Export Formats

Beyond the PDF: Integration With Reporting Platforms

While TurboPentest's PDF reports are comprehensive standalone deliverables, many security teams manage their pentest findings within dedicated reporting platforms. These platforms provide collaboration features, finding lifecycle management, retesting workflows, and client portals that complement TurboPentest's automated output.

TurboPentest supports export to four major pentest reporting platforms: PlexTrac, Dradis, AttackForge, and Ghostwriter. Each export produces a format native to the target platform, so findings import cleanly without manual reformatting.

PlexTrac Export

PlexTrac is a security assessment management platform used by pentest consultancies and internal security teams. It provides client management, finding tracking, report generation, and analytics dashboards.

TurboPentest exports findings in PlexTrac's CSV import format, mapping fields as follows:

• Finding Title maps to PlexTrac's finding name
• Severity maps to PlexTrac's severity levels (Critical, High, Medium, Low, Informational)
• Description maps to the finding description field
• Evidence/PoC maps to PlexTrac's evidence section with embedded screenshots and code blocks
• Remediation maps to the recommendations field
• CVSS Score maps to PlexTrac's scoring fields (both vector string and numeric score)
• CWE/References map to PlexTrac's tag and reference systems

The export also includes the finding's unique fingerprint as a custom field, enabling continuity tracking when the same target is re-tested. PlexTrac users can group TurboPentest findings alongside manual findings in the same report, then use PlexTrac's narrative editing to add custom context before delivering to clients.

For teams using PlexTrac's API, TurboPentest can push findings directly via PlexTrac's REST endpoint when configured with API credentials at the team level. This enables a fully automated pipeline: TurboPentest runs the scan, findings flow into PlexTrac, and the consultant's job becomes review-and-edit rather than write-from-scratch.

Dradis Export

Dradis is an open-source collaboration and reporting platform popular with both consultancies and internal teams. It uses a project-based structure with issue templates.

TurboPentest exports to Dradis using its XML import format. Each finding becomes a Dradis issue with:

• Title mapped to the issue title
• Fields populated according to Dradis field definitions (Description, Evidence, Impact, Remediation)
• Tags set to severity level and vulnerability category
• Embedded content formatted in Dradis's textile markup for proper rendering

Dradis exports preserve the full evidence chain — HTTP requests, response bodies, and proof-of-concept steps are formatted as textile code blocks that render correctly in Dradis's report templates. The export includes node information (target host, port, service) so Dradis can organize findings by target within a project.

Teams using Dradis Pro can import TurboPentest findings alongside output from other tools (Burp Suite, Nessus, OWASP ZAP) and use Dradis's combination features to merge duplicates and build unified reports.

AttackForge Export

AttackForge is a pentest management platform focused on enterprise workflows, offering project management, vulnerability tracking, SLA monitoring, and client self-service portals.

TurboPentest exports to AttackForge using its JSON import schema. The mapping includes:

• Vulnerability details — Title, severity, CVSS vector, CWE ID, description, and detailed evidence
• Affected assets — Target URL, IP, port, and service information
• Remediation guidance — Step-by-step fix instructions and retest commands
• Proof of concept — Full request/response pairs and exploitation steps
• Status — Initial status set to "Open" for triage by the AttackForge project owner

AttackForge's strength is its project lifecycle management. Once TurboPentest findings are imported, AttackForge tracks them through states: Open, Accepted, In Remediation, Ready for Retest, Fixed, and Risk Accepted. Teams using TurboPentest for repeat scans can update finding statuses automatically — when a finding no longer appears in a subsequent scan, AttackForge can flag it as a fix candidate.

The export also populates AttackForge's analytics fields, enabling dashboard visualizations of vulnerability density by category, severity distribution, and time-to-remediation metrics.

Ghostwriter Export

Ghostwriter is an open-source reporting tool built specifically for offensive security teams. Developed by SpecterOps, it excels at collaborative report writing with activity tracking, finding libraries, and customizable report templates.

TurboPentest exports to Ghostwriter using its JSON finding format:

• Finding — Title, severity, CVSS score, and description formatted for Ghostwriter's rich text editor
• Evidence — Uploaded as inline evidence entries with captions and code formatting
• Affected entities — Domain, IP, and port information linked to Ghostwriter's infrastructure tracking
• Recommendations — Mapped to Ghostwriter's recommendation fields with priority tagging
• MITRE ATT&CK mapping — Where applicable, findings are tagged with ATT&CK technique IDs

Ghostwriter's collaborative workflow means multiple consultants can review and refine TurboPentest's AI-generated findings before they become part of the final report. The activity log tracks every edit, providing an audit trail of human review applied to automated findings.

Choosing the Right Export

Each platform serves different organizational needs:

All four exports include TurboPentest's finding fingerprints as custom metadata, ensuring that finding continuity tracking works regardless of which platform manages the findings long-term.

Export Access

Exports are generated on-demand from the scan detail page. Each export format is available alongside the PDF download. The export uses the same data as the PDF report — all findings, evidence, and remediation guidance — reformatted for the target platform's schema.