Tooling

Pentest Reporting & Collaboration

SysReptor, Ghostwriter, Dradis, Faraday — the report is the deliverable.

A pentest is judged on its report — clarity, prioritisation, reproducibility, and the executive summary. Reporting tools collapse the LaTeX / Word / Markdown grind into a templated workflow with findings libraries, evidence handling, and team collaboration. For bug-bounty triage see Bug-Bounty Platforms. For compliance-side certificates see Compliance (SOC 2 / ISO).

FOSS / self-hosted

  • SysReptor (Syslifters) — modern Markdown / Vue-based reporting platform; templated; encrypted; collaborative; great PDF output. Community Edition free, Pro paid (very reasonable). The 2024–26 default for FOSS-leaning teams.
  • Ghostwriter (SpecterOps) — engagement / project management + reporting; tracks domains, infra, findings, narrative. Free.
  • Faraday (Infobyte) — collaborative pentest IDE; aggregates results from 80+ tools; Community free, paid Pro. Free OSS.
  • Serpico (legacy) — older OSS report builder.
  • PwnDoc / PwnDoc-ng — community-driven; node-based.
  • WriteHat (Black Hills) — Django-based; FOSS.
  • AttackForge Self-Managed — paid; well-known commercial platform.

Hosted / SaaS commercial

  • PlexTrac — paid; the enterprise reference; rich findings DB and customer-facing portal.
  • AttackForge — paid; long-running.
  • Dradis Professional — paid Pro; Community Edition free OSS.
  • Astra Pentest / Cobalt — paid; pentest-as-a-service with built-in reporting.
  • HackerOne / Bugcrowd Pentest — paid; bug-bounty-platform-style pentest with integrated reporting.

Document templating

  • Pandoc — Markdown → PDF / DOCX with templates; the "roll your own" choice. Free.
  • LaTeX (pentest-report-template) — there are many community templates on GitHub.
  • Typst — modern LaTeX-alternative; great for reports; growing 2024–26.
  • NoodleLatte / pentest-report templates on GitHub.
  • MkDocs / Material for MkDocs — for "report as a website."

Evidence / artifact handling

  • ScreenToGif / ShareX / OBS — screen capture for findings.
  • CherryTree / Obsidian / Joplin — note-taking during the engagement; many testers use Obsidian + Templater.
  • KeepNote / OneNote — older note styles.
  • Chrome / Firefox screenshot tools — quick browser captures.
  • asciinema — record a terminal session; embed in reports.
  • See Design — Screen Recording for screencast tools.

Findings libraries / CVSS

  • OWASP / NIST / SANS Top-25 CWE descriptions — paste-ready text.
  • CVSS calculator (FIRST.org) — official.
  • EPSS (FIRST.org) — exploit-likelihood data.
  • CVE / NVD — base data.
  • Vulnerability Lookup — federated CVE search.
  • HackerOne Hacktivity / Bugcrowd public reports — language inspiration.

Severity / risk frameworks

  • CVSS 3.1 / 4.0 — quantitative scoring; 4.0 is the 2024 standard.
  • OWASP Risk Rating Methodology — qualitative alt.
  • DREAD (Microsoft, legacy).
  • CIA + business impact — for execs.

Specific findings template languages

  • Nuclei templates — see Vulnerability Scanners (Nuclei); finding evidence carries cleanly into reports.
  • SARIF — exchange format; many SAST / DAST tools emit it.

Collaboration / project layer

  • Ghostwriter — engagement-oriented.
  • Trello / Linear / Notion — generic but common.
  • GoVCS / GitLab / Gitea — for findings-as-code workflows.
  • IRis / DFIR-IRIS — IR-oriented; see Incident Response (TheHive).

Customer-facing trust portals

Patterns to adopt

  • Findings library first. Don't rewrite "Reflected XSS" each engagement — keep a vetted base description, severity, and remediation.
  • Reproducible PoC — every finding gets a one-pager: where, what, replay command, screenshot.
  • Executive summary writes itself if findings are templated.
  • Strict separation of evidence vs. narrative — keep raw data files, not pasted text.
  • Date everything in screenshots. Auditors love it.

Pick this if…

  • Default FOSS reporting platform 2026: SysReptor.
  • Engagement-mgmt + reporting: Ghostwriter.
  • Bring-your-own toolchain aggregator: Faraday.
  • Plain Markdown → PDF, zero infra: Pandoc + a community LaTeX/Typst template.
  • Enterprise / customer portal: PlexTrac or AttackForge.
  • Roll-your-own forever: LaTeX or Typst with a maintained template repo.

On this page