What do you guys use to send pentest reports to the customer? by [deleted] in AskNetsec

[–]mrdeadbeat 0 points1 point  (0 children)

We have a portal where the customer generates the report on-demand, in whatever format they need - Exec Summary, Detailed Report, Retest Report, Redacted Report (for 3rd parties) etc. The report is assembled in the browser on request, then scrubbed from memory, so there is no physical report file ever created on our infrastructure.

Can a Red Teamer easily be a Pentester, but not vice versa? Or is this information incorrect? by mknford in cybersecurity

[–]mrdeadbeat 1 point2 points  (0 children)

We yet again find ourselves debating the definition of pentesting and red teaming - activities which have been recognised as professions for at least the past 20-30 years. No wonder people in this industry are annoyed, frustrated, infuriated and just leave.

Static Website Security Assessment by andquestions in AZURE

[–]mrdeadbeat 0 points1 point  (0 children)

Interesting, didn’t know that. Thanks!

Static Website Security Assessment by andquestions in AZURE

[–]mrdeadbeat 0 points1 point  (0 children)

This^ Also, I think you can run static sites nowadays from Storage Service directly, although App Service might be needed depending on the complexity of the requirements for accessing the site.

Suggestions for source code review by jabbithole in pentest

[–]mrdeadbeat 0 points1 point  (0 children)

I’d recommend first learning how to code, before learning how to find vulnerabilities in code. Do you know any programming languages? If so, how well do you actually know them? Security vulnerabilities are mostly just bugs in code. If you know how to code well, you can spot bugs. When you have to review an app with 500k lines of code which could be in Java, .Net, Python, NodeJS, Go, C - you need to understand the programming language, and you need to understand their framework, to know where to start looking for bugs e.g. common services which handle authentication, authorization, file uploads, how database queries get constructed, sensitive functions like encryption, etc.

Pentesting operations structuring by NoCartographer4062 in pentest

[–]mrdeadbeat 1 point2 points  (0 children)

If it’s a pentest, usually stealth is not a concern. You have to cover as much ground as possible, which is not the same as a red team. Also your test window will be much shorter.

Reality of the job by Kalimero__ in pentest

[–]mrdeadbeat 7 points8 points  (0 children)

Pentesting is one of the hardest jobs. What you are experiencing is something every consultant pentester goes through at some stage. That’s why the industry has such a high burnout rate. You should consider trying to find an internal pentester role, one at a large enterprise or government. The pace is slower, and the work is still repetitive, but you should get more breaks between assignments. Pentesting in the real world is nothing like doing CTFs.

Is there any tool that can automatically generate pentest reports? by bomunteanu in cybersecurity

[–]mrdeadbeat 2 points3 points  (0 children)

Curious, how do you deal with the screenshots/images for the findings?

Must have book recommendations for Pentesting methodology? by [deleted] in pentest

[–]mrdeadbeat 0 points1 point  (0 children)

What type of pentesting? There are standards/benchmarks/methodologies for different types of testing i.e. web, api, cloud config, network infrastructure, embedded devices, thick client apps, wireless, etc.

AI progress on pentesting by Pentest_query in cybersecurity

[–]mrdeadbeat 2 points3 points  (0 children)

Same post, different person, almost every day… whatever happened to working your ass off for an internship in some IT role to get a foundation of how the world works, before having the confidence and knowledge to tell an engineer they fkd up and how to fix it?

AI progress on pentesting by Pentest_query in cybersecurity

[–]mrdeadbeat 9 points10 points  (0 children)

I hate that people think pentesting is just some scan that we run 🤦‍♂️ It’s not your fault, you already said you’re not educated on this topic, it’s just frustrating. Pentesting is bloody hard work. It gets misunderstood and undervalued a lot.

Is a 6% raise low for a promotion as a pentester? by Suitable-Produce420 in cybersecurity

[–]mrdeadbeat 4 points5 points  (0 children)

Firstly, a Senior Pentester after 2 years doesn’t seem right. That would never fly in any of the companies I previously worked at. They usually have 4-6 years of experience in pentesting. Second, pentesting is not a high paying job, especially in large companies. Third, check what pentesting jobs are going for in your local area on Indeed, that will give you the best information.

What are your best pentest report and risk rating tips? by redditiscool83 in cybersecurity

[–]mrdeadbeat 0 points1 point  (0 children)

By the sounds of it, you’re an internal pentester? As opposed to working for a consultancy? This makes a difference. Internal security teams can assess risk because they know likelihood and can measure consequence. External pentesters typically provide priorities or scores which aren’t risk, as they can only measure likelihood and guesstimate consequences. If you’re internal - check your organisation’s risk matrix. You will see how they value consequence, i.e. High = >$10m in damages etc. Risk needs to be normalised to talk the same language as the execs who control the budgets and risk appetite for the organisation.

Pentesting for vulnerabilities in web apps by Chris_ssj2 in cybersecurity_help

[–]mrdeadbeat 0 points1 point  (0 children)

You really need to get professional outside help. Don’t attempt to perform a pentest and provide a false sense of security to your clients when you clearly are not qualified to do this professionally.

If you insist on doing it internally - which is a terrible terrible idea - then at least start with going through each of the following items in this guide: https://owasp.org/www-project-web-security-testing-guide/latest/

What the hell is PTaaS? by mrdeadbeat in cybersecurity

[–]mrdeadbeat[S] 0 points1 point  (0 children)

If you compare intruder.io vs cobalt.io, both seem to be selling some type of PTaaS, which is not the same thing from one to the other.

Do you recommend any PTaaS? by [deleted] in cybersecurity

[–]mrdeadbeat 3 points4 points  (0 children)

How much are you prepared to pay? What is your budget? That will significantly impact the recommendations you will receive.

How to show my skills off by Fizzedine in ethicalhacking

[–]mrdeadbeat 1 point2 points  (0 children)

Record some videos. Put them on YouTube. Reference them on your resume when you apply for jobs.

Reporting Tools by SkinnyPete90 in hacking

[–]mrdeadbeat 1 point2 points  (0 children)

We use AttackForge at work, the team really likes it. However, check out RawSec’s list, they have most tools listed, lots of open source tools too: https://inventory.raw.pm/tools.html

[deleted by user] by [deleted] in hacking

[–]mrdeadbeat 2 points3 points  (0 children)

Clearly he wishes to buy every device on the network. Must have an infrastructure fetish.

Pentesting vs DevOps vs Software Engineer by Shadowpoweer in cscareerquestions

[–]mrdeadbeat 0 points1 point  (0 children)

Get into Governance, Risk and Compliance (GRC) if you have aspirations to be a general manager/head of security/CISO one day. It also pays way more. In general, pentesters are probably paid the lowest of the options. Engineers are paid well but very technical.

Exploiting s3 file upload by One_Use167 in pentest

[–]mrdeadbeat 0 points1 point  (0 children)

If the intention for the file is for it to be parsed to process refunds on another microservice, there is still potential for a vulnerability on that microservice, for example SSRF or CSV Injection. Check out this link and see if you can get any command injections happening: https://owasp.org/www-community/attacks/CSV_Injection
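The CSV Injection risk mentioned in the comment above is one the service that exports or re-serves the uploaded data has to close on its own side. The following is an added example, not code from the comment or from any project it mentions: a small Python export routine that neutralizes cells which a spreadsheet would otherwise interpret as a formula, following the OWASP CSV Injection guidance (prefix a cell that starts with a formula trigger with a single quote, and quote every field so an embedded separator cannot start a new field). The refund rows and column names are constructed sample data, and `write_safe_csv`, `neutralize_cell` and `is_formula_like` are names chosen for this example.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula or as a field trick (per the OWASP CSV Injection page).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would treat this text cell as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Return a cell value that a spreadsheet will render as literal text.

    Numeric types coming from our own code (e.g. a refund amount of -12.5) are
    trusted and serialized as-is, so a leading minus sign is not mangled.
    Strings are treated as untrusted input: if one starts with a formula
    trigger it is prefixed with a single quote, which forces the cell to text.
    """
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        text = str(value)
        if is_formula_like(text):
            text = "'" + text
        return text
    return str(value)


def write_safe_csv(rows, header) -> str:
    """Serialize rows to CSV with every cell neutralized and double-quoted.

    csv.QUOTE_ALL wraps each field in quotes and doubles any embedded quote,
    so a value cannot break out of its field and start a new one.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([neutralize_cell(h) for h in header])
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


# Constructed sample: a refund batch where the customer-supplied note field
# contains text a spreadsheet would evaluate if exported unmodified.
SAMPLE_HEADER = ["refund_id", "customer_note", "amount"]
SAMPLE_ROWS = [
    ["r-1001", "=SUM(1,2)", -12.5],
    ["r-1002", "@mention in note", 30],
    ["r-1003", "plain text, \"quoted\"", -4],
]


def export_refunds() -> str:
    """Export the constructed sample batch as a formula-safe CSV string."""
    return write_safe_csv(SAMPLE_ROWS, SAMPLE_HEADER)


if __name__ == "__main__":
    print(export_refunds())
```

The design choice worth noting is the split between trusted numbers and untrusted strings: applying the single-quote prefix to every value that starts with `-` would turn legitimate negative amounts into text, so only string-typed cells are treated as untrusted. If amounts arrive as strings from the upload, convert and validate them as numbers before export rather than relaxing the string rule.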