Use Case

Pentest project management from kickoff to invoice

Run penetration testing engagements as structured projects. Scope the work, assign your team, track findings live, deliver reports through a branded portal, and bill the engagement from one workspace.

No credit card required. Free plan available forever.

Pentest project management software for security firms and consultants

Most pentest firms grow into a familiar problem. The first ten engagements run from email and a shared drive. The next thirty stretch the model until it breaks: scope drifts because nobody owns the source of truth, findings sit in a tester's spreadsheet until report week, two testers log the same vulnerability with different severities, and the practice manager has to assemble the operating picture by hand every Monday morning. Generic project management tools like Jira and Asana help with task tracking but have no native concept of a finding, a CVSS vector, a retest, or a client portal, so the team ends up rebuilding the same fields by hand and still has nowhere to deliver the report.

SecPortal models the pentest as a structured engagement with scope, team, findings, deliverables, retests, and invoicing on a single record. The engagement is the project plan and the source of truth. Testers log findings with CVSS vectors against the engagement they are assigned to, AI report generation works from the live findings, each retest is paired to the original finding, and invoicing happens against the same engagement that delivered the work. The result is fewer handoffs, fewer transcription errors, and a portfolio view the practice manager can act on without rebuilding it from memory.

Project capabilities purpose-built for pentest delivery

Engagement record as the project plan

Each pentest is a structured engagement with scope, target list, rules of engagement, testing windows, and agreed deliverables captured against the record. The engagement is the project plan, not a separate Word document that nobody opens after week one.

Team assignment with role control

Pull engagement leads, testers, and reviewers in by role. Owner, admin, member, viewer, and billing roles keep junior testers scoped to assigned work while leads keep visibility across every active project. Onboarding a new tester is an email invite, not a week of provisioning.

Findings as structured data

Every finding is logged with a CVSS 3.1 vector, the severity derived from it, the affected asset, evidence, and remediation guidance from 300+ templates. The findings list is filterable, sortable, exportable, and reusable across engagements rather than buried in a Word table.

Live status across the portfolio

A single dashboard shows every active engagement, every assigned team member, every overdue finding, and every pending deliverable. Status meetings get shorter because the dashboard already answers the questions that used to drive them.

Reports tied to live findings

AI generates executive summaries, technical writeups, and remediation roadmaps directly from the engagement findings. The report is a view of the live data, not a copy that ages out the day after delivery.

Engagement-level invoicing

Each engagement carries its own invoice record. Generate invoices, send them through the branded portal, and collect payment via Stripe. Revenue per engagement is visible alongside delivery status so unbilled work stops slipping through.

Where pentest projects break, and how SecPortal closes the gap

The same handful of failure modes show up in almost every pentest practice that has outgrown email and spreadsheets. Each one is a structural problem with a structural fix.

Scope drifts because nobody owns the source of truth

The original quote lives in email, the kickoff notes live on a shared drive, and the test plan lives in a Notion page only one person edits. Three weeks in, the team is testing assets nobody remembers agreeing to. Keeping the engagement record itself as the scope means the same document the team works against is the document the client signed.

Findings sit in spreadsheets until report week

When findings are tracked in a working spreadsheet that only the lead tester sees, the rest of the team is blind until the report draft circulates. By that point the writeup is full of inconsistencies and the client is hours away from a delivery deadline. A shared findings database fixes this on day one of the engagement.

Quality varies between testers

Different testers structure findings differently, assign different CVSS vectors to the same class of issue, and write remediation guidance with different levels of detail. The client sees the inconsistency in the final report. Templates with pre-set vectors and consistent fields close most of the gap before AI report generation has to do any cleanup.

The post-delivery work is invisible

Reports get delivered, retests get billed, and remediation tracking happens over email. Three months later the team cannot answer the simple question of which findings are still open across which clients. Keeping retests, status, and closure on the same engagement record makes the post-delivery work visible and self-documenting.

One engagement record, five different views

Pentest projects are multi-stakeholder by default. The engagement lead, the tester, the reviewer, the practice manager, and the client contact each need a different view of the same work. SecPortal serves all five from the same engagement record so the data stays consistent and the views stay role-appropriate.

Role | What they see
Engagement lead | Sees scope, target list, rules of engagement, team, deliverables, and the live findings list. Approves CVSS calls, signs off on the report, and moves the engagement to delivered when the client confirms receipt.
Tester | Sees the engagements assigned to them, the targets in scope, and the findings they are working on. Logs new findings against the right engagement and target, attaches evidence, and updates status without seeing engagements that are not theirs.
Reviewer | Sees the engagement findings ready for QA, applies severity calibration, and sends items back with notes when needed. The review pass is part of the engagement record rather than a separate spreadsheet.
Practice manager | Sees every engagement across every client, the team load, the upcoming deliverables, the overdue items, and the revenue pipeline. The dashboard is the operating picture they used to assemble manually each Monday morning.
Client contact | Sees their own engagements through a branded portal: scope, agreed dates, live findings, the final report, retest status, and the invoice. They get a professional view of the engagement and the firm gets fewer status emails to answer.

The portfolio metrics that actually drive a pentest practice

Once engagements live as structured records, the practice gets a small set of operating metrics that previously took a quarterly spreadsheet to assemble. The six below are the ones most practice managers settle on.

  • Active engagements by stage so the practice manager sees what is in scoping, in delivery, in review, and waiting on client signoff at a glance.
  • Tester load measured in active engagements per person so resourcing decisions stop being a Slack negotiation and start being a planning conversation.
  • Findings velocity per engagement so a stalled test gets visible before the deadline, not after it.
  • Time-to-deliver per engagement type so the next quote is grounded in real numbers rather than optimistic memory.
  • Revenue by engagement and by client so the practice can price the next round of work from delivery cost data.
  • Retest closure rate so the firm can demonstrate that the engagement actually reduced risk, not just that the report shipped.

For pentest firms, MSSPs, and security consultants

The shape of the project management problem changes with the size and structure of the practice. The platform is built to serve all three of the common shapes from the same workspace.

Pentest firms

Multi-tester, multi-client practice running concurrent engagements. Use role-based access to scope juniors to their work, the dashboard to see practice-wide load, and engagement-level invoicing to keep delivery and revenue aligned.

MSSPs

Service delivery at scale across many clients with recurring engagements. Standardise engagement types, finding templates, and report structures so the same operating picture covers point-in-time pentests and continuous testing.

Independent consultants

Solo or small team practice that needs to look enterprise-grade from day one. Run every engagement through a branded portal, deliver structured reports without a project manager, and keep the back office to the platform itself.

How project management connects to the rest of the platform

Pentest project management is not a separate module bolted onto the platform. It sits on top of engagement management for scope and lifecycle, uses team management for assignment and role control, draws from findings management for the structured findings database, feeds AI reports for live deliverables, ships through the client portal for delivery, and closes with invoicing for billing.

Onboarding the client is its own structured workflow on the pentest client onboarding use case, so intake, scope, ROE, credentials, and portal access all land on the same record the engagement runs on. After delivery, the engagement flows into the remediation tracking workflow, so retests, owner assignment, and SLA tracking sit on the same record the project plan was built on. For the dedicated retest deliverable view, the pentest retesting use case covers retest scope, pricing models, and the verification status ladder that turns retest results into a structured deliverable.

When a tester rotates off mid-engagement (planned leave, priority reassignment, or scaling), the tester rotation and handover workflow keeps engagement state, in-flight findings, evidence, and access transferring cleanly so the project plan does not collapse at the change of personnel. When the engagement has to pause mid-test (production-impact incident, exposed credential, scope dispute, regulator hold), the pentest resume workflow captures the halt and the resume on the same engagement record so the project timeline survives the interruption.

Methodology-aligned by default

The engagement record covers scope, intelligence gathering notes, threat model, findings, exploitation evidence, and reporting in line with the Penetration Testing Execution Standard. Methodology compliance becomes a property of the workspace rather than a separate artefact.

Reusable scoping primitives

Pair the workflow with the scope of work template, the kickoff meeting agenda, the pricing playbook, and the research on pentest scope creep so kickoff is grounded in real numbers and a written scope rather than a verbal agreement that drifts mid-engagement.

Pentest project management is one of those workflows that looks small from the outside and turns into the single biggest source of operating leverage once it is in place. Engagements stop slipping, deliverables stop being late, the practice manager stops rebuilding the operating picture every Monday, and the team gets back the hours that used to disappear into spreadsheet reconciliation. The goal of this workflow is to make running pentests as projects the path of least resistance for the firm and the path of least friction for the client.

Frequently asked questions about pentest project management

What is pentest project management software?

Pentest project management software is a platform that handles the operational side of running penetration testing engagements: scope, team assignment, findings tracking, report generation, retest workflow, and invoicing. SecPortal treats every pentest as a structured engagement record with a defined lifecycle so the same workspace covers kickoff, delivery, retest, and billing rather than splitting the project across email, spreadsheets, Word, and an accounting tool.

How is this different from generic project management tools like Jira or Asana?

Generic project management tools have no native concept of a finding, a CVSS vector, a retest, or a client portal. Pentest project management software models those entities directly. SecPortal stores findings as structured data with severity and evidence, calculates the CVSS score from the logged vector, pairs retests to original findings, and gives the client a branded portal view of their own engagements. A pentest team that runs in Jira ends up rebuilding the same fields by hand and still has nowhere to deliver the report.

Can multiple testers work on the same engagement at once?

Yes. Assign multiple team members to a single engagement, log findings concurrently against the shared engagement record, and use role-based access to keep visibility scoped appropriately. Activity is timestamped per user so the engagement record shows who logged what and when, which removes the manual coordination overhead that usually shows up on multi-tester engagements.

How does report generation fit into the project workflow?

Reports are generated from the live engagement findings, not from a separate spreadsheet. Once findings are logged with CVSS vectors and remediation guidance, AI report generation produces the executive summary, technical writeup, and remediation roadmap in seconds. The report is a view of the engagement data, so updating a finding updates the report rather than requiring a manual edit pass.

How do retests and remediation tracking fit in after delivery?

The engagement does not end at report delivery. Retests are paired to the original finding so the audit trail shows the original scope, the fix, the retest evidence, and the final outcome on a single record. Remediation tracking continues inside the branded client portal where clients update fix status and post questions tied to the finding. See the remediation tracking use case for the deeper workflow.

Does the platform handle invoicing for the engagement?

Yes. Each engagement carries its own invoice record. Create invoices, deliver them through the branded portal, and collect payment via Stripe. Revenue per engagement is visible next to delivery status, so unbilled engagements stop slipping through and the practice can see margin per engagement type rather than just total revenue per quarter.

How it works in SecPortal

A streamlined workflow from start to finish.

1. Scope and kickoff

Create the engagement, capture scope, rules of engagement, target list, testing windows, and the agreed deliverables. The record becomes the single source of truth for everyone working the project.

2. Assign the team

Pull engagement leads, testers, and reviewers in by role. Role-based access keeps junior testers scoped to their assigned engagements while leads keep visibility across every active project.

3. Track findings live

Findings are logged with CVSS 3.1 vectors, severity, evidence, and remediation guidance from 300+ templates. Status, owner, and timestamps update in place rather than across spreadsheets.

4. Review, report, deliver

AI generates the executive summary, technical writeup, and remediation roadmap from the live findings. Deliver through a branded client portal so the report is the workspace, not a frozen PDF.

5. Retest, close, invoice

Run the retest, pair the result to the original finding, and close the engagement. Generate the invoice against the same engagement record and collect payment through Stripe.

Run pentests as projects, not as fire drills

Scope, team, findings, reports, retests, and invoicing in one workspace. Start free.
