
[Feature Request] KPIs section

Open ArielGanem opened this issue 11 months ago • 3 comments

Hello, I would like to propose the addition of several Key Performance Indicators (KPIs) to the SysReptor tool. These KPIs would provide valuable insights into penetration testing activities and help users track their performance over time. Below are the KPIs I believe would be beneficial:

  • Ranking of Vulnerabilities Encountered by Title: Display the number of occurrences for each vulnerability type (e.g., 10 CORS, 8 XSS, 5 SQLI, etc.).
  • Total Vulnerabilities Detected: Show the total number of vulnerabilities detected per month and per year, along with a breakdown by category (Critical, High, Medium, Low, Informational).
  • CVSS Score Ranking: Provide a ranking of vulnerabilities based on their CVSS scores (e.g., 15 Low, 10 Medium, 5 High, etc.).
  • Number of Reports Generated: Display the total number of reports generated per month and per year.
  • Vulnerability Trends Over Time: Visualize the evolution of the number of vulnerabilities detected over time.
  • Comparative Analysis: Allow comparison of results across different periods (quarterly, annually).
  • Export/Download Capability: Enable users to export or download these KPIs for further analysis and reporting.

Additionally, there may be other KPIs that the tool could provide which I haven't mentioned. Implementing these features would be beneficial for all users of SysReptor, particularly in professional settings, as it would enhance their ability to analyze performance and improve overall penetration testing efforts.

Thank you for considering this request! Best regards

ArielGanem avatar Jan 24 '25 14:01 ArielGanem

Hi, thanks for the suggestion. I think KPIs would best fit into a plugin that needs to be explicitly enabled when needed/desired.

There are some technical challenges that need to be considered when implementing:

  • database encryption: Collecting KPIs and statistics from many projects is inefficient, because every finding of every project needs to be decrypted to retrieve data (e.g. CVSS, title, etc.). Depending on the number of projects and findings, the KPI request might take some seconds to finish.
  • handling deleted/archived projects: The total number of projects does not only increase, but might also decrease because old projects might get archived or deleted. Once a project is archived (and encrypted with 4-eye principle), SysReptor can no longer access its contents. When an archived project is restored, a new project gets created, which is not actually new and might also interfere with KPI calculations.
  • time series data: In order to visualize trends over time, periodic snapshots of KPIs need to be saved to the database (e.g. daily).
  • global vs. per-user KPIs: Depends on the use-case what you want to use KPIs for. Global KPIs might leak finding information when they are accessible by unprivileged users that do not have access to all projects included in KPI calculations.

MWedl avatar Jan 27 '25 06:01 MWedl

We have a prospect Pro customer who is interested in a similar functionality.
They want to have a cronjob to move all findings to a data lake. They then want to make sure they exported all available data by getting statistics from the SysReptor API, such as:

  • Number of projects
  • Number of findings (maybe per "active" and "finished" projects, and/or in total)
  • Number of findings per project

They are not so much interested in a beautiful front end.

aronmolnar avatar Feb 25 '25 09:02 aronmolnar

Hello @MWedl,

Thanks again for your thoughtful feedback. I’ve taken another look at the KPIs and, after digging into the SysReptor API, I believe we can keep things much simpler:

Scope of Data
– Only use data from finished and in-progress reports.
– Ignore archived or deleted projects entirely, since their KPIs aren’t relevant to day-to-day performance.
– Access Control: KPIs are displayed according to each user’s permissions—so a user with full rights will see the complete set of KPI data, while others will only see metrics for projects they’re authorized to view.

Data Availability
All of the fields we need (titles, CVSS scores, categories, report-dates, etc.) are already exposed by the existing API. We simply need to aggregate and display them in the frontend.

Proposed KPIs:

  • Vulnerability Ranking by Title: Count of each type (e.g. 10 CORS, 8 XSS, 5 SQLi)
  • Total Vulnerabilities Detected: Monthly/yearly totals with breakdown by severity (Critical, High, Medium, Low, Info)
  • CVSS Score Distribution: Number of findings per CVSS band (e.g. 15 Low, 10 Medium, 5 High)
  • Reports Generated: Total reports per month and per year
  • Trends Over Time: Line chart of vulnerabilities detected over time
  • Comparative Analysis: Compare any two periods (quarter vs. quarter, year vs. year)
  • Export/Download: CSV/Excel export of any KPI dashboard

Early Prototype
I’ve started a simple plugin to pull the data and render a proof-of-concept dashboard. Here’s a quick screenshot:

Image

Next Steps Although I’m not a developer (so it would take a looot of time to develop myself), I believe this type of plugin is technically straightforward for the SysReptor team to implement. It would be especially compelling for large enterprises like mine, and could be offered as a Pro-only feature.

Please let me know your thoughts!

Best regards, Ariel Ganem

ArielGanem avatar May 24 '25 19:05 ArielGanem
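The aggregation the three comments above describe (MWedl's scoping and per-user leak concern, aronmolnar's project/finding counts for export verification, and ArielGanem's KPI list) can be sketched as a small client-side script. The following is an added example written for this thread, not code from SysReptor or its plugins. It assumes the project list and each project's findings have already been fetched from the SysReptor REST API and flattened into plain dicts; the field names (`status`, `archived`, `members`, `report_date`, `cvss`) and the sample records are constructed assumptions so the script runs offline. CVSS bands follow the CVSS v3.x qualitative severity scale (0.0 None/Info, 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical).

```python
"""KPI aggregation over pentest findings (added example, not SysReptor code)."""
from __future__ import annotations

import csv
import io
from collections import Counter, defaultdict
from datetime import date

# Constructed sample data standing in for what a client would pull from the
# SysReptor REST API (project list plus each project's findings). The field
# names are assumptions, not the API's actual schema.
PROJECTS = [
    {"id": "p1", "name": "Acme webshop", "status": "finished", "archived": False,
     "members": {"alice", "bob"}, "report_date": date(2025, 1, 14)},
    {"id": "p2", "name": "Acme API", "status": "in-progress", "archived": False,
     "members": {"alice"}, "report_date": date(2025, 2, 20)},
    # Archived projects are encrypted under the 4-eye principle and out of scope.
    {"id": "p3", "name": "Old client", "status": "finished", "archived": True,
     "members": {"bob"}, "report_date": date(2024, 11, 3)},
]
FINDINGS = [
    {"project": "p1", "title": "Cross-Site Scripting", "cvss": 6.1},
    {"project": "p1", "title": "SQL Injection", "cvss": 9.8},
    {"project": "p1", "title": "CORS misconfiguration", "cvss": 5.3},
    {"project": "p2", "title": "Cross-Site Scripting", "cvss": 7.2},
    {"project": "p2", "title": "Verbose error messages", "cvss": 0.0},
    {"project": "p3", "title": "SQL Injection", "cvss": 8.8},
]


def cvss_band(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if score == 0.0:
        return "Info"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def visible_projects(projects: list[dict], user: str | None) -> dict[str, dict]:
    """Projects in KPI scope: never archived ones, and for a per-user view
    (user is not None) only projects the user is a member of. This filter is
    what stops per-user KPIs from leaking finding data of projects the user
    cannot open; user=None is the global/admin view."""
    scope = {}
    for p in projects:
        if p["archived"]:
            continue
        if user is not None and user not in p["members"]:
            continue
        scope[p["id"]] = p
    return scope


def kpis(projects: list[dict], findings: list[dict], user: str | None = None) -> dict:
    """Compute the KPIs requested in the thread for the given user's scope."""
    scope = visible_projects(projects, user)
    in_scope = [f for f in findings if f["project"] in scope]
    monthly: dict[str, Counter] = defaultdict(Counter)
    for f in in_scope:
        d = scope[f["project"]]["report_date"]
        monthly[f"{d.year}-{d.month:02d}"][cvss_band(f["cvss"])] += 1
    return {
        "projects": len(scope),                                     # export check
        "findings": len(in_scope),                                  # export check
        "per_project": dict(Counter(f["project"] for f in in_scope)),
        "by_title": Counter(f["title"] for f in in_scope).most_common(),
        "by_band": dict(Counter(cvss_band(f["cvss"]) for f in in_scope)),
        "monthly": {m: dict(c) for m, c in sorted(monthly.items())},
        "reports_per_year": dict(Counter(p["report_date"].year for p in scope.values())),
    }


def compare_periods(monthly: dict, period_a: list[str], period_b: list[str]) -> int:
    """Delta of total findings between two lists of months (e.g. two quarters)."""
    def total(months):
        return sum(sum(monthly.get(m, {}).values()) for m in months)
    return total(period_b) - total(period_a)


def to_csv(rows: list[tuple[str, int]]) -> str:
    """Export a (title, count) ranking as CSV text for further analysis."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["title", "count"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    for user in (None, "bob", "carol"):
        print(user or "<global>", kpis(PROJECTS, FINDINGS, user))
```

Because archived projects drop out of scope, a month's total computed this way can shrink after the fact once a project is archived or deleted; that is the reason MWedl suggests persisting periodic snapshots rather than recomputing trends on demand.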