Reporting for Decision-Makers & Security Practitioners with the BreachLock Unified Platform

Unify your security testing with the BreachLock Unified Platform, which consolidates all your product solutions and test findings. Leverage a common data model, validate attack paths, and map your entire attack surface – all in one place.

BreachLock breaks down silos and connects solutions to deliver a unified view of your security landscape for comprehensive asset visibility. By leveraging the power of integration, BreachLock consolidates PTaaS, Attack Surface Management, continuous pentesting and automated scanning, as well as Red Teaming capabilities in one data model for endless clarity and reporting.

Flexible & Customized Reporting

The Reporting feature in the BreachLock Unified Platform excels in providing robust flexibility for our users to customize reports based on their target audience – whether compliance-ready for auditors, internal for security teams, or business-specific top-line summaries for Boards and Executives. Reports are multi-faceted and easy to generate within the BreachLock Unified Platform.

Reporting Dashboard

BreachLock Integrated Platform Reporting Dashboard Screenshot

The Reporting dashboard provides a cumulative view of all reports that have been generated by approved users within the organization. Reports are based on scope and security testing performed to date.

The dashboard includes the name of the report and a link to the report so that users can either Browse, Preview (meaning the report is ready for review but has not actually been generated yet), or download a PDF. The report will include the product for which the report was generated, the module or type of report, who created it, and when it was created.

Generate Report

BreachLock Integrated Platform Generate Report Screenshot

Users can generate a report with the click of a button and will be taken through a series of steps that provide the customization needed to ensure the report contains the information that is important to security teams and the business.

Users select a Reporting Module, with reports available for:

  • Penetration Testing as a Service (PTaaS): Report includes all findings from human-led or certified manual pentesting performed by BreachLock experts.
  • Attack Surface Management: Report for internal (ASM) or external (supported by PTaaS), automated pentesting and scanning, and vulnerable assets and associated exposures found during Asset Discovery.
  • Automated Pentesting (APT) Web: Report for automated pentesting performed on external web applications and the Dark Web.
  • Automated Pentesting (APT) API: Report for automated pentesting and scanning conducted on an API or multiple APIs.
  • Automated Pentesting (APT) External Network: Report for automated pentesting on external networks such as web servers, AWS, Azure, Google Cloud, DNS infrastructure, Email servers, external firewalls and perimeter security devices, VPNs, IoT and embedded systems, third-party services, and more.

Also, report types include either a Detailed Report or Executive Summary. The report in the screenshot above is being created for a Board Meeting, and in this case an Executive Summary was selected.

  • Executive Summary (Board, Executives): A critical document for Board members as it bridges the gap between technical findings and their business implications. By distilling complex technical data into insights that highlight potential financial, operational, and reputational risks, this summary equips decision-makers with the high-fidelity data needed to better understand vulnerable assets and why they may be business critical. It emphasizes the alignment of security initiatives with business objectives to prioritize investments and address vulnerabilities that could have the most significant impact on the organization’s financial stability and market trust.
  • Detailed Report (DevSecOps, Auditors, Compliance): An essential report providing an in-depth analysis of vulnerabilities, their root causes, and remediation steps. For DevSecOps teams, this report serves as a roadmap to prioritize and implement security fixes, ensuring alignment with secure development and deployment practices. Auditors rely on the report to validate the organization’s adherence to internal controls and external compliance requirements, such as GDPR, PCI DSS, or ISO 27001. Additionally, compliance teams use the detailed findings to demonstrate a proactive approach to managing risks, meeting regulatory mandates, and mitigating potential liabilities.

Generate Report: Select Pentest

BreachLock Integrated Platform Generate Report: Select Pentest Screenshot

Users will be offered a list of all pentests that have been run to date and are completed. In the image above, the user has selected to generate a report for Web Application Pentest Black Box. If multiple pentests were available under PTaaS, the user could select as many product types as they would like to include in the report.

Generate Report: Select Assets

BreachLock Integrated Platform Generate Report: Select Assets Screenshot

On this screen, the user selects the assets to be included in the report. Each asset is listed by the name of the subdomain (or URL), asset type, whether it is active or inactive, and whether the asset was auto discovered or manually added. There may be a rolling list of multiple assets, but in the above screenshot we see only one. Assets can be filtered for those that were auto discovered (picked up during an automated pentest or APT scan) or manually added (added by the user for additional testing after the original scope was agreed upon).

Generate Report: Review

BreachLock Integrated Platform Generate Report: Review Screenshot

The last screen before previewing and generating the report is a “Review.” In this section, the user can review the reporting criteria to make sure they are accurate and include the pertinent information for the intended audience. The platform will aggregate all the selected criteria and immediately provide a report for Preview. Note that the user has not generated the report yet, as it is still in Preview mode.

Generate Report: Preview – Vulnerabilities Summary

BreachLock Integrated Platform Penetration Test Executive Report Preview Screenshot

An Executive Summary will provide an overview of technical data with more emphasis on the business impact to the organization, whereas a Detailed Report will have an emphasis on technical, high-fidelity data and context for all vulnerabilities, including:

  • Document Information: Engagement scope, pentest name and engagement timeframe.
  • The Assessment Scope: Type of pentest, asset, methodology, and date conducted.
  • Executive Summary: Goals of the assessment, BreachLock pentest expert certifications that were used for the project.
  • Vulnerabilities Summary: Vulnerabilities by severity discovered during the manual pentesting engagement. Please note that BreachLock supports both CVSS 3 and 4. This includes the total number of all vulnerabilities that were found during this pentest and a colored grid of all vulnerabilities by risk severity.
  • Severity Definitions: A legend defining risks from Critical to High, Medium, Low, and Informational. This is very helpful when conveying a story to Board Members about how the vulnerabilities would impact the business if prompt action were not taken.

Generate Report: Preview – Vulnerability Details

BreachLock Integrated Platform Generating Report Preview Vuln. Details Screenshot

The user can simply scroll through the Executive Summary to review all of the vulnerabilities discovered during this pentest starting with Critical all the way through Informational.

Generate a Report: Preview – Testing Methodology & Assessment

BreachLock Integrated Platform Generate a Report Preview - Testing Methodology & Assessment Screenshot

As the user scrolls through the report, they will come to Section D, which includes:

Testing Methodology: This summary will include the testing methodology, what a Black Box test is, and the requirements provided by the user when the pentest was actually performed. This section will also define White Box and Gray Box testing, highlighting the differences in methodology to ensure security teams agree with the methodology they have chosen.

Web Application Assessment: The next part of the Executive Summary is the Web Application Assessment. The Black Box methodology was based on the standard Web App OWASP Framework. Other standards BreachLock uses as part of their Penetration Testing process might include CREST, Open-Source Security Testing Methodology, NIST, CIS Benchmark, SANS Top 25, CISA Known Vulnerabilities, OWASP Top 10 for LLM Applications and more.

Scoping Information & Gathering: The scoping and information gathered includes testing for:

  • Configuration and deployment
  • Identity management testing credentials that may have been included
  • Authentication that took place
  • Authorization
  • Session Management
  • Data Validation
  • Error handling and Weak Cryptography
  • Business Logic
  • Client-Side Testing, and
  • Final findings according to the user’s SLA.

Generate Report: Vulnerabilities Classification

This section is especially important as it builds the story that Boards and Executives will most want to hear, providing detailed context into threat agent factors and business impact to the organization. It emphasizes the alignment of security initiatives with business objectives to prioritize investments and address vulnerabilities that could have the most significant impact on the organization’s financial stability and market trust.

BreachLock Integrated Platform Generate a Report Vulnerabilities Classification Screenshot

Customizable and flexible reporting is a vital component of effective proactive security testing. Within the BreachLock Unified Platform, users are able to tailor reports to specific assets, testing methodologies, and timeframes.

Detailed Reports for auditors and compliance teams provide technical insights to meet regulatory requirements, while Executive Summary reports offer high-level business impact implications for Boards and Executives to guide strategic decisions and prioritize security investments.

The value of customizable reporting extends beyond compliance to strategic security planning. It enables stakeholders to distill complex findings into actionable formats tailored to their needs to ensure adherence to standards like ISO 27001 or PCI DSS, while an executive summary aligns security risks with business objectives. This versatility enhances transparency and equips organizations to address vulnerabilities quickly, strengthening their defenses against evolving threats.

Author

Ann Chesbrough

Vice President of Product Marketing, BreachLock
