// tool · report

Pentest Report Generator with CVSS 4.0

Turn a finding into a standardized Markdown report, with calculated CVSS 4.0, reproduction steps and remediation — ready to paste into your pentest report.

Runs 100% in your browser · nothing is sent

Pick a class to pre-fill the fields — then edit freely.

Finding
Steps to reproduce
Severity (CVSS 4.0)
0.0
CVSS:4.0
Attack Vector (AV)
Attack Complexity (AC)
Attack Requirements (AT)
Privileges Required (PR)
User Interaction (UI)
Confidentiality — vulnerable system (VC)
Integrity — vulnerable system (VI)
Availability — vulnerable system (VA)
Confidentiality — subsequent system (SC)
Integrity — subsequent system (SI)
Availability — subsequent system (SA)
Exploit Maturity (E)
Environmental metrics (advanced)
Confidentiality Requirement (CR)
Integrity Requirement (IR)
Availability Requirement (AR)
Modified: Attack Vector (AV)
Modified: Attack Complexity (AC)
Modified: Attack Requirements (AT)
Modified: Privileges Required (PR)
Modified: User Interaction (UI)
Modified: Confidentiality — vulnerable system (VC)
Modified: Integrity — vulnerable system (VI)
Modified: Availability — vulnerable system (VA)
Modified: Confidentiality — subsequent system (SC)
Modified: Integrity — subsequent system (SI)
Modified: Availability — subsequent system (SA)
Preview (Markdown)
Download .md

For authorized testing, research and education. The report is assembled 100% in your browser — nothing is sent anywhere.

// reference

How to structure a pentest report

A vulnerability report communicates the finding to whoever will fix it and whoever decides priority. The more standardized the sections, the faster the team understands, reproduces and closes the flaw. The tool above assembles all of them in Markdown, with the CVSS 4.0 already calculated.

Finding title

An objective sentence stating what and where (e.g. "IDOR in GET /api/v1/orders/{id}"). Avoid vague jargon: the reader should grasp the risk from the title alone.

Preconditions

What must be true to exploit it: privilege level, configuration, network position. It defines how reachable the flaw is and anchors the CVSS privileges metric.

Steps to reproduce

The minimal, numbered sequence to reproduce the finding deterministically — requests, payloads and the exact point where the insecure behavior appears.

Evidence

The concrete proof: request and response, screenshot, payload and what confirms exploitation. It's what separates a real finding from a suspicion.

Impact

What an attacker achieves with the flaw — reading other users' data, RCE, authentication bypass. It translates the technical issue into business risk.

Remediation

How to fix it, actionably: the code or configuration change, with an example where possible. Good remediations target the root cause, not just the symptom.

Severity (CVSS 4.0)

The score and vector that calibrate priority. The CVSS Calculator builds the vector from the metrics and the report embeds it, keeping the rationale auditable.

Frequently asked questions

What goes into a good pentest report?

Finding title, preconditions, reproduction steps, evidence, impact, severity (CVSS) and remediation. The Report Generator structures all of these and already embeds the calculated CVSS 4.0 vector.

Is the report bilingual?

Yes. The generated content comes out in Portuguese or English depending on the tool's language, ready to paste into your report.

Can I edit the pre-filled fields?

Yes. Pick a vulnerability class to pre-fill the fields from a preset, then edit everything freely before copying the Markdown.

Is the finding data sent to any server?

No. The report is assembled 100% in your browser — nothing is sent anywhere.

Need a pentest that delivers reports like this?

IntruderLabs runs offensive security under your brand, with white-label reporting and calibrated CVSS — you resell, we execute.

Talk to us →