explaingit

poellie01/pentestcompanion

28 · HTML · Audience · ops, devops · Complexity · 3/5 · Active · License · MIT · Setup · moderate

TLDR

Self-hosted Flask workspace for penetration testers that tracks engagements, runs 43 CLI tools, scores findings, and builds branded DOCX or PDF reports.

Mindmap

mindmap
  root((PentestCompanion))
    Inputs
      Targets
      Nessus XML
      Burp XML
      Screenshots
    Outputs
      DOCX report
      PDF report
      ZIP archive
      Findings library
    Use Cases
      Track engagement
      Run nmap and ffuf
      Score CVSS findings
      OSCP exam mode
    Tech Stack
      Python
      Flask
      Docker
      xterm.js
      SSE

Things people build with this

USE CASE 1

Run a full OSCP-style engagement and produce a branded DOCX report at the end

USE CASE 2

Self-host a team workspace that tracks targets, credentials, and findings across testers

USE CASE 3

Stream live nmap and ffuf output into a shared engagement timeline

USE CASE 4

Import Nessus and Burp Suite XML to bulk-create findings with CVSS scores

Tech stack

Python · Flask · Docker · xterm.js

Getting it running

Difficulty · moderate Time to first run · 30min

Most of the utility comes from the 43 host CLI tools, so a Kali-style box with them installed is expected; the Docker run is a single command, but any tool that is missing on the host is dimmed in the Tools Hub until you apt-install it.

MIT lets you use, modify, and redistribute the code for any purpose as long as you keep the copyright and license text.

In plain English

Pentest Companion is a self-hosted web app for penetration testers, bug bounty hunters, and people studying for offensive security certifications such as OSCP, OSEP, CRTP, or PNPT. The idea is to give you a single workspace for all the moving parts of an engagement: the targets, the tools you ran, the findings, screenshots, notes, and the final report. It is written in Python (the language tag is HTML because of the templates) and runs either as a plain Flask app or in a Docker container, listening on port 5000 by default.

The Tools Hub bundles 43 common command line tools across 10 categories: network scanning (nmap, masscan), web testing (gobuster, ffuf, sqlmap), Active Directory work (enum4linux-ng, netexec, kerbrute), the Impacket suite, password cracking (hydra, hashcat, john), DNS reconnaissance, SSL checks, OSINT helpers, and Linux privilege checks. The app runs which against each tool name to see which ones are actually installed on the host, dims the missing ones with an apt install hint, and lets you launch the rest from a form. Output streams live to the browser over server-sent events, and parsed findings can be pushed into an engagement with one click. You can also tick tools to run automatically in the background whenever you add a new target.

Engagements are the core unit of work. Each one tracks targets, open ports, a methodology checklist organised around PTES phases (enumeration, initial access, privilege escalation, lateral movement, data exfiltration, persistence, reporting), an attack timeline, a credentials vault, time tracking, and archive or full ZIP export. Findings get a CVSS v3.1 score, evidence uploads, a status workflow, NVD-based CVE lookup, and bulk import from Nessus and Burp Suite XML. A 22-template finding library feeds a reporting layer that produces branded DOCX and PDF reports with a cover page, executive summary, and per-section redaction toggles.
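The Tools Hub mechanics described above (probe the host for binaries, dim what is missing with an apt hint, launch the rest from a form, stream output over server-sent events) are the part of the design where a web app turns into command execution on the host, so the shape of the launcher matters. The following is an added example, not PentestCompanion's own code: it shows the pattern a practitioner would want, with tools and argv profiles allowlisted, the target validated so it can neither reach a shell nor become an extra flag, and a Flask SSE route on top. The tool registry, profile names, routes, and the `/usr/bin` path in the usage note are illustrative assumptions.

```python
# Added example, not PentestCompanion's own code: a minimal Tools Hub-style
# launcher. Registry, profiles, routes and port are illustrative assumptions.
import re
import shutil
import subprocess
from typing import Callable, Dict, Iterator, List, Optional

# Constructed registry: binary to probe for, apt package to suggest, and fixed
# argv profiles. Only the validated target is appended; no user text reaches a shell.
TOOLS: Dict[str, dict] = {
    "nmap": {"bin": "nmap", "apt": "nmap",
             "profiles": {"default": ["-sV", "-sC", "-Pn"], "fast": ["-T4", "-F"]}},
    "nikto": {"bin": "nikto", "apt": "nikto", "profiles": {"default": ["-h"]}},
}
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
_HOSTNAME = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)


def probe_tools(registry: Dict[str, dict] = TOOLS,
                which: Callable[[str], Optional[str]] = shutil.which) -> Dict[str, dict]:
    """Look each binary up on PATH; missing tools get an install hint so the UI
    can dim them. `which` is injectable so the probe can be tested offline."""
    status = {}
    for name, spec in registry.items():
        path = which(spec["bin"])
        status[name] = {"installed": path is not None, "path": path,
                        "hint": None if path else f"sudo apt install {spec['apt']}"}
    return status


def validate_target(raw: str) -> str:
    """Accept an IPv4 address, IPv4 CIDR or hostname and nothing else.
    Shell metacharacters never matter here (argv lists bypass the shell), but a
    target starting with '-' would become an extra tool flag, so it is refused."""
    target = raw.strip()
    host, sep, prefix = target.partition("/")
    if _IPV4.match(host):
        octets_ok = all(int(o) <= 255 for o in host.split("."))
        prefix_ok = not sep or (prefix.isdigit() and int(prefix) <= 32)
        if octets_ok and prefix_ok:
            return target
        raise ValueError(f"bad IPv4/CIDR target: {raw!r}")
    if not sep and len(host) <= 253 and _HOSTNAME.match(host):
        return target
    raise ValueError(f"target must be an IPv4, CIDR or hostname: {raw!r}")


def is_valid_target(raw: str) -> bool:
    """Boolean form of validate_target for callers that only need yes/no."""
    try:
        validate_target(raw)
        return True
    except ValueError:
        return False


def build_argv(tool: str, profile: str, target: str,
               registry: Dict[str, dict] = TOOLS) -> List[str]:
    """Allowlisted tool + allowlisted profile + validated target -> argv list."""
    if tool not in registry or profile not in registry[tool]["profiles"]:
        raise ValueError(f"unknown tool/profile: {tool}/{profile}")
    spec = registry[tool]
    return [spec["bin"], *spec["profiles"][profile], validate_target(target)]


def sse_event(event: str, data: str) -> str:
    """Frame one server-sent event: event line, one data line per payload line
    (the browser re-joins them with newlines), then the blank terminator."""
    payload = "".join(f"data: {line}\n" for line in (data.splitlines() or [""]))
    return f"event: {event}\n{payload}\n"


def stream_command(argv: List[str]) -> Iterator[str]:
    """Run argv without a shell; yield merged stdout/stderr as 'line' events,
    then a 'done' event carrying the exit code."""
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)
    assert proc.stdout is not None
    for line in proc.stdout:
        yield sse_event("line", line.rstrip("\n"))
    yield sse_event("done", str(proc.wait()))


def create_app():
    """Flask wiring, imported lazily so everything above runs without Flask.
    Put real authentication in front of /run: it executes host binaries by design."""
    from flask import Flask, Response, abort, request

    app = Flask(__name__)

    @app.get("/tools")
    def tools():
        return probe_tools()

    @app.get("/run")
    def run():
        try:
            argv = build_argv(request.args.get("tool", ""), request.args.get("profile", "default"),
                              request.args.get("target", ""))
        except ValueError as exc:
            abort(400, str(exc))
        if shutil.which(argv[0]) is None:
            abort(409, f"{argv[0]} is not installed; see /tools for the apt hint")
        return Response(stream_command(argv), mimetype="text/event-stream")

    return app


if __name__ == "__main__":
    create_app().run(port=5000)  # the page's default port
```

Three choices carry the security weight: the tool and its flags come from the registry rather than the request, the only user-controlled string is appended as the last argv element after validation, and the validator rejects a leading dash, which closes argument injection (for example a "target" of --script=... would otherwise be a legitimate nmap flag even though no shell is involved). A check like `shutil.which("nmap") == "/usr/bin/nmap"` is what drives the dimmed entries. Whatever the launcher looks like, it runs with the privileges of the Flask process, so the app's own login and API tokens are the only thing between a browser and host command execution.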
Other pieces include a browser-based terminal built on xterm.js and a PTY that runs commands on the host, a pclog bash helper that pipes any command's output into the app via a personal API token, an Exam Mode with a live countdown and screenshot slots, a multi-user setup with roles and invite links, and small utilities such as a hash identifier, a Base64 codec, and Markdown notes with Obsidian vault import. The first run prints a bootstrap admin login that the README tells you to change; because the terminal, the Tools Hub, and pclog all end in command execution on the host, that login and each user's API token are effectively the boundary between the web UI and a shell on the box, so change the bootstrap password before exposing the app. License is MIT.

Copy-paste prompts

Prompt 1
Walk me through running PentestCompanion in Docker and changing the bootstrap admin password
Prompt 2
Add a new tool entry for naabu to PentestCompanion's Tools Hub including the apt install hint
Prompt 3
Wire the pclog bash helper to a remote host so command output streams into a chosen engagement
Prompt 4
Extend PentestCompanion's reporting layer with a custom DOCX cover page template
Prompt 5
Build a CVSS v3.1 scoring widget like PentestCompanion's in a standalone Flask page

Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.