Findings management: one uncluttered view for every result

Centralize everything your scanners uncover into one organized view, grouped neatly by workspace. Every finding is fully customizable and tracked with an audit-ready history, so you always know what changed and why. 

See results from every tool in one place, validate fixes instantly without kicking off new scans, and pull reports straight from live data - no busywork, no guessing.

Why scattered findings slow teams down

Collecting security data from disparate scanners, analysts, and third-party tools is almost always a painful process. Teams lose time chasing duplicates, sorting noise, and rebuilding reports just to get a clear view of risk. Context disappears, ownership slips, and remediation stalls.

Pentest-Tools.com solves that fragmentation

Our product consolidates all findings in one place to provide a single, structured list you can act on immediately.

Teams focus on what matters, track remediation with clear statuses, and push verified findings straight to where engineers actually work. They cut duplication, close loops faster, and rely on a single source of truth for every engagement.

How Pentest-Tools.com simplifies findings management

  • Bring all findings together

    Pentest-Tools.com automatically collects findings from all scan types – web, network, API, or cloud – and merges them with manually added or imported issues. 

    What’s more, analysts can pull results directly from Burp Suite, or add manual findings using predefined templates that already include risk ratings and remediation steps. Each entry can include screenshots, code, or custom evidence to ensure context stays accurate and consistent.

  • Organize results instantly

    We automatically group similar findings, flag duplicates, and tag informational issues. You can apply multi-filters to slice results by target, severity, verification state, or status. The findings view updates as you filter, giving teams an immediate, uncluttered picture of what needs attention.

  • Triage and manage remediation

    Every finding has a clear status that matches real remediation flow: Open, Fixed, Accepted, Ignored, or False Positive. Analysts update statuses as they work, making it easy to see what’s live, what’s been addressed, and what the team has consciously accepted as risk – without losing historical context.

  • Send findings where they’re needed

    When it’s time to hand off work, you can push findings directly to Jira or Nucleus. Each ticket includes the finding’s details, severity, remediation notes, and linked evidence, giving developers full context. You can also automate Nucleus handoffs using notification rules that trigger based on severity or scan results.

Your workflow in practice

From asset onboarding to remediation reporting, the API covers every step with endpoints that fit into your workflows, not the other way around.

  • Add targets with /targets to register assets by hostname, IP, or URL.

  • Run scans with /scans, selecting the right tool and parameters.

  • Pull findings via /findings and /reports for CVEs, severity scores, and evidence.

  • Push results into your existing stack – JSON to dashboards, CSV to asset managers, and PDF to stakeholders.

From scan to fix, without the manual steps

By embedding scans directly into your workflows, you cut time to remediation and deliver consistent, evidence-backed reports that teams and clients can trust.

Turn findings into fixes instantly

Integrate vulnerability data via API into ticketing tools like Jira, closing exposure gaps faster.

Scale scans without adding staff

One consistent workflow handles a handful of assets or large environments, without needing to add staff.

Use results in your existing tools

Export scan results via API in the formats your team already uses, reducing errors and wasted time.

Prove coverage with evidence-rich reports

Every finding includes proof, payload, and remediation details, so engineers trust the data and managers see the proof.

Free analysts for high-value testing

Automation clears repetitive work, leaving analysts to focus on deeper, more accurate testing and remediation guidance.

Who our REST API is built for

  • Security consultants

    Run repeatable scans across client environments in minutes, not days. Use the API to standardize testing, launch validation scans after exploitation, and pull JSON/CSV outputs directly into deliverables. 

    Every report is consistent and backed with evidence, freeing consultants to spend time validating critical findings and advising clients instead of re-running manual checks.

  • Internal security teams

    Catch vulnerabilities earlier by embedding scans into CI/CD pipelines. Engineers and DevSecOps specialists can trigger scans automatically with each build, pull CVE data and severity scores into Jira, and generate actionable tickets for developers. 

    That means fewer last-minute surprises, shorter remediation cycles, and production systems that ship with far fewer exploitable flaws.

  • MSPs

    Run automated scans per client, feed results into multi-tenant dashboards, and deliver branded remediation reports directly to client portals. 

    Analysts save hours of manual reporting per client per week, while managers track SLA compliance with clear metrics on remediation timelines.

Discover how our REST API helps you automate scanning at scale

REST API FAQs

Do API scans return the same results as the web interface?

Yes. Our REST API for vulnerability scanning returns the same data-rich results you see in the UI, including CVEs, CVSS, CWE, and EPSS scores, remediation steps, evidence logs, and full reports.

Who is the REST API designed for?

Our vulnerability scanning API is built for both technical practitioners and security leaders. Pentesters, security engineers, DevSecOps specialists, and SOC analysts use it daily to run scans and pipe results into their tools. Security leaders rely on consistent, evidence-backed reports to track remediation timelines and prove compliance.

How quickly can I start using the API?

You can be up and running in minutes. Generate an API key under My Account – API, test with our ready-to-use Python client, and explore the auto-generated REST reference based on our public OpenAPI schema.

What output formats does the API support?

Results are available in JSON, CSV, and PDF, making it easy to integrate into dashboards, SIEMs, ticketing systems, or client deliverables.

Which pricing plans include API access?

All paid plans include full REST API access. Unlike competitors that gate automation behind enterprise pricing tiers, every subscription comes with the ability to launch, stop, and manage scans programmatically.

Are there any API limits I should know about?

Yes. By default, the API enforces: 

  • 250 API requests per minute per user

  • A lower limit of 60 requests per minute for /scans/{id}/output

  • 125 API requests per minute for POST requests
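A client-side throttle that keeps an integration under the three limits listed above, shown as an added example (not code from Pentest-Tools.com or its Python client). It assumes the limits stack, so a POST counts against both the 250 and the 125 figure, and that each limit is a sliding one-minute window; the names Throttle and buckets_for are hypothetical.

```python
import re
import time
from collections import deque

WINDOW = 60.0  # seconds; a sliding one-minute window is an assumption
LIMITS = {"all": 250, "post": 125, "scan_output": 60}  # figures from the FAQ
SCAN_OUTPUT = re.compile(r"/scans/[^/]+/output/?$")

def buckets_for(method, path):
    """Every limit a request counts against (assumed to stack)."""
    names = ["all"]
    if method.upper() == "POST":
        names.append("post")
    if SCAN_OUTPUT.search(path.split("?", 1)[0]):
        names.append("scan_output")
    return names

class Throttle:
    """Client-side sliding-window limiter, one timestamp deque per bucket."""

    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits, self.clock = limits, clock
        self.sent = {name: deque() for name in limits}

    def delay(self, method, path):
        """Seconds to wait until the request fits in every bucket it hits."""
        now, wait = self.clock(), 0.0
        for name in buckets_for(method, path):
            q = self.sent[name]
            while q and now - q[0] >= WINDOW:
                q.popleft()  # forget requests older than the window
            if len(q) >= self.limits[name]:
                wait = max(wait, q[0] + WINDOW - now)  # oldest must expire
        return wait

    def record(self, method, path):
        """Log a request that was actually sent."""
        now = self.clock()
        for name in buckets_for(method, path):
            self.sent[name].append(now)

    def acquire(self, method, path, sleep=time.sleep):
        """Block until the request is allowed, then record it."""
        wait = self.delay(method, path)
        if wait > 0:
            sleep(wait)
        self.record(method, path)
        return wait
```

Call acquire() immediately before each HTTP request; polling loops on /scans/{id}/output are the calls most likely to hit the lower 60-per-minute cap.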

Is the vulnerability scanning API secure?

Yes. Access is authenticated via API key, which you can create or revoke anytime from your account. The API delivers data securely and only scans scoped targets, keeping your infrastructure and client data protected.

Can I manage workspaces and reports through the API?

Yes. You can create or query workspaces programmatically and generate and download reports directly from the API. That means you can automate report delivery or integrate scan data into client portals without manual exports.

Does the API support internal and authenticated scans?

Yes. You can run authenticated web app scans as a logged-in user and perform internal network scans via VPN. This ensures comprehensive coverage across both public and private environments.