Josh Summitt, the creator of Faction, has always disliked the process of writing reports, preferring to focus on uncovering bugs. A key frustration for him was the redundant step of using a separate note-taking app for storing screenshots and findings before compiling the final report.
He envisioned an integrated solution where the report generation tool would serve as the note-taking platform, incorporating all the standard templates typically used in reports. He hopes Faction will help others save time, reduce stress, and improve their information security workflow.
“I built Faction to be extendable in ways like you would extend BurpSuite. It’s designed to be flexible and extended to fit seamlessly in any environment. It is easy for internal teams to build and support their small modules versus a large code base. In addition, I hope the project will get a growing list of prebuilt modules developed by the community to expand capabilities without requiring internal development,” Summitt told Help Net Security.
Faction features
With Faction, you can:
- Streamline penetration testing and security assessment reporting through automation.
- Facilitate peer review and monitor modifications in reports.
- Design docx templates for various assessments and follow-up retests.
- Collaborate in real-time with assessors using the web application and extensions for Burp Suite.
- Utilize adaptable vulnerability templates featuring 75 pre-filled options.
- Oversee assessment teams and monitor organizational progress.
- Monitor the remediation of vulnerabilities with tailored SLA warnings and notifications.
- Leverage a comprehensive Rest API for seamless integration with other tools.
Other features:
- LDAP, OAuth 2.0 and SMTP Integration.
- Extendable with Custom Plugins similar to Burp Extender.
- Custom Report Variables.
Future plans
The developer is currently working on enhancing the extendability of Faction by introducing a full app store, reminiscent of those found in platforms like Slack and Burp. This expansion will allow for the inclusion of additional features such as custom UI elements.
“Faction has had a strong focus on penetration testing from an application security mindset. I want to expand that to be more Red and Blue Team inclusive. Not that it won’t work for these teams out of the box but it could be more flexible,” Summitt added.
Faction is available for free on GitHub.
More open-source tools to consider:
- Adalanche:Â Open-source Active Directory ACL visualizer, explorer
- AuthLogParser:Â Open-source tool for analyzing Linux authentication logs
- DriveFS Sleuth: Open-source tool for investigating Google Drive File Stream’s disk forensic artifacts
- Subdominator: Open-source tool for detecting subdomain takeovers
- EMBA:Â Open-source security analyzer for embedded devices
- Nemesis:Â Open-source offensive data enrichment and analytic pipeline
- SessionProbe:Â Open-source multi-threaded pentesting tool
- Mosint:Â Open-source automated email OSINT tool
- Vigil:Â Open-source LLM security scanner
- AWS Kill Switch:Â Open-source incident response tool
- PolarDNS:Â Open-source DNS server tailored for security evaluations
- k0smotron:Â Open-source Kubernetes cluster management
- Kubescape 3.0Â elevates open-source Kubernetes security
- Logging Made Easy:Â Free log management solution from CISA
- GOAD:Â Vulnerable Active Directory environment for practicing attack techniques
- Wazuh:Â Free and open-source XDR and SIEM
- Yeti:Â Open, distributed, threat intelligence repository
- BinDiff:Â Open-source comparison tool for binary files
- LLM Guard:Â Open-source toolkit for securing Large Language Models
- Velociraptor:Â Open-source digital forensics and incident response
Burp Suite Cookbook: Web application security made easy with Burp Suite
To explore Pen Testing
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
