PTRG v0.5.0 — AI-Assisted Writeups, Compliance Mapping, and a Five-Layer Upload Pipeline (15 May 2026)
By DNSystems LLC (dnsystemsllc.com/contact)

TL;DR:
PTRG now writes your finding descriptions, recommendations, and executive summaries for you (Claude Sonnet 4.5). It tags every finding to OWASP / PTES / HIPAA. It malware-scans every byte you receive from a client. And it costs 20% less than PlexTrac while shipping things PlexTrac doesn't.
See the Latest at: https://ptrg.dnsystemsllc.com/#vs-plextrac

---
What you'll see when you log in
Three new buttons. Three new tabs. One new appendix in every report.
1. AI Writeup Assistant — three one-click buttons
When you're editing any finding, three new buttons sit underneath the Description and Recommendation fields:
- ✨ AI suggest description — type a vulnerability title, optionally a CVE-ID, and click. Claude Sonnet 4.5 writes you an 80-160 word client-facing description in the terse, technical voice we've trained it on. No marketing fluff. No "it is recommended that". Plain English.
- ✨ AI suggest recommendation — click after you've written (or accepted an AI-suggested) description. Get a 60-140 word remediation block, bullet-friendly, vendor-neutral.
- ✨ AI suggest exec summary — click on the engagement detail page after you have at least one finding. Claude reads every finding in the engagement and writes a 4-6 sentence executive summary in plain English (no CVSS scores — those live in the findings detail).
Every suggestion lands in a cyan-bordered preview card with three buttons:
Use as field value,
Append to existing,
Discard.
AI never silently overwrites your text. You're always in the loop.
**Included free on Squadron and Command tiers.** Available as a $300/month add-on on Recon and Engage.
2. NVD CVE Enrichment
Type any CVE-ID into the CVE picker on a finding (`CVE-2024-12345`). Click Enrich from NVD. PTRG pulls the description, CVSS v4.0 vector, CVSS score, and CWE tags directly from the National Vulnerability Database — and fills in **only** the empty fields on your finding. Anything you've already typed stays exactly as you wrote it.
No more flipping to nvd.nist.gov in another tab. No more copy-paste. No more typos in the CVSS vector.
3. Compliance Mapping packs — OWASP, PTES, HIPAA, OWASP API
A new chip picker on every finding. Pick from four packs:
- OWASP Top 10 (2021) — A01 Broken Access Control through A10 SSRF
- OWASP API Top 10 (2023) — API1 BOLA through API10 Unsafe Consumption of APIs
- PTES — all 7 phases (Pre-engagement, Intelligence Gathering, Threat Modeling, Vulnerability Analysis, Exploitation, Post-Exploitation, Reporting)
- HIPAA Security Rule (45 CFR §164) — all Administrative, Physical, and Technical Safeguards
Tag a finding `OWASP_2021:A03` and `HIPAA:164.312(a)(1)`. When you generate the report bundle, every tagged finding gets a one-line `Compliance: A03:2021 — Injection · §164.312(a)(1) — Access Control` footer. Your client gets a full compliance-mapping trail without you writing a word of crosswalk prose.
---

What's under the hood (since v0.4.0)
Five-layer malware-scan pipeline
Every file your team or your clients upload — scanner imports, evidence screenshots, scope artifacts, CSV bootstraps — passes through five sequential security gates before it hits disk:
1. Magic-byte sniffing — files whose extension lies about their content (`.png` that's actually a `.exe` header) are rejected.
2. Filename allowlist — `.exe`, `.bat`, `.com`, `.scr`, `.vbs`, `.js`, `.jar`, `.dll` denied outright.
3. Anti-virus scan — every byte streamed through a virus engine before storage. EICAR test files get a 422 and an audit-trail entry.
4. Static analysis rules — custom rules catch suspicious patterns (embedded PowerShell, Office macros calling shell exec, etc.).
5. Per-tenant quarantine — anything ambiguous gets quarantined; the operator gets a Security Events alert.

Every event is logged to a tenant-isolated security_events collection with timestamp, uploader, SHA-256 hash, and verdict. DNSystems Security Team monitors a live dashboard with 30-day scan-volume timeseries and an outcome donut.
PlexTrac and AttackForge don't scan uploads. Neither does Dradis. We do.
Mandatory MFA on every new account
TOTP (RFC 6238) — works with Google Authenticator, Authy, 1Password, anything. Per-user 10-code recovery set, bcrypt-hashed at rest, single-use on consumption. Pre-policy accounts were retroactively flagged on 2026-05-13 and will be forced through MFA enrollment on their next sign-in. Sandbox (48-hour) accounts are exempt by design.

Brute-force lockout
5 failed login attempts in a 5-minute sliding window → HTTP 429 with `Retry-After` header. Logged to the audit trail with source IP. Resets after the window expires or a successful login.
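The sliding-window lockout just described, as an added example that is not PTRG's own code: five failures in five minutes yields a 429 whose `Retry-After` counts down to the moment the oldest failure ages out of the window. The in-memory store and the per-account key are assumptions.

```javascript
const MAX_FAILURES = 5;
const WINDOW_MS = 5 * 60 * 1000;

class LoginLimiter {
  constructor() {
    this.failures = new Map(); // key -> ascending list of failure timestamps (ms)
  }

  // Call before checking credentials. Returns the HTTP status to answer with.
  check(key, now = Date.now()) {
    const recent = (this.failures.get(key) || []).filter((t) => now - t < WINDOW_MS);
    this.failures.set(key, recent); // prune failures that fell out of the window
    if (recent.length < MAX_FAILURES) return { status: 200 };
    // The lock lifts when the oldest failure still in the window expires.
    const retryAfter = Math.ceil((recent[0] + WINDOW_MS - now) / 1000);
    return { status: 429, headers: { "Retry-After": String(retryAfter) } };
  }

  // Call on a failed login; returns the audit-trail entry with the source IP.
  recordFailure(key, sourceIp, now = Date.now()) {
    const list = this.failures.get(key) || [];
    list.push(now);
    this.failures.set(key, list);
    return { event: "login_failure", key, sourceIp, ts: new Date(now).toISOString() };
  }

  // Call on a successful login: the counter resets immediately.
  reset(key) {
    this.failures.delete(key);
  }
}
```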
Cloudflare Turnstile
Privacy-focused bot challenge on login, registration, and sandbox-start endpoints. Server-side verification via Cloudflare's siteverify API with remote-IP pinning before any database query executes. No captcha solving puzzles — Cloudflare picks invisible / checkbox / challenge based on real-time risk score.

Kernel-level egress controls
The application server can't make outbound connections to anywhere except a hardcoded allow-list (Stripe API, NVD API, Resend SMTP, Cloudflare Turnstile siteverify). Even if an attacker pops a reverse shell, they can't exfiltrate to their own C2.
HSTS + tightened CSP
`max-age=63072000; includeSubDomains; preload` on every response. Content-Security-Policy locks scripts to `'self'` plus Cloudflare Turnstile and Stripe.js, with `object-src 'none'`, `frame-ancestors 'self'`, `base-uri 'self'`, `form-action 'self'`.
React XSS hardening
Zero `dangerouslySetInnerHTML` in the entire frontend. Every user-driven URL goes through `safeUrl()` — an allow-list validator that blocks `javascript:`, `data:`, `vbscript:`, `file:`, and protocol-confusion attacks like `httpjavascript:`. Every `target="_blank"` has `rel="noopener noreferrer"`. React's default JSX auto-escaping handles the rest.
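An allow-list URL validator in the spirit of the `safeUrl()` described above, plus the anchor-attribute helper the `target="_blank"` rule implies, as an added example that is not PTRG's own code. The allowed schemes, the `about:blank` fallback and the placeholder base used to resolve relative paths are assumptions.

```javascript
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);
const FALLBACK_HREF = "about:blank";
// Used only to resolve relative inputs through the URL parser; never emitted.
const PLACEHOLDER_BASE = "https://placeholder.invalid/";
const HAS_SCHEME = /^[a-z][a-z0-9+.-]*:/i;

function safeUrl(input) {
  if (typeof input !== "string") return FALLBACK_HREF;
  const trimmed = input.trim();
  if (trimmed === "") return FALLBACK_HREF;
  let parsed;
  try {
    // The WHATWG parser lowercases the scheme and strips embedded tabs and
    // newlines, so "JavaScript:" and "java\tscript:" both normalize to
    // "javascript:" before the allow-list check below runs.
    parsed = new URL(trimmed, PLACEHOLDER_BASE);
  } catch {
    return FALLBACK_HREF; // unparseable input is never rendered as a link
  }
  // Allow-list, not deny-list: "httpjavascript:", "data:", "vbscript:" and
  // "file:" are rejected simply because they are not in the set.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return FALLBACK_HREF;
  // Relative paths ("/findings/42") keep their original form so client-side
  // routing still works; absolute URLs come back normalized by the parser.
  return HAS_SCHEME.test(trimmed) ? parsed.href : trimmed;
}

// Props for an anchor that opens in a new tab: validated href, and
// rel="noopener noreferrer" is always set.
function externalLinkProps(input) {
  return { href: safeUrl(input), target: "_blank", rel: "noopener noreferrer" };
}
```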
---
Champion Program — bring your peers, get free months
The original v0.4 Champion Program lives on. Refer Engage+ subscribers — earn free Recon months instead of cash:
| Referrals | Reward |
|-------------------------------------------------|------------------------------|
| 2 Engage+ subscribers in 31 days | 1 month free Recon |
| 5 Engage+ subscribers in 31 days | 3 months free Recon |
| 5 Squadron+ subscribers in 31 days | 6 months free Recon |
| 10 Squadron+ subscribers in 90 days | 12 months free Recon |

No cash payouts. No Stripe Connect overhead. Just free tooling that gets richer as you keep introducing the right people. Free months stack cumulatively on top of any existing free time you've earned.
---
Pricing
| Tier | Annual | Monthly | Seats | What's new |
|---------------------|------------------|--------------|-------|----------------------|
| **Recon** | $7,500 / yr | $750 / mo | 2 | NVD enrichment, Compliance packs |
| **Engage** | (custom) | (custom) | 5 | + DOCX export, encrypted PDFs default |
| **Squadron** | (custom) | (custom) | 10 | + **AI Writeup Assistant included free** |
| **Command** | (custom) | (custom) | 15 | + isolated cloud instance, custom subdomain, unlimited reports |

Add-ons (any tier):
- AI Writeup Assistant — $300/mo or $3,000/yr (free on Squadron+/Command)
- Pro Export Pack — $500/mo (adds Static Analysis Results Interchange Format (SARIF) on lower tiers)
- White-label PDFs — $500/mo (your branding, not ours)
- API Access — $1,500/mo (15 keys, push findings from CI/SIEM)
- Data Sovereignty — $500/mo (your engagements excluded from owner-side analytics)
- Self-Host Frontend — $600/mo (your DNS, your reverse proxy)
- Extra Report Bundle — $50/bundle one-time top-up

---
The Pitch
PTRG is the pentest reporting platform built by an active pentester for active pentesters.
We malware-scan every byte your client uploads. We auto-derive severity from a 5×5 Mission Severity Matrix.
We auto-convert DREAD ↔ CVSS v4.0. We enrich every CVE from the live NVD API. We let Claude Sonnet 4.5 write your descriptions, recommendations, and executive summaries — for free on Squadron+, as an add-on below.
We tag every finding to OWASP / PTES / HIPAA and render the mapping appendix automatically. We do all of this for $6,500/yr at the entry tier, 20% less than PlexTrac, and ship features (universal scanner import, threat modeling, malware scanning, compliance mapping) that they don't have at any tier.
---
Try it free
The sandbox spins up in 5 seconds at ptrg.dnsystemsllc.com. No credit card, no email confirm. You get a fully-loaded demo tenant with two pre-built engagements, a guided tour that opens the PDF and slide-deck inline, and a one-click bootstrap-from-CSV demo of the round-trip Excel workflow. After 48 hours the sandbox self-destructs — your data, the engagement, every byte.
Bring your own scanner output and we'll generate your first real report bundle in under three minutes. Secure Your Systems, Before Attackers Do!
-- DNSystems LLC
Got an integration you want? Email info@dnsystemsllc.com. We ship.
PTRG. Built by pentesters, for pentesters.
— DNSystems LLC · 15 May 2026