report generation - the efforts and costs associated with each pentesting engagement were reduced by 10-30%.

Additionally, the client mentioned that pentesters loved the automated reporting and ability to communicate directly with developers. Developers appreciated that remediation tasks were allocated using AttackForge JIRA integration instead of emails.

Will It Work For Your Organisation?

If you are concerned with getting your applications live faster without compromising on security; if you are in an industry that mandates mature penetration testing processes, and you want to reduce friction between security and IT - AttackForge will help. If your penetration testing program is more than 30 projects, then go for AttackForge Enterprise. Otherwise try AttackForge.com for free. The client identified that simplicity was one of the key reasons why AttackForge Enterprise worked for them.

Case Study

FINANCE AND IDENTITY VERIFICATION COMPANY


Client

This client is a provider of online identity verification services, as well as risk and marketing software as a service. They provide services to a large number of other financial organisations, insurance companies, and government departments. The client has a significant volume of highly regulated information in its custody, and relies on their unique intellectual property to process that data. The client's business model depends on its customers' trust and its ability to demonstrate high security standards. The client operates a significant number of externally facing applications, integration points, and interfaces....

Problems

The client's information security department employed multiple people to monitor security compliance, to ensure ongoing execution of a complex penetration testing program and continuous remediation activities.
The Information Security Manager identified key problems related to penetration testing:

  1. Significant time dedicated to scheduling, scoping, and executing the penetration testing program. The high number of regular penetration testing activities required the attention of several dedicated security professionals to ensure that pentesting providers had access to all necessary information such as:
    - API definitions
    - Interface details and testing credentials
    - Binaries
    - Contact details
    - Design documents
  2. Consistency across multiple pentesting providers. Pentesting activities were executed inconsistently, with every provider using different methodologies, and different definitions for the same vulnerabilities. The Information Security Manager could not produce meaningful metrics for the CEO and the Board.
  3. The business would blame the security team for delays in moving key applications into production. The client's business depends on its ability to bring new sophisticated solutions that leverage the big data the client has access to. Every day of delay reduces their market advantage and costs hundreds of thousands of dollars. Pentesting vendors would take at least a week after finishing the actual testing to produce a report, whilst the development team waited. Remediation and retesting would take at least another one to two weeks. The overall delay from the end of pentesting to going into production was usually more than ten business days. This was costing the business more than a million dollars in lost revenue and project costs, per year.

As the client’s CISO put it: “I spend hundreds of thousands of dollars on external pentesting vendors, a few more on the internal resources to keep an eye on those vendors, and all of that does not help me to understand if we are any better than last year. And business blames my team for every delay”.

Solution: AttackForge Enterprise

AttackForge's main purpose is to bring together the pentesting team, developers and business into one collaboration platform. With developers and the infrastructure team talking directly to pentesters over a Slack channel, developers could start fixing vulnerabilities minutes after discovery. Pentesters could retest minutes after a fix was ready, usually whilst the pentest was still in progress. Business stakeholders could make decisions on identified risks and what could and could not be accepted in production.

AttackForge ensures that a change of pentesting providers does not affect the consistency and quality of their work. Each provider and each pentester is guided by the client's approved methodologies and terminology through AttackForge Enterprise Test Suites and Vulnerability Library.

AttackForge Enterprise was introduced to pentesting providers and IT teams in August 2017. Training supported by video tutorials enabled pentesters from two different providers to familiarise themselves with AttackForge Enterprise and start working on projects within a few days. Development and Infrastructure leads were provided access before the first vulnerability was found. Business stakeholders were introduced after the completion of the third project. From then on, each project had pentesters, relevant IT team members, project managers and business stakeholders accessing the project workspaces and having visibility of the overall progress and identified vulnerabilities.

Results

1. After one year of operations, the security team's effort to manage the penetration testing program was reduced by 50%. With all ongoing logistical information stored and protected by AttackForge, and the applications team communicating directly with pentesters, the security team could focus on improving security posture.

2. Consistency. The client's security team stipulated use of AttackForge test suites and vulnerability library for all pentesting providers on the panel. This ensured quality and uniformity of pentesting activities. After 12 months of operations, it allowed the security team to establish metrics for their application security, and identify the causes of the most persistent vulnerabilities.

3. Faster production transition. After one year of operations and more than 60 pentesting projects completed whilst utilising AttackForge Enterprise, the timeframe between finding a vulnerability and closing it was reduced by 23 business days.

4. The effort required to address customers' due diligence enquiries in relation to penetration testing was reduced by more than 20 business days in the last 6 months of operations.

5. AttackForge became cost positive after approximately 35 projects. With AttackForge replacing manual reporting with automated report generation, the effort and costs associated with each pentesting engagement were reduced by 10-30%.

Additionally, the client mentioned that external providers indicated that their pentesters loved the fact that they no longer needed to write reports.

The application team established the role of an application security champion as a result of regular communications with the security team and external pentesters.

The client identified that the collaboration AttackForge Enterprise enabled helped to change the overall security culture within the organisation.

Will It Work For Your Organisation?

If you are concerned with getting your applications live faster without compromising on security; if you are in an industry that mandates mature penetration testing processes, and you want to reduce friction between security and IT - AttackForge will help. If your penetration testing program is more than 30 projects, then go for AttackForge Enterprise. Otherwise try AttackForge.com for free.

Pricing


POPULAR

Cloud 50

AttackForge Enterprise

$40K

per year

Unlimited Users
50 Projects Per Year
Additional Project Plans Available*
12-Months Licence (Multi-Year Available)
Private Dedicated Infrastructure in Azure Region of Your Choice
Whitelabelled For Your Organization
Unlimited Groups (Teams / Customers / Business Units)
Advanced Support SLA
Upgrades & Enhancements
Training Workshops
Access to AF Ticketing System
Custom Tenant Configurations
Single-Sign On (SSO)^
Custom Agreements
Portfolios & Work Streams
Asset Management
Trend Analysis & Personalized Analytics
Self-Service API for Automations and Integrations
Notifications Engine for Custom Emails
All amounts are in US Dollars
*Priced separately
^Standard integration included. Custom integrations priced separately


Server 50

AttackForge Enterprise

$60K

per year

Unlimited Users
50 Projects Per Year
Additional Project Plans Available*
12-Months Licence (Multi-Year Available)
Self-Hosted & Offline / Air-Gap Capable
Whitelabelled For Your Organization
Unlimited Groups (Teams / Customers / Business Units)
Premium Support SLA
Upgrades & Enhancements
Training Workshops
Access to AF Ticketing System
Custom Tenant Configurations
Single-Sign On (SSO)^
Custom Agreements
Portfolios & Work Streams
Asset Management
Trend Analysis & Personalized Analytics
Self-Service API for Automations and Integrations
Notifications Engine for Custom Emails
All amounts are in US Dollars
*Priced separately
^Standard integration included. Custom integrations priced separately


Plan Comparison: Cloud vs Server

Deployment

Dedicated Infrastructure / Single Tenant Hosted in Microsoft Azure Region of Your Choice, Fully Managed Service
Self-Hosted
Offline / Air-Gap Capable
Handover SLA: 10 days (Cloud) / 10 days (Server)
Custom Domain
Whitelabelled / Company Logo
Single-Sign-On (SSO)
Two-Factor Authentication (2FA)
IP-Whitelisting & Network Access Controls
Custom Tenant Configurations

Licence & Fees

12-Month Licence: $40K+ (Cloud) / $60K+ (Server)*
* Cloud & Server are billed in US dollars
Multi-Year Licence Available
Included Projects Per Year: 50+ (Cloud) / 50+ (Server)
Additional Projects / Plans: Contact us (Cloud) / Contact us (Server)
Users: Unlimited (Cloud) / Unlimited (Server)
Assets: Unlimited (Cloud) / Unlimited (Server)
Uploads: Unlimited (Cloud) / Unlimited (Server)
Groups (Teams / Customers / Business Units): Unlimited (Cloud) / Unlimited (Server)
Custom Terms & Conditions
Upgrades to Latest Features

Support

Priority Email
Ticketing System
Advanced Support: 30 Hours (Cloud) / 50 Hours (Server)
Support SLA: Advanced (Cloud) / Custom (Server)
Support Centre & Training Videos
Training Workshops: 2 (Cloud) / 3 (Server)

Portfolios & Work Streams

Create Portfolios to Manage Your Security Testing Programs
Track BAU Testing Activities in Work Streams

Reporting

Professional On-Demand Reports (PDF, DOCX, HTML, CSV, JSON)
Customizable On-Demand Reports (PDF, DOCX, HTML, CSV, JSON)
Quality Assurance (QA) Workflow & Revision Notes
Group Reports
ReportGen Offline - For Custom Reports In Your Own Styles, Templates
ReportGen Integrated - For Custom Reports On-Demand

Vulnerabilities

Global Dashboard
Advanced Search
Attack Chains
Integration with CI/CD tools - JIRA, ServiceNow, Azure DevOps
Integration with Vulnerability Management Tools
Retest Workflows
Full Support for CVSS v3.1

Projects

Dashboards & Project Tracking
Dedicated, Secure Workspace for Every Project
Scheduling & Calendar
Resource Management
Roles-Based Access Controls
Project Request Workflows
Custom Notifications
Integration with Collaboration tools - MS Teams, Slack, Discord

Libraries

Centralized & Customizable Vulnerability Templates
Pre-loaded Vulnerability Templates from CWE & CAPEC
Centralized & Customizable Test Suites & Methodologies/Runbooks
Pre-loaded Test Suites from OWASP, OSSTMM & Others

Assets

Asset Management & Register

Groups

Groups (Teams / Customers / Business Units): Unlimited (Cloud) / Unlimited (Server)
Group Dashboard & Tracking
Link Groups to Project, Vulnerabilities, Users
Link Groups to Active Directory (AD) / Identity Provider (IDP)

Analytics

Analytics Dashboard
Trend Analysis & Comparison
Personalize Analytics Dashboard

Self-Service API

80+ Documented APIs with Examples

Notifications

Project Event Notifications
Custom Project Event Notifications
Custom Global Notifications (Daily Updates, SLAs, Overruns, etc.)

Need help choosing? We've got you covered

Technology Partners

Integrations Into Your Enterprise Eco-System

Security

For Peace of Mind


As a software security provider, AttackForge is committed to providing highly secure and reliable software for our customers. Check Out Our Full Security Statement