AttackForge Enterprise

Made For Enterprise


AttackForge Enterprise brings Business, Technology and Security teams together to reduce vulnerability remediation lead times and increase go-to-market speed. AttackForge Enterprise is proven - put to work in large organisations to help save direct costs, increase visibility and reduce effort on every pentest.

Save Time

High-quality customisable reports, on-demand and when you need them.

Save Effort

Integrated, Centralised & Rich Issue Library. Speak a consistent language.

Save Money

Tools and workflows to reduce project overheads and costs by up to 40%.

Team Collaboration

Business, Technology and Security teams collaborating in one place.

Methodology

Pre-loaded with industry benchmarks - for compliance and auditing.

Clearer View

See your organisation's vulnerable areas. Know your real weaknesses.


Benefits



High-Quality Automated Reports

On-demand reporting at the click of a button, whenever Business or Technology teams need it. Reports can be customised and include templates for Executives, Risk Managers, Third Parties such as Auditors, and Developers. All reports can be downloaded as PDF, DOCX and CSV.


Know Your Security Posture - At Any Time

Track and measure vulnerabilities and trends over time, across the entire organisation or individual business units. Know your Top 10 Most Common Vulnerabilities and Top 10 Failed Test Cases. Better plan your investment in training and awareness. Executive and line reporting out of the box.


Enterprise Integrations

Integrate with common enterprise tools and services such as JIRA, Slack, RSA Archer and ServiceNow. Plug into your own Identity and Access Management provider via OAuth, LDAP or ADFS.


Industry Standard Benchmarks and Methodologies

AttackForge Enterprise comes pre-loaded with common industry benchmarks from OWASP, NIST, PCI, OSSTMM and others. Determine what will be tested against each asset, every time. Bring standardisation and consistency to your pentest program. Keep your auditors happy.


Schedule and Plan Test Activities

Keep on top of all your projects. Know what pentests are in the pipeline and manage resources effectively. Single view of all projects and their status per month, week or day.


Track Remediation Efforts and Retesting

Know if and when vulnerabilities are remediated or fixed. Audit logs contain full history and actions for every vulnerability for transparency and traceability. Easily request and perform retesting.


See Attack From Hackers Perspective

AttackChains show exactly what an attacker is doing at every step - in a simple and clear visual diagram. Understand how individually lower-risk vulnerabilities can be chained together to cause devastating attacks against your organisational assets.

Case Study

INSURANCE COMPANY


Client

This client is one of the biggest insurance companies in its class. It runs a pentesting program covering a few dozen applications, internal and external networks, and other IT assets. The client operates in a highly regulated Asia-Pacific market and is subject to strict auditing and compliance requirements that cover penetration testing activities, vulnerability management and remediation.

Problems

The client's Security Manager had multiple issues with how pentesting was done, but the most concerning were the following:

  1. It took too long from finding a vulnerability to fixing it. Business stakeholders were frustrated with the delays. The result of a traditional penetration test is a static report that takes time to write and to pass through peer and technical review before it reaches the security manager. As a result, one to three weeks elapsed between the time a vulnerability was found and the time the relevant team could start fixing it. That delayed application go-lives by multiple weeks and cost the business tens to hundreds of thousands of dollars in project burn costs and lost revenue.
  2. Consistency. There was no way to compare last year's pentest with this year's pentest of the same application. Pentesting activities were not executed in a consistent, repeatable manner. The traditional penetration testing process does not ensure that different pentesters and vendors use the same methodology; even the terminology differed from one vendor to another. This prevented the client from assessing whether they were getting better or worse over time.
  3. Complex and painful auditing. It took days to show the auditors all pentesting reports, all remediation reports and all confirmation emails from pentesters. The regulatory regime required that the client demonstrate multiple facets of the penetration testing program, including:
    - Auditable use of consistent methodology
    - Coverage of all in scope applications and infrastructure
    - Auditable records of remediation activities, and
    - Qualified assessment that vulnerabilities are indeed closed/fixed

As client’s security manager put it: “I need a way to get business apps fixed faster, and keep auditors off my back”.

Solution: AttackForge Enterprise

AttackForge's main purpose is to bring the pentesting team, developers and the business together in one collaboration platform. This allowed the client to connect pentesters and developers so that fixing vulnerabilities could start minutes after discovery. Business stakeholders learned about the progress of pentesting and remediation immediately, with minimal delay to go-live.

AttackForge provided pentesters with methodology guidance and a comprehensive vulnerability and issue library. This helped ensure that the different pentesters and providers on the client's panel used the client's approved methodologies and terminology.

AttackForge provided auditors with clear records of all pentesting activities: the dates, times and names recorded when test cases were executed and when vulnerabilities were found and remediated.

AttackForge Enterprise was introduced to pentesting providers and IT teams in August 2018. Training, supported by video tutorials, allowed pentesters to start using AttackForge immediately. Development leads were given access before the first vulnerability was found. Business stakeholders were introduced in September 2018 with the second project. Subsequent projects had pentesters, the relevant IT team members, project managers and business stakeholders accessing the project workspaces, with visibility of overall progress and discovered vulnerabilities.

Results

1. Go live. After nine months of operations and dozens of pentesting projects done using AttackForge Enterprise - the average delay on go-live as a result of pentesting was reduced by 14 business days.

2. Consistency. Switching between pentesters and providers required 80% less time from the internal security team. The effort required for quarterly reporting on the status of vulnerabilities dropped from 3 days to 30 minutes, because report recipients could check the status of the relevant vulnerabilities for their applications and teams directly in AttackForge.

3. Auditors praised the client for presenting log records of the relevant activities using AttackForge Enterprise capabilities. Time spent by auditors on penetration testing activities dropped from 3 days to 0.5 day.

4. AttackForge became cost positive after 30 projects. With AttackForge replacing manual reporting with automated report generation, the effort and cost associated with each pentesting engagement were reduced by 10-30%.

Additionally, the client mentioned that pentesters loved the automated reporting and the ability to communicate directly with developers. Developers appreciated that remediation tasks were allocated through the AttackForge JIRA integration instead of by email.

Will It Work For Your Organisation?

If you are concerned with getting your applications live faster without compromising on security, if you are in an industry that mandates mature penetration testing processes, and if you want to reduce friction between security and IT, AttackForge will help. If your penetration testing program is more than 30 projects, go for AttackForge Enterprise; otherwise try AttackForge.com for free. The client identified simplicity as one of the key reasons AttackForge Enterprise worked for them.

Case Study

FINANCE AND IDENTITY VERIFICATION COMPANY


Client

This client is a provider of online identity verification services, as well as risk and marketing software as a service. It serves a large number of other financial organisations, insurance companies and government departments. The client holds a significant volume of highly regulated information and relies on its unique intellectual property to process that data. The client's business model depends on its customers' trust and on its ability to demonstrate high security standards. The client operates a significant number of externally facing applications, integration points and interfaces.

Problems

The client's information security department employed multiple people to monitor security compliance, ensure ongoing execution of a complex penetration testing program and drive continuous remediation activities.
The Information Security Manager identified the following key problems related to penetration testing:

  1. Significant time was dedicated to scheduling, scoping and executing the penetration testing program. The high number of regular penetration testing activities required the attention of several dedicated security professionals to ensure that pentesting providers had access to all necessary information, such as:
    - API definitions
    - Interface details and testing credentials
    - Binaries
    - Contact details
    - Design documents
  2. Consistency across multiple pentesting providers. Pentesting activities were executed inconsistently, with every provider using different methodologies and different definitions for the same vulnerabilities. The Information Security Manager could not produce meaningful metrics for the CEO and the Board.
  3. The business blamed the security team for delays in moving key applications into production. The client's business depends on its ability to bring new, sophisticated solutions to market that leverage the big data it has access to. Every day of delay reduces its market advantage and costs hundreds of thousands of dollars. Pentesting vendors took at least a week after finishing the actual testing to produce a report, while the development team waited. Remediation and retesting took at least another one to two weeks. The overall delay from the end of pentesting to going into production was usually more than ten business days. This was costing the business more than a million dollars per year in lost revenue and project costs.

As the client’s CISO put it: “I spend hundreds of thousands of dollars on external pentesting vendors, a few more on the internal resources to keep an eye on those vendors, and all of that does not help me to understand if we are any better than last year. And business blames my team for every delay”.

Solution: AttackForge Enterprise

AttackForge's main purpose is to bring the pentesting team, developers and the business together in one collaboration platform. With developers and the infrastructure team talking directly to pentesters over a Slack channel, developers could start fixing vulnerabilities minutes after discovery. Pentesters could retest minutes after a fix was ready, usually while the pentest was still in progress. Business stakeholders could make decisions on identified risks and on what could and could not be accepted in production.

AttackForge ensures that a change of pentesting provider does not affect the consistency and quality of the work. Each provider and each pentester is guided by the client's approved methodologies and terminology through the AttackForge Enterprise Test Suites and Vulnerability Library.

AttackForge Enterprise was introduced to pentesting providers and IT teams in August 2017. Training, supported by video tutorials, enabled pentesters from two different providers to familiarise themselves with AttackForge Enterprise and start working on projects within a few days. Development and Infrastructure leads were given access before the first vulnerability was found. Business stakeholders were introduced after the completion of the third project. From then on, each project had pentesters, the relevant IT team members, project managers and business stakeholders accessing the project workspaces, with visibility of overall progress and identified vulnerabilities.

Results

1. After one year of operations, the security team's effort to manage the penetration testing program was reduced by 50%. With all ongoing logistical information stored and protected in AttackForge, and application teams communicating directly with pentesters, the security team could focus on improving security posture.

2. Consistency. The client's security team stipulated the use of AttackForge test suites and the vulnerability library for all pentesting providers on the panel. This ensured the quality and uniformity of pentesting activities. After 12 months of operations, it allowed the security team to establish metrics for their application security and identify the causes of the most persistent vulnerabilities.

3. Faster production transition. After one year of operations and more than 60 pentesting projects completed using AttackForge Enterprise, the timeframe between finding a vulnerability and closing it was reduced by 23 business days.

4. The effort required to address customers' due diligence enquiries relating to penetration testing was reduced by more than 20 business days in the last 6 months of operations.

5. AttackForge became cost positive after approximately 35 projects. With AttackForge replacing manual reporting with automated report generation, the effort and cost associated with each pentesting engagement were reduced by 10-30%.

Additionally, the client mentioned that external providers reported that their pentesters loved no longer having to write reports.

The application team established the role of an application security champion as a result of regular communication with the security team and external pentesters.

The client identified that the collaboration AttackForge Enterprise enabled helped to change the overall security culture within the organisation.

Will It Work For Your Organisation?

If you are concerned with getting your applications live faster without compromising on security, if you are in an industry that mandates mature penetration testing processes, and if you want to reduce friction between security and IT, AttackForge will help. If your penetration testing program is more than 30 projects, go for AttackForge Enterprise; otherwise try AttackForge.com for free.

Features & Pricing


Pricing plans to accommodate all sizes

Choose a plan that suits you

We have multiple plans that scale as you grow. You can choose to pay monthly or yearly.

  • Enterprise 50
  • Enterprise 100
  • Enterprise 200
  • Enterprise 300
  • Enterprise 500

Enterprise 50

Monthly

$3.25K

Unlimited Users
50 Project Credits*
12-Months Licence
Initial Set-Up
Hosting & Support
Training Workshops

*Top-ups available
All amounts are in US Dollars

Enterprise

Vulnerabilities

Global Dashboard For All Your Vulnerabilities
View & Search Vulnerabilities by Project, Asset, Priority and Status
Track by Open, Closed and Ready For Retest
Analytics & Trends Discovery Across Organisation and Groups
Track Vulnerabilities Against Groups (Clients / Business Units)
Create Attack Chains
Import Vulnerabilities Into Your JIRA Project
Detailed Vulnerability Information
Upload and Store Vulnerability Evidence & Artefacts
Audit Logs For Life of Vulnerability
Access & Manage Vulnerability Library (1300+ Vulnerabilities)

Projects

Global Dashboard For All Your Projects
Clients / Stakeholders Request New Projects
Admins Review & Approve or Reject New Projects
Create & Manage Projects
Daily Notifications on Start/Stop Testing
Project Overview & Dashboard
Track Projects, Assets & Users Against Groups (Clients / Business Units)
Secure Workspace For File Uploads
View & Action Test Cases
Access & Manage Test Suites and Methodologies
Storage For Testing Logs
User Access Management

Collaboration

User Profiles
Invite People To Collaborate on Your Projects
Scheduling & Calendar
Private Slack Channels For Communication
Request, Track and Perform Remediation Testing
Manage Groups (Clients / Business Units)

Reporting

Automated & On-Demand Reporting
Detailed Vulnerability Reports (PDF, DOCX & CSV)
Group Reports (Clients / Business Units)
Customise Executive Summary
Templates for Executives, Auditors, 3rd Parties, Developers
Customise Your Reports

Security

Dedicated Infrastructure / Single Tenant Hosted in Microsoft Azure Region of Your Choice
Mandatory Two-Factor Authentication
IP-Whitelisting & Network Access Controls
Enterprise User Management & Audit Logs
Encrypted Communications & Storage

Enterprise

Platform-As-A-Service - Turn-key Solution For Peace of Mind
Unlimited Users - For Unrestricted Collaboration
12 / 24 / 36 Months Licence
Upgrades to Latest Features & Modules
Whitelabelled - Custom Domain, Logo & Colours
You Own The Data
Integrations Into Your Enterprise Tools
Custom Dashboards, Reports, Analytics & Workflows
In-built Knowledgebase For Help & Support
Training Workshops
Email, Phone & On-Site Support Available
Security

For Peace of Mind


Two-Factor Authentication

Access to AttackForge and to all administrative interfaces has mandatory two-factor authentication (2FA) enforced.

Data Location

All data is stored encrypted in the Microsoft Azure region of your choice.

Encryption

All data is encrypted in transit and at rest.

Backups

Data is backed up daily and stored for up to three (3) years. All backups are stored encrypted.

Passwords

All passwords are stored hashed and salted using security best practices.
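To show what "hashed and salted using security best practices" means in practice, here is an added example of per-user salted password hashing with a memory-hard key derivation function, constant-time verification, and a self-describing storage record. It is illustrative code written for this page, not AttackForge's implementation: the page does not disclose which algorithm or cost parameters the product uses, so the choice of scrypt and the cost values below are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative cost parameters (assumed, not AttackForge's). With r=8 and N=2**14,
# scrypt needs roughly 128*r*N bytes = 16 MiB per hash, which makes large-scale
# GPU/ASIC brute force expensive while staying fast enough for an interactive login.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16   # 128-bit random salt, unique per stored password
DKLEN = 32        # 256-bit derived key


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a key from the password with a fresh random salt and return a
    self-describing record 'scrypt$N$r$p$salt_hex$hash_hex'.

    Storing the parameters alongside the hash lets the cost be raised later
    without breaking verification of records created under the old settings.
    The optional `salt` argument exists only so tests can be deterministic;
    production callers should never pass one.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key using the parameters stored in the record and
    compare it in constant time, so response timing does not reveal how many
    leading bytes of the candidate hash matched. Malformed records verify as
    False rather than raising, which avoids leaking record structure to callers."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(hash_hex)
        dk = hashlib.scrypt(
            password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
            n=int(n), r=int(r), p=int(p), dklen=len(expected),
        )
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(dk, expected)


def salts_are_unique(password: str, count: int = 3) -> bool:
    """Hashing the same password several times must yield distinct records,
    which is the property that defeats precomputed (rainbow) tables and stops
    two users with the same password from having the same stored hash."""
    records = {hash_password(password) for _ in range(count)}
    return len(records) == count


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("Tr0ub4dor&3", rec))                    # False
    print(salts_are_unique("correct horse battery staple"))       # True
```

The record format mirrors the widely used "$scheme$params$salt$hash" convention so that a future cost increase can be rolled out by re-hashing on the user's next successful login. Note that a plain SHA-256 of the password, even with a salt, would not meet the "best practices" bar implied above, because it is fast enough to brute force at scale; a deliberately slow, memory-hard KDF such as scrypt or Argon2 is what the phrase should mean.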