PTRG v0.7 — A New Standard for Authentication (16 May 2026)
Updated: May 20

By DNSystems LLC (dnsystemsllc.com/contact) · 16 May 2026
PTRG: ptrg.dnsystemsllc.com
Pentest reports reflect the trust your clients have in you, and the system that stores them should meet the same high standards. With version 0.7, PTRG enhances security in all aspects of user sign-in, account management, and credential protection.
If your clients inquire about who can access their report data — and the best ones will — this release provides the assurance you need.

Argon2id Password Hashing
PTRG now uses Argon2id for password hashing, a modern, memory-hard algorithm endorsed by OWASP and winner of the Password Hashing Competition. This method is significantly more resistant to GPU and ASIC cracking attacks than older algorithms. Existing accounts will upgrade seamlessly upon next login without any forced resets or disruptions.
Phishing-Resistant Passkeys
PTRG now supports FIDO2 / WebAuthn passkeys alongside TOTP. Users can sign in using Touch ID, Face ID, Windows Hello, Android biometrics, or hardware keys such as YubiKey or SoloKey. Passkeys are inherently phishing-resistant, as spoofed login pages cannot replay them. Users can register multiple passkeys, assign friendly names, and revoke them individually. Either a passkey or a TOTP authenticator satisfies the MFA requirement.

Breached-Password Protection
Every new password is checked against a global database of over a billion known-leaked credentials using a privacy-preserving k-anonymity API, ensuring the password never leaves the server. If a password has appeared in a public breach, PTRG will prevent its use.
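An added example (not PTRG's code) of how a k-anonymity breach check keeps the password on the server: only the first five hex characters of its SHA-1 hash are sent, and the match is done locally. The 5-character prefix and `SUFFIX:COUNT` response format are assumptions modelled on Pwned Passwords-style range APIs, which the page does not name; `fake_fetch_range`, the sample data and the fail-closed choice are constructed for illustration.

```python
import hashlib
import hmac

PREFIX_LEN = 5  # assumption: 5 hex chars of SHA-1, as in Pwned Passwords-style range APIs

def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix sent to the API, suffix that stays on the server)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

def breach_count(password: str, fetch_range) -> int:
    """fetch_range(prefix) returns a body of 'SUFFIX:COUNT' lines.
    Returns how often the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        # Malformed lines (no numeric count) are skipped; compare in constant time.
        if count.isdigit() and hmac.compare_digest(candidate.upper(), suffix):
            return int(count)
    return 0

# Constructed stand-in for the remote service so the example runs offline.
LEAKED = {"password1": 3_000_000, "letmein": 250_000}  # constructed sample data
SEEN_BY_API = []  # everything the "remote" side ever receives

def fake_fetch_range(prefix: str) -> str:
    SEEN_BY_API.append(prefix)
    rows = []
    for pw, n in LEAKED.items():
        p, s = split_hash(pw)
        if p == prefix:
            rows.append(f"{s}:{n}")
    rows.append("0" * 35 + ":1")  # unrelated entry sharing the same bucket
    return "\r\n".join(rows)

def policy_allows(password: str, fetch_range=fake_fetch_range) -> bool:
    """Reject breached passwords. Failing closed on lookup errors is an
    assumption of this example, not a documented PTRG behaviour."""
    try:
        return breach_count(password, fetch_range) == 0
    except Exception:
        return False

if __name__ == "__main__":
    for pw in ("password1", "correct horse battery staple 7!"):
        print(pw, "->", "allowed" if policy_allows(pw) else "blocked")
    print("API saw only:", SEEN_BY_API)
```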
No-Reuse Password History
PTRG tracks the last 24 passwords for regular users and the last 50 for owner and admin accounts. Attempting to reuse an old password, whether yours or a team member's, is silently blocked.
Visible, Fair Account Lock-Out
After five failed sign-in attempts within fifteen minutes, the account is locked for fifteen minutes. The login page displays a clear, persistent banner with a live countdown, eliminating guesswork. The banner does not reveal the number of attempts. If a legitimate user needs immediate access after being locked out, the PTRG administrator can remove the lock-out with a single click from the Security Events dashboard.
Owner-Managed Access Controls
Three new tools exclusive to the DNSystems Security Team:
- Lock or unlock any account via email, useful when an operator leaves the team or suspicious activity is detected.
- Reset any user's password; the new temporary credential is logged in the Master Vault's User Access tab, visible only to the owner, and auto-deletes once the user signs in and sets their own password.
- Clear an active brute-force lock-out without disabling the account, ideal for a legitimate user who made multiple failed attempts and doesn't want to wait.
User-set passwords never appear in the vault. They are hashed with Argon2id and are mathematically irrecoverable by anyone, including us. That's the goal.
Engagement Managers for Everyone
The Priority Queue, Clients Board, Scheduled Deliveries, and Clients pages, previously owner-only, are now accessible to every operator for managing their own business.
Continuous Static Analysis
Every PTRG deployment now runs Semgrep with the OWASP Top 10, secrets-detection, FastAPI, and React rule packs before the build can be shipped. Reports are saved and reviewable. Critical findings automatically halt the deployment.
Privacy-Preserving Marketing Analytics
UTM parameters on inbound links are captured at sandbox-trial initiation, allowing operators to attribute campaigns without exposing individual visitor identities to the platform.

PTRG. Built by pentesters, for pentesters.
— DNSystems LLC · 16 May 2026


