AI-powered vulnerability hunting, automated scanning, and professional reporting in one platform.
Available for Windows, Mac, and Linux
PenPeeper is an open source pentesting engagement management system built for security professionals. It combines local and external LLM integrations with automated scanning tools to streamline your entire workflow from reconnaissance to final report delivery.
Local and cloud LLM integration for automated vulnerability hunting, evidence gathering, and generating professional recommendations. Support for LM Studio, Ollama, OpenRouter, Claude, Gemini, ChatGPT, and custom providers.
Built-in automation for Nmap, Nikto, SearchSploit, WhatWeb, Enum4Linux, FFUF, and SNMP. Scans are parsed and summarized automatically to save you hours of manual analysis.
Direct integration with the National Vulnerability Database to automatically pull CVE information and populate vulnerability details for confirmed findings.
Hunt for vulnerabilities across all devices with powerful filtering. Tag devices for custom grouping and generate targeted reports by department, location, or device type.
Easily import scans from other tools and organize findings in one place. Quick keyword search helps you assign appropriate vulnerability categories and subcategories.
Generate polished PDF reports with AI-assisted executive summaries. Built-in rich text editor with custom vulnerability classifications and multiple graphic templates.
Manage multiple engagements and clients simultaneously. Export and import encrypted projects to securely share with team members.
Designed around the natural pentesting process: Gather data, Search for vulnerabilities, manage Findings, and generate Reports. Simple left-to-right tab navigation.
How to properly use the PenPeeper workflow: The purpose of PenPeeper is to simplify pentesting and make it easier to generate a clean report. It's designed so you move across the tabs from left to right until you're done. After installing the software and the prerequisite tools listed on the home page, you can create your first project and then:
Start on the GATHER tab to add your devices or networks to the project.
Once you have all your devices added and scanned, you can see the points of interest by clicking on a device and looking at the Details section, or open the Scans section if you want to see the raw results.
If you want to import your own scans or screenshots from another app, open the Scans section for the device and click the "Import Scan" button. The "Add New Scan" button opens a blank note where you can write your own information or paste in contents.
If you find a vulnerability or issue, click the red "Add Flag" button to record it. Flagging items is how you populate the FINDINGS tab. Later, after you've reviewed all your data and flagged everything of interest, you'll go to the FINDINGS tab and either complete each finding or remove it, which determines what ends up in the report.
Another helpful feature is that you can add tags from the top bar. Tags can be anything you want, such as a building, location, or department, or a device type such as Camera, DVR, or NAS. They are very useful later: you can filter by tag on the SEARCH tab and in your report, for instance to generate separate reports for different departments so each only sees the issues it needs to deal with.
Once you’re done with the GATHER tab, you can move to the SEARCH tab to try to find more potential issues or vulnerabilities.
Here you can look for vendors you don't recognize, check all banners for known vulnerabilities, or search for specific services or protocols. A good way to start is searching by service name, or by FFUF findings to check web pages, for instance.
The SEARCH tab also lets you, for example, search for the telnet service and connect to the device via telnet directly from the app to check it for vulnerabilities.
Once you complete all your searches and flag the rest of the issues, you can move on to the FINDINGS tab.
By default the FINDINGS tab shows all your incomplete findings: flagged items where not all the information has been filled out. Review each incomplete finding and either delete it if it didn't pan out or click the "Complete missing information" button to fill out all the fields.
Every field must be filled in before a finding can be marked complete. Switch the dropdown from Incomplete to Complete if you want to go back to the ones you've finished.
Once you've completed all your findings, you can move on to the REPORT tab to generate a report.
The report only pulls in completed findings, so all that remains is to fill in the report template. Click the question mark next to each section for a description of what it should contain, along with a realistic example you can copy and paste as a starter.
The report automatically includes a summary graphic of your choosing; click the help icon next to it to see a sample of each graphic.
If you are working with somebody else or want to send all of the data (not just the PDF report), click the export project button on the home screen to create an encrypted project file that you can safely send.