AI-generated penetration test reports — real targets, real findings
OWASP Juice Shop v20.0.0 — a deliberately vulnerable web application. Full-scope web assessment with active recon, vulnerability scanning, directory discovery, and manual verification. 16 controls assessed across 4 security domains.
Top findings: Overly Permissive CORS · No HTTPS · Directory Listing on /ftp · Exposed Prometheus Metrics
zerodaybrief.blog — a production Hugo blog behind Cloudflare. Excellent hardening: hidden origin IP, strong CSP with hash-based allowlisting, HSTS with subdomain pinning, dual-layer clickjacking protection, SPF hard-fail.
Only action item: publish security.txt with vulnerability disclosure contact