
Overview

Assessments are the core workflow objects in Faction. This guide walks you through creating a new assessment, configuring team members, setting dates and scope, and managing custom fields.

Creating a New Assessment

1. Navigate to Assessments

From the main dashboard, navigate to the Assessments section and click New Assessment to begin.

2. Enter Basic Information

Provide the following required details:
  • Assessment Name: Descriptive name for the engagement
  • Application ID (App ID): Unique identifier for the target application
  • Assessment Type: Select from configured types (Web App, Mobile, API, etc.)
The assessment type determines available templates, CVSS scoring methods (CVSS 3.1, CVSS 4.0, or custom risk levels), and report formats.

3. Set Assessment Dates

Configure the timeline for your assessment:
  • Start Date: When the assessment begins
  • End Date: Scheduled completion date
These dates help track assessment progress and determine workflow status (Scheduled, In Progress, Past Due, or Completed).

4. Assign Team Members

Faction uses role-based access control with multiple contact types:

Assessors

Users who perform the security testing and document findings. Multiple assessors can be assigned to a single assessment for collaboration.
Assessors must have the Assessor permission enabled in their user profile.

Engagement Contact

The primary stakeholder or point of contact for the assessment. This user:
  • Receives assessment notifications
  • Can view assessment progress (if given appropriate permissions)
  • Is included in report distribution

Remediation Contact

User responsible for coordinating vulnerability fixes and retests. This contact:
  • Manages the remediation queue
  • Schedules verification testing
  • Tracks vulnerability closure status

5. Configure Distribution Lists

Enter email addresses (separated by semicolons) for stakeholders who should receive:
  • Assessment completion notifications
  • Final report distribution
  • Calendar invites for review meetings
Example:
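The semicolon-separated distribution list above is easy to get subtly wrong (a comma instead of a semicolon, a trailing separator, the same address entered twice in different case), and a malformed entry that is silently dropped means a stakeholder never receives the report. The parser below is an added example written for this guide, not Faction's own input validation; the address shape check it uses is a deliberately simple assumption, and the sample input is constructed.

```python
import re

# Deliberately simple shape check (an assumption, not Faction's validator): one local part,
# one "@", a domain containing at least one dot, and no whitespace or list separators inside.
_EMAIL_SHAPE = re.compile(r"^[^@\s;,]+@[^@\s;,]+\.[^@\s;,]+$")


def parse_distribution_list(raw: str) -> tuple[list[str], list[str]]:
    """Split a semicolon-separated distribution list into (accepted, rejected).

    - surrounding whitespace and empty entries (for example a trailing ';') are ignored
    - entries that are not a plausible address are reported as rejected rather than
      silently dropped, so a typo or a comma used as the separator is visible to the
      person configuring the assessment instead of quietly cutting a recipient off
    - duplicates are removed case-insensitively, keeping the first spelling seen
    """
    accepted: list[str] = []
    rejected: list[str] = []
    seen: set[str] = set()
    for entry in raw.split(";"):
        addr = entry.strip()
        if not addr:
            continue  # empty slot, e.g. from a trailing semicolon
        if not _EMAIL_SHAPE.match(addr):
            rejected.append(addr)
            continue
        key = addr.lower()
        if key in seen:
            continue  # same mailbox already listed
        seen.add(key)
        accepted.append(addr)
    return accepted, rejected


# Constructed input containing the common mistakes: a mixed-case duplicate, a bare name,
# a comma used as the separator, and a trailing semicolon.
SAMPLE_LIST = (
    "alice@example.com; Bob@Example.com;bob@example.com; "
    "not-an-email; carol@example.com,dave@example.com;"
)

if __name__ == "__main__":
    ok, bad = parse_distribution_list(SAMPLE_LIST)
    print("accepted:", ok)
    print("rejected:", bad)
```

Running it on the constructed list accepts the two distinct mailboxes and reports the bare name and the comma-joined pair as rejected, which is the outcome you want surfaced before the notifications go out.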

6. Add Custom Fields (Optional)

Custom fields allow you to capture assessment-specific metadata:
  • Business unit or department
  • Compliance framework (PCI-DSS, SOC 2, HIPAA)
  • External vendor information
  • Budget or billing codes
  • Custom report variables
Custom fields can be:
  • Text fields: Free-form input
  • Dropdowns: Predefined options
  • Forms: Structured data collection
  • Variables: Values inserted into report templates
Custom field values can be referenced in report templates using template variables, allowing dynamic content generation.

7. Select Campaign (Optional)

Assign the assessment to a campaign for organizational grouping. Campaigns help:
  • Track related assessments (e.g., quarterly testing program)
  • Generate aggregate metrics across multiple assessments
  • Manage recurring testing initiatives

8. Add Access Notes

Document credentials, VPN access, test accounts, or special instructions for assessors:
  • URLs and testing endpoints
  • Authentication credentials
  • Network access requirements
  • Scope limitations or restrictions
  • Special testing instructions

9. Save and Begin Testing

Click Create Assessment to finalize. The assessment is now ready for:
  • Adding vulnerabilities
  • Collaborative note-taking
  • Real-time updates via the Burp Suite extension
  • Team collaboration

Assessment Workflow States

Once created, assessments progress through several workflow states:
  • Scheduled: Assessment is created but the start date hasn't arrived yet.
  • In Progress: Current date is between the start and end dates. Assessors can add vulnerabilities and collaborate.
  • Past Due: End date has passed but the assessment isn't finalized. Indicates the engagement needs attention.
  • Peer Review: Assessment has been submitted for peer review. Changes are blocked until review completes.
  • Completed: Assessment is finalized, the report generated, and vulnerabilities opened in remediation tracking.
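The state an assessment shows is derived from its dates plus the peer-review and finalization flags, and the precedence between those inputs is what decides whether a late engagement shows as Past Due or as Peer Review, and whether it can still be edited. The model below is an added example for this guide, not Faction's implementation: the record fields, the inclusive end date and the sample queue are all assumptions chosen to match the states described on this page.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum


class WorkflowState(Enum):
    SCHEDULED = "Scheduled"
    IN_PROGRESS = "In Progress"
    PAST_DUE = "Past Due"
    PEER_REVIEW = "Peer Review"
    COMPLETED = "Completed"


@dataclass
class Assessment:
    """Minimal stand-in for an assessment record (field names are assumptions)."""
    name: str
    app_id: str
    start: date
    end: date
    in_peer_review: bool = False
    finalized: bool = False


def workflow_state(a: Assessment, today: date) -> WorkflowState:
    """Derive the workflow state from the dates and the review/finalization flags.

    Precedence matters: a finalized assessment is Completed whatever its dates say,
    and one in peer review stays Peer Review even after its end date has passed.
    """
    if a.finalized:
        return WorkflowState.COMPLETED
    if a.in_peer_review:
        return WorkflowState.PEER_REVIEW
    if today < a.start:
        return WorkflowState.SCHEDULED
    if today > a.end:  # end date treated as inclusive: testing may still run on that day
        return WorkflowState.PAST_DUE
    return WorkflowState.IN_PROGRESS


def is_editable(a: Assessment, today: date) -> bool:
    """Edits are blocked during peer review and after finalization."""
    return workflow_state(a, today) not in (WorkflowState.PEER_REVIEW, WorkflowState.COMPLETED)


def needs_attention(queue: list[Assessment], today: date) -> list[str]:
    """Names of assessments whose end date has passed without being finalized."""
    return [a.name for a in queue if workflow_state(a, today) == WorkflowState.PAST_DUE]


# Constructed sample queue; names, app IDs and dates are made up for the example.
SAMPLE_QUEUE = [
    Assessment("Payments API - API Pentest", "APP-1001", date(2024, 3, 1), date(2024, 3, 15)),
    Assessment("Customer Portal - Web App", "APP-1002", date(2024, 2, 5), date(2024, 2, 16)),
    Assessment("Mobile Banking - Mobile", "APP-1003", date(2024, 2, 1), date(2024, 2, 9),
               in_peer_review=True),
    Assessment("HR Intranet - Web App", "APP-1004", date(2024, 1, 8), date(2024, 1, 19),
               finalized=True),
]

if __name__ == "__main__":
    today = date(2024, 2, 20)
    for a in SAMPLE_QUEUE:
        state = workflow_state(a, today)
        print(f"{a.app_id} {a.name}: {state.value} (editable={is_editable(a, today)})")
    print("Needs attention:", needs_attention(SAMPLE_QUEUE, today))
```

With the sample date of 20 February 2024, the portal engagement is flagged Past Due and still editable, while the mobile engagement, whose end date has also passed, shows Peer Review and is locked until the review completes; that distinction is the one to check when triaging a queue of late assessments.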

Updating Assessment Details

You can modify assessment information at any time before finalization:
  1. Navigate to the assessment from the queue
  2. Update fields as needed (team members, dates, custom fields)
  3. Changes are saved automatically
Assessments cannot be modified while in peer review or after finalization. Accept peer review edits before making additional changes.

Scheduling Review Meetings

Faction can generate calendar invites for stakeholder meetings:
  1. Open the assessment
  2. Click Schedule Meeting
  3. Choose calendar provider (Google Calendar, Outlook, Office 365)
  4. Calendar event includes:
    • Assessment name and App ID
    • All distribution list recipients
    • Assessor team members
    • Link to final report

Best Practices

Use Descriptive Names

Include app name and assessment type in the name for easy identification in queues and reports.

Assign All Contacts

Always designate engagement and remediation contacts to ensure proper notification flow.

Set Realistic Dates

Account for scope, complexity, and assessor availability when scheduling.

Document Access Early

Add access notes during creation to avoid delays when testing begins.
