The Problem Every Pentester Knows
You spend 3 days breaking into a network. You find critical vulnerabilities — Log4Shell, ProxyLogon, default credentials on core switches. Real impact, real risk.
Then you spend the next 3 days fighting a Word document.
Commercial VAPT reporting tools exist, but they're either expensive SaaS subscriptions, clunky enterprise installs, or generic templates that don't map to Indian regulatory frameworks like RBI CSF, CERT-In, SEBI CSCRF, or IRDAI guidelines.
I wanted something different: a tool a single security consultant or small red team could clone, run in two terminal commands, and have a complete findings-to-PDF pipeline — without any cloud dependency, subscription, or database administrator.
What I Built
A single-page React application handling the entire VAPT lifecycle:
Report Building — Cover page, scope/asset management, findings engine with CVSS v3.1 scoring, CVE/NVD auto-lookup, OWASP/CWE mapping, 12-template vulnerability library, remediation roadmap, retest workflow (Open → In Progress → Retested → Closed), SLA tracking, and compliance mapping across 9 frameworks including RBI CSF, CERT-In, SEBI CSCRF, and IRDAI.
AI Integration — Gemini/Claude API for executive summary generation, full finding auto-fill from just a title, root cause analysis, attack narratives for management, field-level "Polish" rewrites in Technical/Management/Compliance mode, and screenshot-based remediation validation (upload evidence → AI says Fixed/Partially Fixed/Not Fixed).
Scanner Import — Bulk CSV/XLSX from Nessus, Nuclei, Qualys, Burp Suite, Acunetix, OpenVAS with flexible column mapping.
Multi-User RBAC — Three roles: user (view/download only), admin (full edit), superuser (everything + Password Manager + System Audit Trail). Per-user report ownership. Credentials base64-encoded in local storage.
Exports — Real binary PDF (jsPDF + html2canvas), XLSX register (SheetJS), JSON database backup.
The Architecture Decision That Mattered Most
The hardest constraint was persistence. Browsers can't silently write files to disk — that's a security feature, not a bug. Most "local-first" web apps solve this with localStorage, but localStorage dies the moment someone clears their browser cache.
My solution: a zero-dependency Node.js server built only on the http and fs modules — no Express, no npm packages needed for it. It exposes a tiny REST API and writes everything to a real db.json file on disk. The audit trail is an append-only audit.txt — one pipe-delimited line per event. Same design principle production logging systems use, scaled down to a local file.
The clever part is the fallback chain in the frontend:
async get(k) {
  // 1. Node server writing db.json on disk, when it is running
  try {
    const r = await fetch("http://localhost:4001/api/storage/" + k);
    if (r.ok) return await r.json();
  } catch {}
  // server offline? fall back silently
  // 2. sandbox-provided storage (Claude artifact), then 3. plain localStorage
  try { return await window.storage.get(k); }
  catch { return JSON.parse(localStorage.getItem(k)); }
}
The same App.js works in three contexts — standalone demo mode, Claude artifact sandbox, or full file-based persistence with the Node server — and the user never thinks about which mode they're in.
PDF Generation
Three iterations to get right:
- window.print() in a popup — works everywhere, but requires a manual "Save as PDF" step
- html2canvas + jsPDF from CDN — real binary PDF, but sandbox environments block dynamic script loading
- Final: try the binary pipeline first (1000px-wide canvas, multi-page A4), fall back to the print dialog only if the CDN fails — never mislabels an HTML file as PDF
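As an added example of that final iteration (not VAPT Pro's export code), here is the pipeline split into a pure pagination step that can be unit-tested and a browser-only exporter. It assumes the html2canvas and jsPDF 2.x UMD builds have been loaded from a CDN as window.html2canvas and window.jspdf.jsPDF, and that the caller uses the returned "pdf" / "print" value to label the output honestly:

```javascript
// Added example (not the project's code). Assumes window.html2canvas and
// window.jspdf.jsPDF (UMD builds) are present when exportReport runs in a browser.
const CANVAS_WIDTH = 1000;                 // px, as in the post
const A4 = { w: 210, h: 297 };             // mm

// Split a tall canvas into A4-proportioned horizontal slices (in canvas px).
function paginate(canvasHeight, canvasWidth = CANVAS_WIDTH) {
  const pageHeightPx = canvasWidth * (A4.h / A4.w);
  const pages = [];
  for (let y = 0; y < canvasHeight; y += pageHeightPx) {
    pages.push({ sy: y, sh: Math.min(pageHeightPx, canvasHeight - y) });
  }
  return pages;
}

// Height in mm a slice occupies once the canvas width is scaled to the A4 width.
function sliceHeightMm(sh, canvasWidth = CANVAS_WIDTH) {
  return sh * (A4.w / canvasWidth);
}

// Binary PDF first; on any failure (CDN blocked by the sandbox, rendering
// error) fall back to the print dialog and tell the caller which path ran,
// so the UI never labels print-dialog output as a generated .pdf.
async function exportReport(el, filename) {
  try {
    if (!window.html2canvas || !window.jspdf) throw new Error("PDF libraries not loaded");
    const canvas = await window.html2canvas(el, { scale: 1, width: CANVAS_WIDTH, windowWidth: CANVAS_WIDTH });
    const pdf = new window.jspdf.jsPDF({ orientation: "portrait", unit: "mm", format: "a4" });
    paginate(canvas.height, canvas.width).forEach((p, i) => {
      // Copy one page-sized strip into a scratch canvas, then place it on its own page.
      const slice = document.createElement("canvas");
      slice.width = canvas.width;
      slice.height = Math.ceil(p.sh);
      slice.getContext("2d").drawImage(canvas, 0, p.sy, canvas.width, p.sh, 0, 0, canvas.width, p.sh);
      if (i > 0) pdf.addPage();
      pdf.addImage(slice.toDataURL("image/png"), "PNG", 0, 0, A4.w, sliceHeightMm(p.sh, canvas.width));
    });
    pdf.save(filename.endsWith(".pdf") ? filename : filename + ".pdf");
    return "pdf";
  } catch (e) {
    window.print();
    return "print";
  }
}

module.exports = { paginate, sliceHeightMm, exportReport, CANVAS_WIDTH };
```

At 1000px wide, one A4 page is about 1414px of canvas, so a 3000px-tall report becomes three pages with a 36mm strip on the last one; the slice arithmetic is what keeps findings from being cut mid-page without rendering the whole image once per page.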
The report supports 7 visual themes: Dark Cyber, Light Pro, Red Team, Navy Ops, Green Ops, MD Report, CISO Exec — because the same findings go to a technical team in one format and a CISO in another.
Indian Compliance Context
Most VAPT reporting tools map to OWASP and PCI DSS. That's not enough for Indian financial sector clients.
VAPT Pro auto-maps every finding to: OWASP Top 10, PCI DSS 4.0, ISO 27001:2022, NIST CSF 2.0, CIS Controls v8, RBI Cyber Security Framework, CERT-In Guidelines, SEBI CSCRF, and IRDAI Cyber Security Guidelines.
One OWASP category selection on a finding automatically populates all 9 framework references. A CISO gets a report that speaks their regulator's language without the pentester manually cross-referencing annexures.
Animations and UX
The login page has a circuit-board SVG background with flowing dashed current animation, cursor-tracked cyan spotlight, and pulsing nodes — all pure CSS, no JavaScript animation libraries. The main dashboard uses a single global CSS rule with nth-child selectors to stagger fade-in-up animations on every tab's content automatically, without touching individual components.
What I'd Do Differently at Scale
The base64 credential encoding is honest about what it is — obfuscation, not encryption. For a real multi-user deployment, I'd replace it with bcrypt hashing behind a proper auth endpoint. The JSON file store works well for a single consultant's machine; SQLite would be the right upgrade once concurrent writes from multiple users become a concern.
Try It
npx create-react-app vapt-pro && cd vapt-pro
npm install recharts xlsx papaparse
# copy App.js and server.js
node server.js # terminal 1
npm start # terminal 2
Login: super / super123
All findings, evidence, SLA tracking, compliance mappings, and exported PDFs live entirely on your machine.
Feedback, bug reports, and pull requests welcome.