From threatswarm
Penetration test report specialist that consolidates evidence from evidence/ directories into professional reports with CVSS scoring, executive summaries, technical findings, remediation roadmaps, and methodology. Triggers on report-writing requests.
`npx claudepluginhub mukul975/threatswarm --plugin threatswarm`

Model: opus
Before writing any report, invoke these skills via the Skill tool:

- `cybersecurity-skills:generating-threat-intelligence-reports`
- `cybersecurity-skills:building-incident-response-playbook`
- `cybersecurity-skills:building-incident-response-dashboard`
- `cybersecurity-skills:building-soc-playbook-for-ransomware`
- `cybersecurity-skills:implementing-diamond-model-analysis`

Read evidence/ directories only. Never include plaintext credentials in reports. Verify scope.txt matches what was tested before writing the scope section. All credential references must use [REDACTED] in the report.
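The two rules above that the agent must enforce mechanically are the `[REDACTED]` rule and the scope check. The following is an added example of how both can be implemented; it is not part of the threatswarm plugin. It assumes findings are dicts with `id` and `component` keys (as in the template's detailed-findings section) and that scope.txt holds one target per line as a CIDR, hostname, `*.wildcard`, `host:port` or URL; the scope entries, finding records and captured request below are constructed sample input.

```python
"""Report hygiene for the report-writer agent: redact credential values and
verify that every finding's affected component is covered by scope.txt.

Added example; it is not part of the threatswarm plugin. The scope entries,
finding records and captured request lines below are constructed sample input.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Patterns for values that must never reach the report in plaintext. Group 1 is
# the key or header name, which is kept; the value after it is replaced.
_VALUE_PATTERNS = [
    re.compile(r"(?i)(authorization:\s*(?:basic|bearer|negotiate|ntlm)\s+)\S+"),
    re.compile(r"(?i)(x-api-key:\s*)\S+"),
    re.compile(r"(?i)((?:set-)?cookie:\s*)[^\r\n]+"),
    re.compile(r"(?i)((?:password|passwd|pwd|secret|token|api_key)[\"']?\s*[=:]\s*[\"']?)[^\s&\"']+"),
]
# PEM private keys are replaced wholesale, keeping only the armour lines.
_PEM_KEY = re.compile(
    r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)[\s\S]*?(-----END [A-Z ]*PRIVATE KEY-----)")


def redact(text: str) -> str:
    """Replace credential-bearing values with [REDACTED], as the report rules require."""
    for pattern in _VALUE_PATTERNS:
        text = pattern.sub(lambda m: m.group(1) + "[REDACTED]", text)
    return _PEM_KEY.sub(r"\1\n[REDACTED]\n\2", text)


def _host_of(entry: str) -> str:
    """Hostname or address from a URL, host:port or bare host entry (IPv4 / names only)."""
    if "://" in entry:
        return (urlparse(entry).hostname or "").lower()
    return entry.split("/")[0].split(":")[0].lower()


def parse_scope(scope_txt: str) -> dict:
    """Parse scope.txt into IP networks, exact hostnames and *.wildcard suffixes."""
    scope = {"nets": [], "hosts": set(), "suffixes": set()}
    for raw in scope_txt.splitlines():
        entry = raw.split("#", 1)[0].strip()   # allow trailing comments
        if not entry:
            continue
        try:
            scope["nets"].append(ipaddress.ip_network(entry, strict=False))
            continue
        except ValueError:
            pass
        host = _host_of(entry)
        if host.startswith("*."):
            scope["suffixes"].add(host[2:])
        else:
            scope["hosts"].add(host)
    return scope


def in_scope(component: str, scope: dict) -> bool:
    """True when the component's host/address is covered by a scope entry."""
    host = _host_of(component)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host in scope["hosts"] or any(
            host == s or host.endswith("." + s) for s in scope["suffixes"])
    return any(addr in net for net in scope["nets"])


def out_of_scope(findings: list, scope: dict) -> list:
    """IDs of findings whose affected component is not covered by scope.txt."""
    return [f["id"] for f in findings if not in_scope(f["component"], scope)]


# Constructed sample scope.txt, findings and captured request (not real targets).
SAMPLE_SCOPE = """# engagement scope (constructed)
10.10.20.0/24
*.corp.example
https://app.corp.example/
"""
SAMPLE_FINDINGS = [
    {"id": "F-01", "component": "https://app.corp.example/login"},
    {"id": "F-02", "component": "10.10.20.15:445"},
    {"id": "F-03", "component": "10.10.30.5:22"},
    {"id": "F-04", "component": "mail.partner.example:25"},
]
SAMPLE_REQUEST = (
    "POST /api/login HTTP/1.1\r\nHost: app.corp.example\r\n"
    "Authorization: Bearer eyJhbGciOi.constructed.token\r\n"
    "Cookie: session=abc123\r\n\r\n"
    "username=bob&password=hunter2"
)

if __name__ == "__main__":
    print(redact(SAMPLE_REQUEST))
    print("Out of scope:", out_of_scope(SAMPLE_FINDINGS, parse_scope(SAMPLE_SCOPE)))
```

Run `redact()` over every request/response excerpt before it is pasted into a finding, and treat a non-empty `out_of_scope()` list as a blocker: those findings either belong to a scope.txt entry that was never recorded or to a host that should not have been tested, and both need resolving before the scope section is written.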
```bash
#!/usr/bin/env bash
# Gather all findings files from the evidence directory
mkdir -p reports
echo "=== Evidence Inventory ===" | tee reports/evidence_inventory.txt

# Find all findings files
find evidence/ \( -name "*findings*" -o -name "*report*" -o -name "*.md" \) 2>/dev/null \
  | sort | tee -a reports/evidence_inventory.txt

# Count findings by severity (lines in findings files that mention each level)
echo "" | tee -a reports/evidence_inventory.txt
echo "=== Finding Counts ===" | tee -a reports/evidence_inventory.txt
for sev in CRITICAL HIGH MEDIUM LOW INFO; do
  count=$(grep -rh --include="*findings*.md" "$sev" evidence/ 2>/dev/null | wc -l)
  echo "$sev: $count" | tee -a reports/evidence_inventory.txt
done

# Collect dates tested (evidence/ is organised as evidence/<DATE>/<TARGET>/)
echo "" | tee -a reports/evidence_inventory.txt
echo "=== Test Dates ===" | tee -a reports/evidence_inventory.txt
for d in evidence/*/; do
  [ -d "$d" ] || continue
  basename "$d"
done | sort | tee -a reports/evidence_inventory.txt
```
The report-writer agent reads all evidence files and produces a professional pentest report. Below is the complete template:

````markdown
---
# PENETRATION TEST REPORT
## $ENGAGEMENT_NAME
### $TARGET_ORGANIZATION
---
**Classification**: CONFIDENTIAL — FOR AUTHORIZED RECIPIENTS ONLY
**Report Date**: $(date +%Y-%m-%d)
**Testing Period**: [START DATE] — [END DATE]
**Report Version**: 1.0
---

## Table of Contents
1. Executive Summary
2. Scope and Methodology
3. Risk Rating Criteria
4. Executive Findings Summary
5. Detailed Findings
6. Remediation Roadmap
7. Appendices

---

# 1. Executive Summary

## Risk Posture
[2-3 paragraph summary of overall security posture, business impact, and top 3 most critical issues]

**Overall Risk Rating**: [CRITICAL/HIGH/MEDIUM/LOW]

## Key Findings Overview
| Severity | Count | Examples |
|----------|-------|---------|
| Critical | X | [e.g., RCE on perimeter web app] |
| High | X | [e.g., SQL injection, privilege escalation] |
| Medium | X | [e.g., outdated TLS, missing headers] |
| Low | X | [e.g., verbose error messages] |
| Informational | X | [e.g., asset discovery, technology stack] |

## Top 3 Business-Critical Findings
1. **[CRITICAL] [Finding Title]**: [1-2 sentences on business impact and urgency]
2. **[HIGH] [Finding Title]**: [1-2 sentences on business impact and urgency]
3. **[HIGH] [Finding Title]**: [1-2 sentences on business impact and urgency]

---

# 2. Scope and Methodology

## Scope
| Asset | Type | Testing Period | Notes |
|-------|------|----------------|-------|
[from scope.txt]

## Engagement Type
- [ ] Black Box (no prior knowledge)
- [x] Grey Box (limited documentation provided)
- [ ] White Box (full access to source code and documentation)

## Methodology
This assessment followed industry-standard penetration testing methodology:
1. **Reconnaissance**: Passive OSINT, active scanning (nmap, nuclei, subfinder)
2. **Enumeration**: Service fingerprinting, web directory discovery, API enumeration
3. **Exploitation**: Vulnerability verification and controlled exploitation
4. **Post-Exploitation**: Privilege escalation, lateral movement (if in scope)
5. **Reporting**: Evidence collection, CVSS scoring, remediation guidance

## Tools Used
| Tool | Purpose | Version |
|------|---------|---------|
| nmap | Port scanning and service fingerprinting | [version] |
| nuclei | Vulnerability scanning | [version] |
| Metasploit | Exploitation framework | [version] |
| Burp Suite | Web application testing | [version] |
| impacket | Active Directory attacks | [version] |
| hashcat | Password cracking | [version] |
| [others] | | |

---

# 3. Risk Rating Criteria

## CVSS 3.1 Severity Mapping
| CVSS Score | Severity | SLA |
|------------|----------|-----|
| 9.0 – 10.0 | Critical | 24 hours |
| 7.0 – 8.9 | High | 7 days |
| 4.0 – 6.9 | Medium | 30 days |
| 0.1 – 3.9 | Low | 90 days |
| 0.0 | Informational | Next release |

## Risk Matrix
```
                │  LOW      MEDIUM    HIGH      CRITICAL      [impact →]
    ────────────┼────────────────────────────────────────────
    HIGH        │  MEDIUM   HIGH      CRITICAL  CRITICAL
    MEDIUM      │  LOW      MEDIUM    HIGH      CRITICAL
    LOW         │  INFO     LOW       MEDIUM    HIGH
    [likelihood ↑]
```

---

# 4. Executive Findings Summary
| ID | Title | Severity | CVSS | Component | Status |
|----|-------|----------|------|-----------|--------|
| F-01 | [Finding] | CRITICAL | X.X | [URL/Host] | Open |
| F-02 | [Finding] | HIGH | X.X | | Open |
[continue for all findings]

---

# 5. Detailed Findings

## F-01 — [SEVERITY] Finding Title
**CVSS 3.1 Score**: X.X ([SEVERITY])
**CVSS Vector**: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
**CWE**: CWE-XXX: [Name]
**ATT&CK TTP**: [T1234 — Technique Name]
**Affected Component**: [URL / IP:PORT / Service Version]

### Description
[2-4 sentences describing the vulnerability, how it was identified, and its technical nature]

### Business Impact
[2-3 sentences describing what an attacker could do with this vulnerability and the business consequence — data breach, service disruption, regulatory penalty, reputational damage, etc.]

### Steps to Reproduce
1. Navigate to [URL] or connect to [HOST:PORT]
2. [Step 2 — specific request/payload]
3. [Step 3 — observe result]

**Evidence**: `evidence/[DATE]/[TARGET]/[path/to/screenshot.png]`

**Request**:
```http
GET /vulnerable/endpoint HTTP/1.1
Host: target.com
[headers]
[payload]
```

**Response** (truncated, sensitive values [REDACTED]):
```
HTTP/1.1 200 OK
[relevant response lines]
```

### Remediation
[Specific, actionable remediation steps]
1. **Immediate**: [Emergency mitigation if critical]
2. **Short-term**: [Patch or code fix]
3. **Long-term**: [Architectural improvement]

**References**:
- [Vendor advisory URL]
- [CVE-XXXX-XXXX](https://nvd.nist.gov/vuln/detail/CVE-XXXX-XXXX)
- [OWASP guidance URL]

---
[Repeat for each finding]
---

# 6. Remediation Roadmap

## 30-Day Priority (Critical & High)
| Finding | Owner | Effort | Deadline |
|---------|-------|--------|----------|

## 60-Day Priority (Medium)
| Finding | Owner | Effort | Deadline |
|---------|-------|--------|----------|

## 90-Day Priority (Low)
| Finding | Owner | Effort | Deadline |
|---------|-------|--------|----------|

## Verification
We recommend scheduling a free re-test of all Critical and High findings after remediation.
Verification testing can be scoped to specific findings to minimize cost.

---

# 7. Appendices

## Appendix A: Authorized Scope
[Contents of scope.txt — targets tested]

## Appendix B: Evidence Manifest
| Finding | Evidence Path | Type |
|---------|--------------|------|
[list all evidence files referenced]

## Appendix C: Tool Versions
[nmap version, nuclei version, etc.]

## Appendix D: Raw Command Output
[Reference to evidence/ directories containing raw tool output]

---
*This report was produced for [CLIENT] under engagement [ENGAGEMENT_ID].
Distribution is restricted to authorized recipients only.
Do not distribute without written authorization.*
````
```bash
#!/usr/bin/env bash
# To generate a report, the report-writer agent will:
# 1. Glob all findings files
find evidence/ \( -name "*findings*" -o -name "*_report.md" \) 2>/dev/null | sort
# 2. Read each findings file and extract severity/title/CVSS
# 3. Sort findings by CVSS score (descending)
# 4. Build executive summary from finding counts
# 5. Write complete report to reports/$ENGAGEMENT_NAME.md

# Output location
REPORT="reports/${ENGAGEMENT_NAME:?set ENGAGEMENT_NAME first}.md"
echo "[*] Report will be written to: $REPORT"

# After writing: sanity-check the report (word count, finding count per severity)
echo "$(wc -w < "$REPORT") words"
echo "Findings: $(grep -c "^## F-[0-9]" "$REPORT")"
echo "Critical: $(grep "^| F-" "$REPORT" | grep -c "| CRITICAL |")"
echo "High: $(grep "^| F-" "$REPORT" | grep -c "| HIGH |")"
```
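Steps 1 to 4 above (glob the findings files, extract severity/title/CVSS, sort by CVSS descending, build the summary from the counts) are the same work the evidence-inventory script at the top of the page approximates with `find` and `grep`. The following added example, not the plugin's own code, does it properly: it parses findings written in the template's per-finding format (a `## F-NN - [SEVERITY] Title` heading followed by `**CVSS 3.1 Score**:` and `**Affected Component**:` lines), sorts them, counts them per severity, renders the section 4 table, and flags any finding whose stated severity disagrees with the band its CVSS score falls in. The two findings files are constructed sample input; `findings_from_dir()` is the same logic over a real `evidence/` tree.

```python
"""Consolidate findings from evidence/ into the report's summary tables.

Added example; not the threatswarm plugin's own code. It assumes each findings
file uses the template's finding format: a '## F-NN - [SEVERITY] Title' heading
followed by '**CVSS 3.1 Score**: X.X' and '**Affected Component**: ...' lines.
The two findings files below are constructed sample input.
"""
import re
from pathlib import Path

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"]

# Finding heading; the separator may be '-', an en/em dash or ':'.
HEADING = re.compile(
    r"^## (F-\d+)\s*[-\u2013\u2014:]\s*\[(CRITICAL|HIGH|MEDIUM|LOW|INFO(?:RMATIONAL)?)\]\s*(.+?)\s*$",
    re.MULTILINE | re.IGNORECASE)
# Bold field lines from the finding header block.
FIELD = re.compile(r"^\*\*(CVSS 3\.1 Score|Affected Component)\*\*:\s*(.+?)\s*$", re.MULTILINE)


def severity_for(score: float) -> str:
    """Severity band for a CVSS score, per the template's Risk Rating Criteria."""
    for floor_score, label in ((9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (0.1, "LOW")):
        if score >= floor_score:
            return label
    return "INFO"


def parse_findings(text: str, source: str = "<memory>") -> list:
    """Extract id, severity, title, CVSS score and component for each finding in one file."""
    findings = []
    heads = list(HEADING.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        fields = dict(FIELD.findall(text[head.end():end]))
        # The score field may read '8.1 (HIGH)'; keep the leading number only.
        score_match = re.match(r"\d+(?:\.\d+)?", fields.get("CVSS 3.1 Score", ""))
        severity = head.group(2).upper()
        findings.append({
            "id": head.group(1),
            "severity": "INFO" if severity.startswith("INFO") else severity,
            "title": head.group(3),
            "cvss": float(score_match.group()) if score_match else 0.0,
            "component": fields.get("Affected Component", ""),
            "source": source,
        })
    return findings


def findings_from_texts(files: dict) -> list:
    """Parse an in-memory {path: markdown} mapping (used for the sample below)."""
    out = []
    for path in sorted(files):
        out.extend(parse_findings(files[path], path))
    return out


def findings_from_dir(evidence_dir: str = "evidence") -> list:
    """Parse every *findings*.md under evidence/, the way the agent globs them."""
    files = {str(p): p.read_text(encoding="utf-8")
             for p in Path(evidence_dir).rglob("*findings*.md")}
    return findings_from_texts(files)


def consolidate(findings: list) -> dict:
    """Sort by CVSS (descending), count per severity and flag label/score mismatches."""
    ordered = sorted(findings, key=lambda f: (-f["cvss"], f["id"]))
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in ordered:
        counts[f["severity"]] += 1
    mismatches = [f["id"] for f in ordered if severity_for(f["cvss"]) != f["severity"]]
    return {"findings": ordered, "counts": counts, "mismatches": mismatches}


def summary_table(findings: list) -> str:
    """Section 4 'Executive Findings Summary' table in the template's layout."""
    rows = ["| ID | Title | Severity | CVSS | Component | Status |",
            "|----|-------|----------|------|-----------|--------|"]
    for f in findings:
        rows.append(f"| {f['id']} | {f['title']} | {f['severity']} | {f['cvss']:.1f} "
                    f"| {f['component']} | Open |")
    return "\n".join(rows)


# Constructed sample findings files (hosts use the reserved .example TLD).
SAMPLE_FILES = {
    "evidence/2024-03-04/app.corp.example/web_findings.md": (
        "## F-01 - [HIGH] Reflected XSS in search parameter\n"
        "**CVSS 3.1 Score**: 6.1 (MEDIUM)\n"
        "**Affected Component**: https://app.corp.example/search\n"
        "### Description\nconstructed placeholder text\n\n"
        "## F-02 - [CRITICAL] Unauthenticated remote code execution in upload handler\n"
        "**CVSS 3.1 Score**: 9.8 (CRITICAL)\n"
        "**Affected Component**: https://app.corp.example/upload\n"
    ),
    "evidence/2024-03-05/mail.corp.example/service_findings.md": (
        "## F-03 - [MEDIUM] TLS 1.0 still enabled\n"
        "**CVSS 3.1 Score**: 5.3\n"
        "**Affected Component**: mail.corp.example:443\n\n"
        "## F-04 - [INFO] Server version disclosed in banner\n"
        "**CVSS 3.1 Score**: 0.0\n"
        "**Affected Component**: mail.corp.example:25\n"
    ),
}

if __name__ == "__main__":
    result = consolidate(findings_from_texts(SAMPLE_FILES))
    print(summary_table(result["findings"]))
    print("Counts:", result["counts"])
    print("Severity label disagrees with CVSS band:", result["mismatches"])
```

On the sample, F-01 is labelled HIGH but carries a 6.1 score, which the template's table places in the Medium band; surfacing that before the report is assembled avoids an executive summary whose counts disagree with the detailed findings.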