PlexTrac has region-specific deployment and maintenance windows to accommodate international growth and ensure minimal disruption to the global customer base. This approach offers several key benefits:
Targeted updates: PlexTrac can roll out updates during off-peak hours for each geographic area.
Reduced downtime: Ensures users experience system improvements outside their primary working hours.
Improved responsiveness: This allows PlexTrac to be more agile in addressing region-specific needs or issues.
Better resource allocation: Provides more targeted support and monitoring, ensuring smoother updates.
The start date for each deployment is listed in the Release Notes. The process begins in North America, followed by Australia/Eastern Asia and Europe/Western Asia the following day.
Australia/Eastern Asia | 09:00 - 12:00 | 15:00 - 18:00 | 01:00 - 04:00 (SYD)
Europe/Western Asia | 14:00 - 17:00 | 20:00 - 23:00 | 21:00 - 00:00 (LON)
North America | 21:00 - 00:00 (following day) | 03:00 - 06:00 (following day) | 23:00 - 02:00 (NYC)
To ensure the best experience when using PlexTrac, the following recommendations for applications and utilities are provided. They maximize the functionality and efficiency of PlexTrac's capabilities.
PlexTrac does not support iOS and Android operating systems.
Using an updated browser ensures access to the full range of features available. Other browsers or older versions of supported browsers are not guaranteed to support all features.
PlexTrac believes in transparency and open communication regarding security matters. This page is a centralized hub where details about newly discovered security flaws, severity ratings, affected product versions, and instructions on mitigating or fixing those vulnerabilities are published.
PlexTrac strongly encourages all users to regularly review this page and promptly apply the recommended mitigations or updates to safeguard their systems against potential security risks.
11/05/2024
This is not an incident notice or a breach notification. Your data remains safe, and the integrity of our platform remains intact.
Through collaboration with third-party researchers and processing responsible disclosure, the following security issues have been patched/remediated:
A vulnerability in the PlexTrac application allowed an attacker to interact with internal application components by utilizing a server-side request forgery variable. Upon discovery, the endpoint was identified as unused based on historic forensic log searching and static analysis of in-code references.
A vulnerability was identified in a dependency used in our runbooks module to handle the upload/import of custom runbooks. The package maintainer identified a potential vulnerability in their code and proactively patched it; however, static analysis and software composition analysis tools are not currently reporting or detecting the issue.
An undocumented and unpublished legacy endpoint was identified as having a local file inclusion vulnerability within the PlexTrac platform. Upon discovery, the endpoint was identified as unused based on historic forensic log searching and static analysis for in-code references to the endpoint.
An N1QL injection vulnerability was discovered within a legacy part of the application (slated for deprecation and removal). Upon initial report, the issue had already been resolved and was pending a scheduled platform release.
Within a dependency of PlexTrac's frontend, a denial of service vulnerability was identified. This allowed an attacker to craft a payload, resulting in a temporary restart of the web server by oversaturating an active websocket connection.
Upon discovery, the package and its uses were evaluated, resulting in the removal of the vulnerable package and the disabling of the use of the affected websocket endpoint within the platform. No patches were available to resolve the underlying vulnerability.
An unsafe default within an open-source dependency that handles importing runbooks data into the platform was identified, allowing code execution within the legacy runbooks importer.
After concluding the initial triage, PlexTrac's team resolved the issue within the code to rely upon a safe method for handling parsing runbooks data files.
Within the PTRAC report import functionality of the PlexTrac platform, an arbitrary file write vulnerability was detected in the mechanism intended to facilitate transferring report artifacts between instances of the platform. This vulnerability is only exploitable when combined with an arbitrary directory write primitive.
After triage, the team was able to patch the issue and apply both validation and sanitization mechanisms to PTRAC files.
Within the runbooks module's attachment upload function, a directory traversal vulnerability was detected. This allowed end users to write non-arbitrary files outside their intended destination on the remote system and thereby create arbitrary directories. These directories could then be used as part of other vulnerabilities to gain code execution.
Post triage, the team was able to patch the issue, apply both validation and sanitization mechanisms to the affected endpoints, and prevent the directory traversal and arbitrary directory creation.
All findings noted above were identified and reported by the NAT Cyber Security Centre team, including:
Arnoldas Radisauskas
Selim Decamps
Ianis Bernard
To date, PlexTrac has not identified any exploitation of the items outlined within this advisory across privately hosted systems managed by PlexTrac's operations team. All items in this advisory were resolved within hours of the report, and your data/systems remain safe and secure.
9/10/2024
An information exposure issue was identified within the platform, which would allow users not granted the VIEW CLIENT ASSETS permission to see information regarding affected assets within API responses.
Permission was enforced in several areas of the application. However, when viewing findings, the affected assets for that finding were inadvertently disclosed in an API response.
The issue has been patched to ensure proper asset restriction when viewing reports and findings throughout the platform.
PlexTrac helps cybersecurity teams improve and centralize workflow management processes across the entire lifecycle. The platform streamlines all aspects of the process, from staging offensive engagements and conducting assessments to analyzing data and reporting, prioritizing critical issues, collaborating between teams, and communicating with stakeholders.
When logging in to PlexTrac, users are greeted by the Dashboard page. Seven modules exist besides the Dashboard: Clients, Assessments, Reports, Priorities, Content Library, Analytics, and Runbooks.
PlexTrac provides many options for configuring a tenant. Below are links to documentation for administration tasks, configuring user-specific settings, configuring authentication (OATH and SAML), integrating with APIs and parsers, installing and maintaining PlexTrac locally, and much more.
Greetings! This page guides you in using the PlexTrac Documentation website effectively and efficiently, including navigation, exporting content, leaving feedback, and using search.
The main navigation menu is on the left sidebar. It features links to various sections and pages of the website. These links act as gateways to specific areas, allowing you to find the information you need quickly. To navigate to the desired section, simply click on the corresponding link.
This site contains four main sections:
🟣 Product Documentation: This includes the home page and general information about PlexTrac that applies to all users, along with the following helpful resources: a quick start guide for new users, a page highlighting new end-user features, and release notes.
🟣 PlexTrac Modules: This includes all the modules in the platform, including those licensed.
🟣 Tenant Management: This guide is for administrators and covers various PlexTrac topics. It includes information on the admin dashboard, authentication configuration, integrations, third-party file imports, supported operating systems and browsers.
🟣 API Documentation: This section provides a comprehensive guide on how to use APIs and webhooks. It includes a "Getting Started" guide, a list of object structures and their attributes, and practical use cases. The documentation also outlines the API Change policy and logs the changes to ensure transparency and inform users of any updates or changes.
This website provides multiple search options: keyword search, phrases in the form of questions, or selecting a query from the pulldown list.
To initiate a search query, click the "Search" box at the top right corner of the page or use the keyboard shortcut Ctrl-k.
Users who type in the search bar will see dynamic search results. The search results will display relevant pages on the site for preview and context, which can be clicked to visit.
Clicking a question provides answers in the search box with relevant information and sourcing listed at the bottom.
Export to PDF is a function that downloads a digital file of a page or pages in PDF format that can be viewed, printed, and shared offline. To export a page, click Export as PDF, which can be found at the end of the page headings at the top right.
A preview page that can be printed or saved as a PDF appears.
Each page has a timestamp of when it was last updated.
Each page allows readers to provide feedback on the helpfulness of the content (not a rating of the product functionality discussed on the page). Click one of the three options to provide feedback.
The Dashboard is a centralized hub where users can view relevant information in a single location. It is accessed by clicking Dashboard in the application's main menu.
The Dashboard provides information regarding reports, assets, and findings based on a user's role, permission settings, and access to published reports.
Information can be filtered by selecting the client from the pulldown menu.
Clicking data points within the graphs and charts will open a side drawer with further information about the findings and assets referenced in the data.
This page displays assignments as users receive them and a list of recently accessed reports.
The My Work page is accessed by clicking the icon found at the top right of the page.
Once a report is viewed, a box will appear at the top of the page. This box displays the report's title, status, client, and the number of findings and assets. Clicking the box opens the report.
Assignments are grouped by type.
My findings
My reports
My assessments
My priorities
Assignments result from associations made from multiple areas of PlexTrac, such as being identified as a report operator, an assignee of a finding, or a reviewer of an assessment.
Click a tab for more information about each topic assignment, including the assigned role for the report or assessment.
The columns displayed in the table view of each assignment tab can be added or removed by clicking the column icon on the right of the page.
Once clicked, a modal appears that lists all fields that exist for that box.
To remove a column, click X within the bar.
When fields are removed, an "Add Column" pulldown menu is added at the bottom left of the modal to store the field. Any removed fields can be added later by clicking Add Column and selecting the field to add.
This modal represents the sequence of fields provided in the table, meaning the bar on top will be the column that appears on the far left of the relevant box.
The order of columns can be adjusted within this modal by clicking the six dots on the left of the bar for a field and dragging the bar to the desired sequence place.
Each topic has its own list of fields and must be customized separately.
Messages received within PlexTrac are stored on the Notifications page.
This page is accessed by clicking the bell icon at the top of any PlexTrac page next to the user name and then clicking View All.
When new notifications exist, the bell will have a red outline.
Clicking the bell will provide a list of unread notifications. Clicking a notification directly will send the user to the page that prompted it, and the notification will be set to the "Read" status.
In the Clients module, users can group and categorize data as needed. This helps manage confidentiality, integrity, and availability effectively while enhancing collaboration and catering to individual client needs.
Users access the module by clicking Clients in the application's main menu.
PlexTrac defines a client as a logical grouping utilized to segregate data. The term holds various meanings within different organizations, depending on the context in which it is used.
For teams external to the consulting organization, the term "client" typically refers to the individuals or entities that utilize their services. These clients may include businesses, government agencies, or other organizations that engage the consulting team to assess their cybersecurity posture, conduct vulnerability assessments, or provide related services. For these external teams, the client represents the entity they work for and to whom they deliver their expertise.
For teams operating within the boundaries of an organization or company, a client could refer to a specific project, a business unit, a regional office, or a program within the organization. Defining a client in this manner facilitates segregating data, findings, reports, and assets, ensuring that information is appropriately isolated within the relevant groupings.
By organizing data according to different clients, teams can manage and maintain confidentiality, integrity, and information availability. This approach allows for more collaboration and reporting within specific client-based units, prevents data overlap and ensures that each client's unique requirements and concerns are adequately addressed.
The Clients module home page displays all clients in a tenancy.
The table view is highly customizable, allowing users to select which columns are displayed to suit their specific needs. For a deeper dive into individual client details, clicking "View" under the "Actions" column navigates directly to the "Details" tab of the Client Summary page.
Similarly, clicking "Reports" provides a quick link to all reports related to a specific client. This directs users to the "Reports" tab of the Client Summary page. To review the assets linked to a client, select "View Assets," which takes users to the "Assets" tab. Finally, the interface also allows the deletion of a client.
The table view on the Clients home page can be customized by clicking the column view icon to the right of the search bar.
Once clicked, a modal appears that lists all fields.
To remove a column, click X within the bar.
When fields are removed, an "Add Column" pulldown menu is added at the bottom left of the modal to store the field. Any removed fields can be added later by clicking Add Column and selecting the field to add.
This modal also represents the sequence of fields provided in the table, meaning the bar at the top is the column that appears on the far left of the relevant box.
The order of columns can be adjusted within this modal by clicking the six dots on the left of the bar for a field and dragging the bar to the desired sequence place.
Click Save when finished.
The "Create New Client" modal allows users to input essential information, such as the client's name, logo, point of contact, client notes, tags, and custom fields.
Users can create a comprehensive profile for each client, enabling efficient data collection, organization, and management within PlexTrac.
Step 1: From the Clients module home page, click New client.
Step 2: A modal appears with the following fields:
Client Logo: To represent the client visually, drag an image or click the designated box to navigate to a picture on the computer.
Client Name (required): Enter the client or project name that will identify this data collection throughout PlexTrac.
Point of Contact: Enter the resource's name to contact about the data collection.
Point of Contact Email: Enter the resource's email address. If the email of a current PlexTrac user is entered, this person is added as a client user with the analyst role. If the person creating the client adds themselves as the point of contact, their default tenancy role (i.e., admin) is assigned. All roles can be adjusted.
Client Description/Details: Enter any pertinent information to help provide users context.
Tags: Enter any tags associated with the client (new or existing). Any special characters will be removed, and any spaces will be replaced with an underscore (_).
Add Custom Field: Enter additional fields and values needed to enhance the client's management.
Step 3: Click Submit.
The new client now appears on the Clients module home page.
Once clients have been added, PlexTrac offers a range of features that facilitate editing and managing information, including contact details, custom fields, logos, and additional notes and details. Users can ensure client information remains accurate and relevant with just a few clicks.
Step 1: From the Clients module home page, click View under the "Actions" menu for the impacted client.
Step 2: Click Edit Client Information.
Step 4: The "Edit Client Information" modal appears and can be modified as desired. Click Submit when finished.
Step 1: From the Clients module home page, click the three dots under the "Actions" column corresponding to the client and click Delete Client.
Step 2: A modal will appear, confirming the action. Type in the client name and click Delete.
PlexTrac offers easy access to detailed client information. By clicking on a client's row from the Clients module home page, the user is directed to a summary page, which includes tabs for Reports, Findings, Assets, Procedures, Details, Statistics, and Priorities.
These tabs offer insights into the client's reports, findings, asset inventory, client-specific details, and finding metrics. PlexTrac ensures a cohesive and organized approach to client management by centralizing all client data in one place.
This tab lists all the reports associated with a client. It can also be reached by clicking Reports under the "Actions" column from the Client home page.
This tab displays the report title, status, classification, creation date, and finding count. It allows direct access to the Report Readout page and associated findings. Click one of the rows for more information about a specific report.
When editing multiple reports, PlexTrac offers bulk action capabilities. Bulk actions provide several advantages, including time-saving and increased efficiency by processing numerous items simultaneously.
Click Actions to see the list of options for reports.
The table view can be customized by clicking the column view icon to the right of the search bar.
Once clicked, a modal appears that lists all fields. To remove a column, click X within the bar.
When fields are removed, an "Add Column" pulldown menu is added at the bottom left of the modal to store the field. Any removed fields can be added later by clicking Add Column and selecting the field to add.
This modal represents the sequence of fields provided in the table, meaning the bar on top will be the column on the table's far left.
The order of columns can be adjusted within this modal by clicking the six dots on the left of the bar for a field and dragging the bar to the desired sequence place.
Click Save when finished.
This tab lists all the findings associated with a client via a report.
Clicking a finding row opens a side drawer and the findings detail view. From this view, a finding status can be edited by clicking the status value, and affected assets can be viewed and edited directly.
Bulk action options appear after one or more findings are selected by clicking the checkbox to the far left of the Finding Title field or by clicking the box next to the column header.
Click Actions to see the list of options available.
The table view can be customized by clicking the column view icon to the right of the search bar.
This tab lists all the assets associated with a client and provides the ability to view the asset, edit the asset properties, add any notes, or delete the asset.
Bulk action options appear after selecting one or more assets by clicking the checkbox to the far left of the Assets field or by clicking the box next to the column header.
Click Actions to see the options available, such as linking to a priority or adding tags.
The table view can be customized by clicking the column view icon to the right of the search bar.
This tab streamlines the creation and management of procedures within reports, offering a view of all procedures and tactics associated with a client.
The table view can be customized by clicking the column view icon to the right of the search bar.
This tab provides an overview of the client for all published reports. Its primary purpose is to provide a snapshot of the client's security posture and progress in addressing the identified issues. It is a centralized dashboard where users can quickly assess the client's status at a glance, enabling efficient monitoring and decision-making.
Clicking on Edit Client Information offers options for managing the client's logo, name, point of contact, description, tags, and the ability to add custom fields. It is also where authorized users, roles, and classification levels are managed.
This tab offers a snapshot of a client's findings based on severity and status for all published reports.
By organizing findings by severity and status, users can quickly identify the number of open or unresolved findings that require attention and follow-up actions.
This tab summarizes all client priorities. The list displayed depends on whether the tenancy enables client-specific or tenant-level priorities.
It can be determined whether a priority applies to all clients or a specific one based on the "Client" column value. If a priority applies to all clients, an "All clients" value is displayed. If it is client-specific, the client's name will appear instead.
The priority can be accessed directly by clicking on its title or row.
Bulk action options appear after one or more priorities are selected by clicking the checkbox to the far left of the Priority field or by clicking the box next to the column header.
Once available, click on Actions to see the list of options.
The table view can be customized by clicking the column view icon to the right of the search bar.
Existing assets in PlexTrac are managed from the Clients module. Assets may be found either from the Assets tab of a client, the Assets tab of a report, or via the Findings>Affected Assets tab when creating or modifying a finding.
Step 1: Within a client, click the Assets tab.
Step 2: Click Edit under the "Actions" column of the asset to modify.
Step 3: Update desired fields on the "Edit Asset" page.
Step 4: Click Asset Detail.
Step 5: A list of asset metadata and the Associated findings tab are presented. Click Notes/Description.
Step 6: Existing ports, notes, and descriptions are presented. Add information by clicking Add Note.
Step 7: Click the Child assets tab to view any child assets that may exist. The Child assets tab table view can be customized by clicking the column icon to the right of the search bar.
Bulk action options appear after selecting one or more assets by clicking the checkbox or the box next to the column header.
Click Actions to see the options available, such as linking to a priority or adding a tag.
Assets within PlexTrac are stored outside of reports at the client level within the platform. An asset can exist as a standalone file in the Clients module or associated with a finding, referred to as an affected asset.
Organizations can efficiently manage and track their cybersecurity resources by organizing and storing assets in PlexTrac. This centralized approach ensures that important files and information are readily accessible when necessary, facilitating collaboration, efficient vulnerability management, and streamlined remediation efforts.
Step 1: From the Clients module home page, click the client's row or View under the "Actions" column.
Step 2: Click the Assets tab.
Step 3: Click the Add assets pulldown menu and select Create asset.
Step 4: The "New Asset" modal appears. Enter the desired information into the appropriate fields.
Step 5: Click Save at the bottom of the modal.
The asset now appears in the Assets tab.
Step 1: From the Clients module home page, click the client's row or View under the "Actions" column.
Step 2: Click the Assets tab.
Step 3: Click Add assets, then select Bulk paste assets from the pulldown menu.
Step 4: Paste asset information into the provided box as a return- or comma-separated list. PlexTrac will parse the assets and add them to the finding. URLs with paths (e.g., www.plextrac.com/test/) will be separated into parent and child assets.
Step 5: Click Next.
Step 6: PlexTrac will search for assets in the bulk paste that match existing assets and identify them separately from new assets on the Review tab. This provides the option to deselect any assets before import.
Step 7: Click Next.
Step 8: Add any tags (optional). Click Add X assets.
A message confirming the import will appear, and the assets are viewable from the Assets tab.
PlexTrac supports asset imports using an NMAP file or a CSV template:
NMAP files: Network Mapper is a free, open-source network discovery and security auditing utility. More information on NMAP can be found on PlexTrac's Integrations section of this site.
CSV: PlexTrac provides a template for uploading assets to a client. Click the file below to download the template:
The template is prepopulated with all permitted fields and sample values.
Do not add additional columns or some data may not be imported.
| Field | Description | Sample value | Notes |
| --- | --- | --- | --- |
| name | Asset Name | temp-asset-1 | |
| ip addresses | IP address of the asset | 10.0.0.10 | |
| criticality | Importance level of the asset | High | |
| data owner | Person responsible for the data | Jane Pentester | |
| physical location | Geographic location of the asset | Boise | |
| system owner | Person responsible for the system | John | |
| ports | Open/closed ports and associated services | 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/ | Each port can have up to eight values, separated by a slash. See the Ports section below after the table for more information. |
| tags | Categorization tags | Karbo | |
| description | Brief description of the asset | csv-desc1 | |
| parent | Hierarchical relationship | Child 1 | |
| type | Asset type | Workstation | The value for this field must be one of the following: Workstation, Server, Network Device, Application, or General. If another value is used, it will be ignored, and the Asset Type value will display in PlexTrac as "Not Set." This field is not case-sensitive. |
| host fqdn | Fully Qualified Domain Name | | |
| hostname | Name of the host | temp-asset-1 | |
| host rdns | Reverse DNS lookup | 4.3.2.1.in-addr.arpa | |
| dns name | DNS name associated with the asset | 192.0.2.44 | |
| mac address | Media Access Control address | 00-B0-D0-63-C2-26 | |
| netbios name | NetBIOS name of the asset | temp-asset-1 | |
| total cves | Total number of Common Vulnerabilities and Exposures | 8 | |
| pci status | Payment Card Industry compliance status | Fail | The value for this field must be blank, Pass or Fail. If another value is used, it will be ignored, and the Asset Type value will display in PlexTrac as "Not Set." This field is not case-sensitive. |
| operating system | OS running on the asset | Windows 11 | |
Column G (ports) holds the port information to ingest; after import, it is found in the asset's Notes/Description tab.
Multiple values for the ports cell are separated by commas, such as:
22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/, 25/open/tcp//smtp///, 53/closed/tcp//domain///, 70/open/tcp//gopher///, 80/open/tcp//http//Apache http 2.2.3 ((CentOS))/, 113/open/tcp//auth///, 31337/open/tcp//Elite///
Each port can have up to eight values, separated by a slash. This means there must be seven slash characters (/) for each port ingested, even if no data exists within the slashes. If the correct number of slashes is not used, an import error will appear, and the file will not be accepted.
Examples of valid data values for the ports field:
80///////
80/open//////
80/open/tcp/////
80/closed/tcp/auth////
80/open/tcp/auth/ssh///
80/open/tcp/auth/ssh/test 6//
80/open/tcp/auth/ssh/test 6/Apache http 2.2.3 (CentOS)/
The first value captures the port number. The second value captures the port status (any ports with a status of Closed will not be imported). The third value captures the protocol. The fifth value captures the service, and the seventh value captures the version.
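A pre-flight check for the asset CSV, written for this page as an added example (it is not PlexTrac code): it applies the seven-slash rule and the positional meaning of the port values described above, plus the allowed values for the type and pci status fields. The function names and the sample CSV are constructed for illustration; treating the Closed status as case-insensitive and requiring a numeric port are assumptions.

```python
import csv
import io

# Allowed values as listed in the field table (neither field is case-sensitive).
ASSET_TYPES = {"workstation", "server", "network device", "application", "general"}
PCI_STATUSES = {"", "pass", "fail"}


def parse_port(entry):
    """Parse one port entry: eight slash-separated values, i.e. exactly seven '/'."""
    slashes = entry.count("/")
    if slashes != 7:
        raise ValueError(f"{entry!r}: expected 7 '/' characters, found {slashes}")
    values = entry.split("/")
    if not values[0].isdigit():
        # Extra sanity check added here; the page only specifies the slash count.
        raise ValueError(f"{entry!r}: first value must be a port number")
    return {
        "port": int(values[0]),   # 1st value: port number
        "status": values[1],      # 2nd value: port status
        "protocol": values[2],    # 3rd value: protocol
        "service": values[4],     # 5th value: service
        "version": values[6],     # 7th value: version
    }


def parse_ports_cell(cell):
    """Split a comma-separated ports cell into (kept, closed, errors)."""
    kept, closed, errors = [], [], []
    for entry in (e.strip() for e in cell.split(",")):
        if not entry:
            continue
        try:
            port = parse_port(entry)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        # Ports with a status of Closed are not imported (compared
        # case-insensitively here, which is an assumption).
        (closed if port["status"].lower() == "closed" else kept).append(port)
    return kept, closed, errors


def check_row(row):
    """Return the list of problems found in one CSV row (dict keyed by header)."""
    problems = []
    _, _, errors = parse_ports_cell(row.get("ports") or "")
    problems += [f"ports: {e}" for e in errors]
    asset_type = (row.get("type") or "").strip()
    # A blank type is left unflagged; any other unknown value is ignored on import.
    if asset_type and asset_type.lower() not in ASSET_TYPES:
        problems.append(f"type: {asset_type!r} is ignored and displays as 'Not Set'")
    pci = (row.get("pci status") or "").strip()
    if pci.lower() not in PCI_STATUSES:
        problems.append(f"pci status: {pci!r} is ignored")
    return problems


# Constructed sample input using column headers from the template.
SAMPLE_CSV = '''name,ports,type,pci status
temp-asset-1,"22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/, 53/closed/tcp//domain///",workstation,Fail
temp-asset-2,"80/open/tcp//http/",Router,maybe
'''


def preflight(csv_text):
    """Map each row's asset name to its list of problems (empty list = clean)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["name"]: check_row(row) for row in reader}


if __name__ == "__main__":
    for name, problems in preflight(SAMPLE_CSV).items():
        print(name, "OK" if not problems else problems)
```

Because entries are split on commas and counted by slashes, a version string that itself contains a comma or a slash will fail this check and needs to be edited before import.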
Step 1: From the Clients module home page, click the report row or View under the "Actions" column.
Step 2: Click the Assets tab.
Step 3: Click Add assets, then select Bulk paste assets from the pulldown menu.
Step 4: Drag a file into the modal or click the box to navigate to the file on the computer.
Step 5: Click Import.
A message will appear confirming import.
The new assets are displayed on the Assets tab. To view imported values, click View of the imported asset.
To view imported port information, click Notes/Descriptions.
Users with permission to approve an engagement will have a "New engagement" button available in the Schedule module.
Step 1: Click New engagement from the Calendar tab of the Schedule module.
Step 2: Enter information about the engagement. Required fields are identified with a red asterisk. Click Continue.
Step 3: Add any relevant files for context. Click Continue.
Step 4: Enter report details. Click Continue.
Step 5: Select the dates to begin and end work on the engagement by inserting the cursor into the "Engagement dates" box and clicking the desired dates.
Step 6: Assign resources to work on the engagement by clicking the checkbox next to the desired resource under the "Operators" column. After selecting an operator, the engagement will appear next to that resource. Any existing resources that the operator is working on will also be displayed. Click Save.
The engagement now appears on the Calendar and List tabs for viewing and modification.
PlexTrac offers role-based access controls (RBAC) at the client level. RBAC allows teams to efficiently manage user privileges and permissions based on specific client requirements, enabling effective collaboration and task accomplishment.
Within PlexTrac, three default levels of access exist that can be assigned to users based on their responsibilities:
Administrator: An Administrator has the highest access level within PlexTrac. They possess extensive privileges and can perform various tasks, including creating reports, adding findings, tracking status, managing users, configuring settings, and accessing all areas of the platform related to the client.
Standard User: A Standard User plays a crucial role in managing and documenting client activities. They can create reports, add findings, and track the status of ongoing projects. This level of access allows Standard Users to contribute actively, collaborate with other team members, and provide valuable insights throughout the process.
Analyst: An Analyst is a user with a more limited role. Their primary responsibility is to track and update the status of identified vulnerabilities. While they may not have the authority to create reports or add findings, their role is essential in ensuring the accurate documentation and timely resolution of identified issues. Analysts can provide real-time updates on the progress of vulnerability mitigation efforts, making it easier for the broader team to stay informed and take necessary actions.
These default access levels ensure each team member has the appropriate privileges and responsibilities aligned with their role and contribution to the client's initiatives. By assigning specific access levels, teams can streamline workflows, maintain data integrity, and improve overall efficiency in managing and securing client environments.
An icon will appear at the end of the role title when adding a user to a licensed role, regardless of the number of licenses available.
Any messaging regarding user licenses will appear as a banner on the "Authorize Client Users" modal.
Step 1: From the Clients module home page, click View under the "Actions" menu for the impacted client.
Step 2: Scroll to the "User access" section and click Add/Authorize User.
Step 3: Select the user to add from the "User" field pulldown menu.
Only existing users in the tenancy who are not authorized for the client appear in the pulldown menu.
After adding a user, the "Role" and "Classification" fields will be automatically filled in but can be changed.
Step 4: Click Add User to add additional users (if applicable). Click Save when finished.
Step 1: From the Clients module home page, click View under the "Actions" menu for the impacted client.
Step 2: Scroll down to the "User Access" section and click Revoke under the "Actions" column in the user's row to remove access permissions.
Step 3: A dialog box will appear confirming the action. Click Revoke.
Step 1: From the Clients module home page, click View under the "Actions" menu for the impacted client.
Step 2: Under the "User Access" section, select the new role from the pulldown menu in the "Role" column for the user.
The change is immediate. A dialog box will appear at the bottom left of the screen confirming the change.
Step 1: From the Clients module home page, click View under the "Actions" menu for the impacted client.
Step 2: Scroll down to the "User Access" section and click the pulldown menu under the "Classification Level" column of the user impacted.
Step 3: Select the new classification level.
The change is immediate. A dialog box confirming the change will appear at the bottom left of the screen.
In the Schedule module, users can request and view engagements while others can create, approve and allocate resources to work on reports.
Users access the module by clicking Schedule in the application's main menu.
The Schedule module streamlines scheduling, resource management, and team visibility to enhance pentesting and report efficiency.
For Managed Security Service Providers (MSSPs), the scheduler oversees ongoing projects and facilitates efficient handling of incoming requests. On the client side, the portal experience consolidates all relevant information and provides intuitive tools for requesting new engagements within PlexTrac instead of email. Users can easily document and communicate engagement details to the team, while resource managers receive a holistic view to optimize scheduling.
Any report managed by an engagement will display this information on the Details tab of a report, with a link directly to the engagement.
Users can view and access engagements from the Schedule home page for clients they can access. The view defaults to a calendar. Additional tabs include a list of all engagements and resource availability (depending on permissions).
This tab lists all client engagements a user can access, depending on the filtered view chosen (All, Pending, Schedule, In progress, In review, and Complete). The engagements are color-coded to identify their status quickly.
This tab displays a list view of all client engagements a user can access, depending on the filtered view chosen (All, Pending, Schedule, In progress, In review, and Complete). Engagements can be viewed or edited from this tab by clicking the task under the "Actions" column of the engagement.
This tab displays a list view of all users in the tenancy who have permission to view and edit reports. Visible engagements can be filtered by clicking a status value above (i.e., "Pending").
The permissions assigned to a user dictate the user experience (which tabs can be viewed and which tasks can be completed) in the Schedule module. In addition, users will only see engagements associated with clients they can access.
This module's permissions list can be viewed and customized for enabled roles on the Role-Based Access page of the Admin Dashboard under "Engagement Scheduler Permissions."
Existing engagements are managed from the List tab of the Schedule module.
Multiple tasks can be performed on existing engagements depending on the user's permissions. If a user has view access but nothing else, a message will appear in the engagement side drawer when accessed.
Users with the appropriate permissions can view engagements.
Step 1: From the List tab of the Schedule module, click the row or View under the "Actions" column of the desired engagement.
On the Files tab, a side drawer will appear describing the engagement details and any provided support files. For easy access, a link directly to the report is provided.
Step 2: Click X at the top right of the drawer to exit.
If permissions allow, the user can edit or cancel the engagement from this screen.
Users with the appropriate permissions can approve engagements.
Step 1: From the List tab of the Schedule module, click the row or View under the "Actions" column of the desired engagement.
Step 2: A side drawer describing the engagement details and any provided support files will appear. Click Schedule & create report.
Step 3: Review the first three tabs of the submitted engagement for accuracy and add any additional information. When finished, click Continue to move on to the next tab.
Step 4: On the fourth tab, "Select & assign operators," assign resources to work on the engagement by clicking the checkbox next to the desired resource under the "Operators" column. After selecting an operator, the engagement will appear next to that resource. Any existing resources that the operator is working on will also be displayed. Click Save.
Users with the appropriate permissions can cancel engagements.
This action cannot be undone. If canceled, the engagement will need to be created again manually.
Step 1: From the List tab of the Schedule module, click the row or View under the "Actions" column of the desired engagement.
Step 2: A side drawer describing the engagement details and any provided support files will appear. Click Cancel request.
Step 3: A modal will appear, asking for confirmation. Click Cancel Request.
Users with the appropriate permissions can edit engagements.
Step 1: From the List tab of the Schedule module, click the row or View under the "Actions" column of the desired engagement.
Step 2: A side drawer describing the engagement details and any provided support files will appear. Click Edit.
Step 3: Edit the engagement as desired, working through the content to the end, then click Save.
Step 1: From the List tab of the Schedule module, click the row or View under the "Actions" column of the desired engagement.
Step 2: A side drawer describing the engagement details and any provided support files will appear. Click the Files tab.
Step 3: Click the download icon of the file to access it.
The Questionnaire templates tab is a directory of assessment questionnaires available for a tenant. This tab provides a centralized location where users can perform various actions, such as creating new questionnaires, modifying existing ones, importing questionnaires from external sources, or deleting questionnaires that are no longer needed.
The primary objectives of assessment questions are twofold. First, they aim to bolster the effectiveness and thoroughness of the assessment process by providing additional context and relevant information. By including well-crafted questions, the assessment becomes more comprehensive and capable of capturing a broader range of data.
Second, the information collected through these assessment questions is crucial in generating meaningful findings when the assessment is completed and submitted as a report. These findings, derived from the accumulated data, serve as valuable insights and recommendations.
Furthermore, the Questionnaire templates tab also provides the functionality to initiate client assessments. This feature streamlines the assessment workflow by seamlessly integrating the questionnaire creation and initiation steps within the same interface.
Step 1: Click New Questionnaire from the Questionnaire templates tab of the Assessments module.
Step 2: Enter a unique title and select the reference framework from the pulldown menu.
The reference framework value tags assessments and questions for future categorization and management.
Step 3: Click Create Questionnaire.
Step 4: Edit this section as needed.
Questionnaire Title (required): This value entered in Step 3 can be edited here. This value will appear in the expanded section of the questionnaire (reference number one in the question example below).
Reference Framework: This value was selected in Step 3 and cannot be edited. The reference framework value tags assessments and questions for future categorization and management.
Require Completion of All Questions: If all questions must be answered before completing the assessment, check the box.
Step 5: Click Save Basic Info.
Title (required): Question title and value that will appear in the expanded section of the questionnaire (see number 1 in the example below).
Description (required): Description of the question that will appear as additional context for the user when answering the question (see number 2 in the example below).
Add Input Field: An additional label can be provided and made mandatory if necessary (see number 4 in the example below). The label will be presented to the user with a box for data entry. Enter as many Input Fields as required.
Add Custom Field: Provides additional RTF fields with a label, if needed. Repeat as often as needed.
Default Severity: Pulldown menu list of values to define the default severity of the question. If a question is based on a Framework Control, it may have a predefined severity. This will be the severity of the report finding that this question will become upon submission.
Default Score: Optional method for providing a default score.
Default Score Calculation: If required, enter as a plain text string.
Tags: Additional information to improve search and reporting.
Recommendations: Recommendations relevant to the question, such as a remediation technique or policy suggestion.
References: References to questions to assist with implementing or verifying the assertion, such as website links.
Information from a writeup can be linked to a question. This metadata and content from the writeup will not appear in the assessment. Still, after the assessment is submitted and the question becomes a finding, the writeup information is included on the finding detail page.
Writeup: Pulldown menu list of available writeups to link to the question.
Tags: Additional information to improve search and reporting. This is the same field found under the "Custom" button.
Step 6: Click Create.
The created question now appears in the "All Questions" column on the left.
This section contains a record of all questions in an assessment and provides the sequence in which they will appear.
Step 7: Create more questions to complete the assessment. This can be done in two ways:
Step 8: Click Create after completing the second question. Create as many questions as needed to complete the assessment.
Once multiple questions exist, they can be resequenced if they were created in an order other than the desired final sequence.
Questions can be moved by clicking the "All Questions" question box and dragging it to the desired arrangement on the list. The numbering will dynamically change so that they are ordered as shown on the page (i.e., the question on top is always Question #1).
PlexTrac allows imported questionnaires in JSON file format.
Step 1: From the Assessments module, click the Questionnaire templates tab.
Step 2: Click Import.
Step 3: Drag the JSON file to the modal or click to browse the file on the computer. Repeat if necessary. When finished, click Upload.
Importing a questionnaire removes all linked writeups.
If the wrong JSON file is used, an error message will appear. If the import is successful, the new file will appear in the list of questionnaires.
A questionnaire can be exported as a JSON file for backup or for import into another instance. Questionnaires can be exported during editing, directly from the Manage Questionnaires page, or when viewing a questionnaire.
Step 1: From the Assessments module, click the Questionnaire templates tab.
Step 2: Click the three dots under the "Actions" menu of the questionnaire and then click Export.
Step 3: Click Export.
The questionnaire is downloaded locally as a JSON file.
Clicking the row of the questionnaire on the Manage Questionnaire tab displays all question titles, descriptions, and tags on one page for easy viewing. The questions are listed in sequence.
The Assessments module offers security consultancies and pentesters a streamlined approach to developing and managing framework-based governance risk and compliance assessments and scoping questionnaires. This functionality promotes consistency across assessments and reduces the time and effort required for their creation and management. An additional benefit of managing assessment questionnaires in PlexTrac is the ability to utilize PlexTrac's Reports and Analytics modules to track and report on the status of the assessment findings.
Users access the module by clicking Assessments in the application's main menu.
Assessments are crucial for identifying, evaluating, and prioritizing security weaknesses in systems, networks, or applications. They aim to uncover vulnerabilities that malicious actors could exploit. Organizations can strengthen their security defenses and reduce the likelihood of successful attacks and data breaches by systematically reviewing and analyzing areas prone to risks, such as software bugs, misconfigurations, and other security weaknesses.
Various paradigms concentrate on evaluating security in vulnerability assessments. Network vulnerability assessments focus on scrutinizing network infrastructure, devices, and protocols to identify potential weak points that attackers could exploit. Web application vulnerability assessments specialize in detecting and remedying security flaws specific to web-based applications. Host-based vulnerability assessments concentrate on individual systems or hosts, including servers and workstations, to identify potential vulnerabilities and implement necessary safeguards.
Some of the most commonly used assessment frameworks in PlexTrac include CMMC (Cybersecurity Maturity Model Certification), NIST (National Institute of Standards and Technology), CIS (Center for Internet Security), ISO (International Organization for Standardization), FFIEC (Federal Financial Institutions Examination Council), and NYDFS (New York Department of Financial Services).
Assessment questionnaires are valuable for gathering relevant information and evaluating security practices. They serve many purposes, such as identifying vendor risk management, conducting internal and external audits, or obtaining SOC2 certification. By utilizing well-crafted questionnaires, organizations can systematically gather data regarding their security practices, policies, and procedures, which are then used to assess their effectiveness and compliance with established standards. These questionnaires facilitate a structured approach to evaluating security measures, streamlining the process and ensuring consistent evaluation across different projects and organizations.
The Assessments module has two tabs:
In Progress/Completed: This option shows all assessments the user can view, including completed and in-progress assessments. Assessments can be filtered by client and status.
Manage Questionnaires: This displays the list of questionnaires available for assessment purposes in the tenancy. It also allows users to create and manage questionnaires and import questions from a JSON file.
Users who do not have permission to approve an engagement can still request one.
Step 1: From the Calendar tab of the Schedule module, click Request engagement.
Step 2: Enter the engagement details in the provided side drawer. Click Continue.
Step 3: Add any relevant files for context. Click Submit.
A dialog box will appear explaining the next steps. Click Ok.
The engagement is now listed as pending on the Calendar and List tabs.
Check "Preserve pasted assets" to treat the pasted content as a monolithic asset. The parser will not attempt to break down the asset into its constituent parts (child assets) or identify potentially vulnerable parameters.
See the page for more details on the various parts of an engagement.
Answer Types (required): Header value for multiple-choice questions (see number 3 in the example below). Additional multiple-choice questions can be added by clicking Add Answer Type, which is helpful for assessments that score off multiple categories, such as Process and Practice maturity in CMMC. Check the box under "Require?" to make answering the question mandatory when completing the assessment. The list of values available for each multiple-choice question can be previewed by hovering over the informational icon to the right of the "Answer Types" label (but only ).
Not every field edited for a question will be displayed during the assessment. Still, it will be passed to a finding in the report generated upon submission, as each question in the assessment will become a finding. The screenshot below illustrates this: Every field greyed out and below the yellow line will not appear in the assessment but will be passed on to the finding details page after an assessment is submitted.
Clicking Add Question brings up a new blank list of fields.
Clicking the copy icon of the question to clone.
PlexTrac's assessment module offers a user-friendly interface that enables effective assessment management, progress tracking, data collection, and collaboration. It ultimately facilitates the submission and presentation of comprehensive assessment findings.
Results count: This displays the number of questions in the assessment and dynamically updates based on filter and search queries.
Reviewers button: Used to assign assessment reviewers (this option disappears for completed assessments).
Submit assessment button: Used to submit the assessment and move it to "Completed" status.
Users have two options for beginning an assessment. First, they can navigate to the Questionnaire templates tab. Second, users can start a new assessment from the In progress/completed tab.
Step 1: Click the Start New Assessment tab from the Assessments default home page.
Step 2: Select the client the assessment applies to from the pulldown menu, then select the questionnaire. Click Next.
Step 3: A new page appears, presenting the assessment for modification.
Step 1: Click the Questionnaire templates tab from the Assessments default home page.
Step 2: Click Begin Assessment under the "Actions" column for the desired questionnaire.
Step 3: Select the associated client/project value from the pulldown menu and click Begin Assessment.
Step 4: A new page appears, presenting the assessment for modification.
If no action is taken after an assessment is created or is not finished, the assessment will receive an "In Progress" status and be accessible from the In progress/completed tab.
An assessment can be completed by clicking Edit under the "Actions" column.
Once an assessment is submitted in PlexTrac, the platform automatically generates a report and directs the user to the Report module readout view, and all questions are turned into findings. This published report contains all the findings from the assessment, making it readily accessible to stakeholders and analyst users. This feature enables quick dissemination of information to relevant parties.
Step 1: From the Assessments module home page, click the row of the assessment to work on or Edit from the "Actions" menu.
Step 2: Click Submit assessment.
This action cannot be undone. Once submitted, a report will be generated with recorded responses.
Step 3: If all questions have been completed, a message confirming action appears. Click Submit assessment.
A report readout from the Reports tab of the Clients module will be presented, providing assessment details. The answered questions are now findings. Each finding includes the question, description, assigned score, checkbox status, and any accompanying notes and relevant documentation incorporated into the assessment.
If required, users can edit the report before exporting it. This feature ensures that the final report accurately reflects any updates or changes made during the assessment process. Users can review and modify the report as necessary, guaranteeing its accuracy and completeness before sharing it with stakeholders.
The assessment is still listed within the Assessment module, now with a "Completed" status.
Once an assessment is submitted, all questions, including custom fields, are transformed into findings. PlexTrac then assigns a status to each finding, using business rules corresponding to the answer type and values of the question.
Below are the guidelines used to determine the value given to a finding status. These rules are followed in sequence until the status is resolved and a value is determined.
To ensure the accuracy of the rules listed in the table, the answer type value must match the value in the table, where applicable. For example, an answer type value of Not Compliant will result in a match and a finding status assigned, while a value of Non Compliant will not.
The same logic is applied to custom fields. If, for example, a custom field answer type is "Yes (Pass) / No (Fail)" and the value is "Yes," the finding status assigned is Closed. If the custom field answer type scenario and value are not found below, the finding status assigned is In Process.
| Order | Scenario | Value | Finding status |
|---|---|---|---|
| 1 | Answer type value is Yes AND Answer type is "Yes (Pass) / No (Fail)" | Yes | Closed |
| | Answer type value is Yes AND Answer type is NOT "Yes (Pass) / No (Fail)" | Yes | Open |
| 2 | Answer type value is No AND Answer type is "Yes (Pass) / No (Fail)" | No | Open |
| | Answer type value is No AND Answer type is NOT "Yes (Pass) / No (Fail)" | No | Closed |
| 3 | Answer type is "CMMC Processes" or "CMMC Practices" | Any value | Open |
| 4 | Answer type value was left blank or not answered | | Open |
| 5 | Answer type value is checked against a list of values that are mapped (if the answer type is Multiple Choice and more than one box was checked, the value of the topmost option is used) | No (Pass) | Closed |
| | | Not Started | Open |
| | | Strongly Disagree | Open |
| | | Initial | Open |
| | | Yes (Fail) | Open |
| | | Operational | Closed |
| | | Strongly Agree | Closed |
| | | Optimizing | Closed |
| | | Compliant | Closed |
| | | Not Compliant | Open |
| | | Required | Open |
| | | Extremely Effective | Closed |
| | | Not Effective | Open |
| | | In Place | Closed |
| | | Not In Place | Open |
| | | N/A | Closed |
| | | In Place w/CCW | Closed |
| | | Not Tested | Open |
| 6 | Finding still does not have an assigned status | | In Process |
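The rule sequence above can be modelled to predict, before an assessment is submitted, which answers will close a finding, which will open one, and which will fall through to In Process because the value does not match the table. The following is an added example, not PlexTrac's code: the function names, the question dictionary layout, and the sample answer types "Compliance" and "Yes (Fail) / No (Pass)" are assumptions, as are the exact, case-sensitive comparison and resolving multiple checked boxes to the topmost option before any rule is applied.

```python
"""Added example: predict finding status from the sequential rules on this page."""
from typing import Iterable, List, Optional, Sequence, Tuple, Union

PASS_FAIL = "Yes (Pass) / No (Fail)"
CMMC_TYPES = {"CMMC Processes", "CMMC Practices"}

# Rule 5 mapping, copied from the table on this page.
MAPPED_STATUS = {
    "No (Pass)": "Closed", "Not Started": "Open", "Strongly Disagree": "Open",
    "Initial": "Open", "Yes (Fail)": "Open", "Operational": "Closed",
    "Strongly Agree": "Closed", "Optimizing": "Closed", "Compliant": "Closed",
    "Not Compliant": "Open", "Required": "Open", "Extremely Effective": "Closed",
    "Not Effective": "Open", "In Place": "Closed", "Not In Place": "Open",
    "N/A": "Closed", "In Place w/CCW": "Closed", "Not Tested": "Open",
}

Value = Union[str, Sequence[str], None]


def topmost(checked: Sequence[str], option_order: Sequence[str]) -> Optional[str]:
    """Return the checked value that sits highest in the displayed option list."""
    for option in option_order:
        if option in checked:
            return option
    return checked[0] if checked else None


def resolve_status(answer_type: str, value: Value,
                   option_order: Sequence[str] = ()) -> Tuple[str, int]:
    """Return (finding status, number of the rule that decided it)."""
    # Assumption: several checked boxes collapse to the topmost option up front.
    if isinstance(value, (list, tuple)):
        value = topmost(value, option_order)
    if value == "Yes":                                   # rule 1
        return ("Closed" if answer_type == PASS_FAIL else "Open", 1)
    if value == "No":                                    # rule 2
        return ("Open" if answer_type == PASS_FAIL else "Closed", 2)
    if answer_type in CMMC_TYPES:                        # rule 3: any value
        return ("Open", 3)
    if value is None or not value.strip():               # rule 4: unanswered
        return ("Open", 4)
    if value in MAPPED_STATUS:                           # rule 5: exact match
        return (MAPPED_STATUS[value], 5)
    return ("In Process", 6)                             # rule 6: fallthrough


def fallthrough_values(questions: Iterable[dict]) -> List[tuple]:
    """List (title, value) pairs whose status is only decided by rule 6."""
    flagged = []
    for q in questions:
        _, rule = resolve_status(q["answer_type"], q.get("value"),
                                 q.get("options", ()))
        if rule == 6:
            flagged.append((q["title"], q.get("value")))
    return flagged


# Constructed sample answers (hypothetical layout, not PlexTrac's JSON schema).
SAMPLE = [
    {"title": "MFA enforced", "answer_type": PASS_FAIL, "value": "Yes"},
    {"title": "Default creds present",
     "answer_type": "Yes (Fail) / No (Pass)", "value": "Yes"},
    {"title": "Patch policy", "answer_type": "Compliance",
     "value": "Not Compliant"},
    {"title": "Log retention", "answer_type": "Compliance",
     "value": "Non Compliant"},
    {"title": "Access control", "answer_type": "CMMC Practices",
     "value": "Level 2"},
    {"title": "Backups tested", "answer_type": "Multiple Choice",
     "value": ["In Place", "Not In Place"],
     "options": ["Not In Place", "In Place"]},
    {"title": "Vendor review", "answer_type": "Compliance", "value": ""},
]

if __name__ == "__main__":
    for q in SAMPLE:
        status, rule = resolve_status(q["answer_type"], q.get("value"),
                                      q.get("options", ()))
        print(f"{q['title']:<22} rule {rule} -> {status}")
    print("Unmapped values:", fallthrough_values(SAMPLE))
```

Running it over a questionnaire's custom answer values before use shows which spellings would leave a finding In Process instead of Open or Closed.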
Assessments can be started immediately after creation or worked on later by opening one to complete from the In progress/completed tab. If no action is taken after an assessment is created or the assessment is not finished, the assessment will have an "In Progress" status.
To open and complete an "In Progress" assessment, go to the In Progress/Completed tab, select the desired assessment, and click Edit.
The assessment module provides progress tracking for questionnaires. A visual bar indicates the questionnaire's completion status, gradually filling up as more questions are answered until it reaches 100%.
Users can provide answers, observations, notes, and attachments as questions are completed, such as policy documents, screenshots, code samples, and videos. Attachments are facilitated through a modal where files can be dragged, dropped, pasted, or browsed from the computer.
Questions can be marked as complete, and users can continue to another question by clicking the question in the left column, entering the question number in the provided box, clicking the navigation arrow to reach the previous or next question in sequence, or using search/filtering to find a specific question.
The progress bar will update as data is entered, questions are completed, and the user moves to the next question. Completed questions will have a checkmark in the circle next to the question.
Questions that are optional for the assessment will have a circle with a dotted outline next to the question's title, while questions that are required will have a circle with a solid outline. Questions touched but not marked as completed are identified with a shaded purple within the circle. Questions that have not been touched retain a white background until modified.
When an assessment has all questions completed, all questions will have a checkmark, and the questionnaire progress bar will be full and display a green checkmark.
Questions are answered by selecting the question title in the Questions column, which inserts the question in the main window. The edited question is highlighted with a shaded background in the left column.
A question defaults to the status of "Not Started." When a question receives input in any available field, it updates to "In Progress."
After a question has been answered, click the circle next to "Mark question complete," which will update its status to "Completed" and impact the questionnaire progress bar.
Users can gather evidence directly and securely on the platform, eliminating the need to email sensitive documents while completing assessments.
Step 1: Click Add attachment(s).
Step 2: Drag a file onto the modal or browse it from a local computer.
Step 3: Add any additional notes as needed. Repeat the process if more than one file is loaded. Click Save.
The attachment is listed on the question after the "Notes" box. Hover over the attachment filename for icons to download or delete the file.
The Reports module makes generating security reports for penetration tests more efficient and effective. It enhances the value and quality of the reports by presenting the test findings clearly and concisely with relevant context and actionable recommendations. This helps ensure that all vulnerabilities, weaknesses, and potential risks are documented, allowing clients and stakeholders to understand their systems or applications' security posture.
Users access the module by clicking Reports in the application's main menu.
The Reports module home page displays all reports that a user has permission to view. It provides a list of reports with fields the user selects (instructions on how to customize below), plus an Actions menu that allows quick access to the report readout page, report findings, and the option to delete the report.
To access the bulk actions menu, click on any box to the left of a report's name or the box next to the column header to select all reports.
After clicking on a box, an Actions button will appear with options to update one or more reports with various tasks from the pulldown menu.
The table view can be customized by clicking the column view icon to the right of the search bar.
Once clicked, a modal appears that lists all fields. To remove a column, click X within the bar.
When fields are removed, an "Add Column" pulldown menu is added at the bottom left of the modal to store the field. Removed fields can be added later by clicking Add Column and selecting the field to add.
This modal represents the sequence of fields provided in the table, meaning the bar on top will be the column on the table's far left.
The order of columns can be adjusted within this modal by clicking the six dots on the left of the bar for a field and dragging the bar to the desired sequence.
Click Save when finished.
Individual reports can be accessed from either the Clients or Reports module. Once a report is selected, users can manage and update it using several tabs: Readout, Details, Narrative, Findings, Assets, Procedures, Artifacts, and Attack Path.
The Readout tab provides access to the Report Narrative, Report Readout column, Findings Overview summary box, and Findings Status box. The Report Readout column has a convenient scrolling feature, making it simple for users to move through the list of findings.
Report narratives can be edited by clicking Edit/Comment or on the Narrative tab.
To view a finding narrative, click the corresponding box in the "Report Readout" column. To edit the finding content, click Edit/Comment.
Click Report Narrative to return to the default report readout view.
The Narrative tab provides an interface for viewing and modifying existing rich-text fields (RTFs), adding new custom sections, or importing from NarrativesDB.
The existing narrative sections can be expanded or collapsed using the arrow at the right of the box.
The Findings tab lists all findings associated with a report. It allows users to view a finding and manage and configure it further.
Clicking a finding row launches the findings details side drawer, which provides a snapshot view of the finding and all associated content, assets, and tags.
Bulk action options appear after one or more findings are selected by clicking the checkbox to the far left of the finding row or by clicking the box next to the column header.
Click Actions to see a list of options, such as adding a tag or linking to a priority.
The table view can be customized by clicking the column view icon to the right of the search bar.
Once clicked, a modal appears that lists all fields. To remove a column, click X within the bar.
When fields are removed, an "Add Column" pulldown menu is added at the bottom left of the modal to store the field. Any removed fields can be added later by clicking Add Column and selecting the field to add.
This modal represents the sequence of fields provided in the table, meaning the bar on top will be the column on the table's far left.
The order of the columns can be adjusted in this modal by clicking the six dots on the left side of a field's bar and dragging it to the preferred sequence position.
Click Save when finished.
The Assets tab displays all assets in the report that are linked via a finding. Assets are not added to a report directly; they only exist within a report when they are part of a finding that has been added to the report.
Bulk action options appear after selecting one or more assets by clicking the checkbox to the far left of the asset row or by clicking the box next to the column header.
Click Actions to see the options available, such as adding a tag to an asset or linking to a priority.
The table view can be customized by clicking the column view icon to the right of the search bar.
This tab streamlines the creation and management of procedures within reports, offering greater flexibility and efficiency. Users can view and create procedures on the fly directly from a report and add existing procedures from any repository, including their runbooks database.
A side drawer feature also enables quick procedure review, enhancing workflow efficiency.
The Tactics coverage tab allows users to review tactics coverage, providing a more holistic view of security posture.
The table view can be customized by clicking the column view icon to the right of the search bar.
The Artifacts tab provides a dedicated space to load and associate additional information with a report. This functionality allows for the inclusion of various artifacts, such as registry keys, files, time stamps, and event logs, which can provide context and support the findings and conclusions presented in the report.
The Attack Path tab visually represents the tactics, techniques, and procedures (TTPs) employed in a simulated attack, as discussed in the report. This tab offers a flexible and interactive interface that allows users to manipulate and sequence the attack path as desired.
This visual representation helps stakeholders understand the attack methodology and visualize how an attacker could exploit system vulnerabilities.
More information about a finding can be accessed by clicking the eye icon within a box to pull up the Finding Details page as a side drawer.
The report log documents when a report was last imported and what new findings were added.
Step 1: From the Reports module home page, click the row of the report to view or Readout.
Step 2: From the Findings tab, click Report Logs.
Step 3: A dialog box asks to select the import date and time. Select the desired time recorded in Universal Time (UTC).
Step 4: A list of findings added is displayed.
A finding is a weakness in systems, processes, policies, or procedures that could be exploited. It arises from penetration testing, vulnerability assessments, and compliance audits. These findings reveal potential points of compromise, categorized by severity, and often come with recommended remediation actions.
Organizations can use findings to allocate resources and improve security efficiently.
Findings are the most common object in PlexTrac and can be added to a report in multiple ways:
Findings can be accessed either through a report or the Clients module:
Click Reports from the main menu.
Select a report.
Click the Findings tab.
Click Clients from the main menu.
Select the client.
Click the Findings tab.
A count for the number of findings is displayed at the top of the table to the left of the filter boxes.
The source of a finding can be found on the Finding detail side drawer, which appears when clicking the row of a finding seen in the Findings tab of a report or client. If the finding was created in PlexTrac, a value of plextrac exists. If the finding was imported, the source of that file or integration is also recorded.
The finding ID can be found on the Finding detail side drawer, which appears when clicking the row of a finding in the Findings tab of a report or client. The finding ID is generated by importing it from the source tool or dynamically by PlexTrac when the finding is created.
Every finding in a PlexTrac report must have a unique finding title.
When importing findings from two scans into the same report, only additional findings from the second scan and any assets tied to existing findings are imported, even if duplicates exist.
When two findings with the same title are created in two different reports for the same client, they are displayed on the Findings tab in the Clients module, as they each receive a unique finding ID.
The finding reported date is when the finding was added to the report. This value is displayed under the "Date Reported" column from the Findings tab. This value can be modified through the "Actions" button when selecting one or more findings.
Users can generate a report by accessing the Clients module or creating one within the Reports module. The process and experience are identical, except if a report is created from within the Clients module, there is no need to select a client. Assuming the user is currently in the Reports module, they can follow the instructions below.
Step 1: From the Reports home page, click Create Report.
Step 2: Select the client from the pulldown menu. All clients for a tenancy will be available for selection.
Step 3: The modal then expands. Enter the desired data in the fields (required fields are marked with a red asterisk).
Report Name: Appears throughout PlexTrac as the report title. It is a required field.
Status: Provides the status of the report. By default, the report will be in Draft mode. The user can select other options, such as Ready for Review, In Review, Approved, or Published from the pulldown menu.
Operators: This field identifies users who work on the report. Any user with their name in it will see the report listed on their Dashboard under the "Your reports" tab. Enter users by placing the cursor in the field box, selecting a value, or typing a name. This field can be blank or contain multiple users. Once added, an operator can be removed by clicking the "X" to the right of the name.
Start Date: Identifies the start date of the report. Place the cursor in the field box to select a date from the calendar.
End Date: Identifies the end date of the report. Place the cursor in the field box to select a date from the calendar.
Reviewers: This field identifies users who review the report. Any user with their name in it will see the report listed on their dashboard under the "Your reports" tab. Enter users by placing the cursor in the field box, selecting a value, or typing a name. This field can be blank or contain multiple users. Once added, a reviewer can be removed by clicking the "x" at the end of their name.
Tags: Provides help when searching for the report elsewhere in the application. Click on the field to add tags and type in your desired value. You can also scroll through the list or type in characters to narrow down your options and make a selection. This field can be blank or contain multiple tags. Once added, a tag can be removed by clicking the "x" at the end of the value.
Include Raw Evidence in Export: This option ensures that all raw evidence in the report is included when exported. It is turned off by default but can be toggled on by clicking.
Custom Fields: Add any desired custom fields by clicking Add Custom Field or selecting existing custom fields from a template to import via the pulldown menu.
Step 3: Click Submit.
Upon submission, the system creates the report's initial framework, which is ready for further content addition and collaboration. Other tabs can now be accessed to make necessary changes, such as adding findings or assets.
Step 4: Click the Narrative tab and add a report narrative. An existing narrative can be reused by clicking Add from NarrativesDB, or a new one can be added by clicking Custom Section.
Questionnaire progress bar: Visually displays the progress made on the assessment and provides a percentage representation. Users can track their progress as they complete questions, with the bar gradually filling up as the questionnaire is completed.
Question navigator box: This box allows searching for the title of any question within the assessment. The key icon explains the circle expressions appearing for a question.
Filter by status box: Further filters the results list by question status.
Questions column: Lists all questions that exist in an assessment. The view will change dynamically based on filter and search queries. Select a question from this list to view or complete.
Questions column navigation: Provides access to questions that appear on different pages, when applicable.
Question details box: Presents the question selected for viewing and completion.
If a submittal is attempted with questions not completed, a warning message will appear:
To save progress on an assessment, click the Save button within the question box as questions are answered.
Reports can also be or from this page.
The Details tab offers an interface to view and modify the information entered when the report was created. For more detailed guidance on each field and its significance, refer to the page.
Visit the page for more information about track changes and commenting functionality within the RTFs.
Visit for more information.
imported via , such as Nessus or Pentera
imported from one of PlexTrac’s
imported from an , such as Snyk or HackerOne
in the Runbooks module
For example, will pull in the Nessus plugin ID as the PlexTrac Finding ID.
Report Classification: Defines the classification for the report, which can then be used to restrict access.
Report Template: Report templates are predefined layouts that define the structure and format of a report. They can include narrative sections, custom fields, and other elements. Select the desired template from the pulldown menu to associate a report with a template.
Findings Layout: Findings layouts are predefined templates that provide a consistent structure for collecting data when creating a finding. Select the desired template from the pulldown menu to associate a layout with a report.
Visit the page for more information.
Step 5: Use the other tabs to build the report as needed. For more information on working with and , visit the different sections of this site or view the .
Step 1: From the Reports module, select a report and click the Narrative tab.
Step 2: Click Add from NarrativesDB.
Step 3: Search or use the provided pulldown filters to find the desired section(s) to add.
Step 4: Click the box next to the section(s) to add, and the narrative will appear on the right under the "TO BE ADDED TO NARRATIVE" column.
To add all available sections (or start with all sections selected and then uncheck those not desired), click the box next to "Sections" in the table header below the search bar.
Step 5: Click the Add X Section button at the bottom of the page. The new section(s) will now be available for editing in the Narrative tab.
Step 6: Click the three dots to display the option to add tags or delete the section.
Step 1: From the Reports module home page, click Readout under the "Actions" column of the report to edit.
Step 2: From the Readout tab, click Edit/Comment.
Step 3: Modify the content as needed. All changes are autosaved.
Step 1: From the Reports module home page, click Readout under the "Actions" column of the report to edit.
Step 2: Click the Narrative tab.
Step 3: Edit the text and titles as desired. Additional functionality exists, such as adding from NarrativesDB, creating a custom section, or leaving comments.
Short codes can significantly improve the efficiency of data representation. They can be created to represent specific data fields at the client and report levels.
With pre-defined codes, users can quickly insert data without manually entering lengthy information, saving time and effort during the report creation process. Moreover, standardized placeholders help maintain consistency in data presentation across different reports, ensuring a uniform format and structure that creates a professional and organized image.
Short codes provide flexibility and adaptability. They enable users to customize formats and update information without changing the underlying data. This ensures that reports are presented according to individual preferences and industry standards, minimizing the risk of errors and enhancing accuracy.
Step 1: From the Reports module home page, click Readout under the "Actions" column of the report to edit.
Step 2: Click the Details tab.
Step 2: Click the Add new button at the bottom of the page under "Custom fields."
Step 3: In the first box on the left, add a label value to correspond with the short code, and in the second box on the right, insert the text value that will replace the short code.
This value will replace the short code used in the report's narratives or a finding's text fields.
Repeat the process to add another short code.
The Custom Field label links the short code to the value (text data) that is to replace it. For example:
Label: Contact Email
Value (text data): janep@karbo.com
Short Code: %%Contact_Email%%
Step 4: Use the short code in any report narrative. Changes will be autosaved.
Step 5: To activate the short codes, click Search & Replace at the top right of the page within the Reports module.
Step 6: The Search & Replace modal appears. Click Replace Short Codes to replace all short codes in the report with their corresponding text data.
Step 7: Click Confirm.
A confirmation message will appear.
Step 8: Validate that the change occurred as desired, assuming the short code exists in the tenant settings.
If the fields did not process as expected, kindly request the administrator to confirm their setup in the Admin Dashboard and ensure that the appropriate short code was utilized. Then, proceed to repeat steps 6-8.
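The replacement described in the steps above, sketched as an added example that is not PlexTrac code. It assumes, from the single Contact Email example on this page, that a short code is the custom field label with spaces turned into underscores and wrapped in %%; it also lists any short code with no matching label, which is the case Step 8 asks the user to check for.

```python
import re

# Assumed placeholder syntax: %%Label_With_Underscores%%
SHORT_CODE_RE = re.compile(r"%%([A-Za-z0-9_]+)%%")


def label_to_short_code(label):
    """Assumed rule, inferred from 'Contact Email' -> '%%Contact_Email%%'."""
    return "%%" + "_".join(label.split()) + "%%"


def replace_short_codes(text, custom_fields):
    """Return (text with known short codes replaced, list of unknown short codes)."""
    lookup = {label_to_short_code(k): v for k, v in custom_fields.items()}
    unresolved = []

    def substitute(match):
        code = match.group(0)
        if code in lookup:
            return lookup[code]
        if code not in unresolved:
            unresolved.append(code)
        return code  # leave unknown placeholders untouched so they stay visible

    return SHORT_CODE_RE.sub(substitute, text), unresolved


# Constructed sample: the custom field from the page plus a narrative that
# also uses a short code nobody defined.
FIELDS = {"Contact Email": "janep@karbo.com"}
NARRATIVE = "Send questions to %%Contact_Email%%. Engagement lead: %%Lead_Name%%."

if __name__ == "__main__":
    replaced, leftover = replace_short_codes(NARRATIVE, FIELDS)
    print(replaced)
    print("unresolved:", leftover)
```

Running the same scan over exported narrative text is a quick way to catch placeholders that would otherwise reach the client unreplaced.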
Creating a finding within PlexTrac can be initiated through either the Clients module or the Reports module, but either approach involves selecting a report to add the findings to. When a finding is created within PlexTrac, users can update it using five tabs: Finding Details, Affected Assets, Screenshots/Videos, and Code Samples.
Step 1: From the Reports module, click the row of the impacted report.
Step 2: Click the Findings tab.
Step 3: Click Create Finding from the "Add Findings" pulldown menu.
Step 4: Enter a finding name and select the finding severity. Click Create.
Step 5: The edit finding page has four tabs for collecting data about a finding (further details on each tab are provided below).
Title (required): All finding titles must be unique within a report. The tool will provide an error message after clicking Save if an existing title is used.
Severity (required): Identifies the severity rating for the finding. The values are in ascending order: Informational, Low, Medium, High, and Critical.
Score type: Identifies the score associated with a finding. This can be used to record a general score, a CVSS 2.0 score, a CVSS 3.0 score, a CVSS 4.0 score, or dynamically create a CVSS 3.1 score using the provided calculator.
Priorities: Associate the finding with a priority in the Priorities module.
Status: Defines the status of the finding (Open, Closed, or In Process). It defaults to Open.
Sub-Status: Provides further details on the status of a finding if set up by admin. If no sub-status values have been configured, this field will not appear.
Assigned to: Identifies the user assigned to a finding. Only one user can be assigned, and an email will be sent once the finding is saved. The list in the pulldown menu is derived from the list of users added to a client.
Description (required): An RTF field allowing content, images, links, code examples, tables, and lists to be entered as needed. This field has collaborative editing enabled.
Recommendations: An RTF field allowing content, images, links, code examples, tables, and lists to be entered as needed. This field has collaborative editing enabled.
References: An RTF field allowing content, images, links, code examples, tables, and lists to be entered as needed. It has collaborative editing enabled.
CVE ID: Common Vulnerabilities and Exposures (CVE) identifier(s) assigned to the finding. This field requires a format of CVE prefix + Year + arbitrary digits. There is no limit to the number of random digits.
Example ID with four digits: CVE-2014-3127
Example ID with five digits: CVE-2018-54321
Example ID with six digits: CVE-2019-456132
CWE ID: The Common Weakness Enumeration (CWE) identifier(s) assigned to the finding. This field requires a two-to-four-digit number format.
Example ID with two digits: 99
Example ID with three digits: 243
Example ID with four digits: 1423
Tags: Stores any tags associated with a finding to help manage and retrieve the finding more easily later.
Custom Fields: Click Add custom field to insert more labels and values as needed.
Step 5: Click Save.
The information entered is now displayed in the Findings Details tab and can be modified as needed. More details of a finding can be added by continuing to the other available tabs.
This tab displays any affected assets associated with a finding. The Affected Assets page provides more information on this topic, such as how to import or create.
This tab stores screenshots and videos associated with a finding, as videos are not allowed in the Finding Details rich-text fields.
To add a file, drag it onto the box on the page or click to navigate to files on the computer. Repeat as needed.
This tab stores any code samples related to a finding for future reference. Click Add Section to add additional sections. The code will be formatted when the report is published.
PlexTrac understands the importance of simplifying the process of importing findings and other data into the platform, whether for a specific report or multiple reports and assets. To facilitate this, PlexTrac offers CSV templates and scripts that help streamline the import process and make it more efficient.
CSV templates serve as pre-defined structures that align with the required format for importing data. These templates specify the fields and corresponding data types expected when importing findings or other information. Users can leverage these templates to ensure that their data is correctly mapped and formatted for import, minimizing errors and ensuring consistency.
Two CSV options are available to import findings into a report. Consult the table below to determine the most suitable solution for your needs.
| PlexTrac Report Finding CSV Template | Script using the PlexTrac API |
| --- | --- |
| Imports to a single report | Imports to multiple reports |
| Request is processed on the backend in less than five minutes | Each finding is processed individually and can take up to several hours* |
| Must order CSV columns to match template schema exactly | CSV columns are mapped to finding fields, and sequence is not relevant |
| Imports to select finding fields only | Imports to all finding and asset fields |
| Does not import client and report information | Imports client and report information |
*The script can create parsed findings in PlexTrac by sending API calls to create each finding individually (which results in an extended script runtime) or by generating a PTRAC file. Manually importing the generated PTRAC file takes the same time as the PlexTrac Report Finding CSV Template.
Please click on the box below to access instructions and a downloadable CSV file that can serve as a template for uploading findings into a report. The CSV file contains fields pre-filled with sample values.
Click on the box below to learn about importing data through the PlexTrac API using a script. The script requires two CSV files: one for importing data and another for field mappings.
This script is designed to help users import data into multiple clients and reports. It works by parsing a CSV file and creating client, report, finding, and asset objects. Once the objects are generated, the script uses the PlexTrac API to import and create them in the user's tenant.
PlexTrac can import findings from third-party tools and a CSV template for centralized data. This provides real-time visibility, holistic analysis, and efficient reporting, simplifying compliance and promoting proactive risk management.
The file-queuing feature allows users to upload multiple files simultaneously, with the ability to view the progress and status of each import. This enhancement significantly improves efficiency by enabling background processing, which lets users continue working while files are being processed. The benefits include reduced wait times, increased productivity, and enhanced visibility into the import process.
Step 1: Within the Reports module, click the impacted report from the list to bring up the Readout tab.
Step 2: Click the Findings tab.
Step 3: Click Add Findings and select File Imports from the pulldown menu.
Step 4: A side window appears. Drop the file into the provided box or browse for it on the computer. Repeat as necessary for up to 10 files (totaling 20GB).
If required, select the source from the pulldown menu.
Step 5: Click Continue.
Step 6: On the second tab, "Select tags & upload," add any desired finding and asset tags (optional). When finished, click Import.
The status of files imported can be viewed by clicking the icon next to the notification bell at the top of the page.
PlexTrac offers collaborative editing to save time and reduce errors when working on reports, writeups, narratives, and findings. Collaborative editing is a process in which multiple individuals work together to create, edit, and refine content in real time, with contributors simultaneously working on the same document.
Collaborative editing exists in rich-text fields (RTFs) within the platform, such as:
In the Description, Recommendations, and References RTFs of the Findings Details tab of a finding
In the Value RTF within the Custom Fields tab of a finding
In the RTF of the Narrative tab for a report
In the Description, Recommendations, and References RTFs of the Readout tab of a report
In the Description, Recommendations, and References RTFs of a writeup in WriteupsDB
In the Section Body RTF in NarrativesDB
When a user edits one of the fields listed above, an avatar is displayed at the top right of the content box. Up to six avatars can be displayed.
The user's full name is provided if the cursor hovers over it.
Messaging at the top right of the section or page where collaborative editing exists indicates when content was last saved.
On pages with multiple content sections, autosave is per section (not page), and the time stamp will update when one of the collaborative editing content blocks is modified.
For example, when one user updates the finding description at the same time another user updates the finding recommendation, both updates are saved, and the time stamp represents the last edit.
If the internet or VPN connection is lost, an error notification will indicate the connection has been lost.
Users cannot modify any collaborative editing sections until they return online.
Track changes records any modifications made to the text, formatting, or other elements. It can be enabled for a particular RTF or at the report level.
When the track changes feature is enabled, any modifications made to the document are highlighted and displayed. These changes can include additions, deletions, formatting adjustments, and comments. The original content remains visible, while the modifications are marked with specific indicators, such as colored text, underlines, or strike-throughs. Additionally, users can leave comments or annotations to provide further context or explanations regarding the changes made.
Collaborators can accept or reject individual changes, and the document owner or editor can review and make final decisions on which modifications to keep. This feature is helpful when multiple individuals must work on a document simultaneously or when documents undergo several revisions.
The toggle to enable track changes in an RTF is located in the RTF toolbar. Click the track changes icon to enable.
Track changes can also be enabled by clicking the icon and toggling it on from the pulldown menu.
When enabled, the track changes icon in the RTF toolbar is blue.
Content additions are now shown in green, deletions in red, and a log of changes appears to the right of the RTF.
Changes can be accepted or rejected by clicking the checkmark or X in the audit box.
Once accepted or rejected, the box and markup will disappear, and the content will reflect the choices.
Track changes can be controlled at the report level. This toggle applies to all RTFs within a report and appears to the right of the tab headers.
When track changes are enabled at the report level, individual RTFs will indicate that changes are being tracked (the track changes icon in the toolbar will be blue). The toggle bar available from the pulldown menu is now green (indicating track changes are on), but the ability to turn off track changes for an RTF is greyed out.
Comments are added by highlighting content and clicking the comment icon in the RTF toolbar.
A comment box appears on the right of the RTF to capture any notes. Click Comment when finished.
Unless resolved or deleted, the comment will stay visible with the associated text highlighted in the RTF. Someone must click the checkmark within the text box to resolve a comment.
When resolved, the comment and highlighted text disappear, but a history of the comments can be viewed by clicking the comment archive icon in the toolbar. Comments can be viewed or reopened from the archive.
In scenarios where multiple changes were made to an RTF, users can accept or reject them with one click using the options provided in the track changes pulldown menu.
The solutions available depend on the scenario:
If a user has not specified specific RTF modifications, only "Accept all suggestions" and "Discard all suggestions" will be available.
If a user has manually highlighted RTF content, additional options are provided, allowing the user to approve only the selected content.
After finishing an assessment, users can easily choose reviewers from a dropdown menu. This feature simplifies the procedure of sharing findings and removes the necessity of sending confidential documents through email.
The assessment is changed to a draft format with an "In Review" status when a reviewer is added. This prevents premature submission and ensures that the assessment cannot be completed or submitted until the review is complete.
The number of current reviewers and remaining approvals needed for an assessment are listed on the In progress/completed tab.
After the reviewers finish evaluating the assessment and find it suitable, they mark it as approved. If all the reviewers approve the assessment but it is not yet submitted, the assessment will be labeled "Approved," and the overall status will be "In Progress."
In the case of a single reviewer, the user can either submit the assessment or continue working on it. However, if there are other pending reviews, the assessment will be marked as "In Review" and cannot be approved until all reviews have been completed.
Step 1: From the Assessments module home page, click the row of the assessment to work on or Edit from the "Actions" menu.
Step 2: Click Add Reviewers at the top right of the page.
Step 3: Select the reviewer(s) from the entries in the pulldown menu of users. Typing text into the box will narrow the list. Repeat as needed. No limit exists on how many reviewers can be added. When finished, click Save.
The person assigned as a reviewer will receive an email notifying them of the task. The assessment is now in review mode.
Step 1: From the Assessments module home page, click the row of the assessment to work on or Edit from the "Actions" menu.
Step 2: Click the In review button.
A modal appears listing the reviewers and their approval status.
The two values provided are "Approved" and "Pending Approval."
Current reviewers can be removed by clicking the "X" next to their name, while new ones can be added by placing the cursor in the box and selecting a new reviewer. Click Save when finished.
If the user has the necessary permissions, the "Approve" button will appear, provided the reviewer has not yet approved the assessment. If the reviewer has approved the assessment, an option to remove the approval will appear.
Step 1: From the Assessments module home page, click the row of the assessment to work on or Edit from the "Actions" menu.
Step 2: Click the In review button.
A modal appears listing the reviewers and their approval status.
Step 3: Click Approve.
After a reviewer clicks Approve, the status changes within the modal to "Approved."
Step 4: Click Save.
The modal disappears. If all reviewers have approved, the status of the assessments changes on the button previously clicked in Step 3.
In addition, the status of the assessments changes on the In progress/completed tab.
A user can revoke the approval of an assessment that has not been submitted (i.e., a status of "In Progress") by opening the assessment, clicking the Approved button at the top right of the screen, and then clicking Remove approval from the modal.
This will return the assessment approval status to "In Review" and display the reviewer as "Pending Approval."
Once a writeup becomes a finding, it is a standalone object that is not impacted if the source writeup or repository is deleted or the same writeup added to another report is edited or deleted.
Step 1: From the Reports module, click the report row or Readout under the "Actions" column.
Step 2: Click the Findings tab.
Step 3: Click Add Findings, then select From WriteupsDB from the pulldown menu.
Step 4: Search or use the provided filters to find the desired writeups to add, then click the box to select them.
Selected writeups to be added are shown in the column on the far right.
Step 5: Click Add X Writeups at the bottom of the page.
A confirmation message will briefly appear, and the writeups are added to the report and listed on the Findings tab.
To download the template, click the file below:
The file has the required fields prepopulated in the CSV file, along with sample values.
Save the file in CSV UTF-8 format to prevent including non-UTF characters that may break the importer.
Step 1: Download the CSV file above.
When importing the file via the Add Findings button in the Findings tab of a report, select the value "CSV" from the pulldown menu.
Step 4: Select the CSV file to upload and click Continue.
Step 5: Add any optional tags or leave them blank. Click Upload.
A message will appear, validating that the file is uploading.
Step 6: Validate that the information was added to the report. When the data has been imported successfully, the screen will display the information without refreshing the page.
The source of the finding will list "CSV" as the value. Below is how the data is displayed in the Finding Detail window using the sample values in the CSV template.
All fields below must appear as column headers when importing the CSV file. All field values must follow the rules defined in the table, or the file may be rejected when imported or require further manual editing within PlexTrac.
Title, description, and severity are required.
The CSV import will accept custom fields, which must be added at the spreadsheet's end after the template's columns.
Row A of the CSV template will be the custom field title, and subsequent row(s) will be the custom field value(s), as entered in the spreadsheet. Add multiple columns and values as needed.
When imported, the custom fields will appear on the Finding Detail page.
The custom fields can be edited or deleted after import via the Custom Fields tab of the finding.
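A pre-upload check for the rules this page states for findings (UTF-8 file, title/description/severity required, unique titles within a report, the five severity values, and the CVE and CWE ID formats), as an added example that is not PlexTrac's importer. The column header names and the comma separator for multiple IDs are assumptions; replace the headers with those in the downloaded template.

```python
import csv
import io
import re

# Hypothetical header names; replace them with the headers in the downloaded template.
COL_TITLE, COL_SEVERITY, COL_DESCRIPTION = "title", "severity", "description"
COL_CVE, COL_CWE = "cve", "cwe"

SEVERITIES = {"Informational", "Low", "Medium", "High", "Critical"}
# CVE prefix + year + digits with no upper limit (CVE syntax itself needs at least four).
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
CWE_RE = re.compile(r"\d{2,4}")  # two-to-four-digit number

# Constructed sample input; "Business Owner" stands in for a custom field column.
SAMPLE_CSV = (
    "title,severity,description,cve,cwe,Business Owner\n"
    "SQL injection in login,High,Unsanitized input,CVE-2014-3127,99,App Team\n"
    "SQL injection in login,Critical,Duplicate title,,243,App Team\n"
    "Weak TLS config,Severe,Old ciphers,CVE-2018-54321,1423,Infra\n"
    "Missing header,Low,,CVE-19-1,12345,\n"
).encode("utf-8")


def split_ids(cell):
    """Assumption: several identifiers in one cell are comma-separated."""
    return [part.strip() for part in (cell or "").split(",") if part.strip()]


def lint_findings_csv(raw):
    """Return (record_number, message) problems; the header is record 1."""
    try:
        text = raw.decode("utf-8-sig")  # tolerate a BOM, reject non-UTF-8 bytes
    except UnicodeDecodeError as exc:
        return [(0, f"not valid UTF-8 at byte offset {exc.start}")]

    reader = csv.DictReader(io.StringIO(text, newline=""))
    headers = reader.fieldnames or []
    required = (COL_TITLE, COL_SEVERITY, COL_DESCRIPTION)
    missing = [col for col in required if col not in headers]
    if missing:
        return [(1, f"missing required column(s): {', '.join(missing)}")]

    problems, first_seen = [], {}
    for record, row in enumerate(reader, start=2):
        values = {col: (row.get(col) or "").strip() for col in required}
        for col in required:
            if not values[col]:
                problems.append((record, f"required field {col!r} is empty"))

        title, severity = values[COL_TITLE], values[COL_SEVERITY]
        if title:
            # Titles must be unique within one report (exact match assumed).
            if title in first_seen:
                problems.append((record, f"title duplicates record {first_seen[title]}"))
            else:
                first_seen[title] = record

        if severity and severity not in SEVERITIES:
            problems.append((record, f"unknown severity {severity!r}"))

        for cve in split_ids(row.get(COL_CVE)):
            if not CVE_RE.fullmatch(cve):
                problems.append((record, f"malformed CVE ID {cve!r}"))
        for cwe in split_ids(row.get(COL_CWE)):
            if not CWE_RE.fullmatch(cwe):
                problems.append((record, f"malformed CWE ID {cwe!r}"))
    return problems


if __name__ == "__main__":
    for record, message in lint_findings_csv(SAMPLE_CSV):
        print(f"record {record}: {message}")
```

Columns the check does not know about, such as the custom field column in the sample, are passed over untouched.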
Findings are associated with metadata and labels that provide status and current standing. Visual cues using color in the platform also identify specific finding status states.
Findings can be in draft or published mode, and this status is provided visually within the Findings tab.
Findings in draft mode have an orange background row color and a dot next to the title. The published findings have a white background row color with no dot.
Step 1: Navigate to the desired finding and click Edit under the "Actions" column.
Step 2: Update the finding status by clicking the toggle button to the desired state. Changes are autosaved.
Step 1: From the Findings tab, select one or more findings. An Actions button will appear.
Step 2: Click the Actions button and click Set Published Status.
Step 3: Toggle the publish status and click Save.
A finding can either be Open, In Process, or Closed. That status is displayed on the Findings tab.
Findings may also have a sub-status value. These do not exist unless added by an admin. Once added, they will be available to associate with a finding but are optional.
The Sub Status column is available when viewing findings in a report. It does not exist when viewing findings for a client.
Step 1: From the Findings tab, click the status button of the finding to change.
Step 2: Click Add Update.
Step 3: The "Add Update" modal appears with any previously populated values. Use the pulldown menus to update Status, Sub-Status, and Assigned to values. Enter any optional comments to provide context.
Click Save.
The changes are reflected in the log notes of the finding status tracker, which can be viewed at any time by clicking the finding status label.
Step 1: From the Findings tab, select one or more findings. An Actions button will appear.
Step 2: Click the Actions button and click Assign/Update Status.
Step 3: The "Add Update" modal appears with any previously entered values. Use the pulldown menus to update Status, Sub-Status, and Assigned to. Enter any optional comments to provide context.
Click Save.
The changes are added to the selected findings.
Step 1: Navigate to the Findings tab of a report.
Step 2: Click the three dots under the "Actions" column of the finding to update.
Step 3: Click Link Jira Ticket.
Step 4: Select the Jira project and issue to associate the finding with. Click Create ticket.
Step 5: The Jira ticket is now listed under "Linked Ticket."
Clicking the linked ticket value will open Jira. If mapped by the Admin, the finding date reported value will appear in Jira as a value for "Start Date."
If set up for two-way data flow in integration mapping, updating the start date in Jira will update PlexTrac the next time synchronization occurs.
Step 1: Navigate to the Findings tab of a report.
Step 2: Click Status under the "Actions" column of the finding used to create a Jira ticket.
Step 3: Click Create Jira Ticket & Link.
Step 4: Select the Jira project and issue to link with. Click Create ticket.
A ticket in Jira is created, and the ticket number is listed under "Linked Ticket" on the Findings tab.
Step 1: Navigate to the Findings tab of a report.
Step 2: Click the three dots under the "Actions" column of the finding linked to a Jira ticket.
Step 3: Click Unlink Jira ticket.
Step 4: A modal appears, confirming the action. Click Ok.
Step 1: Navigate to the Findings tab of a report.
Step 2: Select the desired finding(s) by clicking the check box of the finding row.
Step 3: Hover over the "Actions" button to bring up the pulldown menu and click Create Jira Tickets.
Step 4: Select the Jira project and issue type to which the finding(s) should be assigned. Click Create ticket.
Step 5: A message will confirm that the ticket(s) were created, and the linked ticket number will now be displayed for each finding on the page.
Clicking the linked ticket value will take you directly to Jira for viewing.
The Common Vulnerability Scoring System (CVSS) is an industry benchmark for evaluating the seriousness of identified vulnerabilities. It calculates a CVSS score by considering three metric categories (base, temporal, and environmental) encompassing various aspects of a vulnerability's impact and ability to persist in different contexts.
PlexTrac allows users to input or adjust scores when generating or revising findings, facilitating precise vulnerability assessment.
Step 1: From the Findings tab, click Edit under the "Actions" column of the finding to modify.
Step 3: Enter values in the provided fields.
The score information for that finding is now displayed on the Finding Detail page.
PlexTrac has a built-in calculator that generates a CVSS score based on selected input values. It also generates a CVSS vector and assigns severity to a finding based on the information selected and calculated score.
Users can create a value by clicking through the provided calculator, typing in a vector, or combining both actions.
The calculator is available when CVSS v3.1 or CVSS v4.0 is selected from the "Score type" field.
If the score is already known, it can be entered in the "Score" field, and the finding's severity will update to match the score.
If the CVSS vector is known, entering the value in the "Vector" field will dynamically set the finding severity.
Step 1: In the "Score type" field, select CVSS v3.1 or CVSS v4.0, then click Calculate Score.
Step 2: To create a vector, select values by clicking the fields provided. All values must be entered.
After entering a value for all fields, a severity score, severity value, and vector value are populated.
Validation is performed on multiple fields, using the vector string and the record, which must be kept in sync, to ensure an accurate score and severity.
The calculator updates the vector record string when a field is clicked. However, the string is displayed only when all base values are selected. The option to save will appear afterward.
When the vector string has changed, the string is then validated. If the string is valid, the record and selected values are updated in the calculator modal. If not, a warning message is displayed, and the save button is disabled.
Step 3: For more advanced scoring options, expand "Show temporal and environmental scoring."
Additional fields specific to the score type will be displayed for editing.
Step 5: When finished, scroll to the bottom of the modal and click Save. The severity, score, and vector are populated in the appropriate fields on the Findings Details tab.
CVSS 3.1 scores can also be viewed on the Findings tab of a report or client if that field has been configured to appear in the table.
Findings may be imported into PlexTrac via a licensed API integration and configured by an admin.
Step 1: Within the Reports module, click a report from the list to bring up the Readout tab.
Step 2: Click the Findings tab.
Step 3: Click Add Findings and select Integrations from the pulldown menu.
Step 4: Select the desired integration from the pulldown menu (the values shown in the pulldown menu are entered by the admin when the integration is set up).
Step 5: Click Continue with X at the bottom of the page.
Step 6: The Select Findings tab appears with a list of filters and values that are tool-specific to an integration. Use the filters and facets to select the query parameters to determine which findings appear on the page.
Step 7: Click Search to retrieve the findings query results.
Step 8: Select the findings from the query results to import by clicking the box at the top left of the table header row or by selecting findings individually by clicking the box next to the finding.
At least one finding must be selected to continue.
Step 9: Click Continue with X issues.
Step 10: Insert desired tags associated with each finding and asset when imported (optional). Click Import X Findings.
Notifications will appear confirming that the import was successful.
The short code value must exist and be set by an admin as a "Report Custom Field" for Source. If it does not, contact the admin to add it under "Tenant Settings>Short Codes."
The comment archive feature only applies to comments within an RTF. Comments for other fields, such as a title, must be deleted to be removed from view.
is a repository for all PlexTrac writeups. It categorizes, associates them with use cases, and facilitates reuse. By structuring and refining findings, writeups can be used in other deliverables, such as a report.
PlexTrac provides a downloadable CSV file that can be used as a template for uploading findings offline and later using the Add Findings button within the Findings tab of a report.
Step 2: Remove the sample values and populate the fields with desired values. A and is below.
Step 3: .
on a question in an assessment that is assigned a status as a finding after the assessment is submitted.
PlexTrac can be integrated with Jira and allow information about findings to be sent to Jira. Visit the for details on setting up Jira.
CVSS is owned by FIRST and used with permission. This calculator is based on .
Step 2: On the Finding Details tab, select the applicable standard from the Score type pulldown menu (). If not using CVSS, click General.
More information on specific tools, such as field mappings, can be found on the
| PlexTrac field | CSV column header | Rules |
| --- | --- | --- |
| title | title | This is a required field. |
| severity | severity | This is a required field. The severity value must be one of the following (not case-sensitive): Informational, Low, Medium, High, Critical. If no value is provided in CSV, a value of "Informational" will be assigned. |
| status | status | Value must be one of the following: Open, Closed, In Process |
| description | description | This is a required field. |
| recommendations | recommendations | This is the findings recommendations. |
| references | references | This field accepts multiple values delimited with a comma. For example: "Item 1, Item 2, Item 3". NOTE: Do not use commas if providing complete sentences, as any comma will result in a paragraph break. Periods do not trigger a paragraph break. |
| assets | affected_assets | This field accepts multiple values delimited with a comma. For example: "Item 1, Item 2, Item 3" |
| tags | tags | This field accepts multiple values delimited with a comma. For example: "Item 1, Item 2, Item 3" |
| riskScore | cvss_temporal | This is the CVSS 3.0 score. Example value: "5.5" |
| common identifiers | cwe | This field requires a format of CWE prefix + a two-to-four digit number. Example value: "CWE-772" |
| common identifiers | cve | This field requires a format of CVE prefix + Year + arbitrary digits. Example value: "CVE-2018-54321" |
| field: category | | This column must exist in the CSV and is imported as a custom field. |
| label | category | The column header must be "category". |
| value | category value | This is the value entered for the category. |
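A pre-import check for the column and value rules listed above, written as an added example (not PlexTrac's code): it validates the header row, the required values, and the severity, status, score, CWE and CVE formats before the file is uploaded. The function names and sample rows are constructed; the exact-case status match and the 0 to 10 score range are assumptions.

```python
import csv
import io
import re

# Column headers from the template rules, in the order listed.
TEMPLATE_COLUMNS = [
    "title", "severity", "status", "description", "recommendations",
    "references", "affected_assets", "tags", "cvss_temporal", "cwe", "cve",
    "category",
]
REQUIRED_VALUES = ("title", "description")
SEVERITIES = {"informational", "low", "medium", "high", "critical"}
# Assumption: status is matched exactly; only severity is documented as
# not case-sensitive.
STATUSES = {"Open", "Closed", "In Process"}
CWE_RE = re.compile(r"CWE-\d{2,4}")
CVE_RE = re.compile(r"CVE-\d{4}-\d+")

# Constructed sample: one clean record, two with problems, one custom field.
SAMPLE_CSV = """\
title,severity,status,description,recommendations,references,affected_assets,tags,cvss_temporal,cwe,cve,category,Business Unit
SQL injection in login,High,Open,User input reaches the query,Use parameterized queries,"OWASP A03, CWE-89","app01, app02","web, sqli",8.6,CWE-89,CVE-2018-54321,Injection,Retail
Weak TLS,,In Progress,Server accepts TLS 1.0,Disable legacy protocols,,lb01,tls,11,CWE-7,2018-54321,Crypto,Retail
,critical,Closed,,Patch,,db01,,5.5,CWE-772,CVE-2018-54321,Patching,
"""


def check_header(headers):
    """Every template column must exist; custom fields must follow them."""
    problems = []
    for col in TEMPLATE_COLUMNS:
        if col not in headers:
            problems.append((1, col, "template column missing from header row"))
    last_template = max(
        (i for i, h in enumerate(headers) if h in TEMPLATE_COLUMNS), default=-1
    )
    for i, h in enumerate(headers):
        if h not in TEMPLATE_COLUMNS and i < last_template:
            problems.append((1, h, "custom field must follow the template columns"))
    return problems


def check_row(number, row):
    """Apply the per-field value rules to one record."""
    problems = []

    def cell(name):
        return (row.get(name) or "").strip()

    for col in REQUIRED_VALUES:
        if not cell(col):
            problems.append((number, col, "required value is empty"))
    if not cell("severity"):
        problems.append((number, "severity", "empty; import assigns Informational"))
    elif cell("severity").lower() not in SEVERITIES:
        problems.append((number, "severity", "not an accepted severity"))
    if cell("status") and cell("status") not in STATUSES:
        problems.append((number, "status", "must be Open, Closed or In Process"))
    if cell("cvss_temporal"):
        try:
            in_range = 0.0 <= float(cell("cvss_temporal")) <= 10.0
        except ValueError:
            in_range = False
        if not in_range:
            problems.append((number, "cvss_temporal", "not a score from 0 to 10"))
    if cell("cwe") and not CWE_RE.fullmatch(cell("cwe")):
        problems.append((number, "cwe", "expected CWE- plus two to four digits"))
    if cell("cve") and not CVE_RE.fullmatch(cell("cve")):
        problems.append((number, "cve", "expected CVE-<year>-<digits>"))
    return problems


def validate_findings_csv(text):
    """Return (record_number, column, message) tuples; an empty list is clean."""
    reader = csv.DictReader(io.StringIO(text))
    problems = check_header(reader.fieldnames or [])
    # The header is record 1, so data records are numbered from 2.
    for number, row in enumerate(reader, start=2):
        problems.extend(check_row(number, row))
    return problems


if __name__ == "__main__":
    for record, column, message in validate_findings_csv(SAMPLE_CSV):
        print(f"record {record}, {column}: {message}")
```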
Users can view and access all priorities related to their tenancy on the Priorities home page. This view provides options for sorting and filtering on multiple fields.
Clicking the priority row or View under a priority's "Actions" column directs users to the priority Details summary, including additional tabs for Findings and Assets.
The Details tab provides the priority description, recommendation, treatment, and any assigned tags. The column on the right provides additional information about the priority.
This tab displays all findings contained in the priority.
Bulk action options appear after one or more findings are selected on the home page. To access them, click the checkbox to the far left of the finding title field or the box next to the column header.
Click Actions to see the list of options, such as adding tags or changing the reported date.
The table view can be customized by clicking the column view icon to the right of the search bar.
Once clicked, a modal appears that lists all fields. To remove a column, click X within the bar.
When fields are removed, an "Add Column" pulldown menu is added at the bottom left of the modal to store the field. Any removed fields can be added later by clicking Add Column and selecting the field to add.
This modal represents the sequence of fields provided in the table, meaning the bar on top will be the column on the table's far left.
The order of columns can be adjusted within this modal by clicking the six dots on the left of the bar for a field and dragging the bar to the desired sequence place.
Click Save when finished.
This tab displays all assets contained in the priority.
Bulk action options appear after one or more findings are selected on the home page. To access them, click the checkbox to the far left of the finding title field or the box next to the column header.
Click Actions to see the list of options.
The table view can be customized by clicking the column view icon to the right of the search bar.
Admins do additional setup and configuration in the Admin Dashboard.
It is recommended to read the admin settings documentation before using priorities to understand the impact each setting has on the experience.
Priorities can be set at the tenant or client levels and configured under "Priorities" in the Admin Dashboard.
PlexTrac allows admins to leverage a priority score equation instead of the manual approach of setting a score based on likelihood and impact. Equations can be enabled and customized under the "Risk Scoring" section of the Admin Dashboard.
The priority score can be viewed under the progress bar on the Details tab of a priority.
The Priorities module gives users an advanced view that provides valuable insights into their security efforts. This module is crucial for effectively managing findings and assets. It offers a collaborative platform that empowers team members to work together and address security challenges efficiently. Additionally, users can customize security measures to meet the unique requirements of individual clients or business groups.
Users access the module by clicking Priorities in the application's main menu.
More detailed instructions regarding the impact of tenant-level vs. client-level settings can be found in the Licensing section. Information on equations can be found in the Automations section.
The Priorities module offers value to teams seeking to streamline and automate reporting processes while providing a layer of risk assessment to existing manual pentests and offensive security data.
Key benefits include:
Automated Workflow Efficiency: Automating workflow processes streamlines reporting cycles, reducing manual efforts and time spent on tasks.
Risk Prioritization: Enables custom scoring equations to prioritize identified risks, allowing teams to focus on the most critical issues for immediate remediation.
Proactive Risk Management: This tool enables a proactive approach to managing offensive security data by providing an aggregated view of vulnerabilities, allowing for better risk assessment and remediation planning.
Continuous Risk Reduction: Through ongoing validation, it demonstrates a continuous risk reduction, ensuring that remediation efforts effectively mitigate future security risks.
An indicator will be displayed on the My work button if a user owns or authors a priority. Clicking the Your priorities box will display the priority and role assigned, along with other fields specific to the Priorities module.
The following roles will result in a user having a priority box displayed:
Priority Owner
Priority Author
Treatment Owner
Depending on the tenancy configuration and user role assignment, an email may be sent to users for the following event changes:
Priority status
Priority assignment
Finding status
Finding substatus
Assignment
After creating a priority, findings and assets can be associated with the Priorities module.
Step 1: From the Priorities module home page, click the row or View under the "Actions" column of the priority to update.
Step 2: Click the Findings tab.
Step 3: Click Link Findings.
Step 4: Use the filters on the left nav bar to reduce the list.
Step 5: Select the findings to link. Click Continue with X findings.
Step 6: Select any affected assets to link. Use the assets filters to narrow the search results. Click Link affected asset or Continue without assets.
The user is returned to the Findings tab page. A notification confirms the action, and the page refreshes with the recently added findings.
Any affected assets added will be displayed on the Assets tab.
Step 1: From the Priorities module home page, click the row or View under the "Actions" column of the priority to update.
Step 2: Click the Assets tab.
Step 3: Click Link Assets.
Step 4: Use the filters so that the list only shows assets relevant to the priority.
Step 5: Select the assets to link. Click Continue with X assets.
Step 6: Select any associated findings to link. Use the findings filters to narrow the search results. Click Link x associated findings or Continue without findings.
The user is returned to the Assets tab page. A notification will appear confirming the action, and the page will refresh with the recently added assets appearing.
Findings and assets included in a priority can be removed individually or via bulk actions. Any findings or assets removed from a priority will remain in their existing reports and not be deleted from PlexTrac.
Step 1: Click the Findings tab from the priority details page.
Step 2a: Click the meatballs menu of the priority and click Unlink finding from priority.
Step 2b: Select multiple findings, click the Actions button, and click Unlink findings from priority.
Step 3: A dialog box will appear asking for confirmation. Click Unlink.
Step 1: Click the Assets tab from the priority details page.
Step 2a: Click the meatballs menu of the priority and click Unlink asset from priority.
Step 2b: Select multiple findings, click the Actions button, and click Unlink assets from priority.
Step 3: A dialog box will appear asking for confirmation. Click Unlink.
PTRAC files (.ptrac) can be imported into PlexTrac for cross-team collaboration. For instance, a red team from one tenant can share with a blue team client with its own PlexTrac instance.
Reports can be imported either in the Client module or the Reports module. The instructions below are specific to the Reports module, assuming the user has an exported report in PTRAC format.
Admins can configure the options to import files via the Admin Dashboard on the "Role Based Access" page. To do so, select a custom role and click the "Ability to import reports" button under Reports Permissions. A dialog box will appear with options to turn on/off the ability to import reports.
Step 1: From the Reports module home page, click Import Report.
Step 2: Select the client the report will be associated with from the pulldown menu on the modal.
Step 3: Drag the .ptrac file to the box provided or click the box and navigate to the file on the computer.
Step 4: Click Submit.
A progress bar will indicate the status; the upload may take a minute or two.
When completed successfully, a confirmation message will appear.
The Metrics tab in the Priorities module provides a comprehensive overview and management system for priorities. It aims to give security teams a centralized place to track priority remediation efforts and related findings and assets.
Users can filter by various criteria, utilize charts for in-depth analysis, and gain insights into top findings, asset tags, and severity breakdowns.
This page is available by clicking Metrics from the Priorities home page.
The page is divided into multiple sections to help users quickly navigate and access the information. The modular layout ensures that each topic is self-contained, allowing users to find relevant details more efficiently.
The fields in a graph can be removed or added by clicking the field name above the chart. When removed, the field is shown in grey, and the data for that field is removed from the chart.
Click a field that is greyed out to add it back.
When applicable, a box provides a bar or pie chart of priorities by status and score. In the upper right-hand corner, click the option to toggle between the two views.
Some graphics provide more details by hovering over the image with the cursor.
Clicking results (when available) within a graphic launches a side drawer with more information about the prioritized items.
This section enables filtering of priority metrics displayed to the client by date range, severity, owner, tags, and status.
This section displays key priority metrics.
Click a box to view more detailed information about each metric (all boxes will open a side drawer except the "Percentage of linked findings to priorities" box).
Clicking the priority listed in the side drawer will open the Priority Detail side drawer for further investigation.
Step 1: From the Priorities module home page, click Create Priority.
Step 2: If client-level priorities are enabled, select a client by scrolling through the list or using the search box to filter. When the client is found, click Select.
Step 3: Click Next.
Step 4: Enter a priority name and additional information into the fields on the page.
Priority (required): The title of the priority.
Status: The status of the overall priority.
Severity: The severity of the overall priority.
Priority author: This value auto-populates with the user's email who created the priority. Another email can be selected by clicking within the box and choosing from the pulldown menu.
Priority owner: The priority owner. Select the priority owner(s) by clicking within the box and choosing from the pulldown menu.
Identification date: This is the date that the priority was identified. The priority may have been determined or observed at a prior date.
Priority description: An RTF field to enter the description of the priority.
Recommendation: An RTF field to enter a recommendation for remediating the priority. A recommendation is the ideal advice or guidance to address a particular issue or concern. It suggests a best practice or a course of action to help prevent or mitigate security risks.
Treatment: An RTF field to enter a treatment of the priority. Treatments are the remediation taken, often not the ideal recommendation due to resource and time constraints.
Treatment owners: A list of owner(s) who will own the priority treatment.
Tags: Enter any tags associated with the client (new or existing). Any special characters will be removed, and any spaces will be replaced with an underscore (_).
Target remediation date: Identifies the ideal date on which findings for the priority will be resolved. Place the cursor in the field box to select a date from the calendar.
Actual remediation date: Identifies the date that the priority was remediated. Place the cursor in the field box to select a date from the calendar.
Likelihood (score): Select a number from one to ten to denote the probability that the findings and assets in this priority will result in malicious actions.
Impact (score): Select a number from one to ten to denote the effects of malicious actions on the findings and assets in this priority.
Priority score: This value is the product of the two factors (likelihood and impact values) entered previously.
Reason for score: This field allows for an explanation for others on the rationale for entering the values used for the priority score.
Step 5: Scroll back to the top of the page and click Save.
The information entered is presented on the priority details page.
This page is the Details tab view, which is reached by clicking View under the "Actions" column in the row of an existing priority on the Priorities module home page.
In the Content Library, three types of repositories exist:
Open Repository: Open repositories are available to anyone with repository access. Users with permission can view and edit the content within this repository. Open repositories are created for easy access and collaboration, allowing users to contribute and modify content freely. They serve as a shared space.
Managed Repository: Managed repositories are accessible to anyone with repository access, allowing them to view the repository content. Editors must be added manually. Managed repositories are suitable for creating shared spaces where multiple users can access and utilize the content but have limited editing capabilities.
Private Repository: Private repositories are the most restricted. Only added users with specific permissions can view and edit the content within private repositories. Private repositories are ideal for in-process documents or content that should only be accessible to select individuals.
Users' level of access and editing permissions should be considered when selecting a repository type.
Managed repositories allow for broader access with limited editing capabilities, private repositories restrict access to authorized individuals, and open repositories provide an open and collaborative environment for content sharing and editing.
Definition: A “Dropbox” to which any user with feature-level access may contribute content.
Default behavior: None
Recommended Use: To enable all users to contribute without restriction.
Definition: Users can view, but only those who are added to a given repository as an editor and have an RBAC permission of MANAGE_{content}_REPOSITORIES under Content Library permissions may add or edit content.
Default behavior: View-only access unless an editor is added to enable modification of content or the user has appropriate RBAC permissions.
Recommended Use: To restrict edit access to qualified individuals (copy editors) within a defined set of narrative sections. This is ideal for teams working on various projects who want to maintain their versions of narrative sections and small to mid-size teams that don’t need to restrict access to use but want to limit curation to leadership.
Definition: A repository for storing narrative sections that is unavailable unless a user is explicitly given read and edit permissions.
Default behavior: Users may view only (Viewer) or edit (Editor).
Recommended Use: This is a place to copy manually created sections that may contain client-specific data that needs to be sanitized, a place to work on drafts for new narrative sections not ready for general use, or a place to store final narrative sections not available for general use.
The NarrativesDB home page consists of two tabs:
Repositories: A centralized location where all sections can be stored and managed.
Sections: A dedicated space to create reusable content for narrative sections within a report.
PlexTrac provides a sample narratives repository containing six sample narrative sections to demonstrate how content reuse might exist.
The sample repository is an Open repository that cannot be deleted but can be modified.
Sections are containers that contain a title, body, and tags. They are reusable in reports and are stored in this tab.
The table view can be customized by clicking the column view icon to the right of the search bar.
Once clicked, a modal appears that lists all fields. To remove a column, click X within the bar.
When fields are removed, an "Add Column" pulldown menu is added at the bottom left of the modal to store the field. Any removed fields can be added later by clicking Add Column and selecting the field to add.
This modal represents the sequence of fields provided in the table, meaning the bar on top will be the column on the table's far left.
The order of columns can be adjusted within this modal by clicking the six dots on the left of the bar for a field and dragging the bar to the desired sequence place.
Click Save when finished.
NarrativesDB is a repository that houses all of PlexTrac's narrative sections. Its primary purpose is facilitating categorization, association with defined use cases, and reusability.
Users access it by clicking Content Library in the application's main menu and then clicking NarrativesDB.
Reports use narratives to provide context, clarify complex information, and improve comprehension. These narratives also serve as persuasive tools, influencing opinions and motivating action through storytelling. By placing data and facts into real-life contexts, narratives help audiences understand the relevance of information, making them versatile and impactful tools. As a result, narratives are valuable assets in reports and promote effective communication.
NarrativesDB enables users to create and manage this messaging, freeing up time for problem-solving.
For example, instead of initiating each report from scratch and composing a unique narrative every time, organizations have the flexibility to create simple sections that serve as a starting point. These sections can be reused or further enhanced to align with the specific needs of each report, providing a time-saving and efficient solution for report generation.
Affected assets are managed from the finding, as opposed to the client. Affected assets contain information about an affected asset and relational metadata about the finding it is tied to.
An affected asset object on a finding will have a subset of fields compared to the client asset with the same ID. Some additional fields make sense when the finding and client asset are viewed together, such as the date the finding started affecting the client asset, the affected ports, location access to vulnerability, vulnerable parameters, and evidence of the affection.
Step 1: From the Reports module, click the row of the impacted report.
Step 2: Click the Findings tab.
Step 3: Click the row of a finding.
Step 4: If an affected asset(s) exist for this finding, they are listed on the Finding Detail modal.
A parent asset can be accessed directly by clicking the provided link within the table.
Step 5: Click View under the "Actions" column of the affected asset to see more information.
The Asset Detail modal appears with information about the affected asset and a link to any parent, if applicable.
The table view can be customized by clicking the column view icon to the right of the Add assets button.
Once clicked, a modal appears that lists all fields. To remove a column, click X within the bar.
When fields are removed, an "Add Column" pulldown menu is added at the bottom left of the modal to store the field. Any removed fields can be added later by clicking Add Column and selecting the field to add.
This modal represents the sequence of fields provided in the table, meaning the bar on top will be the column on the table's far left.
The order of columns can be adjusted within this modal by clicking the six dots on the left of the bar for a field and dragging the bar to the desired sequence place.
Click Save when finished.
Step 1: From the Reports module, click the impacted report.
Step 2: Click the Findings tab.
Step 3: Click Edit of the finding the affected asset is being added to.
Step 4: Click the Affected Assets tab.
Step 5: Click the Add Assets button and select Create new asset.
Step 6: Enter information about the affected asset in the appropriate fields within the Asset Information tab.
Step 7: Click the Affected Areas tab. Enter information about the following:
Affected Ports: Network ports vulnerable to a security exploit or attack.
Location/URL: The URL of the affected asset.
Vulnerable Parameters: The inputs or settings in a system or program that an attacker can exploit to compromise the security or integrity of the system. These parameters can include usernames, passwords, API keys, and configuration files.
Notes: A text box for any additional information to provide context on the affected asset.
Step 8: Click the Evidence tab. This tab contains two text fields (title and description) per item but as many items of evidence can be added as needed. Evidence represents when or how the affected asset was found, and often is the scanner output from the scanning process.
Step 9: Click Save.
The asset is now listed in the Affected Assets tab of the finding.
Step 1: From the Affected Assets tab of a finding, click Edit under the "Actions" menu.
Step 2: Edit or add information as desired and click Save.
Step 1: From the Affected Assets tab of a finding, click Remove under the "Actions" menu.
A modal appears, confirming the deletion. Click Remove.
Assets already in PlexTrac can also be added as an affected asset for a finding.
Step 1: From the Affected Assets tab of a finding, click the Add Assets button and select Add existing assets from the pulldown menu.
Step 2: Choose the asset(s) from the pulldown menu and click Save.
Assets can be imported using a PlexTrac CSV Asset import template. Click here to download the template and enter asset data to import.
Step 1: From the Affected Assets tab of a finding, click the Add Assets button and select Import assets from the pulldown menu.
Step 2: Drag a file into the modal or click the box to navigate to the file on the computer.
Step 3: Click Import.
A message will appear confirming import.
The asset(s) are now listed in the Affected Assets tab.
Step 1: From the Affected Assets tab of a finding, click the Add Assets button and select Bulk paste from the pulldown menu.
Step 2: Enter the assets into the box, separating each value with a comma. PlexTrac will parse the assets and add them to the finding. URLs with paths (e.g., www.plextrac.com/test/) will be separated into parent and child assets. Click Next.
Step 3: Asset, ports, and child asset values are dynamically assigned. Review and uncheck the box next to any new assets that should not be added. Click Next.
Step 4: Add any desired optional tags. Tags will be assigned to all added assets. Existing assets will retain current tags. Click Add X assets.
The new assets are displayed in the Affected Assets tab of the finding.
Step 1: From the Affected Assets tab of a finding, click the box in the header row to the left of "Asset."
Step 2: The "Actions" button appears with the following options:
Add affected location/url
Add affected ports
Delete
Click the desired task from the pulldown menu and continue reading for additional details on each action.
A modal will appear with a field to enter a URL. The query parameters will be parsed out into the inputs provided. Click Add Parameter to include vulnerable parameters. Click Save when finished.
The new value appears on the Affected Assets tab under the "Location/URL" column.
A modal will appear with a field to enter any affected ports. Click Add Port to repeat the process as needed. Click Save when done.
The new values will appear under the appropriate columns on the Affected Assets tab.
A modal will appear, asking for confirmation of the action. Click Delete Assets.
If the repository is not an "Open" type repository, admins have the option of managing users by clicking Users & Permissions.
Step 1: From the Repositories tab of the NarrativesDB home page, click the card of the repository to modify.
Step 2: Click Users & Permissions.
Step 3: Click Add User.
Step 4: Type in the user from the pulldown menu and select the permission. Repeat as necessary. Click Add X Users.
Step 5: Edit the permission or delete a user, if needed. Click Done.
Step 1: From the Repositories tab of the NarrativesDB home page, click the card of the repository to modify.
Step 2: Click Users & Permissions.
Step 3: Identify the user to remove and click the X in that row.
Step 4: Click Done.
Admins can modify the repository name, prefix, description and access setting.
Step 1: From the Repositories tab of the NarrativesDB home page, click the card of the repository to modify.
Step 2: Click Repository Settings.
Step 3: Click Update.
Step 1: From the Repositories tab of the NarrativesDB module, click the three dots in a repository card and click Copy Repository.
Step 2: Update the repository name, add a section ID, and validate access permissions. Click Copy.
The new repository is created and listed on the Repositories tab.
This action will permanently delete the repository and all its sections for all users.
Admins can delete a repository in two ways:
Click the three dots in a repository card from the NarrativesDB home page, then click Delete Repository.
or
Go to the repository settings and click Delete Repository.
The table view can be customized by clicking the column view icon to the right of the search bar.
Once clicked, a modal appears that lists all fields. To remove a column, click X within the bar.
When fields are removed, an "Add Column" pulldown menu is added at the bottom left of the modal to store the field. Any removed fields can be added later by clicking Add Column and selecting the field to add.
This modal represents the sequence of fields provided in the table, meaning the bar on top will be the column on the table's far left.
The order of columns can be adjusted within this modal by clicking the six dots on the left of the bar for a field and dragging the bar to the desired position in the sequence.
Click Save when finished.
Step 1: From the Repositories tab of the NarrativesDB module, click New Repository.
Step 2: Enter information in the fields (a red asterisk marks required fields), select the desired security access for the repository, and click Create.
The new repository is now listed on the Repositories tab.
NarrativesDB comes with six sections that are part of the sample repository. These sections can be modified, copied to another repository, or deleted.
Step 1: From the Repositories tab of the NarrativesDB module, click Sections.
Step 2: Navigate to the desired section to update and click Edit.
Step 3: Make desired edits to the section. Click Close when finished.
Step 1: From the Repositories tab of the NarrativesDB module, click Sections.
Step 2: Navigate to the desired section to update and click Copy To.
Step 3: Select the destination repository for the section from the pulldown menu.
Step 4: Click Copy.
A notification confirms the action was successful, and the copied section now appears in the new repository.
Completing this task permanently deletes the section and cannot be undone.
Step 1: From the Repositories tab of the NarrativesDB module, click Sections.
Step 2: Click the three dots under the "Actions" column, then click Delete.
Step 3: A modal will appear, confirming the action. Click Delete Section.
When editing multiple sections, PlexTrac offers bulk action capabilities. Bulk actions provide several advantages, including time-saving and increased efficiency by processing numerous items simultaneously.
Bulk action options appear after selecting one or more sections by clicking the checkbox or the box next to the column header.
Click Actions to see the list of options available.
The table view can be customized by clicking the column view icon to the right of the search bar.
Once clicked, a modal appears that lists all fields. To remove a column, click X within the bar.
Fields that are required do not have an X available.
When fields are removed, an "Add Column" pulldown menu is added at the bottom left of the modal to store the field. Any removed fields can be added later by clicking Add Column and selecting the field to add.
This modal also represents the sequence of fields provided in the table, meaning the bar on top will be the column on the table's far left.
The order of columns can be adjusted within this modal by clicking the six dots on the left of the bar for a field and dragging the bar to the desired position in the sequence.
Click Save when finished.
The engagement status reflects the lifecycle stage and comprises six values labeled with color coding throughout the module.
Below are the different status states for a report and engagement, the relationship mapping, and any additional notes. Some of the engagement status values are tied to the status of the associated report.
| Report Status | Engagement Status | Notes |
| --- | --- | --- |
| (not applicable) | Pending | This status indicates the engagement has been requested but not approved. |
| Draft | Scheduled | This status indicates that the engagement has been approved and is slated to begin later. |
| Draft | In Progress | This status reveals that an approved engagement start date has been reached. The status will move automatically to In Progress on the start date based on queries that run every hour. |
| Ready for Review | In Review | This status reveals that the report associated with the engagement is in one of the three view stages. |
| In Review | In Review | This status reveals that the report associated with the engagement is in one of the three view stages. |
| Approved | In Review | This status reveals that the report associated with the engagement is in one of the three view stages. |
| Published | Complete | This status reveals that the report associated with the engagement has been published. |
| (not applicable) | Canceled | This status indicates the engagement was terminated. |
PlexTrac reports can be shared between tenants to enable cross-team collaboration through importing and exporting.
For example, an external red team of one tenant may want to export a report and share it with an internal blue team client that manages its own PlexTrac instance.
The following export file options exist for reports:
Portable Document Format (.pdf): While a .pdf file is not easily editable, it offers a reliable way to share and distribute documents while maintaining original formatting and visual integrity.
Microsoft Word (.doc): A .doc file can contain various elements and formatting options, such as font styles, sizes, and colors. It supports rich text formatting, allowing users to customize the appearance of their documents.
Markdown (.md): Markdown is a lightweight markup language for authoring in plain text. Plain text characters denote elements like headings, lists, emphasis (bold or italic), links, images, and code blocks, and the text is then converted into formatted content.
Comma-separated values (.csv): A .csv file is a plain text file format commonly used for storing and exchanging tabular data that allows data to be organized in rows and columns, similar to a spreadsheet. Each line typically represents a row of data, and commas separate the values within the row. Each value corresponds to a specific column, allowing the data to be structured in a tabular format.
CSV - findings by assets (.csv): A CSV file format tailored explicitly for organizing and presenting findings by assets. Each row represents a unique asset, with columns detailing various attributes. This format allows for easy sorting, filtering, and analyzing asset-specific data, making it particularly useful for large-scale asset management and security assessments.
Extensible Markup Language (.xml): An .xml file is a plain text file that uses tags to define elements and their hierarchical relationships.
PlexTrac/JSON (.ptrac): A .ptrac file provides more structure than a CSV and can maintain relational data, similar to JSON and XML. Images are stored using Base64, a binary-to-text encoding scheme representing binary data as a sequence of ASCII characters.
Comments made within a report are not exported, and images with a border larger than 6 points may not export correctly.
Admins can configure the options users see in the platform via the Admin Dashboard on the "Role Based Access" page. To accomplish this, select a custom role and click the "Ability to export reports" button under Report Access.
A dialog box will appear with options to turn on/off the ability to export reports.
Step 1: From the Reports module home page, click the row of the report to export.
Step 2: Click Export report.
Step 3: Select the desired export format from the pulldown menu.
Once the option is selected, the file download to the local system begins processing.
If an error exists, a message providing more information will appear.
The progress meter for a priority can be viewed on the Priorities home page (if the table is configured to display the field) or on the Details tab of a priority. The value shows 0% when the priority is created and progress is updated manually.
To edit the progress value, perform the following steps:
Step 1: Click Update progress from the Details tab of a priority.
Step 2: Select the desired value on the scale with the cursor in increments of ten.
Step 3: Click Update.
The updated value now appears on the Details tab page.
The priority score is viewed on the Priorities home page and the Details tab of a priority.
It can be updated by clicking Update Score under the meatballs menu.
The priority status is viewed on the Priorities home page and the Details tab of a priority.
Status can be updated via bulk actions, but to update for one priority, perform the following steps:
Step 1: Click the priority status flag on the Priorities home page (or click the priority status flag displayed on the Details page).
Step 2: Select the desired status indicator from the pulldown menu.
Step 3: Click Update status.
A notification confirms the action.
Existing priorities can be updated in two ways:
Step 1a: From the Priorities home page, click Edit priority under the meatballs menu.
Step 1b: From the Details tab of a priority, click Edit priority.
All fields that were available when the priority was created can now be edited.
Step 2: Click Save when finished.
Bulk action options appear after one or more priorities are selected by clicking the checkbox to the far left of the Priority title field or by clicking the box next to the column header.
Click Actions to see the list of options.
The Content Library menu provides access to repositories for narratives, writeups and runbooks. These repositories allow users to create, manage, and reuse content across the platform when generating reports or findings.
Users access it by clicking Content Library in the application's main menu.
The Content Library repositories offer numerous advantages:
Reusability: Users can create and access reusable items such as writeups and narrative sections. Instead of recreating content from scratch, users can leverage existing content, saving time and effort.
Standardization and Consistency: The Content Library promotes standardization and consistency by organizing reusable content within repositories. Users can load and access predefined repositories and templates.
Efficiency: Users can quickly locate and retrieve relevant content, streamlining the report creation process and improving overall efficiency.
Collaboration: The Content Library is designed to promote collaboration and knowledge sharing. It allows users to designate repositories for multiple individuals to access and contribute.
Scalability: As the Content Library accumulates reusable items, it becomes a valuable resource that grows with the organization's needs. New users can leverage existing content, maintaining consistency even as the user base expands.
Customization: Users can create repositories, set permissions for viewing and editing, organize content within repositories, establish templates, customize layout, add tags or metadata, and integrate with external tools.
Step 1: From the WriteupsDB module home page, click New Repository.
Step 2: Fill out the provided fields.
Repository Name: Describes the repository and is displayed on the repository card from the Repositories tab.
Writeup ID Prefix: A three-character value that is unique to this repository. The Section ID Prefix value informs the future relationship of all sections created within the repository to a specific repository. Once assigned to a particular repository with the prefix, sections will automatically increment as they are added. An error message will display if the prefix already exists after clicking the Create button.
Description: Describes the repository in 350 characters or less. The number of characters remaining in the description is presented at the bottom right of the box.
Step 3: Click Create.
A notification confirms the action and the repository will appear as a card on the Repositories tab.
WriteupsDB is a central repository for all the writeups available in PlexTrac. Its purpose is to categorize them, associate them with specific use cases, and facilitate reuse. By structuring and refining the findings, writeups can be seamlessly incorporated into other deliverables, such as a report.
Users access it by clicking Content Library in the application's main menu and then clicking WriteupsDB.
WriteupsDB serves as a valuable tool for tracking and organizing vulnerability information. Benefits of WriteupsDB include:
Enhanced Organization and Access: WriteupsDB provides a centralized database where items can be added or imported, making it effortless to organize and access information related to vulnerabilities. This centralized approach improves efficiency and streamlines tracking and documenting vulnerabilities.
Improved Permissions and Segregation: With the introduction of repositories, PlexTrac offers improved permissions and segregation capabilities. Instead of managing writeups as a list, users can create repositories to categorize and segregate writeups based on different contexts, such as incident response or vulnerability management. This feature ensures that the right users have the appropriate level of access in their specific domains and can work without interference from unrelated teams.
Standardization and Collaboration: WriteupsDB enables the standardization of vulnerability documentation by encouraging and reusing templates. This ensures consistency in the format and language, making it easier for stakeholders to understand and analyze vulnerabilities. The platform also supports collaboration, allowing multiple users to work on writeups simultaneously and facilitating peer reviews for improved quality and accuracy.
Any subdirectories listed for an asset's domain will be loaded as their own assets and considered a 'child' in relation to the 'parent' domain. This relationship will be tracked and maintained within PlexTrac. For example, www.plextrac.com/home will become two assets, with /home a child to www.plextrac.com.
Repository Access: Defines what the writeups in this repository.
A repository is a versatile tool for managing writeups. It organizes content into structured categories, allowing for efficient reuse across reports. Repositories grant varying access permissions, enhancing collaboration and control.
Step 1: From the WriteupsDB module home page, click the repository to update.
Step 2: Click Repository Settings.
All fields that existed when creating the repository are available for editing, with an additional button to delete the repository.
Step 3: Click Submit when finished.
Step 1: From the Repositories tab of the WriteupsDB module, click the meatballs menu found on the repository card to copy.
Step 2: Click Copy Repository.
Step 3: Change the repository name, add a section ID, update the description as needed, and validate access permissions. Click Save.
The new repository has been created and is listed on the Repositories tab.
This action will delete the repository and all its writeups for all users.
A repository can be deleted in two ways:
A warning message will appear asking for validation. Click Delete to continue.
If the repository is not an "Open" type repository, admins can manage users by clicking Users & Permissions.
Step 1: From the Repositories tab of the WriteupsDB home page, click the card of the repository to modify.
Step 2: Click Users & Permissions.
Step 3: Click Add User.
Step 4: Type in the user from the pulldown menu and select the permission. Repeat as necessary. Click Add X Users.
Step 5: Edit the permission or delete a user, if needed. Click Done.
Step 1: Select the desired repository card from the WriteupsDB home page and click Users & Permissions.
Step 2: Select the user to modify and change permissions from the pulldown menu.
Step 3: When finished, click Done.
Step 1: Select the desired repository card from the WriteupsDB home page and click Users & Permissions.
Step 2: Select the user to remove and click the X in that row.
Step 3: When finished, click Done.
The WriteupsDB module has two tabs:
Writeups: Displays all writeups in various repositories, including those created manually and imported.
PlexTrac provides a default repository container for any existing writeups. This repository can be renamed, modified, and deleted.
Once added, any extra repositories will be displayed on the page alphabetically according to their title.
Each repository card provides the following information:
Repository Title
Repository Type: Open, Managed, or Private
Meatballs Menu: options to copy or delete the repository
Repository Description
Number of contained writeups
Number of added users
Click the Writeups tab to view all writeups for a tenancy. This view will display helpful information such as the writeup ID, parent repository, writeup severity, source, assigned tags, and the ability to edit, copy, or delete any selected writeup.
When editing multiple reports, PlexTrac offers bulk action capabilities. Bulk actions provide several advantages, including time-saving and increased efficiency by processing numerous items simultaneously.
Bulk action options appear after one or more writeups are selected by clicking the checkbox to the far left of the Title field or by clicking the box next to the column header.
Click Actions to see the list of options.
The table view can be customized by clicking the column view icon to the right of the search bar.
Once clicked, a modal appears that lists all fields. To remove a column, click X within the bar.
When fields are removed, an "Add Column" pulldown menu is added at the bottom left of the modal to store the field. Any removed fields can be added later by clicking Add Column and selecting the field to add.
This modal represents the sequence of fields provided in the table, meaning the bar on top will be the column on the table's far left.
The order of columns can be adjusted within this modal by clicking the six dots on the left of the bar for a field and dragging the bar to the desired position in the sequence.
Click Save when finished.
Click the meatballs menu on the repository card from the Repositories tab of the WriteupsDB module. Then, click the meatballs menu again in the repository card and click Delete Repository.
Click the meatballs menu on the repository card from the Repositories tab of the WriteupsDB module. Select Repository Settings, then scroll to the bottom and click Delete Repository.
Repositories: Displays all writeup repositories that exist in a tenancy. A repository can be .
PlexTrac provides a downloadable CSV file that can be used as a template for entering writeups offline and importing them into WriteupsDB.
Step 1: From the WriteupsDB module, click the Writeups tab.
Step 2: Click Import Writeups.
Step 3: Click Download CSV template file.
The file will be downloaded locally for editing.
Save the CSV template in UTF-8 format to prevent including non-UTF characters that may break the importer.
When importing the CSV file, all fields below must appear as column headers and follow the rules defined in the table. Otherwise, the file may be rejected when imported or require further manual editing within PlexTrac.
Title, description, and severity are required.
| Column header | Rules |
| --- | --- |
| title | This is a required field. |
| severity | This is a required field. The severity value must be one of the following (not case-sensitive): "Informational, Low, Medium, High, Critical". If no value is provided in the CSV, a value of "Informational" will be assigned. |
| description | This is a required field. |
| recommendations | These are the writeup recommendations. |
| references | This field accepts multiple values delimited with a comma. For example: "Item 1, Item 2, Item 3". NOTE: Do not use commas if providing complete sentences, as any comma will result in a paragraph break. Periods do not trigger a paragraph break. |
| tags | This field accepts multiple values delimited with a comma. For example: "Item 1, Item 2, Item 3" |
| custom field | The headers will be converted to keys and labels in the writeup after import. As many custom fields can be used as desired. For example, "custom field 1," "custom field 2," etc. |
| score::cvss3 | The value before the double colon is the score; the value after is the vector string (calculation), if provided. For example: "9.8::CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" |
| score::cvss | For example: "9.5" |
| score::YourLabel | Replace "YourLabel" with the Label of a custom scoring system. The value before the double colon is the score; the value after is the vector string (calculation), if provided. For example: "1000::a+b+c+d" |
| cves | Separate values with a comma. For example: "CVE-1999-0001, CVE-2000-0001" |
| cwes | Separate values with a comma. For example: "CWE-787, CWE-79, CWE-89" |
| score::cvss3.1 | The value before the double colon is the score; the value after is the vector string (calculation), if provided. For example: "3.7::AV:A/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:L" |
| score::cvss4 | The value before the double colon is the score; the value after is the vector string (calculation), if provided. For example: "5.7::AV:L/AC:H/AT:P/PR:L/UI:A/VC:N/VI:L/VA:H/SC:H/SI:L/SA:N" |
Step 1: From the WriteupsDB module, click the Writeups tab.
Step 2: Click Import Writeups.
Step 3: Drag the file into the designated box or navigate to the file on the computer.
Step 4: Click Upload.
When completed, the imported writeups will be displayed within the selected repository.
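The column rules listed above can be checked locally before a file is uploaded. The following pre-import validator is an added example, not PlexTrac code: it assumes the exact lowercase header names shown on this page, and its CVE/CWE patterns and the embedded sample rows are constructed for illustration.

```python
import csv
import io
import re

# Rules taken from the column table on this page.
REQUIRED = ("title", "severity", "description")
SEVERITIES = {"informational", "low", "medium", "high", "critical"}
# Assumption: standard CVE/CWE identifier shapes; the importer's own checks are not documented here.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
CWE_RE = re.compile(r"^CWE-\d+$", re.IGNORECASE)


def _check_score(header, value):
    """A 'score::Label' cell is 'score' or 'score::vector'; the score must be numeric."""
    score, _, vector = value.partition("::")
    try:
        float(score)
    except ValueError:
        return f"{header}: score {score!r} is not a number"
    if "::" in value and not vector.strip():
        return f"{header}: '::' present but vector string is empty"
    return None


def _check_ids(header, value, pattern):
    """Comma-separated identifier list (cves / cwes)."""
    items = [v.strip() for v in value.split(",") if v.strip()]
    bad = [v for v in items if not pattern.match(v)]
    return f"{header}: malformed value(s): {', '.join(bad)}" if bad else None


def validate_writeups_csv(raw: bytes):
    """Return (errors, warnings) for a writeups CSV given as raw file bytes."""
    errors, warnings = [], []
    try:
        text = raw.decode("utf-8-sig")  # UTF-8 is required; tolerate a BOM
    except UnicodeDecodeError as exc:
        return [f"file is not valid UTF-8 (byte offset {exc.start})"], warnings

    reader = csv.DictReader(io.StringIO(text, newline=""))
    headers = [h.strip() for h in (reader.fieldnames or [])]
    reader.fieldnames = headers
    missing = [h for h in REQUIRED if h not in headers]
    if missing:
        return [f"missing required column(s): {', '.join(missing)}"], warnings

    # Row numbers count records, with the header as row 1.
    for n, row in enumerate(reader, start=2):
        if row.get(None):  # extra cells usually mean an unquoted comma shifted the columns
            errors.append(f"row {n}: more cells than headers (unquoted comma?)")
        for field in ("title", "description"):
            if not (row.get(field) or "").strip():
                errors.append(f"row {n}: {field} is empty")
        sev = (row.get("severity") or "").strip()
        if not sev:
            warnings.append(f"row {n}: severity empty, 'Informational' will be assigned")
        elif sev.lower() not in SEVERITIES:
            errors.append(f"row {n}: severity {sev!r} is not allowed")
        for header in headers:
            value = (row.get(header) or "").strip()
            if not value:
                continue
            problem = None
            if header.startswith("score::"):
                problem = _check_score(header, value)
            elif header == "cves":
                problem = _check_ids(header, value, CVE_RE)
            elif header == "cwes":
                problem = _check_ids(header, value, CWE_RE)
            if problem:
                errors.append(f"row {n}: {problem}")
    return errors, warnings


# Constructed sample: one clean row, one row with no severity, one row with three defects.
SAMPLE = (
    "title,severity,description,references,tags,score::cvss3,cves,cwes\n"
    'SQL injection in login,HIGH,"User input reaches the query unescaped.","OWASP, CWE",web,'
    '"9.8::CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",CVE-1999-0001,"CWE-89, CWE-79"\n'
    "Verbose banner,,Server header discloses version.,,,,,\n"
    "Weak cipher,Severe,TLS offers RC4.,,,high::,CVE-20-1,CWE-327\n"
).encode("utf-8")

if __name__ == "__main__":
    errs, warns = validate_writeups_csv(SAMPLE)
    for line in errs + warns:
        print(line)
```

Cells that contain commas, such as multi-value references or a description sentence, must be quoted in the CSV, otherwise the columns shift and the extra-cells check fires.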
The process of creating a writeup is similar to that of creating a finding.
Step 1: From the WriteupsDB home page, click the Writeups tab.
Step 2: Click New Writeup.
Step 3: A modal will appear with the option to start from default finding fields or use a custom findings layout. Choose an option and click Next.
Step 4: Enter the writeup name and select the repository and severity. Click Create.
Step 5: Enter the information in the provided fields on the "Create New Writeup" page. Required fields are denoted with a red asterisk.
New sections for the writeup can be added by clicking Add new custom field at the bottom of the page. There is no limit to the number of new sections that can be added. Any section can be deleted by clicking the Remove button.
Step 6: Click Close at the top of the page. All changes are autosaved.
Visit the for documentation on the fields referenced below.
RunbooksDB enables collaborative testing for threat emulation and simulation, known as Purple Teaming. Organizations can create reusable test plans that encompass a set of procedures.
Users access it by clicking Content Library in the application's main menu and then clicking RunbooksDB.
Runbooks comprise a particular methodology, a series of tactics, techniques, and procedures collectively known as TTPs. Runbooks are executed and turned into an engagement tied to a specific client. Once the engagement is finished and submitted, it becomes a report.
RunbooksDB offers several benefits:
Standardization: Runbooks provide standardized procedures and workflows for various tasks and processes. This consistency helps ensure that critical steps are not missed during an operation.
Efficiency: By having predefined procedures and automation scripts within runbooks, teams can respond to incidents and complete tasks more efficiently, which reduces the time and effort required for routine operations.
Consistency: Runbooks help maintain consistency in task performance. This is crucial in cybersecurity and incident response, as consistent procedures are necessary to identify and mitigate threats effectively.
Training and Onboarding: Runbooks are valuable training materials for new team members. They can use runbooks to learn how to perform various tasks and understand best practices, ensuring a smooth onboarding process.
The RunbooksDB home page consists of five tabs:
Repositories: A set of processes that can be reused and have controlled access.
Procedures: A set of steps required to execute a tactic. For example, a procedure for browser extension-based persistence could describe how a malicious extension is injected to maintain persistence.
Techniques: A grouping of procedures. Techniques are added to a tactic for use in an engagement. For example, if a tactic is persistence, a technique could exist for browser extensions.
Tactics: A grouping of techniques. Tactics are added to a methodology for use in a runbook. This usually represents a type of attack, such as persistence or a privilege escalation from the MITRE ATT&CK framework. This can also be a logical grouping or structure for techniques.
Methodologies: A grouping of tactics that are put into a runbook. It contains a title, ID, description, and the selected series of tactics. Tactics can be chosen to apply to the methodology when used as a runbook. This is similar to how the MITRE ATT&CK is broken down, where the methodology represents the framework for TTPs.
PlexTrac provides a container for all instances called "PlexTrac Curated" that contains community-produced procedures on MITRE/CTI.
This repository contains over 1,500 MITRE procedures from the ATT&CK matrix that can be leveraged. It is available to all users and cannot be deleted.
Once a test plan is imported, another default repository is created. This repository contains all procedures included in the imported test plans.
Once added, any additional repositories will be displayed on the page alphabetically according to their title.
Each repository card offers an overview of its contents and settings. It includes the Repository Title, which helps identify the repository, and the Repository Type, which can be categorized as Open, Managed, or Private. The meatballs menu provides convenient options for copying or deleting the repository. Additionally, a Repository Description is available for further context. The card also displays the number of procedures contained, giving insight into the repository's complexity, and the number of added users, which indicates the level of collaboration or access granted to others.
To view all procedures, click the Procedures tab. This view will display helpful information such as the procedure ID, repository ID, methodology, repository, source, assigned tags, and the ability to edit or delete a procedure.
The table view can be customized by clicking the column view icon to the right of the search bar.
Click the Techniques tab to view all techniques. This view will display the title, ID, leveraged tactics, and the ability to edit or delete them.
The table view can be customized by clicking the column view icon to the right of the search bar.
To view all tactics, click the Tactics tab. This view will display the title, ID, leveraged methodology, and the ability to edit or delete.
The table view can be customized by clicking the column view icon to the right of the search bar.
Click on the Methodologies tab to see all methodologies and find the title, ID, and options to edit or delete them.
Writeups can be copied within the WriteupsDB module or from a finding within a report.
Step 1: Within a report, click the Findings tab.
Step 2: Find the finding to copy. Click the meatballs menu (three dots) under "Actions" and click Copy to WriteupsDB.
Step 3: Select the repository from the pulldown menu and click Copy.
Finding details unique to this report will also be copied; remove any sensitive information.
Step 1: From the WriteupsDB module, go to the writeup to copy and click Copy To under the "Actions" column.
Step 2: Select the destination repository from the pulldown menu and click Copy.
Step 1: From a report, click the Findings tab.
Step 2: Click Add Findings and select "From WriteupsDB" from the pulldown menu.
Step 3: Search for or use the provided pulldown filters to display the desired writeup(s) to add.
Step 4: Click the box next to the writeup(s) to add. Selected writeups will appear in the "TO BE ADDED TO REPORT" column on the right. Click Add X Writeups.
The selected writeups now appear on the Findings tab of the report.
Admins can modify the repository name, prefix, description, and access settings.
Step 1: From the Repositories tab of the RunbooksDB home page, click the card of the repository to modify.
Step 2: Click Repository Settings.
Step 3: Make the desired changes, then click Save.
This action will permanently delete the repository and all its sections for all users.
From the RunbooksDB home page's Repositories tab, click the three dots in the repository card and then click Delete Repository.
A warning message appears asking for validation. Click Delete Repository.
If the repository is not an "Open" type repository, admins can manage users by clicking Users & Permissions.
Step 1: From the Repositories tab of the RunbooksDB home page, click the card of the repository to modify.
Step 2: Click Users & Permissions.
Step 3: Click Add User.
Step 4: Type in the user from the pulldown menu and select the permission. Repeat as necessary. Click Add X Users.
Step 5: Edit the permission or delete a user, if needed. Click Done.
Step 1: From the RunbooksDB home page, click the desired repository card and click Users & Permissions.
Step 2: Select the user to modify and change permissions from the pulldown menu.
Step 3: When finished, click Done.
Step 1: From the RunbooksDB home page, click the desired repository card and click Users & Permissions.
Step 2: Select the user to remove and click the X in that row.
Step 3: When finished, click Done.
Tactics are higher-level categories or strategies used by adversaries to achieve their goals. In the MITRE ATT&CK framework, tactics are broader than techniques and represent the overall objectives of an attack. For example, tactics might include "Execution," "Persistence," "Privilege Escalation," and "Defense Evasion." Tactics encompass a range of techniques that support a specific objective.
Step 1: Click the Tactics tab of the RunbooksDB module.
Step 2: Click New Tactic.
Step 3: Fill out the provided fields.
Tactic Title (required)
Tactic ID (required)
Techniques: Click Add Techniques to bring up a new modal to add techniques to the tactic.
Methodologies: Click Add Methodologies to bring up a new modal to add methodologies to the tactic.
Tactic Description: A rich-text field to enter any content, images, or tables to describe the tactic.
Tags: Enter any tags to help future search and filtering tasks.
Step 4: Click Save.
The tactic is now available from the Tactics tab, which can be viewed, edited, or deleted.
A procedure is a predefined set of steps and actions that must be followed to accomplish a specific security-related task or address a particular issue. Procedures are often documented and provide a systematic approach to incident response, patch management, access control, and vulnerability assessment. They help ensure that tasks are executed consistently and comply with security policies.
Step 1: Click the Procedures tab of the RunbooksDB module.
Step 2: Click New Procedure.
Step 3: Fill out the provided fields.
Procedure Title (required): The procedure title should include MITRE technique numbers when applicable (e.g., T1027), with an additional local indicator to distinguish it from the official MITRE technique, such as "Obfuscated Files or Information AE-T1027."
Procedure ID (required): The procedure ID should combine the MITRE technique number (e.g., T1027) with an organization-specific identifier and a sequential number, such as "AE-T1027-001" or "T1027-AE-001". This maintains consistency, links to MITRE techniques, and supports standardization within an organization.
RunbooksDB Repository (required): Every procedure must be associated with a RunbooksDB repository, and only repositories that the user can edit appear in the pulldown menu.
Procedure Description (required): A rich-text field to enter any content, images, or tables needed to describe the procedure. A procedure description should be detailed and actionable, including clear objectives, step-by-step instructions, and mapping to relevant MITRE ATT&CK techniques. It should be based on real-world adversary behaviors and include technical details, expected outcomes, and potential variations. Additionally, it should provide safety precautions and guidance on detection and mitigation strategies.
Tags: Enter any tags to help future search and filtering tasks.
Execution Steps (required): A set of steps to achieve specific security-related goals and address potential threats or vulnerabilities. A procedure must have at least one step.
Add Step Success Criteria: Click this to access a rich-text field to provide the success criteria of the previously entered step. Good step success criteria should include measurable outcomes that align with the exercise's objectives. These criteria should be based on observable indicators that reflect real-world adversary behaviors. For example, success might be defined as achieving unauthorized access within a certain timeframe using specific tactics.
Add Another Execution Step: Click this button to add additional steps.
Step 4: Click Save at the top of the page.
The procedure is now available from the Procedures tab and can be viewed, edited, or deleted from this location.
Techniques: Click Add Techniques to add existing techniques in RunbooksDB to the procedure. They will then appear on the "New Procedure" page.
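The Procedure ID convention described above can be checked before IDs are entered. The following is an added example, not PlexTrac code: it parses both layouts shown ("AE-T1027-001" and "T1027-AE-001") and flags malformed IDs, duplicates, mixed layouts, and gaps in the sequential number. The organization-code length, the three-digit sequence, sub-technique support, and all function names are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# The page gives two layouts: "AE-T1027-001" and "T1027-AE-001".
# Assumptions added for this example: the organization code is 2-5 uppercase
# letters, the sequence number is exactly three digits, and ATT&CK
# sub-technique IDs such as T1566.001 are accepted.
_TECH = r"T\d{4}(?:\.\d{3})?"
_ORG = r"[A-Z]{2,5}"
_LAYOUTS = {
    "org-first": re.compile(rf"(?P<org>{_ORG})-(?P<tech>{_TECH})-(?P<seq>\d{{3}})"),
    "technique-first": re.compile(rf"(?P<tech>{_TECH})-(?P<org>{_ORG})-(?P<seq>\d{{3}})"),
}

# Constructed sample input, not taken from any real repository.
SAMPLE_IDS = [
    "AE-T1027-001",
    "AE-T1027-002",
    "AE-T1027-004",      # 003 is missing
    "T1059-AE-001",      # valid, but uses the other layout
    "AE-T1027-002",      # duplicate
    "ae-t1027-5",        # wrong case, sequence not zero-padded
    "AE-T1566.001-001",  # sub-technique
]


def parse_procedure_id(pid):
    """Return the parts of a procedure ID, or None if it fits neither layout."""
    for layout, pattern in _LAYOUTS.items():
        m = pattern.fullmatch(pid)
        if m:
            return {"id": pid, "layout": layout, "org": m["org"],
                    "technique": m["tech"], "seq": int(m["seq"])}
    return None


def lint_procedure_ids(ids):
    """Return a list of (subject, problem) tuples for a batch of procedure IDs."""
    issues, parsed, seen = [], [], set()
    for pid in ids:
        rec = parse_procedure_id(pid)
        if rec is None:
            issues.append((pid, "malformed"))
        elif pid in seen:
            issues.append((pid, "duplicate"))
        else:
            seen.add(pid)
            parsed.append(rec)

    # Consistency: every ID should use the layout most of the batch uses.
    if parsed:
        dominant = Counter(r["layout"] for r in parsed).most_common(1)[0][0]
        issues += [(r["id"], "mixed-layout") for r in parsed if r["layout"] != dominant]

    # Sequential numbers should run 001..n per organization and technique.
    groups = defaultdict(set)
    for r in parsed:
        groups[(r["org"], r["technique"])].add(r["seq"])
    for (org, tech), seqs in sorted(groups.items()):
        for missing in sorted(set(range(1, max(seqs) + 1)) - seqs):
            issues.append((f"{org}/{tech}", f"gap:{missing:03d}"))
    return issues


if __name__ == "__main__":
    for subject, problem in lint_procedure_ids(SAMPLE_IDS):
        print(f"{subject}: {problem}")
```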
Cyber attackers or threat actors use specific methods, tactics, and procedures known as techniques to compromise computer systems, gain unauthorized access, or achieve their malicious objectives. Adversaries use these techniques to exploit vulnerabilities and weaknesses in computer systems and networks.
Step 1: Click the Techniques tab of the RunbooksDB module.
Step 2: Click New Technique.
Step 3: Fill out the provided fields.
Technique Title (required)
Technique ID (required)
Procedures: Click Add Procedures to bring up a new modal to add procedures to the technique.
Tactic: Click Add Tactics to bring up a new modal to add tactics to the technique.
Technique Description: A rich-text field to enter any content, images, or tables to describe the technique.
Tags: Enter any tags to help future search and filtering tasks.
Step 4: Click Save.
The technique is now available from the Techniques tab, which can be viewed, edited, or deleted.
A methodology is a structured approach or framework to guide a comprehensive and systematic process. In cybersecurity, a methodology is often a documented set of guidelines and procedures for performing tasks such as penetration testing, risk assessment, security assessments, or incident response. Methodologies provide a structured way to conduct activities and ensure consistency in approach.
Step 1: Click the Methodologies tab of the RunbooksDB module.
Step 2: Click New Methodology.
Step 3: Enter a methodology title and ID (both fields are required).
Step 4: Click Add Tactics. A modal will appear with available tactics to add to the methodology. Click Select next to the tactics to add, and the selected tactics will appear in the right column.
Step 5: When finished, click Add X Tactics.
Enter a methodology description and any desired tags.
Step 6: Click Save at the top of the page.
The methodology is now available from the Methodologies tab and can be viewed, edited, or deleted from this location.
Step 1: From the Repositories tab of the RunbooksDB module, click New Repository.
Step 2: Enter information in the fields and select the desired security access for the repository.
Repository Name: Describes the repository and is displayed on the repository card from the Repositories tab.
Description: Describes the repository.
Repository Access: Defines what users and roles can access the writeups in this repository.
Step 3: Click Create.
The new repository now has a card on the Repositories tab.
Writeup ID Prefix: A three-character value that is unique to this repository. An error message will display if the prefix already exists after clicking the Create button in Step 3.
The Assets tab has two containers that can be expanded or collapsed to display all assets that the user has access to view:
Asset findings overview: an overview of all assets
Assets: a table view of assets with sortable headings
Search filters allow users to refine and narrow search results based on specific criteria or parameters.
Analytics filter values and data sets are updated every minute. If a tag or field was updated but did not appear as expected, wait one minute and try again.
A list of all filters and values for the Assets tab exists below:
Client(s)
Client Tags
Asset Types
Asset(s)
Asset Tags
Ports
Finding Severity: Critical, High, Medium, Low, Informational
Asset Severity: Critical, High, Medium, Low, Informational, Unspecified
Finding Tags
Report
Report Tags
Operating System
Data Owner
System Owner
Physical Location
This container graphically displays the number of assets that have findings and provides a breakdown of the severity of findings (for those assets with findings).
This container displays a table that lists the asset name, client, criticality, type, and finding count. Column headers can be clicked to change the sort order and how the data is displayed.
Click an asset row for more information and a list of associated findings.
Assets can be edited directly by clicking Edit Asset at the top right of the page.
The Findings tab has two containers of information that can be expanded or collapsed:
Findings: an overall view of all findings that the user has access to view and have been published
Findings by client: a view of findings filtered by the client
When filters are selected, the data displayed refreshes, and the active filters are listed at the top of the page.
Search filters allow users to refine and narrow their search results based on specific criteria or parameters.
Analytics filter values and data sets are updated every minute. If a tag or field was updated but did not appear as expected, wait one minute and try again.
A list of all filters and values for the Findings tab exists below:
Client(s)
Client Tags
Date Range
Asset(s)
Asset Tags
Finding Severity: Critical, High, Medium, Low, Informational. Unchecking a severity will hide any asset with only findings of that severity.
Asset Severity: Critical, High, Medium, Low, Informational, Unspecified
Finding Tags
Finding Status: Open, In Process, Closed
Report
Report Tags
Graph View: Horizontal, Vertical
Assignees: This field only relates to Clients, Client Tags, Finding Tags, Reports, and Report Tags. If other fields are selected, the pulldown menu for Assignees will be blank. Similarly, if a report with no assignees is set, the pulldown menu for Assignees will be empty.
CVE ID
CWE ID
The Findings container displays the status, severity, client breakdown, and most critical findings for all tenant findings within defined query parameters and user permissions.
The Findings By Client container breaks down findings per client. Scroll down to see additional clients in the tenant.
More details about a specific finding can be obtained in the "Most Critical Findings" table.
Clicking the row of a finding brings up the finding details modal.
Access the Findings tab of the Report module for further editing by clicking the "Finding ID" value.
Modify the finding status by clicking the "Status" value.
View information on an affected asset by clicking the table row of the
The Analytics module provides one central location to obtain valuable metrics and view findings, assets, runbooks, and SLA trends. This module consists of four sections: Findings, Assets, and Trends & SLAs.
The Analytics module defaults to the Findings tab.
Only data for findings from published reports (a status of "Published") that the user has permission to view are displayed.
Data can be refined using one or more filters in the right column. When filters are selected, the data displayed refreshes, and the active filters are listed at the top of the page.
The number of active filters is displayed next to "Active Filters." Click Clear All to reset filters.
Filter options are specific to the type of data being queried, and the facets and values available dynamically change when navigating through the Findings, Assets, and Trends & SLAs tabs.
A search filter set is a collection of grouped search filters to provide more comprehensive results. Practical search filter sets can improve the user experience by reducing the time and effort required to find relevant search results and increasing the likelihood of a successful search.
Step 1: Select the filters that will make up the preset.
Step 2: Click Create Preset at the top of the filter column.
Step 3: Enter a value for "Filter Name." This value will be used to select the query later, so it should be intuitive.
Step 4: Click Create Filter.
The filter preset now appears in the pulldown menu as an available option.
This process can be used to rename an existing filter preset, adjust the filter parameters, or use it as a clone to create a new filter preset.
Step 1: Select the filter preset to modify from the pulldown menu.
Step 2: Adjust the filter parameters.
Step 3: Click Update Selected Filter.
Step 4: A modal appears. Rename the filter to keep the original filter unchanged, or click Update.
Step 1: Select the filter preset to delete from the pulldown menu.
Step 2: Click Delete Selected Filter.
Step 3: A modal appears to confirm the action. Click Delete Filter.
This tab only supports the legacy Runbooks V1 solution.
The Runbooks tab shows success at remediating issues over time by displaying data from all published runbooks a user has permission to view. It reveals trends in how blue and red team outcomes change (or not) over time, to ensure that blue team success increases as red team success decreases.
Each runbook is separated by a container that can be expanded or collapsed.
Clicking a container for a runbook provides a graphical view of the following information:
Runbook Stats: overviews clients impacted, findings generated, and tactics covered.
Tactics Covered: shows how many procedures in a runbook were created as findings and how effective a security program was at stopping a technique.
Red Team Outcomes: provides a view and percentage breakdown of red team outcomes; moving the cursor around the pie chart provides additional information.
Blue Team Outcomes: provides a view and percentage breakdown of blue team outcomes; moving the cursor around the pie chart provides further information.
Client Engagement Analysis: provides a bar chart graph visual of blue and red team outcomes by date to measure progress over time
When filters are selected, the data displayed refreshes, and the active filters are listed at the top of the page.
Search filters allow users to refine and narrow their search results based on specific criteria or parameters.
Analytics filter values and data sets are updated every minute. If a tag or field was updated but did not appear as expected, wait one minute and try again.
A list of all filters and values for the tab exists below:
Client(s)
Date range (values selected shown in query bar)
Runbooks (values selected shown in query bar)
Methodologies (values selected shown in query bar)
Engagements (values selected shown in query bar)
Engagement Tags
Tactics (values selected shown in query bar)
Red Team Outcome: Success, Partial Success, Failed, Unknown
Blue Team Outcome: Blocked, Alerted, Logged, No Evidence
Included as Finding: True, False
The Trends & SLAs tab displays how a security program is meeting goals from an SLA perspective and provides trending data about findings in a security program. It allows the configuration of SLAs based on specific criteria and provides visual data to determine whether those criteria are being met.
The Trends and SLAs tab contains multiple containers:
Mean time to remediate by severity: This includes only closed findings. The MTTR number is derived from the following calculation: Total Sum of Creation to Closure Time / Total Number of Findings Closed.
Trend of findings opened vs closed: This graph shows progress over a period of time. To better utilize space, days with zero findings opened or closed are hidden.
Service-Level Agreements (SLAs): This section will list every SLA that has been enabled for the tenant.
Search filters allow users to refine and narrow search results based on specific criteria or parameters.
Analytics filter values and data sets are updated every minute. If a tag or field was updated but did not appear as expected, wait one minute and try again.
A list of all filters and values exists below:
Client
Client Tags
Date Range
Finding Severity: Critical, High, Medium, Low, Informational
Finding Tags
Report
Report Tags
CVE ID
CWE ID
The MTTR number is derived from the following calculation: Total Sum of Creation to Closure Time / Total Number of Findings Closed.
This container displays a bar graph showing the monthly trend chart of open and closed findings over the period specified in the filter for findings that match the criteria.
A trending blue line shows the total number of open findings. A green bar identifies the number of closed findings, while a red bar identifies the number of opened findings.
These containers provide visual representations and snapshots of findings based on enabled SLAs and selected query parameters.
A total count for all findings that exceed, are nearing or are within one day of the SLA.
A view of the mean time to remediate, plus any findings nearing one day of SLA over time.
A view of how many findings, as a percentage of overall findings, exceeded the SLA over a period of time.
Further details and the ability to directly edit any findings that apply to the SLA can be obtained by clicking on the appropriate box under "CURRENT SNAPSHOT."
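The MTTR calculation and the SLA snapshot described above, worked through on a small data set. This is an added example, not PlexTrac code: the findings are constructed, and the SLA thresholds, the three bucket names, the choice to bucket only open findings, and the function names are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed findings; "closed" is None while a finding is still open.
FINDINGS = [
    {"id": "F-1", "severity": "Critical", "created": "2024-03-01T09:00", "closed": "2024-03-04T09:00"},
    {"id": "F-2", "severity": "Critical", "created": "2024-03-02T09:00", "closed": "2024-03-07T09:00"},
    {"id": "F-3", "severity": "High",     "created": "2024-03-01T09:00", "closed": "2024-03-11T09:00"},
    {"id": "F-4", "severity": "High",     "created": "2024-03-05T09:00", "closed": None},
    {"id": "F-5", "severity": "Critical", "created": "2024-03-10T09:00", "closed": None},
    {"id": "F-6", "severity": "Critical", "created": "2024-03-13T21:00", "closed": None},
    {"id": "F-7", "severity": "Low",      "created": "2024-03-01T09:00", "closed": None},
]

# Hypothetical SLA: days allowed from creation to closure, per severity.
# Severities without an entry (Low here) have no SLA enabled.
SLA_DAYS = {"Critical": 7, "High": 30}


def _ts(value):
    return datetime.fromisoformat(value)


def mttr_by_severity(findings):
    """MTTR in days per severity:
    total creation-to-closure time / number of findings closed.
    Open findings are excluded, as the page states."""
    totals = defaultdict(lambda: [timedelta(0), 0])
    for f in findings:
        if f["closed"] is None:
            continue
        bucket = totals[f["severity"]]
        bucket[0] += _ts(f["closed"]) - _ts(f["created"])
        bucket[1] += 1
    return {sev: total.total_seconds() / 86400 / count
            for sev, (total, count) in totals.items()}


def sla_snapshot(findings, sla_days, now):
    """Bucket open findings by time left before their SLA deadline."""
    buckets = {"exceeded": [], "within_one_day": [], "on_track": []}
    for f in findings:
        if f["closed"] is not None or f["severity"] not in sla_days:
            continue
        deadline = _ts(f["created"]) + timedelta(days=sla_days[f["severity"]])
        remaining = deadline - now
        if remaining < timedelta(0):
            buckets["exceeded"].append(f["id"])
        elif remaining <= timedelta(days=1):
            buckets["within_one_day"].append(f["id"])
        else:
            buckets["on_track"].append(f["id"])
    return buckets


if __name__ == "__main__":
    now = datetime(2024, 3, 20, 9, 0)
    print(mttr_by_severity(FINDINGS))
    print(sla_snapshot(FINDINGS, SLA_DAYS, now))
```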
Step 1: From the Runbooks module home page (the Engagements tab), click Start New Engagement.
Step 2: Select the client from the Client pulldown menu.
Step 3: Select if the engagement is new or to be modified from an existing test plan.
Existing test plans are greyed out unless "Start from an existing Test Plan" is selected. These plans can be leveraged as a starting point by clicking Select next to the test plan.
To reduce the list of test plans provided, filter by tactic or test plan title in the search box.
Step 4: Click Next.
Step 5: On the Engagement Details tab, enter a title (required), a description, and any required tags. If an existing test plan was selected in the previous step, information in that test plan is populated by default and can be edited.
Click Continue.
Step 6: On the Select Procedures tab, select the procedures for this engagement by clicking the Select button next to the procedure to add. If leveraging an existing test plan, all procedures from that template are displayed in the right-hand column.
To remove a procedure from this list, click the x button at the right of its box.
The procedure sequence can be adjusted by clicking and dragging the procedure to its desired line.
The list of procedures displayed on the screen can be adjusted using the provided filter options.
Step 7: Click Add X Procedures when finished.
Step 8: View a summary of the engagement from the Finalize Engagement tab. The title, description, tags, engagement coverage, and assigned procedures are displayed.
Click Create Engagement.
The engagement is now active and ready to be executed.
It is also now listed on the Engagements tab.
Step 1: Click View under the "Actions" column of an engagement.
Step 2: Click Submit Engagement.
Clicking Submit Engagement cannot be reversed.
The engagement is now a report, and PlexTrac redirects to the Procedures tab of the Reports module.
Submitted engagements will still be displayed in the Runbooks module, but the engagement can no longer be viewed or edited, and the link provided under the "Actions" column will open the Reports module.
Test plans are displayed on the Test Plans tab of the Runbooks module.
Step 1: From the Test Plans tab of the Runbooks module, click Start under the "Actions" menu of the test plan.
Step 2: Select the client from the pulldown menu. Click Next.
Step 3: Review and update details as desired. Click Continue.
Step 4: Review the engagement. Add new procedures by clicking Select next to the procedure to include, or delete existing ones from the engagement by clicking the x within the procedure box in the right-hand column. Click Add X Procedures.
Step 5: Review the engagement coverage. The plan can still be modified from this page by clicking Add Procedures or clicking the X to remove an existing procedure. The order of procedures can also be changed by selecting a box and dragging it to the desired location.
When ready, click Start new engagement.
Step 6: Begin engagement by selecting a procedure and clicking View.
Step 7: The procedure page will appear. Conduct the procedure, then click Save.
Step 8: Click Close to return to the page of the test plan that lists all contained procedures, or click the navigation arrow to move to the following procedure.
From the Test Plans tab of the Runbooks home page, click View under the "Actions" menu of the test plan.
From the Test Plans tab of the Runbooks home page, click Edit under the "Actions" menu of the test plan. If the user cannot edit, the option will not exist.
From the Test Plans tab of the Runbooks home page, click the three dots under the "Actions" menu of the test plan and then click Delete. If the user cannot delete it, the option will not exist.
Step 1: From the Test Plans tab of the Runbooks module, click New Test Plan.
Step 2: Select whether to start a new plan or modify an existing test plan.
If starting from scratch, click Next.
If starting from an existing test plan, select that option, then click Select next to the plan to use as a template. Click Next.
Step 3: From the Test Plan Details tab, insert the test plan title (required) and enter a description and tags. Click Continue.
Step 4: From the Select Procedures tab, add the relevant procedures to the test plan. Use the filtering options to find desired procedures.
Add new procedures by clicking Select next to the procedure to include, or delete existing ones from the engagement by clicking the x within the procedure box in the right-hand column. Click Add X Procedures.
Step 5: Review the engagement coverage. The plan can still be modified from this page by clicking Add Procedures or clicking the X to remove an existing procedure. The order of procedures can also be changed by selecting a box and dragging it to the desired location.
When ready, click Create Test Plan.
The engagement is now ready to be started. Click Start new engagement, or click Close and return to the Test Plans tab.
The test plan is now listed for future access on the Test Plans tab.
In the Runbooks module, users can create detailed guides for red teaming and penetration testing, documenting the procedures, vulnerabilities, and recommendations for enhancing security.
Users access the module by clicking Runbooks in the application's main menu.
In cybersecurity, professionals often rely on red teaming to test and strengthen their defenses. This process involves simulating real-world cyberattacks to assess vulnerabilities and response capabilities. During such engagements, teams create runbooks to guide actions and record findings.
These runbooks serve as comprehensive records, documenting various procedures and tactics employed during the engagements. They outline the steps the red team takes, the vulnerabilities they exploit, and the recommendations they make to improve security. In essence, runbooks are the playbook for these security exercises.
The ultimate objective of these engagements is to evaluate the red team's proficiency in executing attack procedures and the blue team's capability to detect, protect against, and respond to them. The outcomes of these engagements are compiled in reports, which are then shared with clients or internal teams. These reports offer valuable insights into the effectiveness of the existing security measures and provide recommendations for improvements.
The Runbooks module has two tabs:
Engagements: Displays all runbooks created for a client, including those in progress and those submitted as a report (if not deleted).
Test Plans: Displays all existing test plans created or imported.
Engagements are shown on the Engagements tab of the Runbooks module. This view displays the engagement title, associated test plan, related client, the date the engagement was last updated, and the progress of the engagement. In the "Actions" column, engagements can be viewed, edited, or deleted.
Engagements are identified as submitted, not submitted, or in progress.
Progress is based on the completion of contained procedures, and progress is displayed in two locations:
On the Engagements tab as a progress bar:
Within the top toolbar of the engagement's home page:
Engagements completed but not submitted will display "Not Submitted" under the 100% progress bar.
Engagements submitted become reports and are identified with a green checkmark and label. They will remain listed in Runbooks until deleted.
Only engagements that are in progress can be edited. Once an engagement is submitted and becomes a report, it cannot be edited.
Step 1: Click View under an in-progress engagement's "Actions" column.
Step 2: The engagement overview page provides information about the engagement and procedures. Click View under the "Actions" column of the procedure to update.
Step 3: Update the procedure status or finding severity by selecting the desired values from the pulldown menus.
Step 4: Add operators by clicking Managing operators. Assign an operator(s) for the red and blue teams. Click Save.
When the runbook is submitted and becomes a report, these names appear on the test plan.
Step 5: Run the procedure's execution steps. When completed, identify the outcomes for the blue and red teams from the provided options and enter an attack source in the provided box.
Step 6: Add assets, procedure logs, attachments, and notes as needed to provide additional support and context.
Step 7: Scroll to the top of the page and click Save.
Step 8: Click the page navigation aid at the top to continue the engagement.
Procedures can be viewed and edited on this page using the navigation icons at the top of the screen.
Admins can through the Admin Dashboard (Tenant Settings>Service-Level Agreements) or by clicking SLA Settings.
If required procedures have not yet been created, the engagement can be completed and procedures added later, but it is recommended to create the procedures first in .
Runbooks work with the repository in the Content Library, enabling the reuse of existing procedures, tactics, and methodologies with or without modifications to fit new test plans.
All engagement sections are in containers that can be collapsed or expanded for usability.
The Profile tab allows users to customize and manage their accounts by adjusting their user names and profile pictures. They can also tailor the date format to their personal preference or regional settings. Plus, there's an option for a dark mode interface that's easy on the eyes in low-light conditions.
Step 1: From the Profile tab of the Personal Settings page, click the avatar circle under "Profile Image" to bring up a dialog box.
Step 2: Drag an image to the dialog box or click the box to navigate to the file on the computer. Click Submit.
The new image is now shown in the Profile tab and next to the user name at the top right of the page.
Step 1: From the Profile tab of the Personal Settings page, click the avatar circle under "Profile Image" to bring up a dialog box.
Step 2: Click Delete Profile Image. The modal will disappear, and PlexTrac will revert to the default grey avatar icon.
The name displayed for a user throughout PlexTrac is managed here. Users can update their information by entering the desired values in the "First Name" and "Last Name" fields.
After making the necessary changes, click Update Settings at the bottom of the page to save the updated information.
The new name value may not appear immediately without a browser refresh. To confirm the change, an email will be sent to the address on file.
To switch between Light and Dark Mode on PlexTrac, adjust the toggle button under "Theme Mode."
The date format can be configured to display in one of three options: YYYY-MM-DD, DD-MM-YYYY, or MM-DD-YYYY.
All changes to a user name must be confirmed by clicking Update Settings.
The Personal Settings page allows users to upload a profile image, change the user display name, view the email on file, select a theme mode (light or dark), update the user password, configure how dates are displayed, and set up and manage multi-factor authentication (MFA).
The personal settings page is reached by clicking the user name in the upper right and then clicking Profile.
The Personal Settings page has three tabs:
Users can change their password in the Personal Settings section by navigating to the Change Password tab. This feature empowers users to maintain the security and integrity of their accounts by periodically updating their passwords.
All of the listed requirements must be met to create an acceptable password.
a minimum of 12 characters
one lowercase character
one uppercase character
one number
one special character
PlexTrac enables two-factor authentication at the account level, and it is managed on the Two-Factor Authentication tab of the Personal Settings page. Two-factor authentication is a security measure that requires users to provide two forms of identification to access an account or system.
Two-factor authentication (2FA) is a security measure that significantly protects against unauthorized access to sensitive information and accounts. It works by adding an extra layer of verification to the traditional password or PIN login process. When users log in, they must provide their regular credentials, such as a username and password, and a second form of authentication.
The second authentication factor can take various forms, such as a unique code sent to the user's mobile device via SMS or generated by an authentication app, a fingerprint or facial recognition scan, a hardware token, or even a one-time password sent to an email address. The significance of 2FA lies in its ability to counteract the vulnerabilities of using passwords alone.
Step 1: Click the Two-Factor Authentication tab on the Personal Settings page.
Step 2: Click Set up Two-Factor Authentication.
Step 3: Scan the QR code with the phone and input the token provided on the device.
Step 4: Click Confirm. The modal will disappear, and a message will confirm that Two-factor Authentication is enabled.
Step 1: Click the Two-Factor Authentication tab on the Personal Settings page.
Step 2: Click Reset Token.
Step 3: A confirmation modal appears. Click Reset.
Step 4: Scan the QR code and click Confirm.
Step 1: Click the Two-Factor Authentication tab on the Personal Settings page.
Step 2: Click Disable Two-Factor Authentication.
Step 3: A confirmation appears. Click Disable.
Account settings are accessed by clicking the user name in the upper right of the page.
For standard users (non-admins), the drop-down menu will provide options to select Profile, Help Center, and Logout:
For admins, the drop-down menu will provide options to select Profile, Account Admin, Help Center, and Logout:
In Tenant Settings, admins can manage different aspects of their tenant effectively. They can change the tenant name, activate dark mode for a personalized feel, view and add licenses, set default finding status, configure sub-status options, manage notification and server settings, create email templates, and set up short codes.
Tenant Settings contains the following sections:
Test plans can be exported locally as a YAML file.
From the Test Plans tab of the Runbooks module, click the three dots under the "Actions" menu of the test plan and then click Export.
A dialog box will appear confirming the download. Click Continue export.
The test plan will download to the local device as a YAML file.
The Admin Dashboard is reached by clicking the user name in the upper right of the page and then clicking Account Admin.
The Admin Dashboard includes the following sections:
macOS: Ventura
Windows: 10, 11