Hermes Pentest Lab

Sample Reports

AI-generated penetration test reports — real targets, real findings

Juice Shop Benchmark

HIGH · 38/100
14
Findings
1
High
8
Medium
5
Low

OWASP Juice Shop v20.0.0 — a deliberately vulnerable web application. Full-scope web assessment with active recon, vulnerability scanning, directory discovery, and manual verification. 16 controls assessed across 4 security domains.

Top findings: Overly Permissive CORS · No HTTPS · Directory Listing on /ftp · Exposed Prometheus Metrics

ZeroDayBrief Blog

LOW · 94/100
1
Finding
15
Pass
0
Warn
1
Fail

zerodaybrief.blog — a production Hugo blog behind Cloudflare. Excellent hardening: hidden origin IP, strong CSP with hash-based allowlisting, HSTS with subdomain pinning, dual-layer clickjacking protection, SPF hard-fail.

Only action item: publish security.txt with vulnerability disclosure contact

Report Design

Dark gradient cover 4-category scorecards Findings heatmap Inline evidence screenshots Business-first descriptions CVSS 3.1 vectors Observed controls with values Remediation checklist Tool screenshots appendix 5-phase methodology A4 print-native