AttackForge Answers The Tough Questions

How many vulnerabilities have we discovered this year? What about last year?

AttackForge keeps track of all your vulnerability data from security and penetration testing projects and can provide you with the detailed statistics you need.

What return on investment are we getting on our penetration testing program?

Get to know how hard your team is actually working at fixing discovered issues. Know exactly how many vulnerabilities have been discovered, retested and fixed - at any time.

How many open vulnerabilities do we have for that system right now? What about that business group or client?

Know exactly how many open or closed vulnerabilities there are for every asset, system, business group or client. Get the details fast.

I need to brief the executives. Are we getting better or worse?

Compare vulnerability and trend data over time. Measure how fast your organisation is at discovering and remediating critical vulnerabilities.

What are the Top 10 Most Vulnerable Assets in our organisation? What about Top 10 Most Common Vulnerabilities?

Discover your most common vulnerabilities, vulnerable assets, and failed testcases across your entire organisation, business group or client.

Where should we invest more in training and awareness?

Trends and analytics can help you make sense of your vulnerability data to better understand where you need to focus resources within your organisation or business groups.

Across All Industries & Verticals

AttackForge Enterprise

Made For Enterprise


AttackForge Enterprise brings Business, Technology and Security teams together to reduce vulnerability remediation lead times and increase go-to-market speed. AttackForge Enterprise is proven - put to work in large organisations to help save direct costs, increase visibility and reduce effort on every pentest.

Save Time

High-quality customisable reports, on-demand and when you need them.

Save Effort

Integrated, Centralised & Rich Issue Library. Speak a consistent language.

Save Money

Tools and workflows to reduce project overheads and costs by up to 40%.

Team Collaboration

Business, Technology and Security teams collaborating in one place.

Methodology

Pre-loaded with industry benchmarks - for compliance and auditing.

Clearer View

See your organisation's vulnerable areas. Know your real weaknesses.

Still interested? Request a Demo

Benefits


High-Quality Automated Reports

On-demand reporting at the click of a button, whenever Business or Technology teams need it. Reports can be customised and include templates for Executives, Risk Managers, Third Parties such as Auditors, and Developers. All reports can be downloaded in PDF, HTML, DOCX, CSV & JSON.

Know Your Security Posture - At Any Time

Track vulnerabilities and trends over time, across the entire organisation or individual business units. Know your Top 10 Most Vulnerable Assets, Top 10 Most Common Vulnerabilities and Top 10 Failed Testcases. Measure your Mean-Time-To-Remediate (MTTR). Better plan your investment in training and awareness. Executive and line reporting out of the box.
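
The metrics named in the paragraph above (MTTR, open counts per asset, Top-N assets and vulnerability titles, and a discovered-versus-closed trend), computed over an exported finding list, as an added example that is not AttackForge's own code. The record fields (title, asset, severity, found, closed) and the sample findings are constructed assumptions, not AttackForge's JSON export schema, and MTTR is measured in calendar days here, whereas the case studies on this page quote business days.

```python
"""Vulnerability metrics over an exported list of findings.

Added example, not AttackForge code. The record layout below is a constructed
assumption, not AttackForge's export schema; dates are ISO calendar dates.
"""
from collections import Counter
from datetime import date
from typing import Dict, List, Optional, Tuple

Finding = Dict[str, Optional[str]]

# Constructed sample findings (not real data). closed=None means still open.
FINDINGS: List[Finding] = [
    {"title": "Reflected XSS", "asset": "portal.example.com", "severity": "High",
     "found": "2019-01-10", "closed": "2019-01-20"},
    {"title": "SQL Injection", "asset": "portal.example.com", "severity": "Critical",
     "found": "2019-01-12", "closed": "2019-01-15"},
    {"title": "Missing HSTS", "asset": "api.example.com", "severity": "Low",
     "found": "2019-02-01", "closed": None},
    {"title": "Reflected XSS", "asset": "api.example.com", "severity": "High",
     "found": "2019-02-03", "closed": "2019-02-23"},
    {"title": "Outdated TLS", "asset": "vpn.example.com", "severity": "Medium",
     "found": "2019-02-10", "closed": "2019-03-01"},
    {"title": "Reflected XSS", "asset": "portal.example.com", "severity": "High",
     "found": "2019-03-05", "closed": None},
    {"title": "Default Credentials", "asset": "vpn.example.com", "severity": "Critical",
     "found": "2019-03-07", "closed": "2019-03-08"},
    {"title": "Missing HSTS", "asset": "portal.example.com", "severity": "Low",
     "found": "2019-03-09", "closed": None},
]


def mttr_days(findings: List[Finding], severity: Optional[str] = None) -> Optional[float]:
    """Mean calendar days from discovery to closure, over closed findings only.
    Open findings are excluded rather than counted as zero (which would flatter
    the number). Returns None when nothing in scope has been closed yet."""
    durations = [
        (date.fromisoformat(f["closed"]) - date.fromisoformat(f["found"])).days
        for f in findings
        if f["closed"] is not None and (severity is None or f["severity"] == severity)
    ]
    return sum(durations) / len(durations) if durations else None


def open_count(findings: List[Finding], asset: Optional[str] = None) -> int:
    """Findings open right now, for the whole estate or for a single asset."""
    return sum(1 for f in findings
               if f["closed"] is None and (asset is None or f["asset"] == asset))


def top_n(findings: List[Finding], key: str, n: int = 10) -> List[Tuple[str, int]]:
    """Top-N by any field: key='asset' gives the most vulnerable assets,
    key='title' gives the most common vulnerabilities."""
    return Counter(f[key] for f in findings).most_common(n)


def monthly_trend(findings: List[Finding]) -> List[Tuple[str, int, int]]:
    """(month, discovered, closed) per YYYY-MM. A run of months where discovered
    exceeds closed means the backlog is growing, i.e. things are getting worse."""
    found = Counter(f["found"][:7] for f in findings)
    closed = Counter(f["closed"][:7] for f in findings if f["closed"] is not None)
    return [(m, found[m], closed[m]) for m in sorted(set(found) | set(closed))]


if __name__ == "__main__":
    print("MTTR overall (days):", mttr_days(FINDINGS))
    for sev in ("Critical", "High", "Medium", "Low"):
        print(f"MTTR {sev} (days):", mttr_days(FINDINGS, sev))
    print("Open now:", open_count(FINDINGS), "on portal:", open_count(FINDINGS, "portal.example.com"))
    print("Top assets:", top_n(FINDINGS, "asset", 3))
    print("Top vulnerabilities:", top_n(FINDINGS, "title", 3))
    print("Trend (month, found, closed):", monthly_trend(FINDINGS))
```

Slicing MTTR by severity is what makes the executive question answerable: in the constructed data the overall figure of 10.6 days hides that Critical findings close in 2 days while High findings take 15, and that no Low finding has been closed at all.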

Enterprise Integrations

Integrate & sync with common enterprise tools and services such as JIRA, Slack and ServiceNow. Plug into your own Identity and Access Management provider - OAuth, LDAP, ADFS.

Industry Standard Benchmarks and Methodologies

AttackForge Enterprise comes pre-loaded with common industry benchmarks from OWASP, NIST, PCI, OSSTMM and others. Determine what will be tested against each asset, every time. Bring standardisation and consistency to your pentest program. Keep your auditors happy.

Schedule and Plan Test Activities

Keep on top of all your projects. Know what pentests are in the pipeline and manage resources effectively. Get a single view of all projects and their status per month, week or day, with Resource Manager views that can be filtered by user.

Track Remediation Efforts and Retesting

Know if and when vulnerabilities are remediated or fixed. Audit logs contain full history and actions for every vulnerability for transparency and traceability. Easily request and perform retesting.

See the Attack From a Hacker's Perspective

Attack Chains help demonstrate exactly what an attacker is doing at every step - in a simple and clear visual story. Understand how vulnerabilities can be grouped together to cause devastating attacks against your organisational assets. Map Attack Chains to the MITRE ATT&CK® Framework in minutes!

Enterprise Connector

AttackForge Connector - Import & Export Vulnerabilities Into Your Enterprise Ecosystem

AttackForge Connector helps you import and export vulnerabilities to and from your AttackForge Enterprise tenant and third-party tools and platforms.

Self-Service API

Self-Service API For Workflow Automations

Easily automate workflows using our Self-Service API. Perfect for customisations and integrations into your enterprise ecosystem. Manage and control access to each API for peace of mind. Setting up service accounts is a breeze.

ReportGen

AttackForge ReportGen - Create Custom Reports

Create fully customised reports in a fraction of the time, based on your own DOCX templates. Personalize your reports to your own style or corporate branding. Creating custom reports is a breeze with AttackForge ReportGen!

...

Now Available

Download our white paper on how to run an effective and efficient centralized penetration testing program. Learn how to get better Return on Investment on your pentesting; extract maximum value from the findings; and provide visibility to executives & managers on the performance of your pentesting program.

Need Help? Check out our Support Site

Case Study

INSURANCE COMPANY


Client

This client is one of the biggest insurance companies in their class. They execute a pentesting program to ensure security for a few dozen applications, internal and external networks, and other IT assets. The client operates in a highly regulated Asia-Pacific market and is subject to strict auditing and compliance that includes penetration testing activities, vulnerability management and remediation....

Problems

The client's Security Manager had multiple issues with how pentesting was done, but the most concerning were the following:

  1. It takes too long from finding a vulnerability to fixing it. Business stakeholders are frustrated with delays. The result of a traditional penetration test is a static report that takes time to write and pass through peer and technical review before it reaches the security manager. In practice it took one to three weeks between the time a vulnerability was found and the time the team able to fix it could start work. That process delayed application go-live by multiple weeks and cost the business tens to hundreds of thousands of dollars in project burn costs and lost revenue.
  2. Consistency. There was no way to compare last year's pentest with this year's pentest of the same application. Pentesting activities were not executed in a consistent, repeatable manner. The traditional penetration testing process does not ensure that different pentesters and vendors use the same methodology, and even terminology differed from one vendor to another. This prevented the client from assessing whether they were getting better or worse over time.
  3. Complex and painful auditing. It took days to show the auditors all pentesting reports, all remediation reports, and all confirmation emails from pentesters. The regulatory regime required that the client demonstrate multiple facets of the penetration testing program. This included:
    - Auditable use of consistent methodology
    - Coverage of all in scope applications and infrastructure
    - Auditable records of remediation activities, and
    - Qualified assessment that vulnerabilities are indeed closed/fixed

As client’s security manager put it: “I need a way to get business apps fixed faster, and keep auditors off my back”.

Solution: AttackForge Enterprise

AttackForge's main purpose is to bring together the pentesting team, developers and business into one collaboration platform. This allowed the client to bring pentesters and developers together so fixing vulnerabilities could start minutes after discovery. Business stakeholders learned about the progress of pentesting activities and remediation immediately with minimal delay for go-live.

AttackForge provided pentesters with guidance on the methodology, and a comprehensive vulnerability and issue library. This helped to ensure that different pentesters and providers on their panel would use client’s approved methodologies and terminology.

AttackForge provided auditors with clear records of all pentesting activities, dates, times and names when test cases are executed, and when vulnerabilities are found and remediated.

AttackForge Enterprise was introduced to pentesting providers and IT teams in August 2018. Training supported by video tutorials allowed pentesters to start using AttackForge immediately. Development leads were provided access before the first vulnerability was found. Business stakeholders were introduced in September 2018 with the second project. Subsequent projects had pentesters, relevant IT team members, project managers and business stakeholders accessing the project workspaces, with visibility of overall progress and discovered vulnerabilities.

Results

1. Go live. After nine months of operations and dozens of pentesting projects done using AttackForge Enterprise - the average delay on go-live as a result of pentesting was reduced by 14 business days.

2. Consistency. Switching between pentesters and providers required 80% less time from the internal security team. The effort required for quarterly reporting on the status of vulnerabilities dropped from 3 days to 30 minutes. Report recipients could check the status of the relevant vulnerabilities for their applications and teams directly in AttackForge.

3. Auditors praised the client for presenting log records of the relevant activities using AttackForge Enterprise capabilities. Time spent by auditors on penetration testing activities reduced from 3 days to 0.5 day.

4. AttackForge became cost positive after 30 projects. With AttackForge replacing manual reporting with automated report generation - the efforts and costs associated with each pentesting engagement were reduced by 10-30%.

Additionally, the client mentioned that pentesters loved the automated reporting and ability to communicate directly with developers. Developers appreciated that remediation tasks were allocated using AttackForge JIRA integration instead of emails.

Will It Work For Your Organisation?

If you are concerned with getting your applications live faster without compromising on security; if you are in an industry that mandates mature penetration testing processes, and you want to reduce friction between security and IT - AttackForge will help. If your penetration testing program is more than 30 projects, then go for AttackForge Enterprise. Otherwise try AttackForge.com for free. The client identified that simplicity was one of the key reasons why AttackForge Enterprise worked for them.

Case Study

FINANCE AND IDENTITY VERIFICATION COMPANY


Client

This client is a provider of online identity verification services, as well as risk and marketing software as a service. They provide services to a large number of other financial organisations, insurance companies, and government departments. The client has a significant volume of highly regulated information in its custody, and relies on their unique intellectual property to process that data. The client's business model is dependent on their customers' trust and on the ability to demonstrate high security standards. The client operates a significant number of externally facing applications, integration points, and interfaces....

Problems

The client's information security department employed multiple people to monitor security compliance, ensure ongoing execution of a complex penetration testing program and drive continuous remediation activities.
The Information Security Manager identified key problems related to penetration testing:

  1. Significant time dedicated to scheduling, scoping, and executing the penetration testing program. The high number of regular penetration testing activities required the attention of several dedicated security professionals to ensure that pentesting providers had access to all necessary information, such as:
    - API definitions
    - Interface details and testing credentials
    - Binaries
    - Contact details
    - Design documents
  2. Consistency across multiple pentesting providers. Pentesting activities were executed inconsistently, with every provider using different methodologies and different definitions for the same vulnerabilities. The Information Security Manager could not produce meaningful metrics for the CEO and the Board.
  3. The business would blame the security team for delays in moving key applications into production. The client's business depends on its ability to bring to market new, sophisticated solutions that leverage the big data the client has access to. Every day of delay reduces their market advantage and costs hundreds of thousands of dollars. Pentesting vendors would take at least a week after finishing the actual testing to produce a report, whilst the development team waited. Remediation and retesting would take at least another one to two weeks. The overall delay from the end of pentesting to go-live in production was usually more than ten business days. This was costing the business more than a million dollars per year in lost revenue and project costs.

As the client’s CISO put it: “I spend hundreds of thousands of dollars on external pentesting vendors, a few more on the internal resources to keep an eye on those vendors, and all of that does not help me to understand if we are any better than last year. And business blames my team for every delay”.

Solution: AttackForge Enterprise

AttackForge's main purpose is to bring together the pentesting team, developers and business into one collaboration platform. With developers and the infrastructure team talking directly to pentesters over a Slack channel, developers could start fixing vulnerabilities minutes after discovery. Pentesters could perform a retest minutes after the fix was ready, usually whilst the pentest was still in progress. Business stakeholders could make decisions on identified risks and on what could and could not be accepted in production.

AttackForge ensures that a change of pentesting providers does not affect the consistency and quality of their work. Each provider and each pentester is guided by the client's approved methodologies and terminology through AttackForge Enterprise Test Suites and the Vulnerability Library.

AttackForge Enterprise was introduced to pentesting providers and IT teams in August 2017. Training supported by video tutorials enabled pentesters from two different providers to familiarise themselves with AttackForge Enterprise and start working on projects within a few days. Development and Infrastructure leads were provided access before the first vulnerability was found. Business stakeholders were introduced after the completion of the third project. From then on, each project had pentesters, relevant IT team members, project managers and business stakeholders accessing the project workspaces, with visibility of overall progress and identified vulnerabilities.

Results

1. After one year of operations, the security team's effort to manage the penetration testing program was reduced by 50%. With all ongoing logistical information stored and protected in AttackForge, and application teams communicating directly with pentesters, the security team could focus on improving security posture.

2. Consistency. The client security team stipulated use of AttackForge test suites and the vulnerability library for all pentesting providers on the panel. This ensured quality and uniformity of pentesting activities. After 12 months of operations, it allowed the security team to establish metrics for their application security and identify the causes of the most persistent vulnerabilities.

3. Faster production transition. After one year of operations and more than 60 pentesting projects completed using AttackForge Enterprise, the timeframe between finding a vulnerability and closing it was reduced by 23 business days.

4. The effort required to address customers' due diligence enquiries in relation to penetration testing was reduced by more than 20 business days in the last 6 months of operations.

5. AttackForge became cost positive after approximately 35 projects. With AttackForge replacing manual reporting with automated report generation, the effort and costs associated with each pentesting engagement were reduced by 10-30%.

Additionally, the client mentioned that external providers indicated their pentesters loved the fact that they no longer needed to write reports.

The application team established the role of an application security champion as a result of regular communications with the security team and external pentesters.

The client identified that the collaboration AttackForge Enterprise enabled helped to change the overall security culture within the organisation.

Will It Work For Your Organisation?

If you are concerned with getting your applications live faster without compromising on security; if you are in an industry that mandates mature penetration testing processes, and you want to reduce friction between security and IT - AttackForge will help. If your penetration testing program is more than 30 projects, then go for AttackForge Enterprise. Otherwise try AttackForge.com for free.

Features & Pricing


Pricing plans to accommodate all sizes

Choose a plan that suits you

We have multiple plans which scale as you grow.
Each Plan includes Project Credits - to use within the Licence Period.
Each Plan has Unlimited Users - for Unrestricted Collaboration.

  • Enterprise 50
  • Enterprise 100
  • Enterprise 200
  • Enterprise 300
  • Enterprise 500
  • Enterprise Unlimited

AttackForge Enterprise is provided as either:

  • Cloud Software-as-a-Service
  • On-Premises & Offline

Enterprise 50 Cloud

Monthly

$18K

Unlimited Users
50 Project Credits
12-Months Licence
Private Dedicated Infrastructure in
Azure Region of Your Choice
Whitelabelled For Your Organization
Single-Sign On (SSO)*
Support Level Agreement (SLA)
Integrations & Automations*
Upgrades & Enhancements
Training & Support Centre

All amounts are in US Dollars.
* Priced separately.

Enterprise

Vulnerabilities

Global Dashboard For All Your Vulnerabilities
View & Search Vulnerabilities by Project, Asset, Priority and Status
Track by Open, Closed and Ready For Retest
Analytics & Trends Discovery Across Organisation and Groups
Track Vulnerabilities Against Groups (Clients / Business Units)
Create Attack Chains & Map to MITRE ATT&CK® Framework
Import Vulnerabilities Into Your Projects via API or Connector
Export Vulnerabilities Into 3rd Party Tools & Platforms via Connector
Export & Sync Vulnerabilities With Your JIRA Project
Export Vulnerabilities Into Your ServiceNow Tenant
RESTful API Available For Data Imports or Exports
Detailed Vulnerability Information
Upload and Store Vulnerability Evidence & Artefacts
Audit Logs For Life of Vulnerability
Access & Manage Vulnerability Library (1300+ Vulnerabilities)
Choose When Your Vulnerabilities Are Visible To Project Team
Choose Your Scoring System, Including CVSS v3.1

Projects

Global Dashboard For All Your Projects
Clients / Stakeholders Request New Projects
Admins Review & Approve or Reject New Projects
Create & Manage Projects
Daily Notifications on Start/Stop Testing
Project Overview & Dashboard
Daily Tracker For Testing Progress
Track Projects, Assets & Users Against Groups (Clients / Business Units)
Secure Workspace For File Uploads
Create Private, Team & Reporting Notes
View & Action Test Cases
Access & Manage Test Suites and Methodologies
Storage For Testing Logs
User Access Management
Multi-Stage Workflows Available

Collaboration

User Profiles
Invite People To Collaborate on Your Projects
Scheduling & Calendar - Filter By Projects and Users
Private Slack Channels For Communication
Request, Track and Perform Remediation Testing
Define & Manage Groups (Clients / Business Units / Pentest Teams / etc.)

Reporting

Automated & On-Demand Reporting
Detailed Vulnerability Reports (PDF, HTML, DOCX, CSV & JSON)
AttackForge ReportGen - Create Fully Customised & Personalized Reports
Export JSON Into Your Own Reports and Tools
Group Reports (Clients / Business Units)
Customise Executive Summary
Templates for Executives, Auditors, 3rd Parties, Developers
Customise Your Reports
Upload & Add Your Own Logo To Reports

Security

Dedicated Infrastructure / Single Tenant Hosted in Microsoft Azure Region of Your Choice
On-Premises 100% Offline Deployment Option Available (Can Operate In Isolated / Air-Gapped Network)
Mandatory Two-Factor Authentication
IP-Whitelisting & Network Access Controls
Enterprise User Management & Audit Logs
Encrypted Communications & Storage
Role-Based Access Controls (Users / Projects / Groups)

Enterprise

Platform-As-A-Service - Turn-key Solution For Peace of Mind
Unlimited Users - For Unrestricted Collaboration
12 / 24 / 36 Months Licence
Upgrades to Latest Features & Modules
Whitelabelled - Custom Domain, Logo & Colours
You Own The Data
RESTful API Available For Data Imports or Exports
Self-Service API for Custom Dashboards, Reports, Analytics & Workflows
Enterprise User Roles Available
In-built Knowledgebase For Help & Support
Training Workshops
Email, Phone & On-Site Support Available
Security

For Peace of Mind


As a software security provider, AttackForge is committed to providing highly secure and reliable software for our customers. The AttackForge Enterprise Cloud deployment option is built on Microsoft Azure (Azure) and MongoDB Cloud (Mongo) compute and storage 'As-a-Service' technologies, which are compliant with a wide variety of industry-accepted security standards, and is hosted on dedicated single-tenant infrastructure in any Azure region of your choosing, worldwide.

If you prefer the On-Premises deployment option, AttackForge Enterprise is provided as a Dockerized solution that runs on a single Linux x64 server. It is designed to operate in an air-gapped environment and does not require any Internet connectivity or external dependencies. The installation package can also be run offline. All data persists on the server in Docker volumes. You can adjust the security of your on-premises AttackForge Enterprise tenant to your own security and risk requirements or appetite.

Additionally, our engineers have security backgrounds and use proven security technologies and techniques to protect our systems, data and information from unauthorised access.

We rely on a number of strict security controls built into our people, processes and technologies, and are subject to third-party assessments including penetration testing.

Where is my data stored? (Cloud deployment)

For data storage, analysis, and backups, AttackForge utilizes Azure and Mongo cloud services and therefore inherits, at the infrastructure layer, several Azure and Mongo standards and accreditations.
All virtualized servers run in the Azure region of your choice.

Amongst others, Azure offers compliance with the following standards and regulations:
• ISO 27001, 27017, 27018
• SOC 1, 2 and 3
• FIPS 140-2
• GDPR

Amongst others, Mongo offers compliance with the following standards and regulations:
• ISO 27001
• SOC 2 Type II
• GDPR
• HIPAA
• PCI DSS
• EU-US Privacy Shield (invalidated by the Court of Justice of the EU in July 2020 and no longer a valid transfer mechanism)

Where is my data stored? (On-Premises deployment)

On-Premises deployment utilizes Docker for a containerized solution. There are two (2) containers which make up AttackForge Enterprise - Web Application Server and Database Server.

All data persists on the Linux server on which you installed the application, and is stored in Docker volumes.

The AttackForge team does not have any access to your data, server or environment. You manage and control all aspects of your tenant. AttackForge will provide you with regular application updates via our online portal, which you can download and apply at a time of your choosing.

Who has access to my data? (Cloud deployment)

AttackForge does not share customer data with third parties.

Administrative access to customer data is restricted to a small number of closely managed AttackForge administrators.

Access to production systems and data follows the principle of least privilege.

Who has access to my data? (On-Premises deployment)

AttackForge does not have any access to your data, whatsoever.

You control and manage all aspects of your tenant, including installation, operation and backups.

How is my data protected? (Cloud deployment)

Network Security

• All traffic to and from our service is encrypted using the TLS v1.2 protocol.
• We enforce the usage of strong TLS cipher suites.
• All systems are firewalled to a minimal number of access points.

Account Security

• Multi-Factor Authentication (TOTP) is mandatory and enforced on all application and administrative interfaces.
• We enforce a strong password policy.
• Passwords are stored hashed and salted (bcrypt).
• Role-based access controls (RBAC) at the user level and project level are used to manage authorization to data.
• Access to an account, including actions performed by the account, is logged, tracked, and audited.
• Anti-automation controls are utilized to prevent brute-force login attempts.
• Session monitoring & management is utilized to prevent authenticated abuse of the platform.
• Email notifications for events such as new logins from different IP addresses are enabled.

System Security

• All operating systems are managed, patched and maintained by Azure and Mongo.
• Unnecessary users, services, and components are disabled.
• All systems are constantly monitored.

Secure Data Storage

• Data is stored on virtualized servers on Azure and Mongo.
• All data is encrypted in-transit and at-rest.
• Database backups are stored and transmitted encrypted at all times.
• Vulnerability reports are generated in memory on request by the user, and never stored.