Case Study: Happier consultants and better results

How report creation software helps differentiate Include Security

The Client: Include Security

Include Security (IncludeSec) is an application security consulting company founded by industry veterans in 2010 and based in New York City.

When companies need elite security specialists in specific technologies, they call IncludeSec. The firm's consultants have completed more than 180 projects in over 29 programming languages for a roster of very well-known companies.

Erik Cabetas

Managing Director

Include Security

“Creating reports with Dradis Pro saves us up to 4 hours per project compared to using Word manually.

As a smaller boutique security consultancy, we're competing with thousand-person security companies that have armies of salespeople.

We need to differentiate ourselves. For us, our differentiators are: less overhead, a highly-skilled expert team, and more efficient workflow. Dradis Pro contributes to those.”

The Problem: An Inefficient Reporting Process

As is common practice at many InfoSec consultancy companies, IncludeSec had previously been using Microsoft Word documents as report templates.

Erik Cabetas is the founder and managing partner of IncludeSec. He described the problem:

"I've worked with six different consulting companies. I've seen how all of them do reporting and it's pretty much all the same.

Everyone uses Word templates; you copy and paste from Word and that's it. That's what everyone does. That is the state-of-the-art."

This causes a number of problems:

  • Versioning issues. There is no easy way to control versions or to ensure that testers are working on the most up-to-date templates.
  • Inefficiency. Relying on Word templates adds unnecessary time to the reporting process that a more centralized system helps eliminate.
  • Technical errors. When testers are copying and pasting from older project reports, it's possible the wrong findings may be accidentally included.
  • Formatting problems. When multiple testers are using different templates, formatting issues (e.g., font and style inconsistencies) can be introduced and can be difficult to spot.

As Erik put it:

"I was looking for a solution to move us past this extremely byzantine process to where we should be."

At IncludeSec, A Focus On Efficiency

Improving workflow efficiency is obviously desirable at every company. But IncludeSec has perhaps more incentive than most for wanting to streamline.

For one thing, IncludeSec is a smaller security consultancy. While they are very successful and highly regarded, they employ fewer than 20 expert consultants, and their clientele originates mainly through word-of-mouth referrals based on their reputation. IncludeSec must compete with very large security consulting companies that have considerably larger sales and marketing budgets as well as market share. This gives IncludeSec an incentive to make their processes as efficient as possible so as to reduce their overhead and increase their profitability.

Also, IncludeSec wants to maintain their "A-Team" status by attracting and retaining the best and brightest consultants in the industry. To help make this happen, IncludeSec has tried to remove as many non-relevant duties as possible from their consultants' shoulders.

"At large consulting companies, testers will spend time doing administrative tasks, and maybe things like upselling at the tail end of an engagement. Those are things that our consultants shouldn't have to worry about. If consultants can come here and spend less time reporting and more time hacking, then they're happier consultants and do a better job."

Enter Dradis Pro

Dradis Professional Edition is software aimed at improving InfoSec reporting and collaboration. Dradis provides a centralized, standardized platform for creating reports and keeping issue descriptions up-to-date. Its features include:

In early 2015, Erik introduced the Dradis Pro platform to his team. Team members got up to speed by reading and watching Dradis documentation and videos. A few days later, a team of IncludeSec consultants completed their first project using the software.

The Results

"Our ‘guinea-pig’ project went well. We had some lessons learned as everyone became familiar with the software. By the time the second team used it, Dradis was getting rave reviews, and everyone felt this was a much better process. From then on, every new project has been a Dradis project."

"One major positive was the access to the issue database. Right out of the box it comes with 60+ issue templates. That was something everyone recognized right off the bat was a great time saver and awesome all around."

"Dradis is a pretty straightforward product. The purpose of the product is to optimize reporting and the feedback I got from my team was: our reporting is now optimized. Instead of worrying about things like the fonts of report titles, our consultants can find more vulnerabilities."

Erik estimates that the time saved using Dradis to create reports, compared to using Word templates, is between one and four hours, depending on the size of the project.

Improved Reporting Helps Attract and Keep Talent

By optimizing IncludeSec's report creation process, Dradis has positive effects on the happiness of IncludeSec's consultants and on their recruiting abilities.

"I see Dradis not just as a way to save time and money for clients, but as a recruiting tool. Consultants are motivated by wanting to hack new and interesting technologies. So if they can come to Include and spend less time reporting and more time hacking, then they're happier consultants."

Will this work for me?

Do you want the same results Erik and his team got?

  • Save 4 hours on every report.
  • A more efficient workflow.
  • Less time reporting and more time hacking.
  • Happier team!

Want to ask us a question about how Dradis Pro can help your project management and report creation?

Reach out to us on our Contact page or go ahead and request a demo.

Try Dradis for 30 Days

We are confident that Dradis Pro will improve your InfoSec workflow as it did for Include Security. If you try Dradis Pro for 30 days and don't believe you've gotten your money's worth, just let us know and we'll give you your money back.


We are trusted the world over

Hundreds of InfoSec teams in over 44 countries use Dradis every day

  • Argentina
  • Australia
  • Austria
  • Belgium
  • Canada
  • Chile
  • Denmark
  • Finland
  • France
  • Germany
  • Hong Kong
  • Hungary
  • Iceland
  • Ireland
  • Israel
  • Jordan
  • Malaysia
  • Mexico
  • Netherlands
  • Norway
  • Poland
  • Portugal
  • Qatar
  • United Arab Emirates
  • Saudi Arabia
  • Singapore
  • Slovenia
  • South Africa
  • Spain
  • Sweden
  • Switzerland
  • Taiwan
  • Thailand
  • Turkey
  • UK
  • US

We would be more than happy to put you in touch with any of our clients in your industry or country so that you can speak with them directly about their experience with our product. Send us a note at sales@securityroots.com and we’ll get back to you with the details right away.

Streamline InfoSec Project Delivery

Learn practical tips to reduce the overhead that drags down security assessment delivery with this 5-day course. These proven, innovative, and straightforward techniques will optimize all areas of your next engagement including:

  • Scoping
  • Scheduling
  • Project Planning
  • Delivery
  • Intra-team Collaboration
  • Reporting and much more...
