PlexTrac has region-specific deployment and maintenance windows to accommodate international growth and ensure minimal disruption to the global customer base. This approach offers several key benefits:

• Targeted updates: PlexTrac can roll out updates during off-peak hours for each geographic area.

• Reduced downtime: Ensures users experience system improvements outside their primary working hours.

• Improved responsiveness: This allows PlexTrac to be more agile in addressing region-specific needs or issues.

• Better resource allocation: Provides more targeted support and monitoring, ensuring smoother updates.

Deployment Regions and Timeframes

The start date for each deployment is listed in the Release Notes. The process begins in North America, followed by Australia/Eastern Asia and Europe/Western Asia the following day.

PlexTrac believes in maintaining transparency and open communication regarding security matters. This page is a centralized hub where details about newly discovered security flaws are published, along with their severity ratings, affected product versions, and instructions on mitigating or fixing those vulnerabilities.

PlexTrac strongly encourages all users to regularly review this page and promptly apply the recommended mitigations or updates to safeguard their systems against potential security risks.

Release 2.11.0

11/05/2024

This is not an incident notice or a breach notification. Your data remains safe, and the integrity of our platform remains intact.

Through collaboration with third-party researchers and processing responsible disclosure, the following security issues have been patched/remediated:

Insecure Deserialization via Runbooks Imports

A vulnerability was identified within a dependency used in our runbooks module for handling the upload/import of custom runbooks. The maintainer of the package identified a potential vulnerability within their code and proactively patched it; however, static analysis and software composition analysis tools are not currently reporting or detecting the issue.

Local File Inclusion

An undocumented and unpublished legacy endpoint was identified as having a local file inclusion vulnerability within the PlexTrac platform. Upon discovery, the endpoint was identified as unused based on historic forensic log searching and static analysis for in-code references to the endpoint.

N1QL Injection

An N1QL injection vulnerability was discovered within a legacy part of the application (slated for deprecation and removal). Upon initial report, the issue had already been resolved and was pending a scheduled platform release.

Denial of Service

Within a dependency of PlexTrac's frontend, a denial of service vulnerability was identified. This allowed an attacker to craft a payload resulting in a temporary restart of the web server by oversaturating an active websocket connection.

Upon discovery, the package and its uses were evaluated, resulting in the removal of the vulnerable package and the disabling of the use of the affected websocket endpoint within the platform. No patches were available to resolve the underlying vulnerability.

Insecure YAML Deserialization

An unsafe default within an open-source dependency that handles importing runbooks data into the platform was identified, allowing code execution within the legacy runbooks importer.

After concluding the initial triage, PlexTrac's team resolved the issue within the code to rely upon a safe method for handling parsing runbooks data files.

Arbitrary File Write via PTRAC Import

Within the PTRAC report import functionality of the PlexTrac platform, an arbitrary file write vulnerability was detected in the mechanism intended to facilitate transferring report artifacts between instances of the platform. This vulnerability is only exploitable when combined with an arbitrary directory write primitive.

After triage, the team was able to patch the issue and apply both validation/sanitization mechanisms to PTRAC files.

Arbitrary Directory Write via Runbooks Artifact Upload

Within the runbooks module's attachment upload function, a directory traversal vulnerability was detected. This allowed end users to write non-arbitrary files outside their intended destination on the remote system to create arbitrary directories. These directories could then be used as part of other vulnerabilities to gain code execution.

Post triage, the team was able to patch the issue, apply both validation/sanitization mechanisms to the affected endpoints and prevent the directory traversal and arbitrary directory creation.

All findings noted above were identified and reported by the NAT Cyber Security Centre team, including:

• Arnoldas Radisauskas

• Selim Decamps

• Ianis Bernard

To date, PlexTrac has not identified any exploitation of the items outlined within this advisory across privately hosted systems managed by PlexTrac's operations team. All items in this advisory were resolved within hours of the report, and your data/systems remain safe and secure.

Release 2.9.0

9/10/2024 An information exposure issue was identified within the platform, which would allow users not granted permission VIEW CLIENT ASSETS the ability to see information regarding affected assets within API responses. Permission was enforced in several areas of the application. However, when viewing findings, the affected assets for that finding were inadvertently disclosed in an API response. The issue has been patched to ensure proper asset restriction when viewing reports and findings throughout the platform.

PlexTrac helps cybersecurity teams improve and centralize workflow management processes across the entire lifecycle. The platform streamlines all aspects of the process, from staging offensive engagements and conducting assessments to analyzing data and reporting, prioritizing critical issues, collaborating between teams, and communicating with stakeholders.

PlexTrac Modules

When logging in to PlexTrac, users are greeted by the Dashboard page. Seven modules exist besides the Dashboard: Clients, Assessments, Reports, Priorities, Content Library, Analytics, and Runbooks.

Click a box to learn about a module.

Tenant Management

PlexTrac provides many options for configuring a tenant. Below are links to documentation for administration tasks, configuring user-specific settings, configuring authentication (OATH and SAML), integrating with APIs and parsers, installing and maintaining PlexTrac locally, and much more.

Click a box to learn about a topic.

The Dashboard is a centralized hub offering a single location for users to view relevant information. Users access by clicking Dashboard in the application's main menu.

Overview

The Dashboard provides information regarding reports, assets, and findings based on a user's role, permission settings, and access to published reports.

Information can be filtered by selecting the client from the pulldown menu.

Clicking data points within the graphs and charts will open a side drawer with further information about the findings and assets referenced in the data.

My Work Page

This page displays assignments as users receive them and a list of recently accessed reports.

The My Work page is accessed by clicking the icon found at the top right of the page.

Recent Reports

Once a report is viewed, a box will appear at the top of the page. This box displays the report's title, status, client, and the number of findings and assets. The report can be accessed by clicking the box.

Assignments

Assignments are grouped by type.

• My findings

• My reports

• My assessments

• My priorities

Assignments result from associations made from multiple areas of PlexTrac, such as being identified as a report operator, an assignee of a finding, or a reviewer of an assessment.

Click a tab for more information about each topic assignment, including the assigned role for the report or assessment.

Customizing Table View

The columns displayed in the table view of each assignment tab can be added or removed by clicking the column icon on the right of the page.

Once clicked, a modal appears that lists all fields that exist for that box.

To remove a column, click X within the bar.

When fields are removed, an "Add Column" pulldown menu is added at the bottom left of the modal to store the field. Any removed fields can be added later by clicking Add Column and selecting the field to add.

This modal represents the sequence of fields provided in the table, meaning the bar on top will be the column that appears on the far left of the relevant box.

The order of columns can be adjusted within this modal by clicking the six dots on the left of the bar for a field and dragging the bar to the desired sequence place.

Each topic has its list of fields and must be customized separately.

Notifications

Messages received within PlexTrac are stored on the Notifications page.

This page is accessed by clicking the bell icon at the top of any PlexTrac page next to the user name and then clicking View All.

When new notifications exist, the bell will have a red outline.

Clicking a new notification directly will send the user to the page that prompted it, and the notification will be set to the "Read" status.

Greetings! This page guides the effective and efficient use of the PlexTrac Documentation website, including navigation, exporting content, leaving feedback, and using search.

Left Navigation Bar

The main navigation menu is on the left sidebar, and it features links to various sections and pages of the website. These links act as gateways to specific areas, allowing you to find the information you need quickly. To navigate to the desired section, simply click on the corresponding link.

This site contains four main sections:

🟣 Product Documentation: This includes the home page and general information about PlexTrac that applies to all users, along with the following helpful resources: a quick start guide for new users, a page highlighting new end-user features, and release notes.

🟣 PlexTrac Modules: This includes all the modules in the platform, including those licensed.

🟣 Tenant Management: This guide is for administrators and covers various PlexTrac topics. It includes information on the admin dashboard, authentication configuration, integrations, third-party file imports, supported operating systems and browsers.

🟣 API Documentation: This section provides a comprehensive guide on how to use our API. It includes a "Getting Started" guide, a list of object structures and their attributes, and practical use cases. The documentation also outlines the API Change policy and logs the changes to ensure transparency and inform users of any updates or changes.

Search

This website provides multiple search options: keyword search, phrases in the form of a question, or selecting a query provided in the pulldown list.

To initiate a search query, click the "Search" box at the top right corner of the page or use the keyboard shortcut Ctrl-k.

Users who type in the search bar will see dynamic search results. The search results will display relevant pages on the site for preview and context, which can be clicked to visit.

Clicking a question provides answers in the search box with relevant information and sourcing listed at the bottom.

Export to PDF

Export to PDF is a function that downloads a digital file of a page or pages in PDF format that can be viewed, printed, and shared offline. To export a page, click Export as PDF, which can be found at the end of the page headings at the top right.

A preview page that can be printed or saved as a PDF appears.

Page Published Date

Each page has a timestamp of when it was last updated.

Page Rating

Each page allows reader feedback on the helpfulness of the content (not a rating of the product functionality discussed on the page). Provide feedback by clicking one of the three options.

In the Clients module, users can group and categorize data as needed. This helps manage confidentiality, integrity, and availability effectively while enhancing collaboration and catering to individual client needs.

Users access the module by clicking Clients in the application's main menu.

Overview

PlexTrac defines a client as a logical grouping utilized to segregate data. The term holds various meanings within different organizations, depending on the context in which it is used.

In the case of teams external to the consulting organization, the term "client" typically refers to those individuals or entities who utilize their services. These clients may include businesses, government agencies, or other organizations that engage the consulting team to assess their cybersecurity posture, conduct vulnerability assessments, or provide related services. For these external teams, the client represents the entity they work for and to whom they deliver their expertise.

For teams operating within the boundaries of an organization or company, a client could refer to a specific project, a business unit, a regional office, or a program within the organization. The purpose of defining a client in this manner is to facilitate the segregation of data, findings, reports, and assets, ensuring that information is appropriately isolated within the relevant groupings.

By organizing data according to different clients, teams can effectively manage and maintain confidentiality, integrity, and availability of information. This approach allows for more collaboration and reporting within specific client-based units, preventing data overlap and ensuring that each client's unique requirements and concerns are adequately addressed.

The Clients module home page displays all clients in a tenancy and provides access to the following:

1. Adding a new client: Clicking the New Client button launches a modal to enter information for a new client.

2. A count of how many clients exist for the tenancy.

3. Customizing the table view: Clicking the icon allows the configuration of the columns on this page.

4. Viewing a client dashboard: Clicking View under the "Actions" column goes directly to the Details tab of the Client Summary page.

5. Viewing all reports associated with a client: Clicking Reports under the "Actions" tab goes directly to the Reports tab of the Client Summary page.

6. Viewing all assets associated with a client: Clicking View Assets under the "Actions" tab goes directly to the Assets tab of the Client Summary page.

7. Deleting a client: Clicking View Assets under the "Actions" tab goes directly to the Assets tab of the Client Summary page.

Configuring Table View

The table view on the Clients home page can be customized by clicking the column view icon to the right of the search bar.

Once clicked, a modal appears that lists all fields.

To remove a column, click X within the bar.

When fields are removed, an "Add Column" pulldown menu is added at the bottom left of the modal to store the field. Any removed fields can be added later by clicking Add Column and selecting the field to add.

This modal also represents the sequence of fields provided in the table, meaning the bar on top will be the column that appears on the far left of the relevant box.

The order of columns can be adjusted within this modal by clicking the six dots on the left of the bar for a field and dragging the bar to the desired sequence place.

Click Save when finished.

PlexTrac offers easy access to detailed client information. By clicking on a client's row from the Clients module home page, the user is directed to the Client Summary page, which includes tabs for Reports, Findings, Assets, Details, Statistics, and Priorities.

These tabs offer insights into the client's reports, findings, asset inventory, client-specific details, and finding metrics. PlexTrac ensures a cohesive and organized approach to client management by centralizing all client data in one place.

Reports Tab

This tab lists all the reports associated with a client. It can also be reached by clicking Reports under the "Actions" column from the Client home page.

This tab displays the report title, status, classification, creation date, and finding count. It allows direct access to the Report Readout page and associated findings. Click one of the rows for more information about a specific report.

Bulk Actions

When editing multiple reports, PlexTrac offers bulk action capabilities. Bulk actions provide several advantages, including time-saving and increased efficiency by processing numerous items simultaneously.

Click Actions to see the list of options for reports.

Configuring Table View

The table view can be customized by clicking the column view icon to the right of the search bar.

Once clicked, a modal appears that lists all fields. To remove a column, click X within the bar.

When fields are removed, an "Add Column" pulldown menu is added at the bottom left of the modal to store the field. Any removed fields can be added later by clicking Add Column and selecting the field to add.

This modal represents the sequence of fields provided in the table, meaning the bar on top will be the column on the table's far left.

The order of columns can be adjusted within this modal by clicking the six dots on the left of the bar for a field and dragging the bar to the desired sequence place.

Click Save when finished.

Findings Tab

This tab lists all the findings associated with a client via a report.

Clicking a finding row pulls up a side-drawer and the findings detail view. From this view, a finding status can be edited by clicking the status value, and affected assets can be viewed and accessed directly for editing.

Bulk Actions

Bulk action options appear after one or more findings are selected by clicking the checkbox to the far left of the Finding Title field or by clicking the box next to the column header.

Click Actions to see the list of options available.

Configuring Views

The table view can be customized by clicking the column view icon to the right of the search bar.

Once clicked, a modal appears that lists all fields. To remove a column, click X within the bar.

When fields are removed, an "Add Column" pulldown menu is added at the bottom left of the modal to store the field. Any removed fields can be added later by clicking Add Column and selecting the field to add.

This modal represents the sequence of fields provided in the table, meaning the bar on top will be the column on the table's far left.

The order of columns can be adjusted within this modal by clicking the six dots on the left of the bar for a field and dragging the bar to the desired sequence place.

Click Save when finished.

Assets Tab

This tab lists all the assets associated with a client and the ability to view the asset, edit the asset properties, add any notes, or delete the asset.

Bulk Actions

Bulk action options appear after selecting one or more assets by clicking the checkbox to the far left of the Assets field or by clicking the box next to the column header.

Click Actions to see the list of options available.

Configuring Table View

The table view can be customized by clicking the column view icon to the right of the search bar.

Once clicked, a modal appears that lists all fields. To remove a column, click X within the bar.

When fields are removed, an "Add Column" pulldown menu is added at the bottom left of the modal to store the field. Any removed fields can be added later by clicking Add Column and selecting the field to add.

This modal represents the sequence of fields provided in the table, meaning the bar on top will be the column on the table's far left.

The order of columns can be adjusted within this modal by clicking the six dots on the left of the bar for a field and dragging the bar to the desired sequence place.

Click Save when finished.

Details Tab

This tab provides an overview of the client for all published reports. The primary purpose of this overview is to provide a snapshot of the client's security posture and the progress made in addressing the identified issues. It is a centralized dashboard where users can quickly assess the client's status at a glance, enabling efficient monitoring and decision-making.

In addition to the status overview, this tab also provides various functionalities and options to manage the client's information and related activities.

1. Edit the client's contact information and logo

2. Import assets associated with a client

3. Create a report

4. Manage authorized users

If relevant, banner messaging for user license status appears in the "User Access" section on the Details tab. Visit the RBAC section for more information on licensing users.

Statistics Tab

This tab offers a snapshot of a client's findings based on severity and status for all published reports.

By organizing findings by severity and status, users can quickly identify the number of open or unresolved findings that require attention and follow-up actions.

Priorities Tab

This tab provides a summary of all priorities associated with the client. The list displayed is based on whether the tenancy enables client-specific or tenant-level priorities.

It can be determined whether a priority applies to all clients or a specific one based on the "Client" column value. If a priority applies to all clients, an "All clients" value is displayed. If it is client-specific, the client's name will appear instead.

The priority can be accessed directly by clicking on its title or row.

Bulk Actions

Bulk action options appear after one or more priorities are selected by clicking the checkbox to the far left of the Priority field or by clicking the box next to the column header.

Once available, click on Actions to see the list of options.

Configuring Table View

The table view can be customized by clicking the column view icon to the right of the search bar.

Once clicked, a modal appears that lists all fields. To remove a column, click X within the bar.

When fields are removed, an "Add Column" pulldown menu is added at the bottom left of the modal to store the field. Any removed fields can be added later by clicking Add Column and selecting the field to add.

This modal also represents the sequence of fields provided in the table, meaning the bar on top will be the column on the table's far left.

The order of columns can be adjusted within this modal by clicking the six dots on the left of the bar for a field and dragging the bar to the desired sequence place.

Click Save when finished.

PlexTrac offers role-based access controls (RBAC) at the client level. RBAC allows teams to efficiently manage user privileges and permissions based on specific client requirements, enabling effective collaboration and task accomplishment.

Within PlexTrac, three default levels of access exist that can be assigned to users based on their responsibilities:

1. Administrator: An Administrator has the highest access level within PlexTrac. They possess extensive privileges and can perform various tasks, including creating reports, adding findings, tracking status, managing users, configuring settings, and accessing all areas of the platform related to the client.

2. Standard User: A Standard User plays a crucial role in managing and documenting activities for a client. They can create reports, add findings, and track the status of ongoing projects. This level of access allows Standard Users to contribute actively, collaborate with other team members, and provide valuable insights throughout the process.

3. Analyst: An Analyst is a user with a more limited role. Their primary responsibility is to track and update the status of identified vulnerabilities. While they may not have the authority to create reports or add findings, their role is essential in ensuring the accurate documentation and timely resolution of identified issues. Analysts can provide real-time updates on the progress of vulnerability mitigation efforts, making it easier for the broader team to stay informed and take necessary actions.

These default access levels ensure each team member has the appropriate privileges and responsibilities aligned with their role and contribution to the client's initiatives. By assigning specific access levels, teams can streamline workflows, maintain data integrity, and improve overall efficiency in managing and securing client environments.

Licensing

When adding a user to a role that is licensed, an icon will appear at the end of the role title, regardless of the number of licenses available.

Any messaging regarding user licenses will appear as a banner on the "Authorize Client Users" modal.

Adding Users to a Client

Step 1: From the Clients module home page, click View under the "Actions" menu for the impacted client.

Step 2: Scroll to the User Access section and click Add/Authorize User.

Step 3: Select the user to add from the "User" field pulldown menu.

Only existing users in the tenancy who are not authorized for the client appear in the pulldown menu.

After adding a user, the "Role" and "Classification" fields will be automatically filled in but can be changed.

Step 4: Click Add User to add additional users (if applicable). Click Save when finished.

Deleting a User

Step 1: From the Clients module home page, click View under the "Actions" menu for the impacted client.

Step 2: Scroll down to the "User Access" section and click Revoke under the "Actions" column in the user's row to remove access permissions.

Step 3: A dialog box will appear confirming the action. Click Revoke.

Changing User Roles

Step 1: From the Clients module home page, click View under the "Actions" menu for the impacted client.

Step 2: Under the "User Access" section, select the new role from the pulldown menu in the "Role" column for the user.

The change is immediate. A dialog box will appear at the bottom left of the screen confirming the change.

Changing User Classification Level

Step 1: From the Clients module home page, click View under the "Actions" menu for the impacted client.

Step 2: Scroll down to the "User Access" section and click the pulldown menu under the "Classification Level" column of the user impacted.

Step 3: Select the new classification level.

The change is immediate. A dialog box confirming the change will appear at the bottom left of the screen.

Once clients have been added, PlexTrac offers a range of features that facilitate editing and managing information, including contact details, custom fields, logos, and additional notes and details. With just a few clicks, users can ensure client information remains accurate and relevant.

Editing Client Information

Step 1: From the Clients module home page, click View under the "Actions" menu for the impacted client to reach the Details tab.

Step 2: Click the Details tab.

Step 3: Click Edit Client Information.

Step 4: The "Edit Client Information" modal appears and can be modified as desired. Click Submit when finished.

Deleting a Client

Step 1: From the Clients module home page, click the three dots under the "Actions" column corresponding to the client and click Delete Client.

A modal will appear, confirming the action. Click Delete.

In the Schedule module, users can request and view engagements while others can create, approve and allocate resources to work on reports.

Users access the module by clicking Schedule in the application's main menu.

Overview

The Schedule module streamlines scheduling, resource management, and team visibility to enhance pentesting and report efficiency.

For Managed Security Service Providers (MSSPs), the scheduler offers comprehensive oversight of ongoing projects and facilitates efficient handling of incoming requests. On the client side, the portal experience consolidates all relevant information and provides intuitive tools for requesting new engagements within PlexTrac instead of email. Users can easily document and communicate engagement details to the team, while resource managers receive a holistic view to optimize scheduling.

Any report managed by an engagement will display this information on the Details tab of a report, with a link directly to the engagement.

Users who do not have permission to approve an engagement can still request one.

Step 1: From the Calendar tab of the Schedule module, click Request engagement.

Step 2: Enter the engagement details in the provided side drawer. Click Continue.

Step 3: Add any relevant files for context. Click Submit.

A dialog box will appear explaining the next steps. Click Ok.

The engagement is now listed as pending on the Calendar and List tabs.

This page provides information about the changes, updates, enhancements, fixes, and new features introduced when a new deployment is released. The date provided is when the deployment started worldwide in Region 1.

Release 2.11

11-5-24

Improved

• Added ability to create contextual equations to rank findings based on risk

• Introduced webhooks to receive real-time, event-driven communication for specific events (cloud only)

• Added a comment archive feature allowing users to view a historical list of accepted or rejected comments and associated metadata

• Added import support for Veracode’s DAST and SCA files

• Real-Time Collaboration enabled for findings, narratives, writeups, and the content library

• New process for customizing the login page logo (now uses the same process as in-app logo and icon management in the Admin Dashboard)

Updated

• PlexTrac is updating its Jira integration to support multiple client-based integrations. This update has implications for those using the API in an unsupported workflow to add Jira ticket links to PlexTrac findings. Click here to learn more.

Release 2.10

10-8-24

Improved

• Calendar invites from approved engagements are included as attachments in emails to the report operator

• Admins can configure Plex AI access by user and client

• Admins can configure report export options for users

• Improved the autosave messaging across the application

• Added the client name and a link to the report in the report status email template

• Findings from Nessus file imports now include an exploit field

Release 2.9.0

9-10-24

Improved

• New dashboard experience (available for on-prem instances in 2.10.0)

• Improvements in performance and notifications when importing findings (Burp, Nessus, Veracode)

• Support for Google OAuth email configuration (available for on-prem instances in 2.10.0)

• New admin experience for managing users

• AI responses now stream as generated

Fixed

• Resolved a vulnerability that allowed unauthorized users to view client asset details in API responses when accessing findings

• Fixed responsiveness issues with the export report button (ZD 7972)

• Fixed 404 errors on the email templates manager page

Release 2.8.0

8-13-24

Improved

• UTF-8 support for the writeups CSV template (special characters are no longer stripped)

• Support for drop-down custom fields in Jira integrations

• Enhancements to Nessus parser import (support for larger files, new fields progress bar)

• Bulk action options for severity updates added to findings tables

• Auto-save functionality added to the report details page

Fixed

• Fixed issue of the CVE/CWE ID filter not working in the client findings tab

• Fixed RBAC permission issue in which the Schedule module was appearing incorrectly after being disabled (ZD 7771)

• Fixed alignment issues that existed between calendar and availability tabs for the Schedule module (ZD 7729, 7806)

• Fixed issue with operators pulldown not containing values when creating a report within the client module (ZD 7657, 7769, 7780, 7803, 7908, 8136)

• Fixed the issue of the start date value for a report disappearing as data was entered into the end date field

• Fixed numbering format issue in report narratives shown on the report readout tab (ZD 6995)

• Fixed issue in which users in the report reviewer pulldown menu did not appear if pages were refreshed (ZD 6492)

• Fixed issue in which client description information was not appearing upon export (ZD 6501, 7650)

• Fixed inconsistencies related to case sensitivity in the search functionality (ZD 6749, 6868, 7191, 7674, 8006)

Release 2.7.0

7-16-24

Improved

• New table experience for managing users in the Admin Dashboard, along with a side drawer for additional options without leaving the page

• New experience for admins when adding users that provides more configuration and options on one page

• Finding custom fields now available for use as a variable in an equation for contextual scoring in the Priorities module

• Likelihood x Impact is now a scoring option on findings via a sliding scale

• Enhancements to Burp parser imports

• Provide the ability to direct users to a unique landing URL after SSO for SAML

• Writeups CSV import allows duplicate writeup titles to be created upon import

Fixed

• Fixed issue that may occur during a Nessus file import (ZD 7613)

• After an engagement is canceled in the Schedule module, associated reports are deleted (ZD 7491, 7718)

• Fixed issue with Cobalt imports with the ‘declined’ field not being mapped to a severity value of ‘Informational’ (ZD 7270)

• Fixed error message that occurred when exporting a report containing a procedure (ZD 7014)

• Fixed an issue that occurred when exporting a report to CVS that contained multiple custom fields and CVSS scores (ZD 5568, 7646)

• Fixed the issue with changing the sequence of writeups in the WriteupsDB module when editing (ZD 5590,6285,7318)

• Fixed issue with code markup in rich-text fields not exporting correctly (ZD 6601,7576,7830)

• Sorting of report templates within report details is now in alphabetical order to match the report creation modal

• Fixed an issue in which a file imported a second time to the same report was not retaining history and comments from the first upload (ZD 7359)

Release 2.6.0

6-17-24

Improved

• OWASP parser improvements with a new file mappings page

• Added notifications for the Schedule module

• Known Hostname and Detailed Results fields added to asset evidence in Nexpose integration (mappings page updated)

• New metrics tab added for the Priorities module

• Added auto-format functionality within rich-text fields

• Enabled the Code Samples tab for findings to be a rich-text field (ZD 6883)

Fixed

• Fixed the issue of execution steps within an engagement not printing from a report (ZD 6425)

• Fixed issue with the finding severity order being displayed incorrectly (ZD 5704, 6254)

• Fixed issue with the window size increasing after pasting a large code block into the rich-text field of a finding narrative (ZD 6038)

• Fixed the issue of image IDs breaking when exporting to XML (ZD 3773, 5100)

Release 2.5.0

5-21-24

Improved

• New Schedule module that allows users to create and manage engagements

• Implementation of AI that can generate findings descriptions and remediation steps

• CVSS 4 field added to Writeups CSV import file

• Improvements to the Tenable scan date selector

• Updated the Tenable Vulnerability Management integration to improve sorting data by tag

• Runbooks now support OWASP test plans

Fixed

• Fixed the 400 error message that occurred when a user added a narrative section from a report to NarrativesDB (ZD ID6753, 6839, 7001, 7260, 7266)

• Fixed a border issue occurring when exporting to a Word template (ZD ID6652)

• Fixed header issue on the “edit priority page” where the client name was not being displayed properly

• Fixed issue that occurred after copying a finding to WriteupsDB with a CVSS v3.1 vector containing lower-case letters

• Updated Pentera file import integration to support accurate port data

• Updated OpenVas file import integration to support accurate port data.

Release 2.4.0

4-23-24

Improved

• Updated functionality for editing and tracking changes in rich-text fields

• Introduced licensed users and permissions, which impacts user management and RBAC

• Added support within the application to configure CVSS 4.0 (integration support with third-party tools coming later)

• Updated field mappings for Nessus

• Updated field mappings for Acunetix

• Updated field mappings for Veracode

• Created field mappings page for importing assets into the Clients module via Nmap

• Updated APIs to support side-drawer component

• Updated contextual scoring permissions for the Priorities module to enable wider access to other users with relevant permissions

• Ability to see a priority linked to an asset and edit within asset details

• Ability to link a priority while creating/editing a finding

• Ability to have real-time collaboration in rich-text fields that have auto-save enabled (this will be released in phases, with cloud-hosted customers gaining access by May 1 and on-prem customers gaining access beginning May 2)

Fixed

• Fixed issue with audit log not searching by user name

• Fixed issue with the Target Remediate Date field not appearing in a custom column in the Priorities module (ZD ID6426)

• Updated notification emails with the correct Priorities documentation link

• Fixed issue of an analyst being unable to update the status of a published finding until the report is published (ZD ID6100)

• Fixed issue in which custom RBAC roles with the ability to edit assets could not update the status without additional unnecessary permissions (ZD ID5490, 5528, 5791, 6247)

Release 2.3.0

3-25-24

Improved

• Enhanced Tenable TVM and SC integration options and documentation for field mappings (PlexTrac is now an approved Tenable Technology Partner)

• Updated Mitre methodology in the default repository and Runbook test plan to include the techniques and tactics of MITRE v14.1 accompanied by procedure updates to Atomic Red Team atomics

• Ability for administrators to view tenant activity via the new audit log button in the Admin Dashboard

• Ability to view a finding’s details more easily via a side drawer for the Clients and Reports module (a side drawer also exists for the attack path tab and associated findings on assets)

• Analyst users are now redirected back to the assessment view after an assessment is submitted

• Nessus parser performance improvements that enable support for ingesting larger files

Fixed

• Fixed issue with the report readout card default sort order (critical now on top)

• Fixed issue with date filters when formats other than MM/DD/YYYY are used (ZD ID6534)

• Fixed issue of a tenant logo resizing incorrectly on some pages

• Fixed issue of the client logo not displaying on the client profile page

• Fixed issue with adding multiple entries of the same affected port for different services (ZD ID5135)

• Fixed issue of a report not being created when an analyst user submitted an assessment (ZD ID6218)

Release 2.2.0

3-6-24

Improved

• New and improved Nexpose integration, including CVSS scores, new custom fields, added port data, and updated documentation of field mappings

• API updates to support new Priorities module

• Changes to the finding substatus field will initiate autosave

• When parser actions are bypassed, the prompt in the file upload modal dynamically updates

Fixed

• Fixed issue of repositories built via API or CSV not displaying the number of writeups

• Fixed issue of linebreaks for some text fields not being honored when exporting a CSV file (ZD ID5566)

• Fixed issue of a custom RBAC role with the ability to edit assets is unable to update the asset status without additional unnecessary permissions (ZD ID5490,5528,5791,6247)

• Fixed issue of ports not being saved as distinct items when adding multiple entries of the same affected port for different services (ZD ID5135)

• Fixed issue that a disabled parser action did not remove the parser actions prompt from the file upload modal

Release 2.1.0

1-30-24

Improved

• New Priorities module with custom equations launched

• Support for JIRA Data Center (in place of JIRA server) beginning on February 15th

• Updated CKEditor to version 37.0.1

• Added a table column in the parser actions page of the Admin Dashboard to display “Original Severity”

• Added ability for the user to bypass parser actions when importing a file into a report

• Report narrative sections no longer automatically expand when the user creates a new section or starts typing in an existing section

Fixed

• Fixed issue of tenant logo resizing inconsistently

• Fixed data discrepancy issue on the "Asset findings overview" table in the Analytics module

• Fixed filtering issues occurring on the Asset tab of the Analytics module

• Fixed sorting of columns issues occurring on the Asset tab of the Analytics module

• Fixed filtering issues occurring on the Findings tab of the Analytics module

• Fixed the issue of an empty “Findings by clients” box in the Findings tab of the Analytics module

• Fixed the issue of an empty "Most critical findings" box in the Findings tab of the Analytics module

• Fixed issue in “Breakdown by client” graph of Findings tab in Analytics module displaying Client ID instead of name when filtering by tags

• Fixed issue of the client logo not displaying

• Fixed issue of default fields being removed from tables

• Fixed issue in which the user is unable to delete some comments in RTF fields

• Fixed issue in which a custom RBAC role with the ability to edit assets cannot update the status without having to edit the report’s findings permission

• Fixed issue with malformed tables upon report export to Word

• Fixed issue of soft returns (shift+enter) not working on lists within a report export template

• Fixed the issue of white labeling not working in some scenarios

Release 2.0.0

1-2-24

Improved

• Added affected asset port data to the CSV findings export

• Added ability for user to opt out of warning modal when a findings layout is applied to a report

• Findings will autosave after all required fields have been set

• Added capability to customize the table columns for SLAs in the Admin Dashboard

• Added field in Admin Dashboard for Cobalt URL when configuring the integration

• Improvements to the Snyk integration

• Improvements to how runbook procedures are ordered upon edit and creation

• General platform performance improvements

Fixed

• Fixed issue with exported Word reports being impacted by styles even though no style guide was associated

• Fixed issue of analytics not displaying filter data in the Analytics module

• Fixed issue in which some users cannot copy/move writeups from their default repository to another repository

• Fixed issue in which the user was unable to scroll through all findings for a report in the right column of the report Readout tab

• Fixed issue in which published findings may not be visible to approved users if the report is not published

• Fixed issue with the “Trend of findings opened vs. closed by month” table displayed on the Details tab for a client in the Clients module

• Fixed issue with sorting of columns not working for the table on the Assets tab of the Analytics module

• Fixed issue of assets not showing for selected reports in the Assets tab of the Analytics module

• Fixed issue where clicking on the parent asset link in the Assets detail modal of a finding on the Findings tab of the Analytics module resulted in an error message

• Fixed issue in which sort behavior changed the user navigated between pages on the Findings tab of a report when more than ten findings exist

• Fixed issue with one-column tables not formatting correctly when exported

Release 1.61.1

11-8-23

Improved

• Added a new tab and messaging on the Dashboard for when a user has no assignments

• Better handling of scoring when using the Acunetix parser

• Added support of rich-text formatting to an assessment's description field

• Added the ability to add captions to code blocks within a rich-text field

• Improved experience when creating an asset and adding a new operating system or IP address

• Improvements to Jira Server/Data Center integration

• Added ability to customize the table columns on the Sections tab of NarrativesDB

• Added ability to customize the table columns inside a repository of NarrativesDB

• Added ability to customize the table columns on the Repositories tab of WriteupsDB

• Added ability to customize the table columns on the Reports module home page

• Added the ability to customize the table columns on the Assets tab of the Clients module

• Made the description field of a question a rich-text field in the Assessments module

• Added ability for admins to enable email notifications for finding substatus changes and when a report reviewer has been added

• Deprecated endpoint Import Client Assets v1

Fixed

• Fixed issue of evidence sometimes not appearing for an affected asset on its details modal

• Fixed issue where bulk delete of affected assets was not working

• Fixed issue where bulk select of assets for a report was not matching bulk select behavior in other areas of the platform

• Fixed issue where findings layout reverted to default layout instead of the custom one assigned

• Fixed issue in which not all findings were displayed in the Findings overview box on the Readout tab in reports with more than 50 findings

• Fixed export to Word error after importing a finding and adding an affected asset to it

• Fixed format issue upon export to Word with Runbooks procedure logs

Release 1.60.0

deploy to cloud-hosted instances on 10-10-23

Improved

• Added the ability for admins to configure and customize the experience of creating a finding via configurable layouts (Admin Dashboard>Layouts)

• Streamlined the process of creating a finding by putting custom fields on the Finding Details tab (Custom Field tab going away)

• Improved the experience of creating a writeup to match that with the process of creating findings

• Added Proof of Concept field in Cobalt integration

• Added a link within the platform to download the writeups CSV template (available by clicking the Import Writeups button)

• Added ability to customize the table columns on the Affected Assets tab of a finding

• Added ability to customize the table columns on the Assets tab of a report

• Added messaging to alert when exporting a report if a layout template is associated so users are aware that required fields exist

• Added error notification when a user attempts to update the published status of a finding that doesn't have all required fields

Fixed

• Fixed issue when larger images in reports with a style guide associated with them were not exporting as expected

• Fixed issue with line breaks when pasting into CKEditor fields

• Fixed issue with CKEditor window increasing in size when a large image is inserted and resized

• Fixed issue of a blank screen after loading a finding from Acunetix and attempting to edit

Release 1.59.0

deploy to cloud-hosted instances on 9-13-23

Improved

• Added ability to create and customize style guides for exported reports to Word (.doc) using a Jinja template

• Improved report experience when selecting sections from NarrativesDB or writeups from WriteupsDB by truncating long sections of text, tables, code blocks, and hiding images

• Improved Writeups CSV import to support soft returns within the file

• Added additional fields Clients module home page table (Client POC Email and Description)

• Added ability to configure and customize the table column experience for associated findings of an asset within the Clients module

• Improved modal experience when importing a finding (no longer defaults to Nessus in the pulldown menu)

• Improved usability on the Readout tab of a report by highlighting the box of the finding being viewed on the Report readout column

• Users with write access to reports can delete comments created by other users

• Updated BURP parser field mapping documentation

• Uploaded a new version of the WriteupsDB CSV import template in the documentation

Fixed

• Fixed the issue of a CVSSv3.1 risk score not showing on the findings detail page

• Fixed the issue that occurred when creating a custom role in the Admin Dashboard and disabling the “Ability to View the Administration Panel”

Release 1.58.0

deploy to cloud-hosted instances on 8-21-23

Improved

• Ability to bulk associate findings to ServiceNow (if integration is configured)

• Ability to unlink a finding from ServiceNow (new option under "Actions" column (if integration is configured)

• Updated references of “Tenable.io” to “Tenable Vulnerability Management”

• For BURP HTML file imports, enhanced the usability of finding and viewing data by moving the HTTP request and response fields out of the findings details page (continues to be listed as evidence in the affected asset)

• Better error messages to users and handling of data when importing large BURP files; now a notification is sent about the finding that did not get imported, and all other findings are loaded without impacting the entire file and instance stability

• For users importing files with evidence-heavy data, significantly decreased loading time, an increase in the number of findings and assets that can be imported before performance is impacted, and improvements in any error messaging to provide helpful details to resolve any issues

• Added count totals of rows in the table headers for Assessments and Runbooks modules

• Added a red asterisk to the Client Name field to denote it is required

• Arranged theme color options in Admin Dashboard>Theme so they are now displayed by severity impact instead of alphabetically

• Added bulk actions button and options in the Assets tab for a report

• Updated legacy color palette values in tooltips, icons, etc., throughout the platform for consistent user experience

• Breaking change implemented for APIs using roleID variable in endpoints; legacy support will continue through 1.59

Fixed

• Fixed issue with erratic scrolling of page for comments left when tracking changes

• Fixed issue with ServiceNow integration: now work notes, comments, and status

• Fixed issue with CSV exporter that occurred in MS Word reports containing imported findings from API integrations

• Added error handling to resolve asset names with over 10k characters that would previously cause a system error; names are now truncated to ensure the files load properly

• Fixed the issue of the default parser action not filtering correctly

• Fixed the issue of table sort order not being preserved when a questionnaire is deleted in the Assessments module

• Fixed issue in parser actions in which placeholder field titles were in pulldown menus

• Fixed issue in which the deduplication process for asset names was overwriting child asset names; child assets can now have the same name for different parents

• Fixed issue with Help Center link in the profile pulldown menu being a different color than other items in the list; also added an icon next to the link informing users that clicking Help Center will open a new tab/window and take the user outside of the platform

• Fixed the issue of a blank page appearing when clicking the Edit/Comment button on the Readout tab of a report if no narrative has been added; now, no button appears on that tab until the content has been created

• Fixed issue with bulk selecting all assets in the Clients module in which some manually deselected assets were still being deleted

Release 1.57.0

deploy to cloud-hosted instances on 7-18-23

New Capability

• Ability to manage and track changes within rich-text fields at the report level

• Performance enhancements when importing findings from an integration for import into a report

• Changed the term “scan output” to “evidence” throughout the platform for consistency

• Improved experience when creating a writeup to better align with the process of creating a new finding

• Better messaging to admins when deleting users to provide more detail, so if the action failed, admin can take action to remedy (i.e., the user is assigned a task)

• Performance improvements when importing large amounts of affected assets with a finding via an integration

• Improved messaging within the modal that appears when adding a writeup to a report with a findings layout assigned

• Added count totals of rows in the table header for the Assessments module tab

• Added count totals of rows in the table header for Admin Dashboard>Security>Authorization page

Bug Fixes

• Fixed issue with Jira server (not cloud) integration not working as expected

• Fixed issue with exporter failing for Parser and API integrations

• Fixed issue in Edgescan integration that occurred when closed vulnerabilities for the past three years was selected in the pulldown menu during setup (the configuration would reset to default state)

Release 1.56.0

deploy to cloud-hosted instances on 6-21-23

New Capability

• New design improving usability for admins when adding authorized users to a client

• Added a total count of clients, reports, findings, and assets in the Clients module that is displayed as each tab is clicked

• Overhaul of CSV export for reports that fixed known limitations and issues that occurred when exporting large data sets into cells

Bug Fixes

• Fixed an issue in which a finding severity was not being adjusted from manual changes in the CVSSv3.1 calculator

• Fixed an issue in which a writeup form would occasionally disappear after loading when trying to edit

• Fixed an issue in which an analyst user was incorrectly able to add or remove reviewers from an assessment

Release 1.55.0

deploy to cloud-hosted instances on 6-7-23

New Capability

• Enhanced Snyk integration with a new product (Snyk Code) plus documented field mappings and deduplication logic for all Snyk products

• Changed bulk actions menu so actions are only visible to users with the correct permissions

• Added better messaging and UX experience when integration synchronizations are taking longer than expected

• Optimized affect asset retrieval for findings that had hundreds of affected assets

Bug Fixes

• Fixed an issue in which available repositories were not appearing after typing into the box within WriteupsDB when trying to move or copy writeups

• Fixed an issue in which assets imported from a Nmap.xml file were displaying a random “last seen” date in the Notes/Description tab for the affected asset

Release 1.54.0

deploy to cloud-hosted instances on 5-30-23

New Capability

• Improved user experience and transparency with behavior regarding parser actions seen in Admin Dashboard>Parser Actions

• Adding messaging to inform the user when an import takes longer than 100 seconds, explaining operation is taking longer than expected and to try importing later

• Changed label of “Runbooks V2” to “Runbooks” (Runbooks V2 replaced legacy Runbooks module in 1.53)

• Added messaging to inform users that a finding or assessment has been deleted if accessing from a notification link

• New graph in the Analytics module in the Trends & SLAs tab to display the percentage of findings exceeding SLA

• Sunsetted multiple API endpoints

Bug Fixes

• Fixed issue with saving when creating a new writeup and user not being directed to WriteupsDB homepage when finished

• Fixed an issue in which tags for a previously created SLA were auto-populating on new SLAs

Release 1.53.7

• Fixed issue in which users not assigned to any clients were able to view reports

Release 1.53.3

• Removed the 2000 character limit for the rich-text field in the Custom Fields tab of a finding

Release 1.53.2

• Fixed an issue with the Tenable integration

Release 1.53.0

deployed to cloud-hosted instances on 5-8-23

New Capability

• Sunsetted an API endpoint

• Added a documentation link to First CVSS at the bottom of CVSS calculator when creating a finding

• Enhanced the user experience within the graph for the Trends & SLAs tab in the Analytics module

• Added better visibility that an asset name is required through improved error messages and asterisk to denote it is a required field

• Changes made to a finding status within the most critical findings box inside the Findings tab of the Analytics module are reflected immediately

• Ability to view child assets (when applicable) from the parent affected asset

• Added visible error messaging when editing the Evidence tab of an affected asset that changes were not saved when attempting to exit

• The parent asset value within the table of the Assets tab of a report now links to the parent asset details page

• Removed legacy Runbooks module from main menu

Bug Fixes

• Fixed issue in which validation for duplicate assets was not catching an asset just created

• Fixed issue during creation of a new asset that occurred with a field screen not disappearing after selecting a provided value

• Fixed bug in which the number of findings listed in the Readout tab of a report was not accurately reflecting the number of findings in the report

• Fixed issue of importing findings from an integration that findings created on the end date chosen in the filter was not appearing

• Added logic so that after using filters in reports, leaving page, and then returning, the filter select boxes would contain previously selected values rather than be blank

• Fixed issue in which findings with closed status were triggering SLA emails

Release 1.52.0

deployed to cloud-hosted instances on 4-21-23

New Capability

• Added a field for URL available when setting up or editing an Edgescan integration

• Improved refresh of data used to build graphs when loading Analytics module pages

Bug Fixes

• Fixed issue with Edgescan findings import in which only one filter could be used

• Fixing a bug that allowed duplicate asset names for a client

• Moved tooltip about findings and assets on Dashboard module to the Finding metrics tab

• Fixed issue that a report was displaying the default template instead of the properly assigned template

• Fixed issue of empty asset when importing same assets to different reports within a client

• Fixed issue of finding updates email notifications not sent correctly when using the status tracker/bulk update modal

Release 1.51.0

deployed to cloud-hosted instances on 4-6-23

New Capability

• Sunsetted four API endpoints

• Enhanced user experience when adding findings from an integration to a report

• Added ability to retain customized columns (where applicable)

• Added refresh of page after using ‘search and replace’ functionality in reports to better indicate changes were implemented

• Added ability to bulk paste email addresses when adding assets to a client

• Improved platform performance when creating clients

Bug Fixes

• Fixed data refresh issue that occurred after a bulk delete in WriteupsDB

• Fixed issue in which the short codes section of Admin Dashboard was not appearing for some non-admin roles after given access via Administration Permissions in RBAC

• Fixed error message that resulted after adding evidence for an affected asset and then deleting evidence before saving

• Fixed bug that occurred with risk score when exporting to CVS and some finding fields were null

• Fixed an issue in which the date to and date values from search filter were not filtering correctly for the Most Critical Findings box across all tenant clients

Release 1.50.0

deployed to cloud-hosted instances on 3-27-23

Bug Fixes

• Fixed issue that occurs when an authorized analyst attempts to update the status of the finding in a published report and receives an unauthorized error message

• Icon changed in the Parent Asset box of the Create Affected Asset modal to accurately reflect that this field is a search box and not a pre-populated pulldown menu

• Fixed issue of the modal not disappearing when clicking the ellipses of an asset under the “Action” column of the Assets tab in the Clients module

• Fixed issue of a blank page appearing when an admin attempts to edit a template (Account Admin>Templates) of the Admin Dashboard

• Fixed issue of a linked template not being used when exporting a report as assigned by admin in the Export templates tab (Account Admin>Templates) of the Admin Dashboard

• Fixed issue with CSV Asset Upload template in which some fields were not importing

• Fixed issue with Tenable integration that could cause integration to fail

• Fixed issue in which a parent asset was not successfully removed when deleted as parent from the child asset on the Edit Asset page

Release 1.49.0

deployed to cloud-hosted instances on 3-8-23

New Capability

• Usability enhancements in Admin Dashboard>Templates with the addition of tool tips, easier to read tables, and updated modal designs

• Platform-wide enhancements to messaging in modals for better consistency and experience

Bug Fixes

• Fixed issue in which Analytics pages might crash when refreshing the page or redirecting after logging out

• Fixed issue that occurs if import source is changed in the middle of the process of adding a finding via an integration

• Fixed issue of an existing asset’s ports, services, and protocols being added by default when the asset is added as an affected asset to a new finding

Release 1.48.0

deployed to cloud-hosted instances on 2-24-23

New Capability

• Ability to sort (via table column), filter, and search by a parent asset in the Affected Assets tab of a finding

• Ability to view and navigate to the parent asset from the asset detail modal of an affected asset, and from the findings detail modal under Affected Assets

• New button and user options for adding a new asset to a client (now have option for a bulk paste)

• Added a notification banner for admins and users belonging to the default group if an error occurs that prevents a page from being saved (a link to PlexTrac support is provided in the banner)

• Platform-wide updates to presentation of messages and button labels for improved consistency and usability

• Enhanced authoring and viewing of narrative content sections by continuously displaying editor toolbar (previously toolbar would disappear if additional required scrolling down)

• Enhanced integration experience when importing from Findings tab

Bug Fixes

• Fixed issue when deleting a repository in WriteupsDB in which user had to click the same button twice to complete task

• Fixed bug of asset description not being saved on creation

• Fixed 400 error that occurred when adding a note to a child asset

• Fixed issue in which some users were experiencing issues with logo updates

• Fixed spelling errors on Edgescan field mappings page

• Fixed bug in which an analyst could see draft findings on a report's Assets tab

Release 1.47.0

deployed to cloud-hosted instances on 2-10-23

New Capability

• Enhanced modal usability for WriteupsDB

• Unified the asset import experience within Affected Assets and Client Assets, including file type verification, better styling, and improved notifications

• Added a “Parent Asset” column to the report asset list table

• Bulk paste for affected assets now dynamically parses out asset name, parent asset name, and port to its relative columns in the table (before all information would be retained in asset name)

• Added a “View” link in the Affected Assets list of the Finding Detail modal to allow users quick access to the details of an asset without having to redirect to the client asset page

• Updated daily Jira synchronization (if a Jira integration is set by admin to update daily) to 4:45 UTC (9:45 PM Mountain Time)

Bug Fixes

• Removed “PlexTrac” as a file type to import for admins in pulldown menu when setting up parser actions to avoid confusion, as a .ptrac file is not tied to imported actions (still supported elsewhere in platform)

• Fixed bug that could cause the overall CVSS score to not reflect what was calculated using First CVSS calculator

Release 1.46.0

deployed to cloud-hosted instances on 1-26-23

Bug Fixes

• Fixed issue of assets in a report not loading correctly on the Assets tab

• Usability improvements with labeling in Dashboard

• Autosave performance improvements in NarrativesDB module

• Fixed issue in which a new assessment might not display a 0% completion value as was incorrectly reflecting a previously edited assessment completion percentage

• Fixed issue in which large Nessus files were not loading

• Fixed issue in which CVE values were not loading correctly in some imports

Release 1.45.0

deployed to cloud-hosted instances on 1-17-23

New Capability

• Ability to bulk update affected asset ports, services, protocols, versions and URLs for a finding

• Added version and fix version fields for Jira integration mapping

• Ability to filter by report name when adding findings from Cobalt

• Jira synchronization optimizations

• Added a check to see if an asset already exists within a client, and if so, use that asset ID to reduce duplication

• Created new endpoint to get findings older than 30 days that are not closed and in a published report

• Added filter ability to filter by tags during import of Edgescan findings

• Help Center link updated to direct users to new Zendesk solution

Bug Fixes

• Fixed Jira syncing issue in which the created date from Jira was displaying incorrectly on the findings table

• Fixed issues with Edgescan integration field mappings

• Fixed issue when new users to tenants in which MFA is required and enabled were not required to set up MFA until second login

• Fixed issue that was preventing admin user from changing password from profile screen (existing instances not affected)

• Fixed issue in which instance could crash when importing a scan file and parser actions are disabled

• Fixed issue in which Jira status change for a finding linked to a Jira ticket was not reflected in displayed status of finding table

Release 1.43.0

deployed to cloud-hosted instances on 12-17-22

New Capability

• Additional Jira integration field (data type) added for mapping options

• Enhanced Jira integration error messaging

Bug Fixes

• Fixed issue in which all CKEditor sections on a page were being saved at same time instead of just the section being edited

• Fixed issue preventing custom field on findings from being updated

• Fixed issue when editing a writeup that caused a 404 error and prevented writeup from being updated

• Fixed issue in which whitespace affected the parsing of parent/child assets when using bulk paste functionality to add affected assets to a finding

• Fixed issue in which a page could crash in some scenarios after clicking the finding status button on the Findings tab of a report and then clicking “Add Update”

• Fixed intermittent issue of image disappearing once loaded within a CKEditor field

• Fixed latency when page is loading findings for a report

• Fixed issue of finding titles not updating when edited on Findings tab of a report

• Fixed issue for tenants that had Classification Tiers enabled; users with appropriate permissions could not modify the classification after report was created

• Fixed multiple mapping issues with Edgescan integration (specifically description, recommendation, and severity mappings)

• Fixed issue of title search not working for findings in Client module

• Fixed issue in which a .ptrac import fails because an asset has a reference to a parent asset ID not in PlexTrac

Release 1.42.0

deployed to cloud-hosted instances on 11-30-22

New Capability

• Enhanced Jira integration features and functionality

• Ability to search and filter findings by tag(s)

• Ability to search and filter findings that do not have an assigned tag

• Added a loading indicator to provide status for users using standard (non-MFA) login

• Added a tally of report findings to the header of the table on the Findings tab of a report

• Ability to sort users by the last time log in occurred in the Admin Dashboard via “Last Login” column

• Added a modal to provide users more useful and relevant messaging when an export fails

Bug Fixes

• Fixed issue of tags being created after a search query

• Fixed issue in which an edited finding title may continue to display in browser cache

• Fixed issue with parent asset value not displaying in “Parent Asset” field when editing the child affected asset

• Fixed issue in which the “Change End Date” button was appearing when finding status was open or in progress instead of only appearing when status is closed

Release 1.41.0

deployed to cloud-hosted instances on 11-17-22

New Capability

• Ability to bulk paste assets associated with a finding

• Enhanced collaborative editing capabilities

• New Assigned To column displayed on the Asset Findings table for report assets

• New modal and ability to select templates when creating a new findings layout in Admin Dashboard

• Ability to add and sort by finding sub status on the Findings tab for a report

• Added messaging to confirm successful deletion of an engagement and test plan

• Updated Cobalt integration description messaging

• Added validation and error message when importing findings to ensure selected file type and source match if either is changed by user

• Improved browser caching to reduce data transfer for viewing assets

Bug Fixes

• Fixed API issue with frontend acceptance of new password with MFA enabled

• Improved handling of Boolean fields

• Fixed an issue when exporting a report in Word (.docx)

Release 1.40.0

deployed to cloud-hosted instances on 11-4-22

New Capability

• Ability to add custom fields to CSV import template

• Runbooks V2 and RunbooksDB available to those currently licensed for Runbooks and cloud-hosted

• New API endpoint for retrieving all assets on a tenant (api/v2/tenant/assets)

• Ability to move multiple sections from one NarrativesDB repository to another in a single action

• Ability to filter reports by status on Reports module home page

• Ability to do bulk edits to associated findings under an asset

• Caching improvements after finding, report and client deletions

• Completed assessments and closed findings removed from items count on Dashboard module

• Ability to filter for findings that have no tags within the existing “Select Findings Tags” filter box that appears on the Findings tab of a report

• Loading improvements for the Dashboard module

• CSS improvements for text alignment on long custom answers and questions for assessments

Bug Fixes

• Fixed issue with status field when importing a Nessus file

• Fixed issue with ServiceNow OAuth credentials not being passed correctly when checking connection status during admin setup

• Fixed issue in which SLAs enabled in Admin Dashboard were missing from the findings when a questionnaire was submitted from the Assessments module and a reported created

• Fixed issue of notifications sometimes not behaving as expected in UI (bell should stay red until notification is marked as read)

• Fixed issue of artifacts sometimes not uploading to answers when starting an assessment

Release 1.39.0

New Capability

• Ability to download a CSV template, enter finding information offline, and import into PlexTrac

• New “Layouts” button in Admin Dashboard under “Customizations” for managing findings templates

• Dynamic sizing/horizontal scrolling for recently viewed report cards on the dashboard page

• Ability to select all available sections via a checkbox at top of page when adding narratives to a report

• Ability to select all available findings writeups via a checkbox at top of page when adding writeups from WriteupsDB to a report

• Increased field validation for illegal characters entered in CVE ID field for a finding

• Added OAUTH configuration options for ServiceNow integration

• Default short codes now listed in the Admin Dashboard under “Tenant Settings/Short Codes” for visibility with a link to the online product documentation

• Added loading spinners to signify page is loading on dashboard to give users notice

Bug Fixes

• Fixed bug in which multiple comments/changes in the same location could not be selected or viewed

Release 1.38.0

New Capability

• Actionable dashboard that lists all user assignments and recently viewed reports in additional to findings data and information

• Added confirmation modals and additional information for admins when managing users and enabling/disabling default group in the Admin Dashboard

• Improved the usability of dialog box and added search capabilities when importing a PlexTrac Report (.ptrac)

• Tooltip added to the tags inside repository cards for RunbooksDB module

Bug Fixes

• Fixed incompatibility issues with dark mode theme on pages

• Fixed issue that caused all table rows to load when clicking sync button for an integration

• Improved method that CWE IDs display for values parsed from Invicti/Nodeware

Release 1.37.0

New Capability

• Integration with Cobalt platform

• Added notes to the asset GET method

• Additional confirmation modals added to notify user of potential data loss when editing/updating content

• Updated default theme colors

• Updated logic for sorting of engagements within the Runbooks module

• Ability to add tags via bulk actions for sections in NarrativesDB module

• Ability to bulk delete sections within NarrativesDB module

• Ability to bulk delete affected assets for a finding in a report

Bug Fixes

• Fixed formatting table issues and image support in exports to Word

• Fixed error that may occur when copying a finding from a scan to WriteupsDB

• WriteupsDB autosave bug fixes

• Fixed finding sort issues that occurred when specific optional fields were selected

• Changed default background color for dark mode from white to black/gray

• Fixed issue with “Sync Now” button not showing for Tenable integration in Admin Dashboard

Release 1.36.0

New Capability

• New Assessments module workflow and design

• New CVSS v3.1 calculator for use when creating and editing findings

• Added auto-save capabilities when creating and updating in WriteupsDB module

• Added ability to see the allowed file types when uploading parser files

• Ability to copy Content Library repositories from the card for both NarrativesDB and WriteupsDB modules

• Updated Veracode export to use the new risk_score and common_identifer fields

• Implement In Progress status for engagements

• Caching improvements in Analytics module

Bug Fixes

• Fixed issue of some selected filters not being deleted for findings in Analytics module

• Fixed issue of some users with proper permissions unable to view Customizations section of Admin Dashboard

• Fixed error that may occur when trying to update a new writeup immediately after creation

• Fixed issue with Nessus scans with empty CVSS scores failing to import

• Fixed issue with related findings not showing when importing findings into a report from a Nessus file

• Misc. dark mode fixes

Release 1.35.0

New Capability

• New integrated experience for admins to manage third-party integrations; all integrations with PlexTrac are now managed under the “Integrations” button in Admin Dashboard under "Tools & Integrations"

• CKEditor update providing new functionality throughout the platform when entering content, such as indentation of lists, modification of color within code blocks, background text color options, etc.

• When creating a new report, dropdown menu values are alphabetical and dynamically filtered by value typed in box by user

• Added front-end validation to CVSS scoring to ensure user cannot submit a score that will fail backend validation

• Added ability to add a Success Criteria step under “Execution Steps” when editing a procedure in the Runbooks module

• Added CVE/CWE ID Relational Filtering to Finding and Trends/SLAs analytics pages

• Ability to search the file type when importing a report

• Added CVSS 3.1 to the Report Findings and Client Findings table

• Narrative sections now reflect changes made from short code search/replace tasks

• Removed tenant point of contact and address fields (populated from another source)

• Misc. UX improvements in modals and dropdown menus

Bug Fixes

• Dark Mode display enhancements

• Fixed issue of CVE and CWE IDs not displaying in correct format in client findings list

• General CSS enhancements to modals

Release 1.34.0

New Capability

• Improvements with the storage of values when dynamic scoring for findings (CVSS, CVSS2, etc.) is used

• UX improvements when editing email templates in Admin Dashboard

• Platform-wide consistency on autosave functionality for performance and usability

• Platform-wide consistency on labels and text for usability

• Improved caching and performance

Bug Fixes

• Fixed issue of scores for some findings being out of sync when imported

• Fixed issue of CVSS score not appearing when editing a finding imported from WriteupsDB

• Fixed issue of some associated assets not showing in the Analytics module Assets tab graphic and table

Release 1.33.0

New Capability

• New user experience for setting up and configuring two-factor authentication (Profile/Personal Settings)

• New sortable/configurable columns in the client module

• Updated all modals to confirm before closing work that any discard of changes by user is intentional

• Ability to select all findings for mass edit and import during an integration upload

• Ability to customize table columns and order on Findings tab in Reports module

• Ability to customize table columns and order on Writeups tab in WriteupsDB module

• Added CVE and CWE IDs to findings detail; tool will check to see if ID is valid based on CVE standards and link to documentation if valid

• Added a CVSS 3.1 calculator to allow users to obtain scores within PlexTrac

• Ability to select all findings for mass edit in the Report module

• Added user notifications for tasks related to changing a score or using new calculator

• Ability to view a finding score in the findings detail modal (between the description and recommendation)

• General usability and design improvements

Bug Fixes

• Fixed issue of not being able to add IPv6 address when creating a new asset

• Fixed bugs when importing a file from Tenable

• Improved response time when adding large amount of writeups to WriteupsDB module

• Fixed issue of some filters not populating values for asset analytics

• Fixed a bug where client ids were showing instead of names for preset filters

Release 1.32.0

New Capability

• OAuth general-purpose authentication provider option added for admins (OpenID Connect)

• Added ability to filter by assignee on the Findings tab in the Analytics module

• Updated user experience for importing and configuring parser actions with new descriptions, progress status, and links to documentation

• Added column in Writeups tab of WriteupsDB module to track item’s parent repository

• Ability to copy a writeup from one repository to another (click “Copy to” under Actions column of the writeup in WriteupsDB)

Bug Fixes

• Fixed issue of HTML syntax appearing in exported reports with a finding or narrative

• Fixed formatting issue of bullet lists in RTF table cell

• Fixed error message that appeared when uploading a Jinja template file to create an export template

• Resolved issue when importing a Nessus file

Release 1.31.0

New Capability

• Integration support for Pentera

• New modal design for importing parser files that includes a progression bar

Bug Fixes

• Fixed issue of a .csv asset not populating fields properly when being imported

• Fixed issue of default WriteupsDB Default Repository not populating correctly with new installation

• Fixed “Client Users Error” 400 incorrectly appearing in some instances when navigating to Client module

• Fixed bug in the applications image upload functionality that prevented users from uploading images within the runbooks edit procedure workflow

• Fixed mapping issues when importing Veracode xml files

• Fixed report logs error when importing a findings file

• Fixed issue with save not working and incorrect permissions generated after creating a new custom role based on the Analyst role template

• Fixed issue with a blank screen on Narratives tab after creating a new report using a report template that had a narratives section

• Fixed issue of search not working in the “Link Writeup” pulldown menu in Admin Dashboard>Tools & Integrations>Parser Actions

Release 1.30.0

New Capability

• Analytics module pages more printer-friendly

• Performance improvements on Dashboard page load

• Ability to search and filter a list of sections by tags on the Sections tab within NarrativesDB

• Table presentation and caching improvements in Analytics>Trends & SLAs

• SLA information presented on the finding table and finding detail sidebar

• Updates to Inviciti parser integration mappings and support

• Latency improvements when entering data in reports

• Ability to configure date format in Personal Settings to one of the following options: YYYY-MM-DD, DD-MM-YYYY, or MM-DD-YYYY

• Customizable columns for the client findings page

Bug Fixes

• Improvements for admins to change settings for existing repositories within NarrativesDB and be seen immediately by users with access

• Unicode copy/paste support for umlauts

• Fixed 400 error when adding findings to WriteupsDB via csv upload or from a report

• Fixed Date format of Start Time for Runbook Engagements

• Fixed user access issue in WriteupsDB repository

• Fixed issue of Assessment module not appearing in menu for some customers

• Improved copy/paste formatting from external source to a report

Release 1.28.0

New Capability

• New Content Library container in main menu

  • Contains existing WriteupsDB and new NarrativesDB features

• New Narratives Database (DB) feature

  • NarrativesDB allows for the organization, categorization, and management of content to be shared by multiple users and groups for producing reports

• Search enhancements in Content Library

  • Search results for repositories and writeups refined based on text entered in search box

• Capability to sort by title field in Content Library repositories

• User management updates across Content Library and Runbooks

  • Access to content repositories is governed globally for each repository type by RBAC

  • The ACCESS permission enables users to see and use content within content repositories

  • The MANAGE permission enables users to manage settings and users of content repositories (who is allowed to view/edit a repo)

  • Ability for users with proper RBAC permissions to delete repositories

• Ability to identify the source of a Finding via the Finding Detail modal view (includes manual imports and data from integrations)

• Support of audit tracking when users are added/removed from PlexTrac

Bug Fixes

• Fixed issue in which some Unicode values were not appearing correctly from source when copy/paste was used

Release 1.20.0

New Capability

• Communicating age of data within analytics

• Added manual refresh of data for analytics page

• Added ability to create reviewers by state on reports

• Added functionality to sort filters alphabetically

• Changed account lockout behavior to be default, vs opt-in

Bug Fixes

• Various fixes for log syntax

Release 1.19.0

New Capability

• Enable account lockouts

• Allow setting createdAt during finding creation

• As a report creator, I can set a report state & assign reviewers

• Writeups Do Not Require a Recommendation

• Reorganized Admin Panel

• Added CKEditor field to findings field template

Bug Fixes

• Ampersands in Report Custom Fields missing in Word export

• Fixed OWASP Zap Parser Descriptions and Recommendations Fields

• Fixed Jinja Export Error missing type_of_piece

• Fixed import Nipper XML

• Fixed Hyperlink CKEditor formatting export error

• Fixed front end user issue where the user appeared to be part of the default group, but was not. This disallowed ability to give authorize user for client access

• Fixed intermittent Tenant Integration licensing error toast

• CKEditor Code blocks - new lines are now getting created in Word export

• SNOW - resolved issue with hardcoded URL suffix

Release 1.17.3

New Capability

• Ability to add ports and services to affected assets

• Added notes section to affected assets

• Added evidence section to affected assets

• URL/URI parsing for affected assets Update default table styling for exported Word documents

• Allow use of field templates when creating Writeups in WriteupsDB

• Option to auto-save work when editing narratives

• Ability to set a report state and assign reviewers in report details

• RBAC - separated out commenting and status changes permissions

• Added ability to custom sort findings

Bug Fixes

• Fixed ability to create Writeup from scratch

• Fixed issue where some SNOW suffix URL’s could not be specified

• Fixed caching issues when editing questionnaires

Version Digests

plextrac/plextracnginx:1.17.3 DIGEST: plextrac/plextracnginx@sha256:49bcd0e6d2793fa4aa06051f91c2cfaac2e60bb288e0213f1ab3c42b54ad8c62

plextrac/plextracapi:1.17.2 DIGEST: plextrac/plextracapi@sha256:00f147ca7b015497da6d78fc90ead9e0f39f4dcc290f6b02e1787e8b59fe97b3

Release 1.16.0

New Capability

• Released tenable.io, tenable.sc integration

• Enhancements to Affected Assets

• Added ability to edit Affected Assets

• Implemented new design for adding an Affected Asset

• New evidence section URL/URI parsing Notes section

• Added new RBAC permission splitting out comment vs status change in findings

• Added auto-save custom fields, exhibits, code samples when editing a finding

• Added ability to custom sort findings

Bug Fixes

• Fixed styled text & nested HTML in image captions

• Fixed Auto Numbered captions in CKEditor

• Fixed scenario where missing data in a finding would result in a SDK error

• Fixed MITRE and SCYTHE name consistency in Runbooks

• Fixed contrast for code block text in Dark Mode

• Fixed informational finding parsing in Checkmarx parser

• Fixed issue where custom field search would fail on periods

Version Digests

plextrac/plextracnginx:1.16.10 DIGEST:sha256:c308d650fdd6ff7e7cec566b722fd19ca292ac7807ca4c8d8a42aed05c176156

plextrac/plextracapi:1.16.11 DIGEST:sha256:06eb3b62c075b2f875a05b15ba20ca978245f948182b45f3791118a20bfddfa2

Release 1.14.0

New Capability

• Added hover to display dashboard trendline on Dashboard

• Several design updates and fixes in analytics pages

• New designs for edit finding page, edit narratives page

• Preset Filters for analytics SAML IDP

• User Provisioning

• WriteupsDB Bulk Actions (Delete and TAGS)

Bug Fixes

• Fixed error message when uploading license key

• Affected asset scan data can now discretely reference scan evidence by affected asset

• Export crashes with symbols in affected asset title

Release 1.13.1

New Capability

• CKEditor Field Template

• New Report navigation

• Report Details Tab added to report navigation

• CSV writeup importer updates

• Filter analytics by assets

• User Management Wizard for seeing what roles a user has for which clients

Bug Fixes

• Role is now removed when done through User Permissions Wizard Qualys imports

• Able to change affected assets status

• Text Style in Tables Exports Correctly

• Jira sync process now assigns valid statuses

• Images can now be captions using CKEditor

• OWASP ZAP Parser now parsing IP addresses to known_ips field for affected assets

• Newlines are no longer removed from scanner output during export

• Writeups created in WriteupsDB no longer requires references to save Report

• Fixed Raw Evidence toggle switch

Release 1.12.0

New Capability

• Ability to reference raw scan evidence as a callable field via Jinja Add hover display to dashboard trendline on security debt dashboard

• Design updates for Runbooks analytics page

• Use improved helping type for Asset Analytics Choose "Unspecified" option in the filter dropdown for Asset Types

• Filter Open/Closed Issues on Date Range Improvements in Trend Analytics Parse port data from ZAP

Bug Fixes

• Fixed OOM issue that caused API Crashes on Nessus Import with large number of scanner documents

• Resolved bug where unable to change user auth after enabling two-factor authentication

• Fixed problem where some users were unable to export report due to Non-Ascii characters in report

• Resolved issue where adding assets with ports to a Finding crashes API

• Resolved a UI bug where the details tab shows buttons in wrong places

August 31, 2021

New Capability

• The new Asset Analytics functionality provides you with an at-a-glance overview of every asset in your (or your clients’) company, by level of criticality, to help you better understand where you’re most vulnerable

• With PlexTrac’s new integration with Tenable, you can import findings and assets tied to a Tenable tag directly into the Purple Teaming Platform

• PlexTrac is also happy to announce the addition of security scanner tool parsers and imports for Horizon3 NodeZero, OWASP Zap, HCL AppScan, and Checkmarx

• PlexTrac now supports IDP (Identity Provider) initiated SAML SSO

• PlexTrac’s new Attack Path Visualization feature makes it as easy as drag-and-drop to create a visual representation of the tactics, techniques, and procedures (TTPs) used in a simulated attack.

• Short codes are a powerful new time-saver in PlexTrac that provides a simpler way for users to search and replace text at the report or client level

• Some assets are more important than others — and with our new Report Assets view, PlexTrac allows you to instantly see all the findings associated with those assets most important to you.

• Additional bug fixes

June 28, 2021

New Capability

• Ability to collapse the left-hand panel, change the Logo, background text, and text highlight colors of the left panel. The update also includes the much-demanded Dark Mode!

• When viewing Affected Assets under the preview modal, you can now Bulk Update the Status of Assets!

• The Analytics module has been updated in many ways, including a new Findings by Client section, Preset Filters, and an all-new Runbooks Analytics Module which includes a MITRE type heatmap

• You can now import SCYTHE Campaigns and MITRE Threat Emulations Plans as a Runbooks into PlexTrac

• We have added the ability to assign procedures with a severity level while still working the Engagement

• You can now copy a completed engagement and include all data. This feature can be used to pick up an accidentally closed Engagement or to add new information

• You can now also view the Finding ID in the Preview modal.

• Additional bug fixes

June 11, 2021

New Capability

• Comments: Added the ability to add comments to an ckeditor instance, beginning with report narratives.

• Mitre ATT&CK v9.0 methodology added to runbooks

• Backend scaffolding for audit logging (login, failed login, two-factor enable/disable, password reset/change)

• Runbooks engagement procedures can now be assigned a severity level that will be used when creating a report finding

• Runbook analytics can be filtered by engagement tags

• Engagements which are imported and do not inherit tactics from the parent runbook can still be associated with tactics, if they are tagged

• Runbook Analytics and Preset Filters are now available in production.

Bug Fixes

• PTrac import bug was fixed

• Newly uploaded artifacts now show a Creation Date

• Date Reported on the Report Overview screen now shows in a proper format

• Introduction, Methodology, and Summary Report Narratives now can be moved, deleted, and overwritten

• Replaced placeholder text on the Service Now Integration screen

• Removed HTML tags in .csv exports

• Fixed casing for the WriteupsDB sidebar navigation

April 9, 2021

New Capability

• We have now added Custom Fields for both Client and Report Details! This can be incredibly useful in expanding the current functionality of Jinja Templates and reducing polish time after export.

• Assessments — added a feature to require completion of specific steps in a questionnaire before submitting. This takes the form of check boxes beside the Overall Questionnaire (requiring ALL questions to be marked ‘completed’ before being able to be submitted), For Individual Questions, and for Individual answer type

Bug Fixes

• Addressed issue with pasting tables into PlexTrac

• FIxed Search bar for Runbooks Procedure Tags

February 11, 2021

New Capability

• PlexTrac has moved to a Continuous Integration/Continuous Deployment (CI/CD) development model.

• You can now define tables in the Rich Text Boxes inside PlexTrac and export them to your report.

• You can now add Custom Narratives from as many Report Template sources as desired.

• We've added the Custom Answer Sets in the Assessments module, allowing you to define a set of custom answers into your question, instead of picking from the predefined Answer Sets

• You can now copy a well-built question and duplicate it into another question in the Assessments Module.

• Our Integration with Jira now supports generation of child tickets for assets.

• We have added a Rich Text editor to the fields in the WriteupsDB

October 1, 2020

New Capability

• The addition of custom "Finding Sub-Statuses." Before this release it was possible to label findings as Open, In Progress, or Closed. Now you can define your own custom sub-statuses on the platform.

• Enhancements to the Assessment module editing workflow. We've made many additions to the Assessments module recently, and now we've improved the editing process with two new features.

  • Sticky save bar, so the save button is always within view

  • Unsaved work notifications, so you know if your updated work has not been saved

• The addition of preview for Tactics, Techniques, and Procedures in the Runbooks module. Now you can expand these out and view their description.

• The ability to mark a run as "Completed" in Runbooks. Sometimes the Blue Team is able to thwart an attack straight away, not allowing you to complete your execution steps. Now you may mark these as completed.

Bug Fixes

• Addressing an issue where the "Description" field contents were truncated when submitting an assessment

• Fixed the inability to remove parent/child relationship from an asset

September 2, 2020

Bug Fixes

• Fixed issue where notes entered into one question in an assessment would populate into other questions

• Fixed issue where files attached to one question in an assessment would populate into other questions.

• Fixed issue with certain special characters resulting in an extraneous escape character when exporting Nessus scan results

August 19, 2020

New Capability

• Addition of the much-requested ability to attach evidence to a question. When performing assessments there is often the need to attach supporting evidence to a specific question, and now you can do that in PlexTrac.

• The ability to add custom input field in the assessments module. When administering an assessment there is often the need to include discrete information you wish to segregate from the generic.

• The addition of static custom fields in the assessments module. The true value of assessments lies in the ability to pre-populate field that are "hidden" during the administration of the assessment, but pass through to findings afterwards. You may now create custom fields when entering a question natively instead of through the WriteupsDB.

• We have also included the addition of a scroll feature on the questions list when editing a questionnaire. You may now keep the editing field in your field of view when sifting through the question list.

Bug Fixes

• Fixing issue where some users experienced significant lag when typing in a search field.

• Fixing issue where in-line images in Custom Narratives would drop from the editor field after saving and/or not be included in the exported report.

• Fixing issue where capitalized characters in an image file extension would result in corruption of the finding.

• Fixed several bugs relating to sorting of findings within a report.

August 6, 2020

New Capability

• The ability to import and export Assessments as ISON files. This has many use cases, including the sharing of standardized question sets for both popular and highly specific assessment frameworks.

• Additionally, the feature enables users to have File-based archiving of important Assessments to ensure rapid restoration in the event of Interruption and availability.

• Lastly, this feature helps with versioning / tailoring of question sets.

• This update brings a re-design of the UI in the Edit Finding page that is easier on the eyes.

Bug Fixes

• Fixed issue where sort-by-severity was not working when viewing findings in a report

• Fixed issue where inclusion of capital characters in an image extension prevented the upload of images to the Findings Screenshots section

• Fixed issue where some users experienced significant lag when entering characters when performing a search bar search

• Fixed issue preventing the importation of assets from an Nmap XML discovery scan into Client Assets

July 15th, 2020

New Capability

• The addition of Filters in Client Assets. We are pleased to announce this much-asked-for addition to the Client Assets page. Simply begin typing a portion of the asset you are looking for, and the list is narrowed to those assets which include your search string.

• The addition of the ability to filter by tags in Reports. Tags are an amazing way of organizing and sorting your data in Analytics and in your document exports. We are pleased to now provide the ability to sort on your findings by tags.

Bug Fixes

• Fixed an issue where in certain cases, creation of a parent/child relationship between assets could result in corruption of the asset data structure.

• Fixed several issues related to the use of the mailer module with email servers that only support SSL or which do not allow credentialed authentication.

• Fixed issue preventing non-global administrators from disabling users

• Fixed issue preventing exporting of scan data from Burp and Accunetix for those clients who have enabled scan data export in their config.txt file.

• Fixed UI issue where the last tags added when using bulk actions were retained in the UI for subsequent actions.

June 15th, 2020

New Capability

• The addition of "Trend Analytics" One of the most powerful new graphics is also one of the simplest – “Trend of Issues Opened vs Closed”. By simply looking at the relative position of the two lines, you can determine whether you are adding or removing security debt.

• We are also excited to introduce an entirely new graphic – “Average Time from Creation to Closed.” This chart shows both the total historical and monthly trends for the amount of time taken to remediate findings based on severity.

• A redesigned of the "Administration Panel". Over the last year we have added a lot of new features for tenancy administration, and the vertical listing of these had grown quite lengthy. Features are now logically grouped, and once selected the dashboard is minimized to provide maximum workspace.

• The “Users” administration panel has received a facelift, providing much larger and easy-to-read displays of user settings.

Bug Fixes

• Issue that prevented some users from creating Jira tickets resolved.

• Tags that are included for findings are now retained when those findings are exported and re-imported from a .ptrac file.

• Users who navigate to a link to a specific page in PlexTrac are now directed to that page immediately after login.

May 15, 2020

New Capability

• An analytics revamp! In our first iteration of the Analytics revamp we have focused on providing enhanced flexibility for filtering along with better graphics to help your team track an analyze your engagements. These include both enhanced filtering and updating graphics, with many more features coming in the near future!

• The addition of the ability to apply bulk tagging for findings in a report. Our last update included the ability to apply bulk tags at the time of import, and this update now allows bulk tagging for the findings already in the report.

• You now have the ability to completely customize the email notifications within PlexTrac to match your branding. You may now customize the "From name", "From address", "Email subject", and "Email body".

• We have built out the CMMC function and it is now available in the platform for every customer. This addition also includes the references and authoritative guidance from appendix B of the CMMC, giving you all the information at your fingertips.

• We have leveraged our tags around CMMC to make analyzing the results very easy right out of the box.

April 24, 2020

New Capability

• The introduction of the "Draft/Published" flag, which provides you the ability to control which findings are reports are visible to users assigned the Analyst role. This feature is optional. Unless you enable this feature, Analysts will continue to have access to all findings in all reports for any clients they have been authorized to view.

• The ability to change the date reported on findings. This ensures accurate tracking and analytics on historical data brought into PlexTrac. To update the created date on a finding, navigate to a report and use the bulk selection tools to “Change Reported Date”

• PlexTrac now allows the use of any SAML Identity Provider to log into the application. Multiple providers can be configured for each tenant and are managed on a per user basis.

• Enhanced user experience when enabling or resetting the multi-factor authentication token. This new functionality prevents a user from locking themselves out without capturing the QR code.

April 3, 2020

New Capability

• Added support for Okta, Google, and Azure AD Authentication - support for all the leading single-sign on methods.

• The ability to apply tags in bulk to both findings and associated assets when importing scanner results into your PlexTrac reports.

• An overall revamp of the analyst experience. Those assigned with the analyst role have a simplified interface that eliminates UI hooks.

• The addition of Jinja2 hook for expanded asset data. PlexTrac's asset section provides users with a consolidated view of all vulnerabilities from all reports for any given asset. But we're also a powerful asset management tool, providing a way to organize important metadata such as asset criticality, owner, data owner, and physical location. All of this information can now be referenced in your custom templates.

• A brand new user interface for building assessments. This interface includes pagination and a widget to allow rapid navigation through long questionnaires. And of course, it's styled with purple throughout!

• Administrators now have the ability to permanently delete users from their tenancy.

• The multi-factor authentication feature now has an autofocus to ease entry of the 6-digit code.

• Tags can now be added when building questions for an Assessment, which will pass through to the associated findings after submission.

March 10, 2020

New Capability

• Our latest release begins the rollout of our new skin, incorporating modern UI design and demonstrating our love for all things purple!

• The UI when taking an assessment has been streamlined, incorporating both pagination and collapsible questions

• Ability to view (and even resubmit) previously submitted questionnaires

• We have now added the ability to parse Core Impact exports! With their recent acquisition of Cobalt Strike, Core Security continues to advance their capabilities and we are excited to offer this new integration

• Nmap is the standard for a lightweight discovery tool, and PlexTrac now supports import of and display of open ports and services. Because Nmap doesn’t produce true findings, we took a different approach than with our other parsers. In the Assets view for a Client, there is a new “Import Assets” button. Using this enables you to import your .nmap file. All assets present in the file are added to the Client’s asset list. Open one of these assets, and navigate to the Notes/Description tab to view the data

• Dramatic performance improvements when performing bulk deletion of findings, when deleting a report and when deleting a client

• Additional supported file types in the Artifacts file manager

• Modification of the CMMC framework in the Assessments Module to reflect the addition of Maturity Level

• Prevention of overwriting the initial Date Reported when importing subsequent scan data that has identical findings.

Existing engagements are managed from the List tab of the Schedule module.

Multiple tasks can be performed on existing engagements depending on the user's permissions. If a user has view access but nothing else, a message will appear on the engagement side drawer when accessed.

Viewing an Engagement

Users with the appropriate permissions can view engagements.

Step 1: From the List tab of the Schedule module, click the row or View under the "Actions" column of the desired engagement.

On the Files tab, a side drawer will appear describing the details of the engagement and any provided support files. For easy access, a link directly to the report is provided.

Step 2: Click X at the top right of the drawer to exit.

If permissions allow, the user can edit or cancel the engagement from this screen.

Approving an Engagement

Users with the appropriate permissions can approve engagements.

Step 1: From the List tab of the Schedule module, click the row or View under the "Actions" column of the desired engagement.

Step 2: A side drawer will appear describing the details of the engagement and any provided support files. Click Schedule & create report.

Step 3: Review the first three tabs of the submitted engagement for accuracy and add any additional information. When finished, click Continue to move on to the next tab.

Step 4: On the fourth tab, Select & assign operators and assign resources to work on the engagement by clicking the checkbox next to the desired resource under the "Operators" column. After selecting an operator, the engagement will appear next to that resource. Any existing resources that the operator is working on will also be displayed. Click Save.

Canceling an Engagement

Users with the appropriate permissions can cancel engagements.

Step 1: From the List tab of the Schedule module, click the row or View under the "Actions" column of the desired engagement.

Step 2: A side drawer will appear describing the details of the engagement and any provided support files. Click Cancel request.

Step 3: A modal will appear, asking for confirmation. Click Cancel Request.

Editing an Engagement

Users with the appropriate permissions can edit engagements.

Step 1: From the List tab of the Schedule module, click the row or View under the "Actions" column of the desired engagement.

Step 2: A side drawer describing the engagement details and any provided support files will appear. Click Edit.

Step 3: Edit the engagement as desired by changing content until the end and clicking Save.

Downloading Support Files

Step 1: From the List tab of the Schedule module, click the row or View under the "Actions" column of the desired engagement.

Step 2: A side drawer describing the engagement details and any provided support files will appear. Click the Files tab.

Step 3: Click the download icon of the file to access it.

The engagement status reflects the lifecycle stage and comprises six values labeled with color coding throughout the module.

Status Mappings

Below are the different status states for a report and engagement, the relationship mapping, and any additional notes. Some of the engagement status values are tied to the status of the associated report.

The Assessments module offers security consultancies and pentesters a streamlined approach to developing and managing framework-based governance risk and compliance assessments and scoping questionnaires. This functionality promotes consistency across assessments and reduces the time and effort required for their creation and management. An additional benefit of managing assessment questionnaires in PlexTrac is the ability to utilize PlexTrac's Reports and Analytics modules to track and report on the status of the assessment findings.

Users access by clicking Assessments in the application's main menu.

Overview

Assessments are crucial for identifying, evaluating, and prioritizing security weaknesses in systems, networks, or applications. They aim to uncover vulnerabilities that malicious actors could exploit. Organizations can strengthen their security defenses and reduce the likelihood of successful attacks and data breaches by systematically reviewing and analyzing areas prone to risks, such as software bugs, misconfigurations, and other security weaknesses.

Various paradigms concentrate on evaluating security in vulnerability assessments. Network vulnerability assessments focus on scrutinizing network infrastructure, devices, and protocols to identify potential weak points that attackers could exploit. Web application vulnerability assessments specialize in detecting and remedying security flaws specific to web-based applications. Host-based vulnerability assessments concentrate on individual systems or hosts, including servers and workstations, to identify potential vulnerabilities and implement necessary safeguards.

Some of the most commonly used assessment frameworks in PlexTrac include CMMC (Cybersecurity Maturity Model Certification), NIST (National Institute of Standards and Technology), CIS (Center for Internet Security), ISO (International Organization for Standardization), FFIEC (Federal Financial Institutions Examination Council), and NYDFS (New York Department of Financial Services).

Assessment questionnaires are valuable for gathering relevant information and evaluating security practices. These questionnaires serve many purposes, such as identifying vendor risk management, conducting internal and external audits, or obtaining SOC2 certification. By utilizing well-crafted questionnaires, organizations can systematically gather data regarding their security practices, policies, and procedures, which are then used to assess the effectiveness and compliance with established standards. These questionnaires facilitate a structured approach to evaluating security measures, streamlining the process, and ensuring consistent evaluation across different projects and organizations.

The Assessments module has two tabs:

• In Progress/Completed: This shows all assessments the user can view, including assessments that have been completed and are in progress. Client and status can filter assessments.

• Manage Questionnaires: This displays the list of questionnaires available in the tenancy for assessment purposes. It also allows users to create and manage questionnaires and import questions from a JSON file.

Once an assessment is submitted in PlexTrac, the platform automatically generates a report and directs the user to the Report module readout view, and all questions are turned into findings. This published report contains all the findings from the assessment, making it readily accessible to stakeholders and analyst users. This feature enables quick dissemination of information to relevant parties.

Submitting an Assessment

Step 1: From the Assessments module home page, click the row of the assessment to work on or Edit from the "Actions" menu.

Step 2: Click Submit assessment.

Step 3: If all questions have been completed, a message confirming action appears. Click Submit assessment.

A report readout from the Reports tab of the Clients module will be presented, providing assessment details. The answered questions are now findings. Each finding includes the question, description, assigned score, checkbox status, and any accompanying notes and relevant documentation incorporated into the assessment.

If required, users can make edits to the report before exporting it. This feature ensures that the final report accurately reflects any updates or changes made during the assessment process. Users can review and modify the report as necessary, guaranteeing its accuracy and completeness before sharing it with stakeholders.

The assessment is still listed within the Assessment module, now with a "Completed" status.

Assessment Findings Status

Once an assessment is submitted, all questions, including custom fields, are transformed into findings. PlexTrac then assigns a status to each finding, using business rules corresponding to the answer type and values of the question.

Findings Status Logic

Below are the guidelines used to determine the value given to a finding status. These rules are followed in sequence until the status is resolved and a value is determined.

To ensure the accuracy of the rules listed in the table, the answer type value must match the value in the table, where applicable. For example, an answer type value of Not Compliant will result in a match and a findings status assigned, while a value of Non Compliant will not.

The same logic is applied to custom fields. If, for example, a custom field answer type is "Yes (Pass) / No (Fail)" and the value is "Yes," the finding status assigned is Closed. If the custom field answer type scenario and value are not found below, the finding status assigned is In Process.

Assessments can be started immediately after creation or worked on later by opening one to complete from the In Progress/Completed tab. If no action is taken after an assessment is created or the assessment is not finished, the assessment will have an "In Progress" status.

To open and complete an "In Progress" assessment, go to the In Progress/Completed tab, select the desired assessment, and click Edit.

Monitoring Progress

The assessment module provides progress tracking for questionnaires. A visual bar indicates the questionnaire's completion status, gradually filling up as more questions are answered until it reaches 100%.

Users can provide answers, observations, notes, and attachments as questions are completed, such as policy documents, screenshots, code samples, and videos. Attachments are facilitated through a modal where files can be dragged, dropped, pasted, or browsed from the computer.

Questions can be marked as complete, and users can continue to another question by clicking the question in the left column, entering the question number in the provided box, clicking the navigation arrow to reach the previous or next question in sequence, or using search/filtering to find a specific question.

The progress bar will update as data is entered, questions are completed, and the user moves to the next question. Completed questions will have a checkmark in the circle next to the question.

Questions that are optional for the assessment will have a circle with a dotted outline next to the question's title, while questions that are required will have a circle with a solid outline. Questions touched but not marked as completed are identified with a shaded purple within the circle. Questions that have not been touched retain a white background until modified.

When an assessment has all questions completed, all questions will have a checkmark, and the questionnaire progress bar will be full and display a green checkmark.

Answering a Question

Questions are answered by selecting the question title in the Questions column, which inserts the question in the main window. The edited question is highlighted with a shaded background in the left column.

A question defaults to the status of "Not Started." When a question receives input in any available field, it updates to "In Progress."

After a question has been answered, click the circle next to "Mark question complete," which will update its status to "Completed" and impact the questionnaire progress bar.

Adding Attachments

Users can gather evidence directly and securely on the platform, eliminating the need to email sensitive documents while completing assessments.

Step 1: Click Add attachment(s).

Step 2: Drag a file onto the modal or browse it from a local computer.

Step 3: Add any additional notes as needed. Repeat the process if more than one file is loaded. Click Save.

The attachment is listed on the question after the "Notes" box. Hover over the attachment filename for icons to download or delete the file.

Editing from the Readout Tab

Step 1: From the Reports module home page, click Readout under the "Actions" column of the report to edit.

Step 2: From the Readout tab, click Edit/Comment.

Step 3: Modify the content as needed. All changes are autosaved.

Editing from the Narrative Tab

Step 1: From the Reports module home page, click Readout under the "Actions" column of the report to edit.

Step 2: Click the Narrative tab.

Step 3: Edit the text and titles as desired.

Step 1: From the Reports module, select a report and click the Narrative tab.

Step 2: Scroll to the bottom of existing narratives and click Add From NarrativesDB.

Step 3: Search or use the provided pulldown filters to find the desired section(s) to add.

Step 4: Click the box next to the section(s) to add, and the narrative will appear on the right under the "TO BE ADDED TO NARRATIVE" column.

To add all available sections (or start with all sections selected and then uncheck those not desired), click the box next to "Sections" in the table header below the search bar.

Step 5: Click the Add X Section button at the bottom of the page. The new section(s) now exists in the Narrative tab for editing.

Step 6: Click the three dots to display the option to add tags or delete the section.

Individual reports can be accessed from either the Clients or Reports module. Once a report is selected, users can manage and update it using seven tabs: Readout, Details, Narrative, Findings, Assets, Artifacts, and Attack Path.

Readout Tab

In the Readout tab, you can access the Report Narrative, Report Readout column, Findings Overview summary box, and Findings Status box. The Report Readout column has a convenient scrolling feature, making it simple for users to move through the list of findings.

Report narratives can be edited from this tab (by clicking Edit/Comment) or on the Narrative tab.

To view a finding narrative, click the corresponding box in the "Report Readout" column. To edit this content, click Edit/Comment.

Click Report Narrative to return to the default report readout view.

Hovering the cursor over the pie chart in Finding Status can provide more information about the findings.

Details Tab

The Details tab offers an interface to view and modify the information entered when the report was created. For more detailed guidance on each field and its significance, refer to the Creating a Report page.

Narrative Tab

The Narrative tab offers an interface to view and modify existing rich-text fields (RTFs) or add new ones manually or from NarrativesDB. The existing narrative sections can be expanded or collapsed using the arrow at the right of the box.

Narrative sections can be added to a report from this page in two ways:

• A new section can be created by clicking the Custom Section button.

• An existing section can be added from the NarrativesDB module by clicking the Add from NarrativesDB button.

Findings Tab

The Findings tab lists all findings associated with a report and provides the ability to view a finding and conduct additional finding management and configuration.

Clicking a finding row will launch the findings details side drawer, which is a snapshot view of the finding and all associated content, assets, and tags.

Bulk Actions

Bulk action options appear after one or more findings are selected by clicking the checkbox to the far left of the row of the finding or by clicking the box next to the column header.

Click Actions to see the list of options available.

Configuring Table View

The table view can be customized by clicking the column view icon to the right of the search bar.

Once clicked, a modal appears that lists all fields. To remove a column, click X within the bar.

When fields are removed, an "Add Column" pulldown menu is added at the bottom left of the modal to store the field. Any removed fields can be added later by clicking Add Column and selecting the field to add.

This modal represents the sequence of fields provided in the table, meaning the bar on top will be the column on the table's far left.

The order of columns can be adjusted within this modal by clicking the six dots on the left of the bar for a field and dragging the bar to the desired sequence place.

Click Save when finished.

Assets Tab

The Assets tab displays all assets in the report that are linked via a finding. Assets are not added to a report directly; they only exist within a report when they are part of a finding that has been added to the report.

Visit Adding Assets for more information.

Bulk Actions