Building VAPT Pro: An Enterprise Penetration Testing Report Platform From Scratch

The Problem Every Pentester Knows

You spend 3 days breaking into a network. You find critical vulnerabilities — Log4Shell, ProxyLogon, default credentials on core switches. Real impact, real risk.

Then you spend the next 3 days fighting a Word document.

Commercial VAPT reporting tools exist, but they're either expensive SaaS subscriptions, clunky enterprise installs, or generic templates that don't map to Indian regulatory frameworks like RBI CSF, CERT-In, SEBI CSCRF, or IRDAI guidelines.

I wanted something different: a tool a single security consultant or small red team could clone, run in two terminal commands, and have a complete findings-to-PDF pipeline — without any cloud dependency, subscription, or database administrator.

That's what VAPT Pro is. Repository: kidnapshadow-sidharth/VAPT-PRO-Report- (enterprise-grade Vulnerability Assessment & Penetration Testing report platform, built in React with AI-powered finding generation, multi-user RBAC, compliance mapping (RBI/CERT-In/SEBI/IRDAI/OWASP), SLA tracking, and real PDF export; runs locally with zero cloud dependency).


What I Built

A single-page React application handling the entire VAPT lifecycle:

Report Building — Cover page, scope/asset management, findings engine with CVSS v3.1 scoring, CVE/NVD auto-lookup, OWASP/CWE mapping, 12-template vulnerability library, remediation roadmap, retest workflow (Open → In Progress → Retested → Closed), SLA tracking, and compliance mapping across 9 frameworks including RBI CSF, CERT-In, SEBI CSCRF, and IRDAI.

AI Integration — Gemini/Claude API for executive summary generation, full finding auto-fill from just a title, root cause analysis, attack narratives for management, field-level "Polish" rewrites in Technical/Management/Compliance mode, and screenshot-based remediation validation (upload evidence → AI says Fixed/Partially Fixed/Not Fixed).

Scanner Import — Bulk CSV/XLSX from Nessus, Nuclei, Qualys, Burp Suite, Acunetix, OpenVAS with flexible column mapping.

Multi-User RBAC — Three roles: user (view/download only), admin (full edit), superuser (everything + Password Manager + System Audit Trail). Per-user report ownership. Credentials base64-encoded in local storage.

Exports — Real binary PDF (jsPDF + html2canvas), XLSX register (SheetJS), JSON database backup.


The Architecture Decision That Mattered Most

The hardest constraint was persistence. Browsers can't silently write files to disk — that's a security feature, not a bug. Most "local-first" web apps solve this with localStorage, but localStorage dies the moment someone clears their browser cache.

My solution: a zero-dependency Node.js server built only on the http and fs modules — no Express, no npm packages needed for it. It exposes a tiny REST API and writes everything to a real db.json file on disk. The audit trail is an append-only audit.txt — one pipe-delimited line per event. Same design principle production logging systems use, scaled down to a local file.

The clever part is the fallback chain in the frontend:

```js
// Storage adapter: try the local Node server first, then the sandbox
// storage API, then plain localStorage. Each step fails silently.
async get(k) {
  try {
    const r = await fetch("http://localhost:4001/api/storage/" + k);
    if (r.ok) return await r.json();
  } catch {}
  // server offline? fall back silently
  try { return await window.storage.get(k); }
  catch { return JSON.parse(localStorage.getItem(k)); }
}
```

Same App.js works in three contexts — standalone demo mode, Claude artifact sandbox, or full file-based persistence with the Node server — and the user never thinks about which mode they're in.


PDF Generation

Three iterations to get right:

  1. window.print() in a popup — works everywhere, but requires manual "Save as PDF" step
  2. html2canvas + jsPDF from CDN — real binary PDF, but sandbox environments block dynamic script loading
  3. Final: try the binary pipeline first (1000px-wide canvas, multi-page A4), fall back to print dialog only if CDN fails — never mislabels an HTML file as PDF

The report supports 7 visual themes: Dark Cyber, Light Pro, Red Team, Navy Ops, Green Ops, MD Report, CISO Exec — because the same findings go to a technical team in one format and a CISO in another.


Indian Compliance Context

Most VAPT reporting tools map to OWASP and PCI DSS. That's not enough for Indian financial sector clients.

VAPT Pro auto-maps every finding to: OWASP Top 10, PCI DSS 4.0, ISO 27001:2022, NIST CSF 2.0, CIS Controls v8, RBI Cyber Security Framework, CERT-In Guidelines, SEBI CSCRF, and IRDAI Cyber Security Guidelines.

One OWASP category selection on a finding automatically populates all 9 framework references. A CISO gets a report that speaks their regulator's language without the pentester manually cross-referencing annexures.


Animations and UX

The login page has a circuit-board SVG background with flowing dashed current animation, cursor-tracked cyan spotlight, and pulsing nodes — all pure CSS, no JavaScript animation libraries. The main dashboard uses a single global CSS rule with nth-child selectors to stagger fade-in-up animations on every tab's content automatically, without touching individual components.


What I'd Do Differently at Scale

The base64 credential encoding is honest about what it is — obfuscation, not encryption. For a real multi-user deployment, I'd replace it with bcrypt hashing behind a proper auth endpoint. The JSON file store works well for a single consultant's machine; SQLite would be the right upgrade once concurrent writes from multiple users become a concern.


Try It

```bash
npx create-react-app vapt-pro && cd vapt-pro
npm install recharts xlsx papaparse
# copy App.js and server.js
node server.js    # terminal 1
npm start         # terminal 2
```

Login: super / super123

All findings, evidence, SLA tracking, compliance mappings, and exported PDFs live entirely on your machine.


Feedback, bug reports, and pull requests welcome. 