Pentest Reporting & Collaboration
SysReptor, Ghostwriter, Dradis, Faraday — the report is the deliverable.
A pentest is judged on its report — clarity, prioritisation, reproducibility, and the executive summary. Reporting tools collapse the LaTeX / Word / Markdown grind into a templated workflow with findings libraries, evidence handling, and team collaboration. For bug-bounty triage see Bug-Bounty Platforms. For compliance-side certificates see Compliance (SOC 2 / ISO).
FOSS / self-hosted
- ★ SysReptor (Syslifters) — modern Markdown / Vue-based reporting platform; templated; encrypted; collaborative; great PDF output. Community Edition free, Pro paid (very reasonable). The 2024–26 default for FOSS-leaning teams.
- ★ Ghostwriter (SpecterOps) — engagement / project management + reporting; tracks domains, infra, findings, narrative. Free.
- Faraday (Infobyte) — collaborative pentest IDE; aggregates results from 80+ tools; Community free, paid Pro. Free OSS.
- Serpico (legacy) — older OSS report builder.
- PwnDoc / PwnDoc-ng — community-driven; node-based.
- WriteHat (Black Hills) — Django-based; FOSS.
- AttackForge Self-Managed — paid; well-known commercial platform.
Hosted / SaaS commercial
- PlexTrac — paid; the enterprise reference; rich findings DB and customer-facing portal.
- AttackForge — paid; long-running.
- Dradis Professional — paid Pro; Community Edition free OSS.
- Astra Pentest / Cobalt — paid; pentest-as-a-service with built-in reporting.
- HackerOne / Bugcrowd Pentest — paid; bug-bounty-platform-style pentest with integrated reporting.
Document templating
- Pandoc — Markdown → PDF / DOCX with templates; the "roll your own" choice. Free.
- LaTeX (pentest-report-template) — there are many community templates on GitHub.
- Typst — modern LaTeX-alternative; great for reports; growing 2024–26.
- NoodleLatte / pentest-report templates on GitHub.
- MkDocs / Material for MkDocs — for "report as a website."
Evidence / artifact handling
- ★ ScreenToGif / ShareX / OBS — screen capture for findings.
- CherryTree / Obsidian / Joplin — note-taking during the engagement; many testers use Obsidian + Templater.
- KeepNote / OneNote — older note styles.
- Chrome / Firefox screenshot tools — quick browser captures.
- asciinema — record a terminal session; embed in reports.
- See Design — Screen Recording for screencast tools.
Findings libraries / CVSS
- OWASP / NIST / SANS Top-25 CWE descriptions — paste-ready text.
- CVSS calculator (FIRST.org) — official.
- EPSS (FIRST.org) — exploit-likelihood data.
- CVE / NVD — base data.
- Vulnerability Lookup — federated CVE search.
- HackerOne Hacktivity / Bugcrowd public reports — language inspiration.
Severity / risk frameworks
- CVSS 3.1 / 4.0 — quantitative scoring; 4.0 is the 2024 standard.
- OWASP Risk Rating Methodology — qualitative alt.
- DREAD (Microsoft, legacy).
- CIA + business impact — for execs.
Specific findings template languages
- Nuclei templates — see Vulnerability Scanners (Nuclei); finding evidence carries cleanly into reports.
- SARIF — exchange format; many SAST / DAST tools emit it.
Collaboration / project layer
- Ghostwriter — engagement-oriented.
- Trello / Linear / Notion — generic but common.
- GoVCS / GitLab / Gitea — for findings-as-code workflows.
- IRis / DFIR-IRIS — IR-oriented; see Incident Response (TheHive).
Customer-facing trust portals
- SafeBase / Conveyor — trust portals; share pentest reports with prospects.
- See Compliance (SOC 2 / ISO).
Patterns to adopt
- ★ Findings library first. Don't rewrite "Reflected XSS" each engagement — keep a vetted base description, severity, and remediation.
- Reproducible PoC — every finding gets a one-pager: where, what, replay command, screenshot.
- Executive summary writes itself if findings are templated.
- Strict separation of evidence vs. narrative — keep raw data files, not pasted text.
- Date everything in screenshots. Auditors love it.
Pick this if…
- Default FOSS reporting platform 2026: SysReptor.
- Engagement-mgmt + reporting: Ghostwriter.
- Bring-your-own toolchain aggregator: Faraday.
- Plain Markdown → PDF, zero infra: Pandoc + a community LaTeX/Typst template.
- Enterprise / customer portal: PlexTrac or AttackForge.
- Roll-your-own forever: LaTeX or Typst with a maintained template repo.