November 13, 2025

Why Framework Security Open-Sourced Minerva Insights

The problem we kept running into…

Pentest reporting is by far the most crucial part of the process, but I challenge the reader to walk around DEFCON or Blackhat and find a single pentester who says reporting is their favorite part of the job. Making it easier on the pentester is not what this is all about, although that is a very welcome side effect. Easier reporting means higher quality reports. The less time a pentester spends on “the boring part” of their job, the more manageable the process becomes, thereby improving the accuracy of the final report.

Speaking from personal experience, unstructured notes, inconsistent taxonomies, and evidence on 2-3 different desktops result in:

  • Inconsistent findings (same issue, different names/severity/rationale).
  • Slow, error‑prone reporting with minimal reuse.
  • Weak traceability from evidence → finding → recommendation → ticket.
  • Difficult peer review and limited opportunities for automation.

We built Minerva Insights internally to treat reporting as data engineering: define the data model, validate it, transform it, then render the report. I’ve saved hundreds, if not thousands, of reporting hours with this tool.

So why open-source the money printer?

Apart from giving back to the community, which we benefit greatly from and have a strong incentive to participate in, this isn’t a tool that automates pentesting. The tester's skill is still paramount, and we rest comfortably (not complacently) on our skill set. The idea that competing firms may use our reporting framework gives us confidence that we’re on the right path and that it forces competition on testing skill and depth, not on formatting.

We're confident enough in our testing that we're not worried about giving away the reporting framework. If competitors use it and can spend more time on actual testing, that is great - it forces us to stay sharp. The alternative is everyone wasting time fighting with Word templates while findings sit in scattered notes. Check it out on GitHub.
