Tracking Playbook Coverage During an Engagement
How to use Pentographer's playbook checklist to track test coverage, link findings to items, and report which areas were tested during an assessment.
When you assign a playbook to a project at creation time, Pentographer links that playbook's checklist to the engagement. As you test, linking findings to checklist items builds a coverage map that shows what you tested and what you skipped.
[!NOTE] You can only assign a playbook when creating a project. You cannot change or swap the playbook version after the project is saved. See Project Lifecycle and Scoping for setup details.
How Coverage Works
A playbook item is considered covered when at least one finding links to it. Items with no linked findings remain uncovered. Pentographer does not require every item to have a finding — not every test item results in a vulnerability. Covered items indicate you ran that test, regardless of outcome.
This matters at report time: clients and reviewers can see exactly which test areas were exercised and which were out of scope or skipped.
Linking a Finding to a Playbook Item
- Open the finding you want to link.
- In the finding editor, locate the Playbook Item field in the metadata panel.
- Search for and select the relevant checklist item.
- When you select an item, Pentographer auto-populates the finding title, risk level, description template, and remediation template from the playbook item's defaults. Edit these fields as needed.
- Click Save.
You can link one finding to one playbook item. If a single vulnerability covers multiple test areas, create separate findings for each relevant item and describe the shared exploit in each.
Viewing Coverage
Open the project page. The playbook coverage panel lists every category and item from the assigned playbook, grouped by category. Items with at least one linked finding display the finding title and severity. Uncovered items appear without linked findings.
This panel is the fastest way to spot gaps mid-engagement before the report stage.
Checking Coverage via MCP
If you are running an AI agent connected to your workspace, use the list_project_playbook_items tool to retrieve the full coverage state for a project programmatically. The tool returns each playbook item along with any linked findings, making it straightforward to ask questions like "which OWASP categories have no linked finding?" directly in your AI client.
See MCP Server Setup for connection instructions.
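A sketch of post-processing the tool result to answer the "which categories have no linked finding?" question above. This is an added example, not Pentographer's own code: the field names (`category`, `title`, `findings`) and the sample data are assumptions constructed for illustration, so adjust them to the shape your workspace actually returns.

```python
import json
from collections import defaultdict

# Constructed sample; field names ("category", "title", "findings") are
# assumptions about the tool's output, not Pentographer's documented schema.
SAMPLE_RESULT = json.loads("""
[
  {"category": "A01 Broken Access Control", "title": "IDOR on object references",
   "findings": [{"title": "IDOR in invoice download", "severity": "high"}]},
  {"category": "A01 Broken Access Control", "title": "Forced browsing to admin pages",
   "findings": []},
  {"category": "A03 Injection", "title": "SQL injection in query parameters"},
  {"category": "A03 Injection", "title": "OS command injection", "findings": null}
]
""")


def coverage_gaps(items):
    """Summarise coverage per category.

    An item counts as covered when at least one finding links to it,
    which is the rule the page states. A missing, null or empty
    "findings" value is treated as uncovered.
    """
    summary = defaultdict(lambda: {"covered": 0, "total": 0, "uncovered_items": []})
    for item in items:
        cat = summary[item["category"]]
        cat["total"] += 1
        if item.get("findings"):
            cat["covered"] += 1
        else:
            cat["uncovered_items"].append(item["title"])
    return dict(summary)


def categories_without_findings(items):
    """Categories where no item has a linked finding."""
    return sorted(c for c, s in coverage_gaps(items).items() if s["covered"] == 0)


if __name__ == "__main__":
    for category, stats in coverage_gaps(SAMPLE_RESULT).items():
        print(f"{category}: {stats['covered']}/{stats['total']} covered")
        for title in stats["uncovered_items"]:
            print(f"  uncovered: {title}")
    print("No linked findings:", categories_without_findings(SAMPLE_RESULT))
```
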
Coverage and Reports
When you publish a report, the coverage map is not automatically included in the default export. However, the findings appendix implicitly reflects coverage: findings linked to playbook items include the framework reference (such as the OWASP identifier) and the tested item title.
If your report template includes a test coverage matrix, the template engine can render the item list from the project data. See Report Template Authoring for details on building templates that include a coverage section.