Datasheet

Reporting, Templates and Delivery

About this datasheet

Turn live vulnerability data into branded, versioned, integrity-signed deliverables, then deliver them by email, public link, or schedule, all from one ViewModel pipeline.

The report domain is PMAP's document generation engine. It produces multi-format security reports from live vulnerability data, and every one is built from the same format-independent ViewModel and rendered to PDF, DOCX, or HTML on demand. A report is not a static export. It is a governed artefact with a lifecycle, a version history, and an optional signature.

Three domains cooperate. The report domain owns generation, scheduling, delivery, signing, and comparison. The reporttemplate domain is the configuration layer deciding which sections render, which findings qualify, and how output is branded. The reportshare domain distributes the finished file to people without a PMAP account through random public tokens.

One ViewModel feeds three renderers: editable where it needs to be, pixel-faithful where it needs to be.
A consulting practice lives or dies by its deliverables, yet the deliverable is usually where the tooling stops. PMAP treats the report as a product of the platform, driven by the same governed data that drives triage.

At a glance

  • Backend domains: report, reporttemplate, reportshare (Go modular monolith)
  • Report types: Six first-class types; scope_type derived automatically from report_type
  • Output formats: PDF (headless Chromium), DOCX (native Go), HTML, one shared ViewModel
  • Generation: Async in-process queue; queued, generating, completed, failed
  • Versioning: Every generation versioned; MinIO objects under timestamped keys, never overwritten
  • Integrity: SHA-256 file signing with a public, no-account QR-verifiable check
  • Sharing: 64-hex public tokens, optional bcrypt password and expiry, no account required

How it works

One ViewModel, many destinations. Live finding data becomes a versioned, integrity-signed report that renders to PDF, DOCX, or HTML and reaches its audience by email, public link, or schedule.

Onboarding a large estate cannot freeze the interface while a report renders. A generate call sets the status to queued synchronously and returns immediately, and a single worker goroutine then processes the buffered in-process queue serially. A download before the file exists returns ErrNotYetGenerated as HTTP 422 rather than a partial file.

A finished report has to reach an audience. PMAP schedules generation on a one-time or recurring cadence, emails the file to many recipients with optional AES-256 PDF encryption, signs it with a SHA-256 fingerprint that any recipient can verify, and shares it over a no-account public token, all from the same domain.

Key capabilities

  • Scheduled, unattended generation. A one-time scheduled_at or a recurring schedule_cron drives generation without a person present. The RunDueScheduled runner finds due reports, clears the schedule before firing to avoid a double trigger on a slow run, and calls Generate per report, preserving a recurring cron for the next cycle.
  • Email delivery with encryption. A completed report is emailed to multiple recipients at once, optionally in several formats. When a delivery_password is set, encryptPDF builds an AES-256 configuration through pdfcpu with permissions none and encrypts the attachment in memory before it leaves the platform. The original is never silently sent in the clear.
  • Rule-based narrative. The executive summary is generated by a deliberately rule-based and local generator: zero external dependencies and no large language model, which suits air-gapped deployments. The seven-section output reads the aggregated counts and only mentions what is present, so a clean posture reads as one and figures stay consistent with the cover.
  • Integrity signing and QR. Signing hashes the generated file with SHA-256, stores the digest in report_signatures, and returns a QR code to a public verify endpoint. A recipient scans it and the server confirms whether the file matches, without a PMAP account. It is an integrity check, not a download path.
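
The sign-then-verify flow from "Integrity signing and QR", as an added Go example that is not PMAP's own code: a digest is recorded per report version, and the public check answers match or no-match without ever serving the file. It assumes the recipient hashes the file locally and submits the digest; SignatureStore, Sign, VerifyDigest, VerifyFile, ErrNoSignature and the object key are hypothetical names.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignatureStore (hypothetical) stands in for report_signatures: version key -> SHA-256 digest.
type SignatureStore map[string][sha256.Size]byte

var ErrNoSignature = errors.New("no signature recorded for this report version")

// Sign hashes the generated file, records the digest, and returns the hex
// fingerprint that a QR code pointing at the verify endpoint could carry.
func (s SignatureStore) Sign(key string, file []byte) string {
	d := sha256.Sum256(file)
	s[key] = d
	return hex.EncodeToString(d[:])
}

// VerifyDigest is the public check: the caller supplies a digest computed
// locally, so the endpoint answers match/no-match and never serves the file.
func (s SignatureStore) VerifyDigest(key, hexDigest string) (bool, error) {
	want, ok := s[key]
	if !ok {
		return false, ErrNoSignature
	}
	got, err := hex.DecodeString(hexDigest)
	if err != nil || len(got) != sha256.Size {
		return false, errors.New("digest must be 64 hex characters")
	}
	return subtle.ConstantTimeCompare(want[:], got) == 1, nil
}

// VerifyFile is the recipient side: hash the received bytes, then ask.
func (s SignatureStore) VerifyFile(key string, file []byte) (bool, error) {
	d := sha256.Sum256(file)
	return s.VerifyDigest(key, hex.EncodeToString(d[:]))
}

func main() {
	s, key := SignatureStore{}, "reports/demo/v1.pdf" // constructed key and sample bytes
	fp := s.Sign(key, []byte("constructed report bytes"))
	same, _ := s.VerifyFile(key, []byte("constructed report bytes"))
	edited, _ := s.VerifyFile(key, []byte("constructed report bytes, edited"))
	fmt.Println(fp, same, edited)
}
```

A SHA-256 digest is unkeyed, so a match shows only that the file equals what the server recorded. The assurance therefore depends on the recipient reaching the genuine verify endpoint.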

Use cases

  • Deliver a branded pentest report. A pentest lead generates a project_technical report from a system template. Generation is asynchronous, so the interface stays responsive while the worker renders a branded PDF through headless Chromium. A later regeneration adds a new version rather than overwriting the client copy.
  • Schedule an unattended posture report. A security manager configures a monthly company_risk_posture report with a recurring cron and a delivery password. Each cycle the background runner generates a fresh version, encrypts the PDF with AES-256, and emails it to the executive list, recording every recipient outcome in the delivery log.
  • Prove integrity to a compliance officer. A compliance officer signs a completed report, producing a SHA-256 fingerprint and a QR code to a public verify endpoint. The officer shares the QR code alongside the file, and an auditor confirms the document is byte-for-byte the signed version without a PMAP account.

One ViewModel, versioned and integrity-signed, reaching every destination from one stored artefact.
