A decade ago, few pentesters had heard the term "pentest management". Today it is everywhere, and pentest management, collaboration, and pentest-as-a-service platforms are quickly replacing ad hoc tooling.
If you are looking for an alternative to tracking pentests in Excel, reporting in Word, and agreeing on scope over email and phone, a pentest management platform is the obvious next step.
The trade-off is onboarding: many of these platforms require a significant ramp-up period, with changes to your workflows, reporting templates, and scoping process.
Pentest management and collaboration tools bring work management and client management together in a single, usually cloud-hosted, platform. They resemble generic work management tools such as Asana or Trello, but are built around the needs of security assessments. For example, it is normal to see integrated imports of vulnerability findings from scanners, a ticket page per finding, project scoping, and automated pentest workflows.
That functionality usually breaks down into several components:
Vulnerability Library: The platform should offer a vulnerability library where you build and maintain finding descriptions and remediation text, import reference data from frameworks such as OWASP or CWE, and pull criticality and risk data (for example CVSS scores) into each finding.
Client Portal: Clients should have their own login with a dashboard, the ability to request pentests, and options to view and manage discovered vulnerabilities. Many portals also include asset and team management. This portal is typically essential for delivering pentest-as-a-service.
Pentest Management: Pentesters use workflows, checklists, runbooks, and integrated calendars to manage engagements, workloads, and completed work, automating as much overhead as possible. This often includes mappings to vulnerability frameworks, compliance frameworks, and other integrations.
Pentest Reporting: Report generation typically pulls from the rest of the platform, so a report can be produced quickly from data that already exists. This ranges from a simple collated export of one scanner's results to highly customizable report templates with automatically populated sections.
Pentest Collaboration: Pentesters collaborate with their clients on security and remediation, including tracking vulnerability status, communicating directly on each finding, and giving immediate access to services such as retesting or fix recommendations.
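The feature descriptions above (vulnerability library, scanner imports with deduplication, and template-driven reporting) are easier to evaluate once you have seen what the platforms automate. The following is an added example written for this article; it is not code from any of the products discussed. It ingests two constructed scanner exports in different formats, deduplicates findings on (host, normalised title), keeps the highest score and the union of sources for duplicates, attaches description and remediation text from a toy vulnerability library, and renders a summary. The CSV/JSON layouts, host addresses, and library entries are all invented for illustration.

```python
import csv
import io
import json
import re
from dataclasses import dataclass, field

# Constructed sample exports, hand-written for this example; not real scanner output.
TOOL_A_CSV = """host,name,cvss
10.0.0.5,Outdated OpenSSH Version,7.5
10.0.0.5,TLS Certificate Expired,5.3
10.0.0.7,Outdated OpenSSH Version,7.5
"""

TOOL_B_JSON = json.dumps([
    {"target": "10.0.0.5", "title": "outdated openssh version", "score": 8.1},
    {"target": "10.0.0.9", "title": "Directory Listing Enabled", "score": 5.0},
])

# A tiny "vulnerability library": canonical write-ups keyed by normalised title (hypothetical).
LIBRARY = {
    "outdated openssh version": {
        "description": "The SSH service reports a version with published weaknesses.",
        "remediation": "Upgrade OpenSSH to the vendor-supported release and restart sshd.",
    },
    "tls certificate expired": {
        "description": "The presented X.509 certificate is past its notAfter date.",
        "remediation": "Renew the certificate and automate renewal (for example via ACME).",
    },
}


def normalise(title):
    """Collapse whitespace and case so the same issue from two tools gets one key."""
    return re.sub(r"\s+", " ", title.strip().lower())


@dataclass
class Finding:
    title: str
    host: str
    cvss: float
    sources: set = field(default_factory=set)
    description: str = ""
    remediation: str = ""

    def severity(self):
        # CVSS v3.x qualitative rating bands.
        if self.cvss == 0:
            return "None"
        if self.cvss < 4.0:
            return "Low"
        if self.cvss < 7.0:
            return "Medium"
        if self.cvss < 9.0:
            return "High"
        return "Critical"


def parse_tool_a(text):
    """Importer for the constructed CSV layout."""
    for row in csv.DictReader(io.StringIO(text)):
        yield Finding(row["name"], row["host"], float(row["cvss"]), {"tool_a"})


def parse_tool_b(text):
    """Importer for the constructed JSON layout."""
    for item in json.loads(text):
        yield Finding(item["title"], item["target"], float(item["score"]), {"tool_b"})


def merge(findings):
    """Deduplicate on (host, normalised title); keep the highest score, union the
    reporting tools, and attach library text on first sight. Sorted by score desc."""
    merged = {}
    for f in findings:
        key = (f.host, normalise(f.title))
        if key in merged:
            existing = merged[key]
            existing.cvss = max(existing.cvss, f.cvss)
            existing.sources |= f.sources
        else:
            entry = LIBRARY.get(key[1], {})
            f.description = entry.get("description", "")
            f.remediation = entry.get("remediation", "")
            merged[key] = f
    return sorted(merged.values(), key=lambda x: (-x.cvss, x.host, x.title))


def render_report(findings):
    """Minimal template: one line per finding plus remediation where the library has it."""
    lines = ["# Findings summary", ""]
    for f in findings:
        seen_by = ", ".join(sorted(f.sources))
        lines.append(f"- [{f.severity()}] {f.title} on {f.host} (CVSS {f.cvss}, seen by {seen_by})")
        if f.remediation:
            lines.append(f"  Remediation: {f.remediation}")
    return "\n".join(lines)


def build():
    """Run both importers and merge; returns the deduplicated, sorted finding list."""
    return merge(list(parse_tool_a(TOOL_A_CSV)) + list(parse_tool_b(TOOL_B_JSON)))


if __name__ == "__main__":
    print(render_report(build()))
```

The two OpenSSH reports against 10.0.0.5 collapse into one finding that records both tools and the higher score, which is the behaviour to check for when a vendor claims "automatic deduplication": ask whether the key is the raw plugin name (which will not match across tools) or a normalised or library-mapped title, and what happens to the scores and evidence of the discarded duplicate.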
Together, these features make up the “pentest management” or pentest collaboration platform. While they vary a lot, some of the best on the market include:
AttackForge is one of the oldest pentest management platforms on the market. It launched in 2018 and was generally available by 2019, and today it is used by pentesters on every continent. AttackForge offers a free, self-hosted version alongside its paid tiers, which makes it a good fit for internal teams that need an on-premises deployment.
Paid pricing starts at $50 per month per pentester; add-ons and additional projects are priced separately.
AttackForge is primarily a pentest management platform with tools to manage projects and programs. It offers:
Faraday, formerly Faraday Security, is a vulnerability management platform designed primarily to manage assets and vulnerability data coming from other tools. To that end, Faraday ships importers for 150+ tools.
It also offers criticality ratings, mappings to vulnerability frameworks, and automation for imports and deduplication, including pulling content from your global vulnerability descriptions into imported findings.
Faraday also has an open-source (free) version, which does not include cloud deployment, reporting, prioritization, project planning, ticketing, pipelines or workflows, or deduplication, and which you must install on-premises yourself. The premium option starts at $640 per month and adds those features plus a scanner, PDF and docx reporting, up to 5 users, and cloud deployment.
Hexway is a pentest suite designed for pentest management and collaboration. The tool is entirely self-hosted, so you handle deployment and securing the installation yourself. In return, it offers a full set of pentest project management features: issue tracking, work assignments, pentest methodologies and checklists, project notes, tagging, and a project dashboard. It also provides report generation, imports from 20+ tools, and an API to simplify your workflows and imports.
You can also build your own knowledge base, compare scans, use a cross-project dashboard, and onboard clients to a dashboard for asset and pentest management. The free version is limited to 3 projects and 3 checklists. The premium version removes those limits at $78 per month but includes only about half the features, so most teams will end up wanting the enterprise tier.
PlexTrac is one of the most extensive pentest management and collaboration platforms, with a full suite of tools for pentest reporting, management, and collaboration, including automation for project planning, documentation, and client communication.
The Core tier includes reports, a Content Library, analytics, runbooks, assessments, and a client portal; integrations are available at extra cost. PlexTrac does not publish its pricing, but it charges per user and per project.
PlexTrac lets you manage a pentest end to end: set up the project from templates and methodologies, onboard the client, drive the work with runbooks, import scanner results, merge findings with entries from the vulnerability library, and then collaborate with the client on remediation.
Reconmap offers a dashboard, pentest management, and project and task management as a cloud tool. The feature set is comparatively limited, and access is not open to everyone. Where Reconmap stands out is collaboration inside the team: it is one of the few options on the market that ships a command-line tool with automation, so teams can centralize commands and avoid duplicated work. You also get analytics with key insights per user, and all project and task management, including assigned tasks and due dates, lives in one place. Client integrations let you manage client teams and assets and send reports to clients automatically, which simplifies report delivery. Reconmap also offers role management.
Unlike the other options here, however, Reconmap is about collaboration between pentesters, not between pentester and client. It costs $47 per month for 2GB of storage.
Dradis Pro is a reporting and collaboration tool for infosec teams. It is designed to automate reporting by bringing all engagement data into a single platform and generating the report from a template.
The Community edition is completely free but must be self-hosted and lacks branding, multiple products, methodology integration, and many other features of the Pro plans. Pro plans start at $79 per month per user and include docx reports, vulnerability libraries, a rules engine for automation, a client portal, and remediation tracking.
Dradis is best known for its free reporting software. The Pro version adds substantial collaboration and pentest management tooling, but the platform is still built around reporting first.
The Pentest Collaboration Framework (PCF) is an open-source tool for sharing, modifying, and storing information about pentest projects. It is entirely open source, can be deployed locally on your own server, and, unlike the other options listed here, is portable.
It also offers process automation for workflows during testing, imports from tools, vulnerability and issue templates, and automatic report generation.
PCF further provides chat, an API, team management, credential management, proof-of-concept storage, and other features.
Cyver Core is a pentest management and collaboration platform with tools for managing pentests in the cloud and delivering pentest-as-a-service. It launched in 2018 and has users on every continent. It offers a full client portal with reporting dashboards, findings as tickets, and asset management.
Clients can export findings to their own tooling, manage prioritization, and view dashboards for criticality, time-to-fix, and other metrics. On the pentester side, Cyver Core includes project planning, team management, workflows, runbooks, integrated compliance norms, and more.
Cyver Core also generates PDF reports from that data, with fully customizable sections and descriptions, and provides a vulnerability library with automatic data merging, deduplication, and framework imports for data such as CVSS and OWASP.
Cyver Core starts at 99 euros per month with no limit on users or projects. Team management, role-based access, and API integration, however, require the Professional subscription at 449 euros per month.
Ultimately, the best way to choose a pentest management and collaboration platform is to demo and trial several options. Getting to know the market, what is available, and what each provider would offer your team is the surest way to make a good selection. Hopefully this list of the top 8 pentest management tools helps you get started.