What This Article Covers

This article provides a comprehensive guide to the Pentest Details page, explaining its features, available actions, and how to interpret the information to effectively manage your Vulnerability Assessment and Penetration Testing (VAPT) assessments.

Who Should Read This

This article is essential for anyone responsible for overseeing or participating in a pentest, including security managers, development teams, and IT professionals.

Why This Matters

Understanding the Pentest Details page empowers you to track progress, prioritize remediation efforts, and leverage actionable findings to significantly strengthen your organization's security posture. Effective use of this page ensures you can efficiently manage your security assessments and achieve a higher security grade.


Understanding the Pentest Details Page

The Pentest Details page offers a comprehensive view of a specific manual pentest, detailing its progress, discovered vulnerabilities, and key metrics. This page is crucial for gaining insights into your security posture and managing your pentest assessments effectively.

Available Actions on the Pentest Details Page

There are three main actions you can perform directly from the Pentest Details page:

1. Request Re-Scan

To request a re-scan for a pentest, click on the "Request a Re-Scan" button. This will initiate the re-scan flow.

Important Considerations Before Requesting a Re-Scan:

2. Reports

You can generate a summary report for your pentest by clicking on the "Reports" button. This action will navigate you to the dedicated reports page.

[Insert Screenshot]

3. Get Certificate

Upon successful completion of a pentest, you can generate a certificate for it by clicking on the "Get Certificate" button. The validity of this certificate is 180 days.

[Insert Screenshot]

Key Metrics

On the Pentest Details page, you will also find three crucial metrics that provide a quick overview of your pentest status:

Tracking the Progress of the Pentest

To monitor the progress of your pentest, refer to the Progress widget located on the right side of the page. This widget indicates the current stage of the pentest along with an estimated time of arrival (ETA).

The progress bar visually represents the pentest status, covering the following stages:

  1. Starting Scan: Initial setup and preparation for the security assessment.

  2. Vulnerability Scan: A comprehensive phase involving systematic checks for security weaknesses. This includes several sub-steps:

    • a. Network Scanning: Identifies active hosts, open ports, and services on the network.

    • b. CVEs Scanning: Checks for known Common Vulnerabilities and Exposures (CVEs).

    • c. Test Cases: Executes predefined security scenarios to assess system responses.

    • d. Vulnerability Scanning: Uses automated tools to detect potential security weaknesses.

    • e. Connectivity Check: Verifies the ability to connect with and access the target system.

  3. Penetration Testing: Astra's security experts actively attempt to exploit vulnerabilities found in earlier stages. They perform simulated attacks to test the system's defenses and identify weaknesses that automated scans might miss.

  4. Vulnerabilities Verified: The team confirms and validates discovered security issues to ensure they are genuine and not false positives.

  5. Vulnerabilities Reported: All discovered security issues are compiled into a comprehensive report. This report details each vulnerability, its severity, potential impacts, and remediation recommendations, translating technical findings into actionable information.

  6. Re-Scan: After vulnerabilities have been reported and presumably addressed, a follow-up scan is conducted to verify proper implementation of fixes and check for any new issues.

  7. Certificate Awarded: The final step involves the issuance of a security certification or attestation, indicating that the system has undergone thorough testing and met specific security standards.

Improving Your Security Posture with Grades

We offer a comprehensive approach to assessing and mitigating security vulnerabilities in your applications. As part of this process, each reported vulnerability is assigned a risk score to help prioritize remediation efforts.

Additionally, we provide a security grade (A through F) to indicate the security level of your target. You can use this grade widget to actively address vulnerabilities and improve your grades for a pentest, which ultimately results in a better security posture. Improving your grades primarily involves promptly addressing high-severity vulnerabilities. More detailed information about grades and their calculation can be found [here].

Understanding the Vulnerability Severity Heatmap

The Vulnerability Severity graph provides a comprehensive overview of the status and severity of vulnerabilities detected during your pentest.

This heatmap-style chart helps you quickly assess the criticality and resolution status of each vulnerability, enabling you to prioritize remediation efforts effectively.

You can view the count of vulnerabilities for a specific combination of status and severity by hovering over a cell of the heatmap.
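The aggregation behind such a heatmap, as an added illustration that is not part of Astra's product or this article: it counts constructed sample findings per (status, severity) cell, the figure the hover tooltip shows, and derives from the same data the remediation order the grading section recommends (unresolved, most severe first). The severity and status labels are assumptions, since the page does not enumerate the exact values used in the dashboard.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Heatmap axes. The exact labels and their order are assumptions;
# the article does not list the values the dashboard uses.
SEVERITIES = ["Critical", "High", "Medium", "Low"]
STATUSES = ["Open", "In Progress", "Fixed", "False Positive"]

# Constructed sample findings, not data from any real pentest.
FINDINGS = [
    {"title": "SQL injection in login form", "severity": "Critical", "status": "Open"},
    {"title": "Outdated TLS configuration", "severity": "High", "status": "Open"},
    {"title": "Missing rate limiting", "severity": "Medium", "status": "In Progress"},
    {"title": "Verbose error messages", "severity": "Low", "status": "Fixed"},
    {"title": "Reflected XSS in search", "severity": "High", "status": "Fixed"},
    {"title": "Directory listing enabled", "severity": "Low", "status": "False Positive"},
]


def heatmap(findings: List[dict]) -> Dict[Tuple[str, str], int]:
    """Count findings for every (status, severity) cell, emitting 0 for empty
    cells so the grid is complete; this is the value a hover tooltip reports."""
    counts = Counter((f["status"], f["severity"]) for f in findings)
    return {(s, sev): counts.get((s, sev), 0) for s in STATUSES for sev in SEVERITIES}


def remediation_queue(findings: List[dict]) -> List[str]:
    """Unresolved findings ordered by severity, most severe first: the article
    says raising the grade primarily means fixing high-severity issues promptly."""
    unresolved = [f for f in findings if f["status"] in ("Open", "In Progress")]
    rank = {sev: i for i, sev in enumerate(SEVERITIES)}
    # sorted() is stable, so findings of equal severity keep their report order.
    return [f["title"] for f in sorted(unresolved, key=lambda f: rank[f["severity"]])]


def render(cells: Dict[Tuple[str, str], int]) -> str:
    """Plain-text rendering of the status x severity grid."""
    header = f"{'':<16}" + "".join(f"{sev:>10}" for sev in SEVERITIES)
    rows = [f"{s:<16}" + "".join(f"{cells[(s, sev)]:>10}" for sev in SEVERITIES)
            for s in STATUSES]
    return "\n".join([header, *rows])


if __name__ == "__main__":
    print(render(heatmap(FINDINGS)))
    print("Remediation order:", remediation_queue(FINDINGS))
```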

Viewing Reported Vulnerabilities During the Pentest

The Vulnerabilities section allows you to view all reported vulnerabilities for a specific pentest. You can also filter vulnerabilities based on their current status. Clicking on any row will open our newly built Vulnerability details sheet, which provides more in-depth information about a particular vulnerability.

To understand the detailed breakdown of vulnerability statuses and table rows, refer to the documentation [here]. You can also leverage the power of filters and tables to quickly find specific vulnerabilities you're looking for.


Need help? Raise a support ticket anytime from your Astra dashboard.