AttackForge

AttackForge is a comprehensive pentest management and reporting platform designed for security teams to centralize findings, manage vulnerabilities, generate customized DOCX reports with Jinja templating, and track remediation through retest workflows.

Overview

AttackForge offers both cloud-hosted and self-hosted deployment options with flexible pricing tiers:

Feature	Core	Pro
Projects	Unlimited	Unlimited
Team Members	Limited	Unlimited
Custom Branding	No	Yes
Jinja Templates	Basic	Advanced
API Access	Limited	Full
SAML/SSO	No	Yes
Priority Support	No	Yes
Webhook Integrations	No	Yes

Deployment Options:

Cloud: SaaS hosted solution, automatic updates, no infrastructure management
Self-Hosted: On-premises deployment, full data control, Docker/Kubernetes compatible

Getting Started

Account Setup

Create your AttackForge account and initialize workspace:

# Navigate to AttackForge login
# Click "Sign Up" for new account
# Enter email, create password, verify email
# Complete organization details (name, industry, team size)
# Accept terms and enable two-factor authentication

Initial Configuration:

Set organization branding (logo, colors, company name)
Configure default CVSS scoring methodology
Define custom severity levels and risk ratings
Set up notification preferences (email, Slack, webhooks)

Workspace Configuration

Configure your workspace for team collaboration:

Setting	Purpose
Workspace Name	Identifies your work environment
Default Language	Report generation language
Time Zone	Standardizes timestamps
CVSS Version	CVSS 3.1 or 3.0 for scoring
Risk Rating Scale	Custom or predefined (Critical, High, Medium, Low, Info)

Navigate to Settings > Workspace to configure base settings and establish organizational standards.

Project Management

Creating and Configuring Projects

# Dashboard > New Project
# Enter project name, client name, engagement type
# Set project scope (internal/external/web app/network/mobile)
# Define assessment dates (start, end, retest dates)
# Add project description and reference IDs

Project Types:

Web Application Penetration Test
Network Penetration Test
Mobile Application Security Assessment
Cloud Infrastructure Assessment
Physical Security Assessment
Social Engineering Assessment

Scoping and Asset Management

Define project scope clearly within AttackForge:

Scope Details:
  In-Scope:
    - Specific domains and IP ranges
    - Web endpoints and APIs
    - Application servers
    - Database servers (external facing)
  
  Out-of-Scope:
    - Third-party services
    - Client infrastructure
    - Unrelated applications
    - Physical locations (for web tests)

Add assets individually or import bulk assets:

# Projects > [Project Name] > Assets
# Click "Add Asset" or "Import Assets"
# Enter hostname, IP, URL, or application name
# Assign asset type (Host, Web App, Network, Database)
# Add tags for organization (prod, staging, critical, dmz)
# Set asset status (In Scope, Out of Scope, Excluded)

Team Assignment

Assign team members and define roles:

# Projects > [Project Name] > Team
# Click "Add Team Member"
# Select user from workspace
# Assign role (Owner, Manager, Assessor, Viewer)
# Restrict to specific findings if needed
# Set notification preferences

Role Permissions:

Role	Project Edit	Findings Create	Report Generate	Admin
Owner	Yes	Yes	Yes	Yes
Manager	Yes	Yes	Yes	No
Assessor	No	Yes	No	No
Viewer	No	No	No	No

Vulnerability Management

Finding Library and Creation

Access centralized finding templates:

# Projects > [Project Name] > Findings Library
# Search by CWE, OWASP, category, or custom tags
# Click finding to view details
# Modify title, description, impact for your engagement
# Save as finding or template for reuse

Creating Custom Findings:

# Click "Create New Finding"
# Enter finding title (e.g., "SQL Injection in Login Form")
# Write detailed description with context
# Provide affected assets/URLs
# Add reproduction steps in markdown
# Upload proof-of-concept code or screenshots
# Assign CVSS metrics
# Set remediation guidance
# Click "Save to Project"

CVSS Scoring and Severity Mapping

AttackForge integrates CVSS v3.1 scoring:

# Finding Detail > CVSS Calculator
# Select Attack Vector (Network, Adjacent Network, Local, Physical)
# Set Attack Complexity (Low, High)
# Define Privileges Required (None, Low, High)
# Set User Interaction (None, Required)
# Choose Scope (Unchanged, Changed)
# Set Impact (Confidentiality, Integrity, Availability: None/Low/High)
# Environmental metrics (optional)

Severity Mapping Example:

CVSS Score -> Severity:
  9.0-10.0: Critical
  7.0-8.9:  High
  4.0-6.9:  Medium
  0.1-3.9:  Low
  0.0:      Info

Custom Fields

Extend findings with custom metadata:

# Projects > Settings > Custom Fields
# Click "Add Custom Field"
# Define field name (e.g., "OWASP Category", "CWE ID")
# Set type (Text, Dropdown, Number, Date, Boolean)
# Make field required or optional
# Set default values
# Apply to all findings or specific templates

Example Custom Fields:

OWASP Top 10 Category (A01:2021 - Broken Access Control)
CVSS Environmental Score
Business Impact Rating
Detection Method (Manual/Automated/Hybrid)
Compliance Mapping (PCI-DSS, HIPAA, SOC2)

Evidence and Attachment Upload

Attach supporting documentation:

# Finding Detail > Evidence
# Click "Upload Evidence"
# Attach screenshots, HAR files, logs, POC scripts
# Add captions and descriptions
# Set as "visible in report" or "internal only"
# Tag evidence by type (screenshot, log, code, network traffic)

Supported Formats:

Images: PNG, JPG, GIF, WebP
Documents: PDF, DOCX, XLSX
Code/Logs: TXT, JSON, XML, CSV
Archives: ZIP (max 50MB per file)

Report Generation

DOCX Template System

AttackForge generates customized DOCX reports with Jinja templating:

# Projects > [Project Name] > Reports
# Click "Generate Report"
# Select template (Executive, Technical, Detailed)
# Choose report type (Assessment, Retest, Follow-up)
# Select findings to include (all, critical only, by severity)
# Configure report settings

Jinja Templating for Reports

Access Jinja variables in custom templates:

{# Basic Report Structure #}
<h1>{{ project.name }} - Penetration Test Report</h1>
<p>Assessment Period: {{ project.start_date }} to {{ project.end_date }}</p>

{# Findings Loop #}
{% for finding in findings %}
  <h2>{{ finding.title }}</h2>
  <p>Severity: {{ finding.severity }}</p>
  <p>CVSS Score: {{ finding.cvss_score }}</p>
  <p>{{ finding.description }}</p>
  
  <h3>Affected Assets</h3>
  {% for asset in finding.affected_assets %}
    <li>{{ asset.name }} ({{ asset.type }})</li>
  {% endfor %}
  
  <h3>Remediation</h3>
  <p>{{ finding.remediation }}</p>
{% endfor %}

{# Executive Summary #}
<h2>Executive Summary</h2>
<p>Total Findings: {{ findings | length }}</p>
<p>Critical: {{ findings | selectattr('severity', 'equalto', 'Critical') | list | length }}</p>
<p>High: {{ findings | selectattr('severity', 'equalto', 'High') | list | length }}</p>

Custom Report Types

Define custom report templates:

# Projects > Settings > Report Templates
# Click "Create Template"
# Name template (e.g., "Executive Summary Only")
# Select sections to include:
  - Cover page with client branding
  - Executive summary
  - Methodology
  - Findings (with/without evidence)
  - Remediation guidance
  - Appendices
# Configure footer with disclaimer/confidentiality
# Save as default or project-specific

Branding Configuration

Customize report appearance:

# Organization Settings > Branding
# Upload company logo (primary + secondary)
# Set color scheme (primary, accent, text colors)
# Define fonts (header, body)
# Add custom header/footer text
# Include company contact information
# Add confidentiality disclaimers
# Configure company signature block

Retest Workflows

Scheduling and Managing Retests

Track remediation across retesting cycles:

# Finding Detail > Retest
# Click "Schedule Retest"
# Set retest date and assessor
# Add retest objectives (verify fix, regression testing)
# Link to original finding
# Set expected remediation status (Fixed, Partially Fixed, Not Fixed)

Retest States:

Not Scheduled
Scheduled
In Progress
Completed - Fixed
Completed - Partially Fixed
Completed - Not Fixed

Remediation Tracking

Monitor client remediation progress:

# Projects > Remediation Dashboard
# View findings by remediation status
# Track due dates vs completion dates
# Assign remediation owners
# Set SLA expectations (30/60/90 day targets)
# View historical remediation timeline

Status Updates and Communication

Facilitate client communication:

# Finding > Activity Log
# Add status update (e.g., "Client confirmed fix deployed")
# Attach verification evidence
# @mention stakeholders (client, manager)
# Set remediation confidence level (Low/Medium/High)
# Track multiple remediation attempts

Asset Management

Host and Application Inventory

Maintain comprehensive asset database:

# Projects > Assets
# Add Host: IP address, hostname, OS, criticality level
# Add Web App: URL, technology stack, authentication method
# Add Network: CIDR range, description, network purpose
# Add Database: IP, port, database type, sensitivity level

Tagging and Organization

Organize assets with flexible tagging:

# Asset Detail > Tags
# Add predefined tags (prod, staging, critical, external)
# Create custom tags (client-facing, legacy, deprecated)
# Filter findings by asset tags
# Generate reports by asset classification
# Track asset lifecycle (active, decommissioned, retired)

Asset Status Tracking

Monitor asset state throughout engagement:

Status	Meaning
Active	In-scope, being assessed
Excluded	Out-of-scope per agreement
Testing	Currently under active testing
Remediation	Fix deployed, awaiting verification
Verified	Remediation confirmed fixed

Integration

API Access and Authentication

Configure API credentials for integrations:

# Settings > API Keys
# Click "Generate New API Key"
# Name the key (e.g., "Jira Integration")
# Select permissions (read, write, findings, reports)
# Copy API key and secret
# Use in Authorization header: Authorization: Bearer <API_KEY>

CI/CD Integration

Integrate AttackForge into build pipelines:

# Organization Settings > Integrations > CI/CD
# Select platform (Jenkins, GitLab CI, GitHub Actions, Azure DevOps)
# Configure webhook URL
# Map findings to build failure thresholds:
  - Critical findings: Fail build
  - High findings: Warn build
  - Medium: Log only
# Set SLA requirements (findings must be resolved in N days)

Jira Integration

Sync findings with Jira tickets:

# Projects > Settings > Jira Integration
# Configure Jira URL and API credentials
# Map severity to Jira priority:
  - Critical -> Blocker
  - High -> Critical
  - Medium -> Major
  - Low -> Minor
# Auto-create issues for findings
# Sync status updates bidirectionally
# Link retest completions to issue closure

ServiceNow Integration

Connect with ServiceNow ITSM:

# Organization Settings > ServiceNow
# Configure ServiceNow instance URL
# Set up OAuth or API token authentication
# Map AttackForge findings to ServiceNow incidents
# Auto-create change requests for remediation
# Sync priority and status updates
# Track CMDB asset changes

Webhooks

Set up real-time event notifications:

# Projects > Settings > Webhooks
# Click "Add Webhook"
# Configure endpoint URL
# Select trigger events:
  - Finding created/updated/deleted
  - Retest scheduled/completed
  - Report generated
  - Project status changed
# Map custom headers (authentication)
# Test webhook delivery

Webhook Payload Example:

{
  "event": "finding_created",
  "project_id": "proj-12345",
  "finding": {
    "id": "find-67890",
    "title": "SQL Injection",
    "severity": "Critical",
    "cvss_score": 9.8,
    "affected_assets": ["db-server-01"]
  },
  "timestamp": "2026-04-17T14:30:00Z"
}

Analytics and Dashboards

Vulnerability Trends

Track vulnerability patterns over time:

# Analytics > Vulnerability Trends
# View findings by severity over time
# Analyze remediation velocity
# Compare current vs previous engagements
# Identify recurring vulnerability types
# Track CVSS score trends

Team Metrics and Performance

Monitor team productivity:

# Analytics > Team Metrics
# Findings discovered per assessor
# Average time to remediation
# Report generation statistics
# Retest completion rates
# Peer comparison (assessor performance)

SLA Tracking

Monitor SLA compliance:

# Dashboard > SLA Compliance
# Set SLA targets (Critical: 7 days, High: 14 days, etc.)
# View findings exceeding SLA
# Track remediation timeline
# Generate SLA compliance reports
# Alert on approaching due dates

Dashboard Customization

Build personalized dashboards:

# Create Custom Dashboard
# Add widgets:
  - Open findings by severity
  - Remediation status pie chart
  - Timeline of recent activity
  - Team performance metrics
  - Risk heat map by asset
# Set refresh intervals
# Share dashboard with team

CLI and API

REST API Authentication

Access AttackForge programmatically:

# Generate API key in Settings > API Keys
# Set up authentication header
curl -H "Authorization: Bearer YOUR_API_KEY" \
     https://api.attackforge.com/v1/projects

# Or use API secret for OAuth flow
curl -X POST https://api.attackforge.com/oauth/token \
  -d "client_id=YOUR_CLIENT_ID&client_secret=YOUR_SECRET&grant_type=client_credentials"

Common API Endpoints

Projects:

# List projects
GET /v1/projects

# Get project details
GET /v1/projects/{project_id}

# Create project
POST /v1/projects
Content-Type: application/json
{
  "name": "Acme Web App Test",
  "client": "Acme Corp",
  "engagement_type": "web_app_pentest",
  "start_date": "2026-04-17",
  "end_date": "2026-05-01"
}

# Update project
PUT /v1/projects/{project_id}

# Delete project
DELETE /v1/projects/{project_id}

Findings CRUD:

# List findings in project
GET /v1/projects/{project_id}/findings

# Get finding details
GET /v1/findings/{finding_id}

# Create finding
POST /v1/projects/{project_id}/findings
Content-Type: application/json
{
  "title": "SQL Injection in Login",
  "description": "Unvalidated input in login form allows SQL injection",
  "severity": "Critical",
  "cvss_score": 9.8,
  "affected_assets": ["web-app-01"],
  "remediation": "Implement parameterized queries"
}

# Update finding
PATCH /v1/findings/{finding_id}
{
  "severity": "High",
  "status": "remediated"
}

# Delete finding
DELETE /v1/findings/{finding_id}

Assets:

# List project assets
GET /v1/projects/{project_id}/assets

# Add asset
POST /v1/projects/{project_id}/assets
{
  "name": "api.example.com",
  "type": "web_app",
  "url": "https://api.example.com",
  "criticality": "high"
}

Reports:

# Generate report
POST /v1/projects/{project_id}/reports
{
  "template": "technical",
  "findings_filter": "all",
  "include_evidence": true
}

# Get report status
GET /v1/reports/{report_id}

# Download report
GET /v1/reports/{report_id}/download

Automation Examples

Common automation tasks:

import requests
import json

API_KEY = "your_api_key"
BASE_URL = "https://api.attackforge.com/v1"
HEADERS = {"Authorization": f"Bearer {API_KEY}"}

# Create finding programmatically
def create_finding(project_id, title, severity, asset):
    payload = {
        "title": title,
        "severity": severity,
        "affected_assets": [asset],
        "description": "Automated finding creation"
    }
    resp = requests.post(
        f"{BASE_URL}/projects/{project_id}/findings",
        headers=HEADERS,
        json=payload
    )
    return resp.json()

# Bulk update finding status
def update_findings_status(project_id, severity_filter, new_status):
    findings = requests.get(
        f"{BASE_URL}/projects/{project_id}/findings",
        headers=HEADERS,
        params={"severity": severity_filter}
    ).json()
    
    for finding in findings:
        requests.patch(
            f"{BASE_URL}/findings/{finding['id']}",
            headers=HEADERS,
            json={"status": new_status}
        )

Template Customization

Creating Custom DOCX Templates

Build project-specific report templates:

# Projects > Settings > Custom Templates
# Download template starter kit (DOCX with Jinja placeholders)
# Edit in Word or compatible tool
# Add/remove sections as needed
# Insert Jinja variables for dynamic content
# Upload customized template
# Test with sample data

Jinja Filter Examples

Advanced template customization:

{# Filter findings by severity #}
{% set critical_findings = findings | selectattr('severity', 'equalto', 'Critical') | list %}

{# Group findings by asset #}
{% set findings_by_asset = findings | groupby('affected_assets[0]') %}
{% for asset, asset_findings in findings_by_asset %}
  <h2>{{ asset }} - {{ asset_findings | length }} findings</h2>
{% endfor %}

{# Format dates and numbers #}
<p>Report Generated: {{ now | strftime('%Y-%m-%d') }}</p>
<p>Total Risk Score: {{ total_cvss | round(2) }}</p>

{# Conditional rendering #}
{% if findings | length > 0 %}
  <h2>Findings Summary</h2>
{% else %}
  <p>No findings identified.</p>
{% endif %}

{# Calculate statistics #}
{% set avg_cvss = (findings | map(attribute='cvss_score') | sum) / (findings | length) %}
<p>Average CVSS: {{ avg_cvss | round(1) }}</p>

User Roles and Permissions

Role Definitions

Manage team access with granular permissions:

Organization Admin:
  - Create/manage workspaces
  - Manage user accounts
  - Configure SSO and integrations
  - Access billing and usage

Project Owner:
  - Full project control
  - Create/delete findings
  - Manage team members
  - Generate reports
  - Configure retests

Project Manager:
  - Create/edit findings
  - Manage team assignments
  - Generate reports
  - Track remediation
  - Cannot delete projects

Assessor:
  - Create/edit own findings
  - Upload evidence
  - View project details
  - Cannot generate reports
  - Cannot modify team

Viewer:
  - Read-only access
  - View findings
  - View reports
  - Cannot make changes

Permission Matrix

# Projects > [Project Name] > Team
# Edit member row to adjust permissions
# Grant specific capabilities:
  - Can Create Findings
  - Can Edit Findings
  - Can Delete Findings
  - Can View Reports
  - Can Generate Reports
  - Can Manage Team
  - Can Schedule Retests
  - Can View Analytics

Troubleshooting

Common Issues

Report Generation Timeout:

# Issue: Report takes >5 minutes or fails
# Solution:
#   - Reduce number of findings in report (filter by severity)
#   - Split large reports into multiple smaller reports
#   - Check system resource usage
#   - Contact support for large dataset handling

Jinja Template Errors:

# Issue: Report generation fails with template syntax error
# Check:
#   - Variable names match available fields (use {{ findings | debug }})
#   - Syntax highlighting for Jinja (spaces in {%})
#   - No undefined variables (use {% if variable is defined %})
#   - Proper filter chaining (| is required between filters)

API Authentication Fails:

# Issue: 401 Unauthorized on API calls
# Verify:
#   - API key is current (regenerate if needed)
#   - Header format: Authorization: Bearer <KEY>
#   - Key has required permissions
#   - No leading/trailing spaces in API key

Asset Import Issues:

# Issue: Bulk asset import fails or partial import
# Solutions:
#   - Verify CSV format (headers: name, type, url, tags)
#   - Check for duplicate assets (import skips duplicates)
#   - Ensure IP/URL format is valid
#   - Limit import to <5000 assets per batch

Support Resources

Help Center: knowledge base and documentation
Community Forum: peer support and discussions
Email Support: support@attackforge.com
Premium Support: 1-hour response SLA for Pro tier
Slack Community: user group and feature discussions

Best Practices

Engagement Planning

Pre-Engagement:
  - Define clear scope and objectives
  - Document assumptions and constraints
  - Establish communication channels
  - Set remediation SLAs
  - Define approval workflows

Finding Documentation

Use consistent title format: “Vulnerability Type - Location”
Provide step-by-step reproduction in tests
Include business impact alongside technical risk
Reference industry standards (OWASP, CWE, CVE)
Attach evidence for every critical finding

Report Quality

Customize executive summary for stakeholder audience
Use consistent terminology throughout
Verify CVSS scores reflect actual business impact
Include actionable remediation guidance
Set realistic remediation timelines

Team Collaboration

Establish finding review workflow before publishing
Use @mentions to assign ownership
Standardize custom field usage
Document template conventions
Regular sync on naming and classification

Security and Access

Enable two-factor authentication for all users
Use API keys with minimal required permissions
Rotate API keys quarterly
Log API usage and sensitive operations
Restrict dashboard/report access by project
Archive old projects after 90 days

Alternative Pentest Management Platforms:

Ghostwriter: Internal engagement tracker and report generator
PlexTrac: Vulnerability and assessment management with advanced reporting
Dradis: Collaborative pentest framework with flexible reporting
Metasploit Pro: Penetration testing with result aggregation
Burp Suite Enterprise: Web app scanning with centralized management

Complementary Tools:

Jira: Issue tracking and remediation project management
ServiceNow: ITSM integration and incident tracking
Slack: Team notifications and real-time updates
ReportGen: Template-based report generation
Zap/Burp Pro: Web application scanning and vulnerability discovery