Unified findings pipeline
Every tool, parser and reviewer writes to one per-client findings store with CVSS scoring, evidence capture and remediation text ready for report generation.
Self-hosted · Kali-native · Job-driven
One workspace for the entire pentest.
90+ integrated tools, a unified findings pipeline, and automated reports. Built by pentesters, for pentesters.
- 90+integrated tools
- 9firewall vendors
- 14assessment types
Dashboard screenshot appears here once capture.mjs has run.
What's inside
A curated stack of reconnaissance, exploitation, review and reporting tooling, all writing to a single per-client workspace.
Attack path visualisation
Kill-chain graph with MITRE ATT&CK mapping, auto-generated from credentials, hosts and compromise state. Fully editable for manual attack narratives.
Firewall review, nine vendors
Palo Alto, Cisco IOS, ASA, FortiGate, Juniper ScreenOS and JunOS, Check Point, SonicWall and pfSense. Plus Titania Nipper v2/v3 XML import to reuse prior audits without re-analysis.
External importers
Nessus, Burp Suite Pro, BloodHound, Nmap XML, MobSF, Office 365 scan output, IART finding library. Data flows into the same unified pipeline.
Background job system
Every long-running tool runs as a cancellable background job with live terminal streaming, PID tracking, completion events and per-client history.
PDF and Word reports
Executive summary, scope table, findings by severity, evidence tables, auto-populated host tables. Generated from a template that keeps the professional voice consistent across engagements.
Inside the app
A tour of the tool. All content shown is synthetic: screenshots are captured against a fictional “Demo Inc” client populated from static fixture data.
Attack Path Graph
Kill-chain visualisation with MITRE mapping.
Findings
The deliverable. CVSS, evidence, remediation.
Firewall Review
Nine-vendor parser plus Nipper v2/v3 import.
AD Insights
Domain admin exposure, privileged groups, password policy.
Hash Cracker
Hashcat and John with live terminal streaming.
Loot
Credentials, hashes, subdomains, emails, certificates.
Hosts
Unified inventory from Nmap, Nessus and manual input.
Nessus Parser
Ingest .nessus scans, triage by severity, auto-file findings.
Office 365 Review
Tenant security posture across 49 compliance checks.
Mobile Testing
MobSF, ADB and Drozer side by side.
OSINT Dashboard
Subdomains, takeover candidates, discovered assets.
Password Analysis
Length histogram, reuse percentage, top patterns.
Findings Database
Reusable template library with IART import.
How to run it
The tool is built against Kali Linux and expects its default tool paths and wordlists. Other distributions may work but are not supported.
One-time setup
Clones the repository, installs the Python backend and Node frontend dependencies, builds the Vite bundle, and pins tool versions.
git clone https://github.com/leonteale/Pentest-Assessment-Tool.git
cd Pentest-Assessment-Tool
./setup.shDaily use
Brings up the FastAPI backend on port 8000 and the Vite frontend on 5173. Open the browser, create your first client, and start ingesting.
./start.sh
# Backend: http://localhost:8000
# Frontend: http://localhost:5173Requirements
- Kali Linux (recent rolling release)
- Python 3.10 or later
- Node.js 18 or later
- Typical pentesting utilities available on the PATH: nmap, impacket, responder, bloodhound, hashcat, john, mobsf, and others (setup.sh installs any that are missing)
Changelog
Release history, latest first.
- Loading changelog…
Get it
The tool is source-available on GitHub. Clone the repository,
run ./setup.sh, then ./start.sh.