// tool · report
Pentest Report Generator with CVSS 4.0
Turn a finding into a standardized Markdown report, with calculated CVSS 4.0, reproduction steps and remediation — ready to paste into your pentest report.
Runs 100% in your browser · nothing is sent
Environmental metrics (advanced)
For authorized testing, research and education. The report is assembled 100% in your browser — nothing is sent anywhere.
// reference
How to structure a pentest report
A vulnerability report communicates the finding to whoever will fix it and whoever decides priority. The more standardized the sections, the faster the team understands, reproduces and closes the flaw. The tool above assembles all of them in Markdown, with the CVSS 4.0 already calculated.
Finding title
An objective sentence stating what and where (e.g. "IDOR in GET /api/v1/orders/{id}"). Avoid vague jargon: the reader should grasp the risk from the title alone.
Preconditions
What must be true to exploit it: privilege level, configuration, network position. It defines how reachable the flaw is and anchors the CVSS privileges metric.
Steps to reproduce
The minimal, numbered sequence to reproduce the finding deterministically — requests, payloads and the exact point where the insecure behavior appears.
Evidence
The concrete proof: request and response, screenshot, payload and what confirms exploitation. It's what separates a real finding from a suspicion.
Impact
What an attacker achieves with the flaw — reading other users' data, RCE, authentication bypass. It translates the technical issue into business risk.
Remediation
How to fix it, actionably: the code or configuration change, with an example where possible. Good remediations target the root cause, not just the symptom.
Severity (CVSS 4.0)
The score and vector that calibrate priority. The CVSS Calculator builds the vector from the metrics and the report embeds it, keeping the rationale auditable.
Frequently asked questions
What goes into a good pentest report?
Finding title, preconditions, reproduction steps, evidence, impact, severity (CVSS) and remediation. The Report Generator structures all of these and already embeds the calculated CVSS 4.0 vector.
Is the report bilingual?
Yes. The generated content comes out in Portuguese or English depending on the tool's language, ready to paste into your report.
Can I edit the pre-filled fields?
Yes. Pick a vulnerability class to pre-fill the fields from a preset, then edit everything freely before copying the Markdown.
Is the finding data sent to any server?
No. The report is assembled 100% in your browser — nothing is sent anywhere.
Need a pentest that delivers reports like this?
IntruderLabs runs offensive security under your brand, with white-label reporting and calibrated CVSS — you resell, we execute.
Talk to us →