Pentest Assessment System
Automated vulnerability assessment with multi-phase scanning, severity-weighted findings, and visual result overlays
The assessment page (/admin/pentest/assessment) provides one-click vulnerability assessments that orchestrate multiple scan tools across the tri-node pentest daemon cluster, aggregate findings by severity, and present results in a structured detail overlay.
How It Works
- Target selection — Pick a pre-configured target or enter a custom hostname/IP
- Assessment launch — The daemon runs a scan pipeline: port scanning (nmap), service enumeration, vulnerability detection (nuclei), web scanning (nikto/ffuf), and SSL analysis
- Phase tracking — Each scan tool runs as a named phase with status, duration, and finding count
- Results aggregation — Findings from all phases are merged and classified by severity (Critical, High, Medium, Low, Info)
- Detail overlay — Click a completed assessment to view the full breakdown
Detail Overlay Layout
The overlay displays five sections in order:
Summary Stats Bar
Five severity-colored cards showing finding counts. Each card has:
- 3px colored top border matching severity (red/amber/yellow/cyan/gray)
- Tinted background per severity for visual reinforcement
- Large stat number (1.5rem, weight 800)
- Cards use `flex: 1` to distribute evenly across the row
Severity Distribution Bar
A proportional horizontal bar showing the relative distribution of findings by severity. Below it, a legend with colored dots and counts.
Assessment Metadata
Key/value pairs: target, start time, end time, duration, node, status.
Scan Phases Grid
A CSS grid table with columns: status icon, tool name, description, findings count (pill badge), duration, and status label. Features:
- Grid layout: `28px minmax(80px, auto) 1fr auto auto auto`
- Alternating row tint for readability
- Findings pills: Rounded badges with severity-weighted coloring
- Each row links to the raw scan output via a “View Output” button
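The three pieces of client-side logic described above (merging findings from all phases into severity counts, turning those counts into the proportional widths of the distribution bar, and picking the severity-weighted colour of a phase's findings pill) fit in a few small functions. The block below is an added example, not code from assessment.astro; the `Phase`/`Finding` shapes, the field names and the sample phases are assumptions made for the illustration.

```typescript
// Added example (not the project's own code): merge findings from several scan
// phases, count them per severity, compute distribution-bar widths, and choose
// the severity-weighted colour of a phase's findings pill.
// Type and field names are assumed; the sample data at the bottom is constructed.

export type Severity = 'critical' | 'high' | 'medium' | 'low' | 'info';

// Display order used by the summary cards and the legend, most severe first.
export const SEVERITY_ORDER: readonly Severity[] = ['critical', 'high', 'medium', 'low', 'info'];

export interface Finding {
  title: string;
  severity: Severity;
  tool: string;        // source badge shown on the finding card
  description: string;
  evidence?: string;   // raw output revealed by the evidence toggle
}

export interface Phase {
  tool: string;        // e.g. nmap, nuclei, nikto
  status: 'pending' | 'running' | 'done' | 'failed';
  durationMs: number;
  findings: Finding[];
}

export type SeverityCounts = Record<Severity, number>;

// Merge findings from every completed phase and count them per severity.
// Phases still running contribute nothing, so a partially loaded assessment
// still renders a consistent (if incomplete) summary that is updated later.
export function aggregateFindings(phases: Phase[]): SeverityCounts {
  const counts: SeverityCounts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
  for (const phase of phases) {
    if (phase.status !== 'done') continue;
    for (const f of phase.findings) counts[f.severity] += 1;
  }
  return counts;
}

// Percent width of each segment in the distribution bar, one decimal place.
// Rounding drift is pushed into the last non-empty segment so the widths sum
// to exactly 100 whenever there is at least one finding.
export function distributionWidths(counts: SeverityCounts): Record<Severity, number> {
  const total = SEVERITY_ORDER.reduce((n, s) => n + counts[s], 0);
  const widths: Record<Severity, number> = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
  if (total === 0) return widths;
  let assigned = 0;
  let last: Severity | null = null;
  for (const s of SEVERITY_ORDER) {
    if (counts[s] === 0) continue;
    widths[s] = Math.round((counts[s] / total) * 1000) / 10;
    assigned += widths[s];
    last = s;
  }
  if (last) widths[last] = Math.round((widths[last] + (100 - assigned)) * 10) / 10;
  return widths;
}

// Severity-weighted pill for a phase row: the pill takes the colour of the
// worst finding the phase produced, and stays 'info' (gray) when it found nothing.
export function phasePillSeverity(phase: Phase): Severity {
  let worst: Severity = 'info';
  for (const f of phase.findings) {
    if (SEVERITY_ORDER.indexOf(f.severity) < SEVERITY_ORDER.indexOf(worst)) worst = f.severity;
  }
  return worst;
}

// Constructed sample: four phases, one of them still running.
const mk = (tool: string, severity: Severity): Finding =>
  ({ title: `${tool} finding`, severity, tool, description: 'constructed sample' });

export const SAMPLE_PHASES: Phase[] = [
  { tool: 'nmap',   status: 'done',    durationMs: 4200, findings: [mk('nmap', 'info'), mk('nmap', 'info')] },
  { tool: 'nuclei', status: 'done',    durationMs: 9100, findings: [mk('nuclei', 'critical'), mk('nuclei', 'high'), mk('nuclei', 'high')] },
  { tool: 'nikto',  status: 'running', durationMs: 0,    findings: [mk('nikto', 'low')] }, // ignored until done
  { tool: 'ssl',    status: 'done',    durationMs: 1800, findings: [mk('ssl', 'low'), mk('ssl', 'medium')] },
];
```

With the sample phases, `aggregateFindings` yields 1/2/1/1/2 across the five levels (the running nikto phase is excluded), and `distributionWidths` returns segments that add up to exactly 100 despite the one-decimal rounding.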
Findings List
Finding cards grouped by severity, each with:
- 4px left border colored by severity class
- Subtle background with hover darkening
- Title row: finding name + tool source badge
- Description: One-line summary
- Evidence toggle: Button-styled control that expands to show raw evidence/output
Severity Classification
| Level | Color | Border | Background | Typical Sources |
|---|---|---|---|---|
| Critical | #ef4444 | Red | rgba(239,68,68,0.08) | RCE, auth bypass, SQLi |
| High | #f59e0b | Amber | rgba(245,158,11,0.08) | XSS, SSRF, privesc |
| Medium | #eab308 | Yellow | rgba(234,179,8,0.08) | CORS, info disclosure |
| Low | #22d3ee | Cyan | rgba(34,211,238,0.06) | Missing headers, cookies |
| Info | #475569 | Gray | rgba(71,85,105,0.1) | Port open, service version |
API Routes
| Endpoint | Method | Purpose |
|---|---|---|
| /api/admin/pentest/scans | GET | List all assessments |
| /api/admin/pentest/scans | POST | Launch new assessment |
| /api/admin/pentest/scans?id=X | GET | Get assessment details |
| /api/admin/pentest/reports | POST | Generate report from assessment |
Architecture
Browser (assessment.astro)
↓ POST /api/admin/pentest/scans
↓ (Astro API proxy)
Pentest Daemon (port 8095)
├── Sentinel (178.x.x.x) — external scans
├── Tarn-Host VM 150 (192.168.20.229) — internal Kali
└── Izar-Host CT 203 (10.42.0.203) — internal scans
↓ runs scan pipeline
↓ returns findings + phases
Browser renders detail overlay
Key Files
| File | Purpose |
|---|---|
| modules/pentest/src/pages/admin/pentest/assessment.astro | Page + CSS + client JS |
| modules/pentest/src/pages/api/admin/pentest/scans | API proxy to daemon |
| modules/pentest/src/config/pentest-nodes.ts | Node definitions |
| modules/pentest/src/config/pentest-targets.ts | Target presets |
CSS Architecture
All styles are scoped within the assessment page via <style> tags. Key design decisions:
- CSS Grid for scan phases — provides column alignment that flexbox can’t guarantee
- Severity as visual language — every element (cards, borders, backgrounds, pills) uses consistent severity colors
- Progressive enhancement — summary shows generic stats first, then replaces with severity-colored cards once findings load
- Mobile responsive — grid collapses to single-column layout on narrow viewports
Version History
| Date | Change |
|---|---|
| 2026-02-27 | Initial assessment UI with severity-colored summary stats and finding cards |
| 2026-02-28 | Major CSS overhaul: flex-fill stats, grid phase layout, 4px finding borders, button evidence toggles |