Purple Firefish logoPurple Firefish

AI Pentest Reports

Purple Firefish pentest reports turn authorized campaign results into local, redacted evidence packages that operators can review or share internally.

The current report generator lives in app/pentest/reporting.py and produces:

Safety Model

Reports are safe by default:

while PENTEST_ALLOW_RAW_EVIDENCE_EXPORT=true and SECURE_DEBUG_MODE=true.

Raw evidence export is intended only for authorized review workflows. Normal UI/API surfaces should use redacted previews and hashes.

Example Usage

from app.pentest.reporting import generate_pentest_report

report = generate_pentest_report(
    engagement=engagement,
    session=session,
    targets=targets,
    campaigns=campaigns,
    results=module_results,
    module_specs=module_specs,
    output_dir="data/pentest_reports",
)

print(report.json_path)
print(report.markdown_path)

JSON Snippet

{
  "schema_version": "firefish.pentest_report.v1",
  "executive_summary": {
    "finding_count": 2,
    "max_severity": "high",
    "top_firefish_protection_outcome": "missed"
  },
  "privacy": {
    "raw_evidence_included": false,
    "secrets_redacted": true
  }
}

Markdown Snippet

## Firefish Protection Effectiveness

| Outcome | Count |
| --- | --- |
| prevented | 3 |
| detected_only | 1 |
| missed | 0 |

Report Sections

Generated reports include:

Coverage Matrix

The coverage matrix summarizes what the campaign actually exercised by OWASP and MITRE mapping. It helps reviewers distinguish tested coverage from not-tested gaps without exposing raw prompts, secrets, or unsafe payloads.

The matrix is an evidence aid. It should not be read as a guarantee that an AI system is secure.

API Export Status

Pentest report export is available behind FIREFISH_PENTEST_ENABLED. Keep exports local, redacted, and scoped to authorized engagements.