Made For Pentesters will help pentesters reduce wasted effort and focus on breaking stuff. It’s the first dedicated client-facing collaboration platform for pentesting – unlike other tools which focus on scan output aggregation or report generation only.

Save Time

High-quality customisable reports, on-demand and at the click of a button.

Save Effort

Integrated, Centralised & Rich Issue Library. Stop re-inventing the wheel.

Save Money

Tools and workflows to reduce project overheads and costs by up to 40%.

Team Collaboration

Collaborate with your team, client and developers.


Pre-loaded with industry benchmarks and methodologies, out of the box.


See the attack from a hacker's perspective. Chain vulnerabilities together.



Automated Reports

High-Quality Automated Reports

On-demand reporting at the click of a button, whenever you or the client needs it. Reports can be customised and include templates for Executives, Risk Managers, Third-Parties such as Auditors, and Developers. All reports can be downloaded in PDF, HTML, DOCX, CSV and JSON. JSON export allows you to integrate AttackForge into your own custom report templates.

Attack Chains

Built For Red Teams

Build Attack Chains quickly and effortlessly to help demonstrate exactly what an attacker is doing at every step - in a simple and clear visual story. Help your clients understand your attack paths and focus remediation where it's needed. Map Attack Chains to MITRE ATT&CK® Framework in minutes!

Vulnerability Library

Rich Issue Library With Over 1300 Vulnerabilities

Immediately access every CWE, CAPEC and other industry standard vulnerability definitions, or create your own. Save time on reporting - it takes on average less than 30 seconds to add a vulnerability to your pentest. No traditional report writing required.


Build Up Your Team and Collaborate

Connect with People to build your dream team and share your vulnerability libraries and test suites. Combine your hard work and avoid reinventing the wheel. Intended for small pentest teams or collaborative groups of freelancers.

Stealth Mode

Custom Methodologies & Test Cases

AttackForge comes pre-loaded with common industry benchmarks from OWASP, OSSTMM and others. However, you can build your own custom methodologies for Red Team assessments, OSINT, Physical Security assessments - you're only limited by your creativity! You can capture evidence against every test case too.

Enterprise Connector

AttackForge Connector - Import Vulnerabilities From Tools, Platforms and Scripts

AttackForge Connector helps you import vulnerabilities to your projects from tools such as Tenable Nessus and Burp Suite Proxy. Or you can use the API directly.


AttackForge ReportGen - Create Custom Reports

Create fully customised reports in a fraction of the time, based on your own DOCX templates. Personalize your reports to your own style or corporate branding. Creating custom reports is a breeze with AttackForge ReportGen!

Stealth Mode

Personalise Your Theme

Enable Stealth Mode for the full hacker experience. You can change themes at any time. More themes coming soon!

Need Help? Check out our Support Site

Case Study



The client is a small security company in Europe, providing penetration testing services to clients within Europe and North America....


Client has to compete for work with big and medium sized security companies and therefore relies on their ability to be fast and efficient with time and resources. Client also competes for talent as it is hard to find and even harder to retain good penetration testers.
The problems for this client were:

  1. Significant time (and therefore cost) spent by the most senior people on penetration testing logistics - scheduling, scoping, collecting necessary information, and doing quality assurance over the reports.
  2. Language barrier – most of their customers expected reports in English, and a lot of their pentesters come from a non-English speaking background.
  3. Pentesters being burned out by writing reports.

As the client’s Managing Consultant put it: “If I have to spend my time chasing clients, collecting testing credentials, reviewing reports, and saying goodbye to my best pentesters - who is going to do business development?”.

Solution:'s main purpose is to help small security companies and freelancers. It provides proven methodologies, a comprehensive vulnerability and issue library, and a secure method of communication with customers.

Client had tried with a testing project and then introduced it to the principal pentesting team. The first full pentest was executed in February 2019. Customers’ representatives were invited for the third project.


1. After several projects, the time spent on logistics went down by 50%. Quality assurance (such as peer and tech reviews of the reports) was reduced by 90%.

2. The language issues went away entirely as provided the most word heavy components such as vulnerability definitions out-of-the-box.

3. Pentesters are happier as they do not need to write reports any more.

4. The clients' customers reported that the use of helped them to track and fix vulnerabilities faster, saving time and money. paid for itself after the second project. One day of wages saved on writing reports is more than annual Pro subscription fees.

Will It Work For You?

If you are concerned with having your pentesters happy, and keeping your overheads and costs low – go for Try it for free. If you deliver more than 30 projects then go for AttackForge Enterprise.

Case Study



This freelance penetration tester is based in the United States and had come across from a Reddit post. He had been conducting pentesting professionally for over 5 years, with the last year working as a freelancer. Before freelancing, he was working for a large retail bank in the US. The bank had built its own internal reporting capability which helped pentesters significantly. All other processes were mostly manual, such as email communications for interactions with clients / internal business units and their related technology teams....


Since leaving the bank, he had set up his own legal entity, insurances, background checks, purchased all standard commercial tools which are typically used during professional engagements, and was ready to start working as a freelancer. However there were a number of challenges that he faced:

  1. No Report templates. Freelancer had no intellectual property rights over previous report templates used at the bank, and needed to create a new report template to use with his own clients.
  2. Reputation, Trust and Pipeline. As he was new to this type of work and to sales, it was difficult to win work and to convince people to go with him and that he was a better choice than cheaper offshore alternatives.
  3. Visibility and Maturity. It was difficult for this freelancer to demonstrate that his methodology and testing coverage would be aligned with client's expectations. The lack of visibility until a report was produced at the end of testing meant that he was having to manually write status updates each day so that the client could have visibility over testing progress and what was being covered.

This created additional overheads and stress for this freelancer, which was especially difficult as he was also learning how to run a small business for the first time. As he had put it: "I needed something to keep clients happy and coming back".

Solution: is a full collaboration platform which brings pentesters and their clients together in one place. For the first handful of projects using - he had not invited clients directly to project workspaces. Instead he had indicated to them that he was using a tool to help him with tracking and reporting. He was adding his findings daily using the in-built Vulnerability and Issue Library, and ticking off test cases as he went along. At the end of each day, he downloaded the report and sent this to the client.

After getting used to - he started to invite clients directly to their project workspaces. This meant that he no longer needed to send them daily updates and that they could log in and see progress for themselves, and download reports when they needed them.

The feedback he had received from clients was mostly positive, and importantly helped him to build trust and pipeline as they could see exactly what was being tested (scope), when it was tested (timestamps), how it was tested (test cases), upload details directly to the workspace when needed, and all evidence to help them understand the issue and how to fix it.

Eventually, a few of his clients who had got used to had requested that he give access to developers directly so they could see the findings and start actioning them, without the client having to be a bottleneck. This meant that the client spent less time and effort managing logistics and communication, which freed up a lot of their time.

Some of the regular clients who were using had also started managing their remediation testing through The clients' developers were selecting which issues were ready for retest and requesting a retest round, and the freelancer was able to perform this swiftly and invoice the client for the retesting performed.


1. Freelancer no longer needed to worry about maintaining his own report template as customers were happy with the results produced from as it was sufficient for developers to understand the issues and how to fix them.

2. Freelancer was able to show new prospective clients his sanitised/de-identified projects to help give him a competitive advantage when bidding for new work. Prospective clients could see that industry standard methodologies were being used and detailed information for findings was being produced. This helped to build trust and win more clients and work.

3. Freelancer was able to create 'stickiness' with his regular clients, as they were now using his projects as their defect management tool for penetration testing findings, providing him with regular income and helping him to build his pipeline.

Will It Work For You?

If you are a freelance penetration tester and you need a tool to help take some pressure off you and keep your clients happy - is for you. It is free to sign up and start using immediately. However if your client's requirement is to have their data isolated and not stored in a multi-tenant solution, then is not for you.

Features & Pricing

Do more with

Our prices are very easy to understand. There are no extra or hidden fees. You just pay what is listed here. You can cancel at any time.




/ user /

Create Pentesting Projects
Invite People to Your Projects
Automated & On-Demand Reports
Integrate Into Your Own Reports
Custom Vulnerability Library - Preloaded 1300+ Vulnerabilities
JIRA / Slack / ServiceNow Integration
Remediation Tracking
Free Forever!
All amounts are in US Dollars




/ user /

Everything in Free
Unlimited Projects
Customise Your Reports
Import Vulnerabilities to Projects
Create Teams To Share Knowledge
Access Powerful Analytics
Custom Test Suites
Unlimited Project Scope & Uploads
Priority Support
All amounts are in US Dollars




Global Dashboard For All Your Vulnerabilities
View & Search Vulnerabilities by Project, Asset, Priority and Status
Track by Open, Closed and Ready For Retest
Analytics & Trends Discovery
Create Attack Chains & Map to MITRE ATT&CK® Framework
Import Vulnerabilities Into Your Projects via API or Connector
Export & Sync Vulnerabilities With Your JIRA Project
Export Vulnerabilities Into Your ServiceNow Tenant
Detailed Vulnerability Information
Upload and Store Vulnerability Evidence & Artefacts (Limited)
Audit Logs For Life of Vulnerability
Access & Manage Vulnerability Library (1300+ Vulnerabilities)
Share Vulnerability Library with Team
Choose When Your Vulnerabilities Are Visible To Project Team
Choose Your Scoring System, Including CVSS v3.1


Global Dashboard For All Your Projects
Create & Manage Projects (Limited)
Daily Notifications on Start/Stop Testing
Project Overview & Dashboard
Daily Tracker For Testing Progress
Secure Workspace For File Uploads (Limited)
Create Private, Team & Reporting Notes
View & Action Test Cases
Access Test Suites & Methodologies From OWASP, NIST, PCI, OSSTMM & Others
Create Your Own Test Suites & Methodologies
Share Custom Test Suites & Methodologies with Team
Storage For Testing Logs (Limited)
User Access Management


User Profiles
Invite People To Collaborate on Your Projects
Scheduling & Calendar
Private Slack Channels For Communication
Request, Track and Perform Remediation Testing
Invite People To Your Team


Automated & On-Demand Reporting
Detailed Vulnerability Reports (PDF, HTML, DOCX, CSV, JSON)
AttackForge ReportGen - Create Fully Customised & Personalized Reports
Export JSON Into Your Own Reports and Tools
Customise Executive Summary
Templates for Executives, Auditors, 3rd Parties, Developers
Customise Your Reports
Upload & Add Your Own Logo To Reports
Rebrand DOCX For Your Own Needs


Mandatory Two-Factor Authentication
Encrypted Communications & Storage
Role-Based Access Controls On Projects


In-built Knowledgebase For Help & Support
Training Videos
Email Support
Priority Email Support

For Peace of Mind

As a software security provider, AttackForge is committed to providing highly secure and reliable software for our customers. Our SaaS platform is built on Microsoft Azure (Azure) and MongoDB Cloud (Mongo) compute and storage ‘As-a-Service’ technologies, which are compliant with a wide variety of industry-accepted security standards.

Additionally, our engineers have security backgrounds and utilize proven security technologies and techniques in order to protect our systems, data, and information from unauthorized access in the best possible way.

We rely on a number of strict security controls built into our people, processes and technologies, and we are subject to third-party assessments, including penetration testing.

Where is my data stored?

For data storage, analysis, and backups, AttackForge utilizes Azure and Mongo cloud services and therefore shares several Azure and Mongo standards and accreditations.
All virtualized servers are run in the Australian region.

Amongst others, Azure is certified by the following security compliance standards:
• ISO 27001, 27017, 27018
• SOC 1, 2 and 3
• FIPS 140-2

Amongst others, Mongo is certified by the following security compliance standards:
• ISO 27001
• SOC 2 Type II
• EU-US Privacy Shield

AttackForge does not store bank information or credit card data. All payments are handled and managed by our payment provider Square.

Who has access to my data?

AttackForge does not share customer data with third parties.

Administrative access to customer data is restricted to a small number of closely managed AttackForge administrators.

Access to production systems and data follows the security standard of Least Privilege.

How is my data protected?

Network Security

• All traffic to and from our service is encrypted using the TLS v1.2 protocol.
• We enforce the usage of strong TLS cipher suites.
• All systems are firewalled to a minimal number of access points.

Account Security

• Multi-Factor Authentication (TOTP) is mandatory and enforced on all application and administrative interfaces.
• We enforce a strong password policy.
• Passwords are stored hashed and salted (bcrypt).
• Role-Based-Access-Controls (RBAC) on a user-level and project-level are utilized to manage authorization to data.
• Access to an account, including actions performed by the account, is logged, tracked, and audited.
• Anti-automation controls are utilized to prevent brute-force login attempts.
• Session monitoring & management is utilized to prevent authenticated abuse of the platform.
• Email notifications for events such as new logins from different IP addresses are enabled.

System Security

• All operating systems are managed, patched and maintained by Azure and Mongo.
• Unnecessary users, services, and components are disabled.
• All systems are constantly monitored.

Secure Data Storage

• Data is stored on virtualized servers on Azure and Mongo.
• All data is encrypted in-transit and at-rest.
• Database backups are stored and transmitted encrypted at all times.
• Vulnerability reports are generated in memory on request by user, and never stored.