
June 25, 2026 · By Lucas Swartsenburg · 3 min read

Introducing Pentographer: Open-Source Pentest Management

Why we built Pentographer, an open-source pentest management platform that automates report generation and uses structured vulnerability data.

We built Pentographer to solve a simple problem: pentesting is fun, but reporting is not.

Security engineers spend a large share of their time formatting Word documents, pasting in screenshots, and rewriting the same remediation guidance. We wanted a tool that does that grunt work.

Our goal is to make Pentographer the repository for all audit findings, and the central hub for all security assessment work. We want to align pentest reporting with modern development. To achieve this, we will build integrations with LLMs and all major pentesting tools, including Burp Suite.

Pentographer tracks findings, manages structured test playbooks, and generates reports. It also includes an assistant powered by Claude to help draft descriptions from raw notes and screenshots.

Why We Built Pentographer

The current security tool ecosystem has three main issues:

  1. Closed platforms require access to sensitive data. Many modern tools are SaaS-only, so raw vulnerability details, infrastructure logs, and customer data end up in a third party's cloud, widening your trust boundary. We license Pentographer under the MIT license and build it for self-hosting, so your data stays on your own infrastructure.
  2. Standard reports are static documents. PDFs and Word files cannot be queried or imported into a ticketing workflow without manual re-entry, so developers rarely act on them. We treat findings as structured, queryable data.
  3. AI assistants lack consistency. Many AI features in security tools simply forward prompts to a model. Without local context and a structured database to ground it, the model invents details and loses track of which findings exist.

We built Pentographer to address these issues by decoupling the reasoning engine from the data layer. Pentographer runs a Model Context Protocol (MCP) server, so you can query your findings directly from Cursor or Claude Desktop. Keep in mind that whatever a tool call returns becomes part of the model's context: if the client is using a hosted model, those finding details leave your infrastructure, so scope the tools you expose accordingly.
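To make the MCP part concrete, here is an added illustration of how a findings store can be exposed to an MCP client. This is not Pentographer's server and the finding schema is hypothetical; it hand-rolls a small subset of the protocol (the `initialize`, `tools/list` and `tools/call` JSON-RPC methods over newline-delimited JSON on stdin/stdout, which is the stdio transport MCP clients such as Cursor and Claude Desktop use to talk to a local process) so that it runs with no dependencies beyond the standard library.

```python
"""Minimal MCP-style JSON-RPC handler exposing pentest findings as a tool.

Added example, not Pentographer's own server. Implements only the
initialize / tools/list / tools/call methods over newline-delimited
JSON-RPC 2.0, which is enough to answer a client's "show me open highs".
"""
import json
import sys

# Constructed sample findings store (hypothetical schema, not Pentographer's).
FINDINGS = [
    {"id": "F-001", "title": "IDOR on /api/invoices/{id}", "severity": "high",
     "status": "open", "asset": "api.example.test"},
    {"id": "F-002", "title": "Missing HSTS header", "severity": "low",
     "status": "fixed", "asset": "www.example.test"},
    {"id": "F-003", "title": "SQL injection in search", "severity": "critical",
     "status": "open", "asset": "api.example.test"},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Tool advertised to the client; inputSchema is JSON Schema, as MCP requires.
TOOLS = [{
    "name": "query_findings",
    "description": "Return findings at or above a minimum severity, optionally by status.",
    "inputSchema": {
        "type": "object",
        "properties": {
            "min_severity": {"type": "string", "enum": list(SEVERITY_RANK)},
            "status": {"type": "string", "enum": ["open", "fixed"]},
        },
    },
}]


def query_findings(min_severity="info", status=None):
    """Filter the local store; the model only ever sees records that exist here."""
    floor = SEVERITY_RANK[min_severity]
    return [f for f in FINDINGS
            if SEVERITY_RANK[f["severity"]] >= floor
            and (status is None or f["status"] == status)]


def _error(rid, code, message):
    return {"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": message}}


def handle(request):
    """Dispatch one JSON-RPC 2.0 request and return the response dict."""
    rid, method = request.get("id"), request.get("method")
    params = request.get("params") or {}
    if method == "initialize":
        result = {"protocolVersion": params.get("protocolVersion", "2024-11-05"),
                  "capabilities": {"tools": {}},
                  "serverInfo": {"name": "findings-demo", "version": "0.1"}}
    elif method == "tools/list":
        result = {"tools": TOOLS}
    elif method == "tools/call":
        if params.get("name") != "query_findings":
            return _error(rid, -32602, "unknown tool")
        args = params.get("arguments") or {}
        min_sev = args.get("min_severity", "info")
        if min_sev not in SEVERITY_RANK:
            return _error(rid, -32602, "invalid min_severity")
        rows = query_findings(min_sev, args.get("status"))
        # MCP tool results are a list of content items; text is the common case.
        result = {"content": [{"type": "text", "text": json.dumps(rows)}]}
    else:
        return _error(rid, -32601, f"unknown method {method}")
    return {"jsonrpc": "2.0", "id": rid, "result": result}


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Newline-delimited JSON-RPC loop; notifications (no id) get no reply."""
    for line in stdin:
        line = line.strip()
        if not line:
            continue
        request = json.loads(line)
        if "id" not in request:          # e.g. notifications/initialized
            continue
        stdout.write(json.dumps(handle(request)) + "\n")
        stdout.flush()


if __name__ == "__main__":
    serve()
```

Because the tool reads from a local store and only returns rows that exist, the model cannot "remember" a finding that was never recorded; the client still ships whatever `query_findings` returns into the model's context, which is why the tool exposes a filter rather than a dump of every record.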

What You Will Find on This Blog

We want this blog to be a resource for security engineers, developers, and DevOps teams. We will cover:

  • AI engineering in security. We will share how we build deterministic AI workflows, manage model context windows, and prevent hallucinations.
  • Tool integrations. We will detail how we connect Pentographer to scanners and testing suites to automate data ingestion.
  • Data ownership and self-hosting. We will write guides on running secure applications, setting up local databases, and managing workspace permissions.
  • Bridging the dev-sec divide. We will discuss how to standardize findings so developers can triage them inside their existing pipelines.

Security Audits for Builders

Our core philosophy is simple: security audits must serve the people building the software.

Auditors write most pentest reports for compliance officers, which produces static documents that developers ignore. A 50-page PDF satisfies a compliance check, but it does not help a developer patch a vulnerability.

By treating findings as structured, versioned data and exposing them via protocols like GraphQL and MCP, we turn audits into engineering tasks. Security teams can write clear, actionable guidance, and developers can pull that data directly into their existing issue trackers and build pipelines.
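One concrete form "pull that data into existing build pipelines" can take is a SARIF export, the interchange format that code-scanning and CI tooling already consume. The example below is added here and is not Pentographer's exporter; the finding schema (ids, CWE, file and line, status) is hypothetical, and the sample records are constructed. It also shows the CI gate a practitioner would want alongside the export: fail the build only on open findings at or above a chosen severity.

```python
"""Export structured findings to SARIF 2.1.0 and gate a build on them.

Added example; the finding schema is hypothetical and not Pentographer's
data model. SARIF only knows error/warning/note, so the original severity
is carried in the result's properties bag rather than lost.
"""

# Constructed sample findings (hypothetical schema).
FINDINGS = [
    {"id": "F-001", "title": "IDOR on /api/invoices/{id}", "severity": "high",
     "cwe": "CWE-639", "status": "open", "file": "api/invoices.py", "line": 42,
     "remediation": "Authorize the invoice against the session user before loading it."},
    {"id": "F-002", "title": "Missing HSTS header", "severity": "low",
     "cwe": "CWE-319", "status": "fixed", "file": "config/nginx.conf", "line": 17,
     "remediation": "Add Strict-Transport-Security with max-age >= 31536000."},
    {"id": "F-003", "title": "Reflected XSS in search", "severity": "medium",
     "cwe": "CWE-79", "status": "open", "file": "web/search.py", "line": 88,
     "remediation": "HTML-encode the query parameter before rendering it."},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
SARIF_LEVEL = {"critical": "error", "high": "error", "medium": "warning",
               "low": "note", "info": "note"}


def to_sarif(findings, tool_name="pentest", include_fixed=False):
    """Build a SARIF log. Rules are keyed by CWE so repeat findings share one rule."""
    rules, results = {}, []
    for f in findings:
        if f["status"] == "fixed" and not include_fixed:
            continue
        rules.setdefault(f["cwe"], {"id": f["cwe"],
                                    "shortDescription": {"text": f["cwe"]}})
        results.append({
            "ruleId": f["cwe"],
            "level": SARIF_LEVEL[f["severity"]],
            "message": {"text": f"{f['title']}\n\nRemediation: {f['remediation']}"},
            # Stable fingerprint lets the consumer dedupe across re-uploads.
            "partialFingerprints": {"findingId": f["id"]},
            "properties": {"severity": f["severity"], "findingId": f["id"],
                           "status": f["status"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"]}}}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
            "results": results,
        }],
    }


def failing_findings(findings, fail_on="high"):
    """Ids of open findings at or above the threshold; non-empty means fail the build."""
    floor = SEVERITY_RANK[fail_on]
    return [f["id"] for f in findings
            if f["status"] == "open" and SEVERITY_RANK[f["severity"]] >= floor]


if __name__ == "__main__":
    import json
    import sys

    print(json.dumps(to_sarif(FINDINGS), indent=2))
    blocking = failing_findings(FINDINGS)
    if blocking:
        print(f"blocking findings: {blocking}", file=sys.stderr)
        sys.exit(1)
```

Fixed findings are dropped from the export by default so a re-upload clears them from the consumer's view, while `include_fixed=True` keeps them for an audit trail; the gate ignores fixed findings regardless, so a report that still lists a remediated critical does not block the build.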

On this blog, we do not write compliance fluff or high-level industry summaries. We write for builders. Every article will contain concrete examples, configurations, or code to help you secure your systems.

You can try the platform on app.pentographer.com or view the source code on GitHub.
