Generate executive, technical, and compliance reports in PDF, HTML, or CSV — with AI-written narratives or template-based generation.
Report Types
Executive Report
A business-focused summary for CISOs, executives, and board-level audiences. No technical jargon. Focuses on business risk, financial impact, and strategic remediation priorities.
Sections:
1. Executive Summary (2-3 paragraphs, plain language)
2. Risk Posture Dashboard (critical/high/medium/low counts + trend)
3. Top 5 Critical Findings (title, business impact, fix cost estimate)
4. Attack Narrative (how an attacker could chain findings)
5. Remediation Roadmap (30/60/90 day priorities)
6. Compliance Status (pass/fail per framework)
Length: 8–15 pages
Audience: C-suite, board, non-technical stakeholders
AI: Claude writes all narrative sections (AI mode)
Template: Pre-written sections with finding placeholders (no-AI mode)
Technical Report
Full technical detail for the security team and developers who will remediate findings. Includes exact PoC steps, HTTP requests/responses, code snippets, and tool output.
Sections:
1. Scope and Methodology
2. Tools Used (with versions)
3. Finding Detail (one section per finding):
- Title, CVSS vector, base score, EPS score
- Description and root cause
- Step-by-step PoC reproduction
- Evidence (screenshots, HTTP captures)
- Remediation code example
4. Attack Chain Graph (all findings linked into paths)
5. CVSS Score Summary Table
6. Appendix: raw tool output, full evidence list
Length: 20–100+ pages depending on finding count
Audience: Security engineers, developers, IT ops
Compliance Report
Maps findings to specific compliance frameworks. Shows pass/fail status per control with evidence references.
Supported Frameworks:
- PCI DSS 4.0
- HIPAA Security Rule
- SOC 2 Type II
- ISO 27001:2022
- NIST CSF 2.0
- CIS Controls v8
- OWASP Top 10
- OWASP API Top 10
- OWASP Mobile Top 10
- OWASP LLM Top 10
- IEC 62443
- UNECE WP.29
- FedRAMP
- GDPR Article 32
- DORA
Remediation Tracker
A living document (HTML format) that the development team uses to track fix progress. Each finding has a status field (Open / In Progress / Fixed / Accepted Risk) and a comments section for fix verification notes.
Prerequisites
At least one completed scan session with confirmed findings
For AI-written narrative: Claude API key configured
For PDF export: WeasyPrint installed (included in PhantomYerra setup)
Client name and engagement details filled in (Settings → Engagement)
1. Open Reports Panel
Click Reports in the left sidebar, or press Ctrl+R. The Reports panel shows all previous reports and a + Generate New Report button.
2. Select Report Type and Scan Session
Report Type: Executive / Technical / Compliance / Remediation Tracker
Scan Session: Select which scan(s) to include (multiple sessions can be merged)
Date Range: Filter findings by date
Severity: Include: Critical ✓ High ✓ Medium ✓ Low ○ Info ○
Compliance: Select framework(s) for compliance mapping
3. Configure Branding (Optional)
In report settings, add: company logo, client name, engagement reference number, classification marking (CONFIDENTIAL / RESTRICTED), and tester names. These appear on the cover page and headers.
4. Generate Report
Click Generate Report. Which of the two modes runs depends on whether Claude AI is configured:
AI-Written Mode (Claude configured):
→ Claude writes executive summary (anonymized — no real targets sent to API)
→ Claude writes business impact narrative per finding
→ Claude writes attack chain story
→ Claude writes remediation recommendations with code examples
→ WeasyPrint renders final PDF
ETA: 3–8 minutes
Template Mode (no AI key):
→ Pre-written template sections filled with finding data
→ CVSS scores and findings auto-populated
→ WeasyPrint renders PDF
ETA: 30–90 seconds
5. Review and Export
The report preview opens in the Reports Viewer. Review for accuracy. Edit any section by clicking it. When satisfied, click Export to download in your chosen format.
💡 Always review AI-written narrative before sending to clients. Claude writes based on anonymized data — verify the real values are correctly substituted in the final document.
⏱️ Template report: under 2 minutes. AI-written full report: 5–10 minutes.
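The anonymize/restore cycle that AI-written mode runs, together with the review check the tip above asks for (scanning the final document for placeholders that were never substituted), as an added example that is not PhantomYerra's PrivacyFilter; the placeholder format, the reference map and the sample finding text are assumptions of this example.

```python
"""Round trip for the anonymize -> AI narrative -> restore cycle that the
AI-written mode runs. Added example, not PhantomYerra's PrivacyFilter; the
<<KIND_n>> placeholder format and the reference map are assumptions."""
import re

SENSITIVE = [  # value classes scrubbed before text leaves for the API
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("HOST", re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)),
]
PLACEHOLDER = re.compile(r"<<(?:IP|HOST)_\d+>>")

# Constructed finding text of the kind a narrative is built from.
SAMPLE = ("SQL injection on api.example.com (10.0.4.12) exposes the users "
          "table; the same host 10.0.4.12 also serves admin.example.com.")


def anonymize(text: str) -> tuple:
    """Replace each distinct sensitive value with a numbered placeholder.
    Returns (scrubbed text, reference map of placeholder -> real value)."""
    ref_map, counters = {}, {}

    def swap(kind):
        def _sub(m):
            real = m.group(0)
            for token, val in ref_map.items():  # repeats reuse their token
                if val == real:
                    return token
            counters[kind] = counters.get(kind, 0) + 1
            token = f"<<{kind}_{counters[kind]}>>"
            ref_map[token] = real
            return token
        return _sub

    for kind, pattern in SENSITIVE:
        text = pattern.sub(swap(kind), text)
    return text, ref_map


def restore(text: str, ref_map: dict) -> str:
    """Substitute the real values back into the returned narrative."""
    for token, real in ref_map.items():
        text = text.replace(token, real)
    return text


def leftover_placeholders(text: str) -> list:
    """Any placeholder still present in the final document means restore()
    did not substitute a real value back (e.g. an expired reference map)."""
    return PLACEHOLDER.findall(text)
```

Running `leftover_placeholders` over the exported document is the cheap, mechanical part of the "review before sending" step; an empty list means every token was restored, a non-empty one means the reference map was incomplete or expired.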
Export Format Reference
PDF (Recommended for Client Delivery)
Engine: WeasyPrint 62+ (server-side, pixel-perfect)
Features:
- Cover page, table of contents, page numbers, headers/footers
- Embedded screenshots and evidence inline
- CVSS severity color coding
- Attack chain graph as vector graphic
Encryption: Optional AES-256 PDF password protection
Size: ~2–15 MB typical
HTML (Interactive)
Features:
- Filterable findings table, collapsible sections
- Clickable attack chain graph (zoom/pan)
- Dark/light theme toggle
- Self-contained (single HTML file, no external dependencies)
Usage: Share as a file or host on an internal portal
SARIF (CI/CD Integration)
Version: SARIF 2.1.0
Usage:
- Import into GitHub Advanced Security, Azure DevOps, SonarQube
- Trigger CI/CD quality gates on finding severity thresholds
Format: JSON (application/sarif+json)
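A severity-threshold quality gate over a SARIF 2.1.0 export, as an added example that is not the project's own code: the embedded SARIF document is constructed rather than a real PhantomYerra export, and the per-result severity property it reads is an assumption of this example.

```python
"""Severity gate over a SARIF 2.1.0 export, for the CI/CD use described
above. Added example, not PhantomYerra's code: the SARIF document is a
constructed sample, and the per-result "severity" property is an assumption
(SARIF itself only carries level: error/warning/note)."""
import json
import sys

SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "PhantomYerra"}},
        "results": [
            {"ruleId": "CWE-89", "level": "error",
             "properties": {"severity": "critical"},
             "message": {"text": "SQL injection in login form"}},
            {"ruleId": "CWE-79", "level": "warning",
             "properties": {"severity": "medium"},
             "message": {"text": "Reflected XSS in search"}},
        ],
    }],
})

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
LEVEL_FALLBACK = {"note": "low", "warning": "medium", "error": "high"}

def result_severity(result: dict) -> str:
    """Use the exporter's severity property when it is valid; otherwise
    derive a conservative severity from the SARIF level."""
    sev = (result.get("properties") or {}).get("severity")
    if sev in SEVERITY_RANK:
        return sev
    return LEVEL_FALLBACK.get(result.get("level", "warning"), "medium")

def gate(sarif_text: str, threshold: str = "high") -> tuple:
    """Return (passed, blocking): blocking lists every finding at or above
    the threshold severity. An unknown threshold raises KeyError."""
    limit = SEVERITY_RANK[threshold]
    blocking = []
    for run in json.loads(sarif_text).get("runs", []):
        for r in run.get("results", []):
            sev = result_severity(r)
            if SEVERITY_RANK[sev] >= limit:
                blocking.append(f"{sev}: {r.get('ruleId')} {r['message']['text']}")
    return not blocking, blocking

if __name__ == "__main__":  # usage: python gate.py [threshold]
    passed, blocking = gate(SAMPLE_SARIF, sys.argv[1] if len(sys.argv) > 1 else "high")
    print("\n".join(blocking) or "gate passed")
    sys.exit(0 if passed else 1)
```

The non-zero exit status is what a pipeline step keys on; swap `SAMPLE_SARIF` for the contents of the exported file to run it against a real report.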
CSV / JSON (Data Integration)
CSV Fields: id, title, severity, cvss_score, eps_score, url, parameter, cwe_id, cve_id, status, remediation
JSON: Full finding objects with evidence hashes and metadata
Usage: Import into Jira, ServiceNow, Splunk, custom dashboards
Evidence Package
Contents: ZIP archive containing:
- All screenshots and captures
- SHA-256 hashes for each file
- RFC 3161 timestamps (legal-grade chain of custody)
- Manifest JSON with metadata
Usage: Legal proceedings, regulatory submissions, audit evidence
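An integrity check a recipient can run over an Evidence Package, as an added example that is not the project's own code: the manifest layout, the timestamp file name and the archive contents are constructed assumptions, and the RFC 3161 token is only checked for presence, not cryptographically verified.

```python
"""Integrity check for an exported Evidence Package: each file's SHA-256
must match the manifest, and archive and manifest must list the same files.
Added example, not PhantomYerra's code; the manifest layout and timestamp
file name are assumptions, and the RFC 3161 token is only checked for
presence here, not cryptographically verified."""
import hashlib
import io
import json
import zipfile

META = {"manifest.json", "timestamp.tsr"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_package(tampered: dict = None) -> bytes:
    """Constructed ZIP standing in for a real export. `tampered` overrides
    file bytes after the manifest is computed, simulating a post-export edit."""
    files = {"screenshots/login-form.png": b"\x89PNG constructed sample",
             "captures/login.http": b"GET /login HTTP/1.1\r\nHost: constructed.example\r\n\r\n"}
    manifest = {"engagement": "ENG-PLACEHOLDER",
                "files": [{"path": p, "sha256": sha256_hex(d)} for p, d in files.items()]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for p, d in files.items():
            z.writestr(p, (tampered or {}).get(p, d))
        z.writestr("manifest.json", json.dumps(manifest))
        z.writestr("timestamp.tsr", b"constructed placeholder token")
    return buf.getvalue()


def verify_package(zip_bytes: bytes) -> list:
    """Return the problems found; an empty list means the package is intact."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        names = set(z.namelist())
        if "timestamp.tsr" not in names:
            problems.append("missing RFC 3161 timestamp token")
        entries = json.loads(z.read("manifest.json"))["files"]
        for e in entries:
            if e["path"] not in names:
                problems.append(f"missing file: {e['path']}")
            elif sha256_hex(z.read(e["path"])) != e["sha256"]:
                problems.append(f"hash mismatch: {e['path']}")
        for extra in sorted(names - {e["path"] for e in entries} - META):
            problems.append(f"unlisted file: {extra}")
    return problems
```

A file edited after export shows up as a hash mismatch, which is the property that makes the per-file hashes (and the timestamp over them) useful as chain-of-custody evidence.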
Common Issues
WeasyPrint requires system fonts and Cairo/Pango libraries. On Windows (WSL2), ensure libcairo2 and libpango-1.0-0 are installed: sudo apt install libcairo2 libpango-1.0-0 libgdk-pixbuf2.0-0. Check the WeasyPrint version: weasyprint --version should show 62+. If it fails on a specific finding with a very long string, check for special characters in the finding title.
The PrivacyFilter.restore() step failed to substitute real values back. This can happen if the reference map session expired. Go to Reports → Regenerate; the system re-runs the anonymization/restore cycle. Also check that the engagement's scope data is still present in the active session (Settings → Engagement).
Compliance mapping requires findings to have CWE IDs assigned. For automatically discovered findings, CWE IDs are assigned automatically. For manually logged findings, open each finding in the editor and select the appropriate CWE from the dropdown. Once CWEs are assigned, regenerate the compliance report.
Large reports are usually caused by many high-resolution screenshots embedded inline. In report settings, enable Compress Evidence Images (reduces to 800px max width, 85% JPEG quality). Alternatively, use the Evidence Package export separately and reference it from the report rather than embedding all images inline.
Related Topics
- ⚡ Automated AI Mode
- 🎯 Zero-Day Disclosure
- 🔗 Integrations