PTDoc – Documentation and Reporting for Penetration Tests

The binsec GmbH relies on PTDoc® for its penetration tests – a specialized tool for structured penetration testing and professional report generation. PTDoc was developed by binsec systems GmbH.

The idea for PTDoc emerged during the growth of the binsec team: How can quality remain consistently high when individual penetration testers have different personal focus areas? And how can we ensure that the outcome of a test is always identical – regardless of which senior penetration tester carries it out?

Before PTDoc, binsec faced the typical challenge: Should reports be written in Word or created with LaTeX? Initially, the decision was made for LaTeX, which produced technically clean but rather “typical” LaTeX documents in terms of design. With PTDoc, this changed fundamentally – today, it delivers professionally designed reports that are still powered by extensive LaTeX code in the background but managed through a user-friendly interface.

The core idea of the tool is to provide a uniform and standardized methodology for different targets – such as Active Directory, mobile applications (e.g., Android apps), or networks. The binsec team continuously maintains and extends this methodology, integrating well-established standards such as the OWASP Testing Guide, MASVS, and OSSTMM. This ensures consistently high quality and the exact repeatability of penetration tests.

In recent years, it has become clear that this structured approach regularly reveals vulnerabilities that were missed in previous tests. One client even stated that they no longer consider earlier assessments from other providers to have been “real” penetration tests.

PTDoc covers all three phases of pentest documentation:

  • Execution of the test – systematically working through the defined methodology.
  • Creation of findings – including management-level descriptions, detailed technical analysis, risk ratings (qualitatively via traffic-light system or quantitatively via CVSS), and management of screenshots and evidence.
  • Report generation – automated creation of a consistent, audit-proof report.

Retesting is also integrated: Once a tester verifies that a client has fixed a vulnerability, they simply document the proof of fix in the finding. When rebuilding the report, the issue is automatically marked as remediated, and the management summary is updated accordingly.

In addition, PTDoc supports the creation of both German and English reports, making it easy to provide clients with deliverables in either language – or even in both.

Conclusion: With PTDoc, penetration testers can fully focus on their actual work – conducting the test. At the same time, report creation becomes quick and efficient, ensuring that clients receive their results shortly after the test is completed.

NIS2 and Penetration Testing – Mandatory or Optional?

The new NIS2 Directive of the EU has been in force since early 2023. It no longer applies only to traditional critical infrastructure operators (KRITIS), but now covers a wide range of important entities, including:

  • medium-sized and large companies in energy, transportation, finance, and healthcare,
  • hosting providers, data centers, DNS service providers,
  • (almost) any tech company providing essential services.

The NIS2 Directive does not explicitly mandate penetration testing, but it requires measures that are hardly feasible or verifiable without it. Article 21 of the directive defines a central obligation:

Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.

While penetration testing is not explicitly mentioned, the directive clearly implies it – particularly through the requirement for regular testing of the effectiveness of measures, and the demand to follow the state of the art, which, in practice, includes conducting penetration tests.

What Personal Data Is Processed During a Penetration Test?

The specific personal data processed during a penetration test largely depends on the target of the test. In general, the following categories can be distinguished:

1. Customer Points of Contact

There’s no way around it: the pentester needs contact persons. Typically, this involves processing names, job titles, business email addresses, and phone numbers — stored in emails, calendar entries, or the final report. These details are usually public anyway (e.g., in the imprint or on LinkedIn) and are solely used for communication. They are always processed but are generally considered low risk.

2. Other Employees of the Organization

As soon as the target system includes an internal network — especially one with Active Directory — it’s almost impossible to avoid encountering other personal data. Names, usernames, and often password hashes or even cleartext passwords may temporarily reside on the pentester’s system. This isn’t accidental; it’s part of the job — privilege escalation, lateral movement, domain takeovers.

What’s important here: there is no need to store personal data permanently or transfer it to the service provider’s infrastructure. All data is processed locally and remains local. Only relevant excerpts are included in the report — and even then, only as much as necessary. Identities can and should be anonymized or pseudonymized.

3. Customer Data of the Client

When production systems are tested — such as an online shop — it’s possible that real customer data may briefly become visible. The aim is not to store this data but to identify vulnerabilities. For example, can unauthorized users view other customers’ orders? If so, some records may be momentarily processed. This is unavoidable but kept as non-invasive as possible.

Recommendation: Data Processing Agreement (DPA) for Production Data

As soon as internal or production environments are involved, a DPA should be signed. The key principle is data minimization. A penetration test is not about collecting data — it’s about uncovering weaknesses. And that can be done without copying entire databases.

Search for Subdomains of a Domain Online

Subdomains often reveal which internal systems, websites, or platforms a company operates. Finding subdomains is an important part of security assessments, penetration tests, or general research, as it can uncover potential attack surfaces that might otherwise remain hidden.

The SubDomainFinder from binsec.tools identifies subdomains of a domain by combining several methods:

  • It accesses the CertWatch database from binsec.tools – a collection of public SSL/TLS certificates where subdomains often appear.
  • Additionally, it performs DNS queries using a predefined subdomain wordlist to systematically test commonly used subdomains.
  • Moreover, targeted search queries are sent to google.com to discover additional subdomains that appear in public search results and might otherwise be overlooked.
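
How the certificate and wordlist sources can be merged for an inventory of your own domain, as an added example (not the SubDomainFinder's code). The certificate records, the `resolves` callback and all function names are assumptions; the sample data is constructed.

```python
def normalize(name: str) -> str:
    """Lowercase, strip the trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def in_scope(name: str, domain: str) -> bool:
    """True only for strict subdomains; the match is on a label boundary,
    so 'api.notexample.org' is not treated as part of 'example.org'."""
    return name.endswith("." + domain)

def subdomains_from_certs(records, domain):
    """Collect in-scope hostnames from the SAN lists of certificate records."""
    domain = normalize(domain)
    found = set()
    for rec in records:
        for san in rec.get("san", []):
            host = normalize(san)
            if in_scope(host, domain):
                found.add(host)
    return found

def merge_sources(cert_hosts, wordlist, domain, resolves):
    """Union of certificate hits and wordlist candidates that resolve.

    `resolves` is a callable(hostname) -> bool, so a real DNS lookup can be
    plugged in; below a constructed set stands in for the resolver.
    """
    dns_hosts = {f"{w}.{domain}" for w in wordlist if resolves(f"{w}.{domain}")}
    return sorted(cert_hosts | dns_hosts)

# Constructed sample data: SAN lists as they might appear in public certificates.
CERTS = [
    {"san": ["example.org", "www.example.org", "*.shop.example.org"]},
    {"san": ["VPN.Example.org.", "mail.example.org"]},
    {"san": ["example.org.attacker.test", "notexample.org", "api.notexample.org"]},
]
LIVE = {"mail.example.org", "dev.example.org"}  # constructed "resolves" answers

if __name__ == "__main__":
    certs = subdomains_from_certs(CERTS, "example.org")
    wordlist = ["www", "mail", "dev", "ftp"]
    for host in merge_sources(certs, wordlist, "example.org", LIVE.__contains__):
        print(host)
```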

What is my IP Address? <- No Ads, No User Tracking

A tool that displays your own public IPv4 and IPv6 addresses is now online at binsec.tools. It’s not the first tool that does that, but it’s free of advertising and tracking:

What is my IP address?

From a Linux shell you can also call

$ curl https://ip.binsec.tools/

and get your IP back in JSON format

{"ip": "93.207.237.237", "version": 4}

or get the IPv4 or IPv6 address

$ curl https://ip4.binsec.tools/
$ curl https://ip6.binsec.tools/

In the browser you may still use:

https://binsec.tools/lookup/whatismyip/

The Scam “Invitation to Tender With Emirates Group” vendor.registration@theemirategroup.com

On 11th of February 2025 binsec GmbH received an “Invitation to Tender With Emirates Group” from vendor.registration@theemirategroup.com:

Dear Valued Vendor,
Greetings from Emirates Group,
We invite you to register as a vendor with Emirates Group. A leading aviation company in UAE. Our goal is to build a diverse and qualified vendor base to support our business needs. This will open up opportunities to provide goods and services to our projects and developments.
Our projects are open for all companies. And this is a special consideration towards your participation for the ongoing registration
To register, Kindly confirm your interest by requesting for Vendor Questionnaire and EOI.
We look forward to potentially working with you!
Best Regards
Mr. Sameh Bakier
Vendor Coordinator Group Procurement & Contract
Shared Services Center of The Emirates Group

After replying to that e-mail and claiming to be interested, one receives an e-mail with three PDF documents, including, for example, the Emirates Vendor Assessment Policy. Truth be told, those documents look good and authentic. The mail also includes a “Vendor Regisgtration Acceptance Form”:

So they request a payment of AED 57.850 (equivalent to 15.000€) to start the vendor process. The domain sending the e-mails is theemirategroup.com, the original domain of The Emirates Group is theemiratesgroup.com. Take a look at the missing “s” in the domain…
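
A mail filter can catch this kind of near-miss domain automatically. The following is an added example (not binsec's code): it compares the sender domain with a list of domains the organisation really deals with and flags small edit distances. The trusted list, the threshold and the function names are assumptions made for this illustration.

```python
def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Domain part of an e-mail address, lowercased, without trailing dot."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def classify_sender(address, trusted, max_distance=2):
    """Return (verdict, matched_domain).

    'trusted'   : exact match with a known domain
    'lookalike' : not identical, but within max_distance edits of one
    'unknown'   : nothing similar on the list
    A threshold of 2 suits long names; very short domains need a stricter one.
    """
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted", domain
    best = min(trusted, key=lambda t: edit_distance(domain, t))
    if edit_distance(domain, best) <= max_distance:
        return "lookalike", best
    return "unknown", None

# Assumed allow-list for this example; the first entry is the genuine
# domain named in the text above.
TRUSTED = {"theemiratesgroup.com", "binsec.tools"}

if __name__ == "__main__":
    for sender in ("vendor.registration@theemirategroup.com",
                   "procurement@theemiratesgroup.com",
                   "info@example.org"):
        print(sender, "->", classify_sender(sender, TRUSTED))
```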

Free Online TLS Test for a Specific Custom Port, Alternative to 443

Are you looking for a free online tool that checks and tests the SSL/TLS configuration on a specific custom port other than 443? Then check out the binsec.tools SSLCheck – there you can specify the port that should be tested, such as 8443. The SSLScan of binsec.tools gives you an overview of the protocols and ciphers of the TLS configuration and checks the level of security. It even supports testing StartTLS for SMTP, IMAP and LDAP.

binsec.tools – WebCompScan

WebCompScan from binsec.tools enables you to identify the technologies used on websites and check whether they are outdated or vulnerable.

The technologies that the WebCompScan tool can detect include CMS systems, web servers, programming languages, JavaScript libraries, and also payment methods offered.

To detect the technologies, it uses open source databases with regex patterns. The website to be checked is automatically opened in a browser, and the patterns are used to check whether the various components of the website contain indications of known technologies. In addition to HTTP headers and the HTML source code of the website, the Document Object Model (DOM) and the JavaScript variables are also analyzed.

In some cases, version information on the software components used can also be obtained in this way. In the next step, these are checked against an open source database for known vulnerabilities. It is also checked whether the software components are still supported by the manufacturer or are already end of life.

In principle, all of this information is public, but binsec.tools combines it into one free pentest tool.
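
The pattern matching and the version check described above, reduced to headers and HTML, as an added example (not WebCompScan's code). The fingerprints, the response and the `MIN_SUPPORTED` table are constructed for illustration; the table is not real lifecycle data.

```python
import re

# Constructed fingerprints: (technology, source, regex). The source is
# "html" or "header:<name>"; group 1, if it matches, is the version.
FINGERPRINTS = [
    ("nginx", "header:server", r"nginx(?:/([\d.]+))?"),
    ("PHP", "header:x-powered-by", r"PHP(?:/([\d.]+))?"),
    ("WordPress", "html", r'<meta name="generator" content="WordPress ?([\d.]+)?'),
    ("jQuery", "html", r"jquery[.-]([\d.]+?)(?:\.min)?\.js"),
]

# Constructed policy table, NOT real lifecycle data: oldest version that
# this example treats as still supported.
MIN_SUPPORTED = {"nginx": "1.24", "PHP": "8.1", "WordPress": "6.0", "jQuery": "3.5"}

# Constructed response of a site under review.
HEADERS = {"Server": "nginx/1.18.0", "X-Powered-By": "PHP"}
HTML = ('<html><head><meta name="generator" content="WordPress 6.4.2">'
        '<script src="/js/jquery-3.3.1.min.js"></script></head></html>')

def vtuple(version: str):
    """'1.18.0' -> (1, 18, 0) so versions compare numerically."""
    return tuple(int(p) for p in version.split(".") if p)

def detect(headers, html):
    """Return {technology: version or None} for every matching fingerprint."""
    headers = {k.lower(): v for k, v in headers.items()}
    hits = {}
    for name, source, pattern in FINGERPRINTS:
        text = html if source == "html" else headers.get(source.split(":", 1)[1], "")
        match = re.search(pattern, text, re.IGNORECASE)
        if match:
            hits[name] = match.group(1)  # None when no version is disclosed
    return hits

def assess(hits):
    """Label each detected technology 'outdated', 'ok' or 'version unknown'."""
    report = {}
    for name, version in hits.items():
        if version is None:
            report[name] = "version unknown"
        else:
            old = vtuple(version) < vtuple(MIN_SUPPORTED[name])
            report[name] = "outdated" if old else "ok"
    return report

if __name__ == "__main__":
    print(assess(detect(HEADERS, HTML)))
```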

Starting: binsec.tools | Online Tools for Penetration Testing

The binsec group launches binsec.tools:

https://binsec.tools | Online Tools for Penetration Testing

  • SSLCheck: The SSLCheck module will show the available SSL/TLS protocols, ciphers and additional certificate information. The scan will run multiple SSL/TLS connections to the target domain.
  • WebCompScan: WebCompScan will browse to the given URL and will try to find used technologies by different methods on the available information like DOM, headers and many more. This scan is not invasive as it will only browse the website once like any other browser. 
  • DNSCheck: The DNSCheck will perform security and validation checks on the given DNS domain. This check is not invasive and will perform standard DNS lookups.