Structured pentest report builder with CVSS 3.1 scoring, MITRE ATT&CK mapping, executive summary auto-generation, and remediation tracking. Synthetic data only, browser-only, no backend.
No findings yet. Add your first finding or use a template to get started.
Add findings in the Finding Builder tab, then generate the executive summary.
Add findings and engagement details first, then generate the full technical report.
No findings to track. Add findings in the Finding Builder tab first.
| # | Finding | CVSS | Severity | Status |
|---|---|---|---|---|
| ' + (t + 1) + ' | ' + top5[t].title + ' | ' + '' + top5[t].cvssScore.toFixed(1) + ' | ' + '' + top5[t].severity + ' | ' + '' + top5[t].status + ' |
| Client | ' + (eng.client || 'Not specified') + ' |
| Test Type | ' + (eng.testType || 'Not specified') + ' |
| Methodology | ' + (eng.methodology || 'Not specified') + ' |
| Testing Period | ' + (eng.startDate || '?') + ' to ' + (eng.endDate || '?') + ' |
| Lead Tester | ' + (eng.leadTester || 'Not specified') + ' |
| Open Findings | ' + openCount + ' of ' + findings.length + ' |
| Client: | ' + (eng.client || 'Not specified') + ' |
| Engagement ID: | ' + (eng.engagementId || 'N/A') + ' |
| Classification: | ' + (eng.classification || 'CONFIDENTIAL') + ' |
| Version: | ' + (eng.version || '1.0') + ' |
| Report Date: | ' + (eng.reportDate || new Date().toISOString().split('T')[0]) + ' |
| Lead Tester: | ' + (eng.leadTester || 'Not specified') + ' |
| Team: | ' + (eng.teamMembers || 'Not specified') + ' |
1. Executive Summary
2. Methodology
3. Scope
4. Rules of Engagement
5. Findings Summary
';
for (var t = 0; t < findings.length; t++) {
html += ' 5.' + (t + 1) + ' ' + findings[t].title + '
';
}
html += '6. Conclusion
7. Appendices
' + (eng.client || 'The client') + ' engaged the security assessment team to perform a ' + (eng.testType || 'penetration test') + ' of their environment. Testing was conducted between ' + (eng.startDate || '[start date]') + ' and ' + (eng.endDate || '[end date]') + ' using the ' + (eng.methodology || 'PTES') + ' methodology.
';
html += 'A total of ' + findings.length + ' findings were identified: ' + counts.CRITICAL + ' Critical, ' + counts.HIGH + ' High, ' + counts.MEDIUM + ' Medium, and ' + counts.LOW + ' Low severity. ';
if (counts.CRITICAL > 0) {
  html += 'The presence of critical-severity findings indicates that immediate remediation action is required to prevent potential compromise.';
} else if (counts.HIGH > 0) {
  html += 'High-severity findings should be addressed within the defined SLA to reduce organizational risk.';
} else {
  html += 'The overall security posture is reasonable, though identified findings should still be addressed in a timely manner.';
}
// Section 2: Methodology
html += 'The assessment followed the ' + (eng.methodology || 'PTES') + ' framework and included the following phases:';
html += 'Phase 1 -- Reconnaissance: Passive and active information gathering to identify the target attack surface, including DNS enumeration, port scanning, service fingerprinting, and OSINT collection.';
html += 'Phase 2 -- Vulnerability Analysis: Systematic identification of vulnerabilities through automated scanning (Nessus, Burp Suite) and manual testing. Each potential vulnerability was verified to eliminate false positives.';
html += 'Phase 3 -- Exploitation: Controlled exploitation of confirmed vulnerabilities to demonstrate business impact. All exploitation was conducted within the agreed rules of engagement.';
html += 'Phase 4 -- Post-Exploitation: Assessment of the potential impact following successful exploitation, including lateral movement possibilities, privilege escalation paths, and data access.';
html += 'Phase 5 -- Reporting: Documentation of all findings with evidence, risk ratings, and actionable remediation recommendations.
'; // Section 3: Scope html += '' + (eng.scopeIn || 'Not defined').replace(/'; html += '
' + (eng.scopeOut || 'Not defined').replace(/'; // Section 4: Rules of Engagement html += '
' + (eng.roe || 'Standard rules of engagement apply.').replace(/'; // Section 5: Findings html += '
| ID | Title | CVSS | Severity | Status |
|---|---|---|---|---|
| ' + findings[s].id + ' | ' + findings[s].title + ' | ' + findings[s].cvssScore.toFixed(1) + ' | ' + findings[s].severity + ' | ' + findings[s].status + ' |
| Finding ID: | ' + fi.id + ' |
| Severity: | ' + fi.severity + ' (CVSS ' + fi.cvssScore.toFixed(1) + ') |
| CVSS Vector: | ' + fi.cvssVector + ' |
| Affected Systems: | ' + fi.affected + ' |
| Component: | ' + fi.component + ' |
| CWE: | ' + fi.cwe + ' |
| MITRE ATT&CK: | ' + fi.mitre + ' |
| Status: | ' + fi.status + ' |
' + fi.description.replace(/\n/g, '
') + '
' + fi.steps.replace(/'; if (fi.evidence) html += '
' + fi.evidence.replace(/'; if (fi.screenshot) html += '
' + fi.screenshot + '
'; html += '' + fi.remediation.replace(/'; } // Section 6: Conclusion html += '
This penetration test identified ' + findings.length + ' security findings across the in-scope environment. ';
if (counts.CRITICAL > 0) {
  html += 'The discovery of ' + counts.CRITICAL + ' critical-severity vulnerabilities indicates significant security gaps that require immediate attention. ';
}
html += 'It is recommended that all findings be remediated according to the priority levels outlined in this report, followed by a verification retest to confirm successful remediation.';
html += 'The assessment team is available to provide additional context, answer questions, and support the remediation process as needed.';
// Section 7: Appendices
html += 'The following tools were used during this engagement:';
html += '

| Tool | Purpose | Version |
|---|---|---|
| Nmap | Port scanning and service enumeration | 7.94 |
| Burp Suite Professional | Web application testing | 2024.1 |
| Nessus Professional | Vulnerability scanning | 10.7 |
| sqlmap | SQL injection testing | 1.8 |
| Hydra | Authentication testing | 9.5 |
| Metasploit Framework | Exploitation framework | 6.4 |
| Nikto | Web server scanning | 2.5 |
| CrackMapExec | Active Directory assessment | 5.4 |

| Score Range | Severity | Recommended SLA |
|---|---|---|
| 9.0 - 10.0 | Critical | 24-48 hours |
| 7.0 - 8.9 | High | 7 days |
| 4.0 - 6.9 | Medium | 30 days |
| 0.1 - 3.9 | Low | 90 days |
| 0.0 | Informational | Best effort |

| ID | Finding | Severity | Status | Owner | Due Date | Actions |
|---|---|---|---|---|---|---|
| ' + fi.id + ' | ' + '' + fi.title + ' | ' + '' + fi.severity + ' | ' + '' + fi.status + ' | ' + '' + (fi.owner || '--') + ' | ' + '' + (fi.dueDate || '--') + ' | ' + '' + '' + ' | ' + '