reporting
Post-exploitation finding documentation — credential access, privilege escalation, lateral movement reports, detection gap analysis, attack path documentation, CVSS v4.0 scoring.
Best for Penetration testersWorks with GitHubLow risk
⌘source
- author
@PurpleAILAB- language
- Python
★2.1kstars
366forks
Apr 18, 2026
✦overview.md
Key Features
- ·Phase-specific templates for credential access, privilege escalation, lateral movement
- ·Detection gap analysis guidance aligned with PTES, CREST, and TIBER-EU standards
- ·Mandates Markdown format for agent-authored documents
- ·CVSS v4.0 scoring integration
- ·YAML frontmatter schema for consistent metadata
Use Cases
- →Documenting credential access findings after a penetration test
- →Creating privilege escalation reports for security audits
- →Mapping lateral movement and attack paths for incident response
- →Analyzing detection gaps to improve Blue Team capabilities
- →Generating post-exploitation reports aligned with industry standards like PTES
Best for
- ✓Penetration testers
- ✓Red teams
- ✓Security auditors
Not ideal for
- !General software development documentation
- !Non-security-related reporting
FAQs
name
reporting
description
Post-exploitation finding documentation — credential access, privilege escalation, lateral movement reports, detection gap analysis, attack path documentation, CVSS v4.0 scoring.
allowed-tools:Read Write
metadata:{"subdomain":"reporting","when_to_use":"write finding, document escalation, lateral movement report, credential found, detection gap, attack path, post-exploit report","tags":"report, post-exploit, findings, privesc, lateral, creds, detection-gap, attack-path","mitre_attack":"TA0003, TA0004, TA0005, TA0006, TA0007, TA0008, TA0009, TA0010"}
Post-Exploitation Reporting Knowledge Base
Post-exploitation findings require richer documentation than reconnaissance findings because they demonstrate real-world impact, test Blue Team detection capabilities, and map the full kill chain traversal. This skill provides phase-specific templates and detection gap analysis guidance aligned with PTES, CREST, and TIBER-EU standards.
All agent-authored documents MUST be Markdown format (.md). Operational data files (creds/*.json, network_map.json) are exceptions.
1. Phase-Specific Finding Templates
Each post-exploitation phase has a specialized template. All templates share the same YAML frontmatter schema but differ in body sections to capture phase-relevant details.
A. Credential Access Finding (TA0006)
---
id: FIND-007
severity: high
cvss_score: 8.4
cvss_vector: "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:N/SA:N"
cwe: CWE-522
mitre: [T1003.001]
affected_target: "WEB01 (10.0.0.5)"
affected_component: "LSASS process memory"
confidence: verified
objective_id: OBJ-004
phase: post-exploit
agent: postexploit
detected: false
remediation_priority: immediate
$install
1-click copynpx skills add PurpleAILAB/Decepticon --skill reportingSafety assessment
★
Clarity score
How clear and easy to understand the SKILL.md instructions are, rated from 1 to 5.
5/ 5
excellentVery clear and well structured, with almost no room for misunderstanding.
◎
Actionability score
How directly an agent can act on the SKILL.md instructions, rated from 1 to 5.
5/ 5
very highHighly actionable with clear, concrete steps that an agent can follow directly.