ch3ngo/ai-offsec-reporting

🤖 AI Offsec Reporting

Markdown templates for security vulnerability reporting, designed for:

  • Security audits
  • Penetration testing
  • Red team operations
  • Web, mobile, API, infrastructure and network security
  • LLM-assisted workflows (GitHub Copilot, ChatGPT, etc.)

This project focuses on a single, clean and professional reporting structure, combined with a free-form LLM brief that allows generating complete vulnerability reports from raw notes and partial information.


📂 Repository structure

├── templates/
│   ├── template-es.md            # Spanish vulnerability template
│   ├── template-en.md            # English vulnerability template
│   ├── llm-input-es.md           # LLM input template (Spanish)
│   └── llm-input-en.md           # LLM input template (English)
├── examples/
│   └── llm-input-en-example.md   # Fully filled example
└── README.md


🧩 Template philosophy

  • Single template suitable for multiple vulnerability types.
  • CVSS v3.1 is always required.
  • Platform-agnostic (web, mobile, API, infra, AD, WiFi, cloud, red team).
  • LLM-first, optimized for incomplete and unstructured input.
  • Pure Markdown, ideal for Git, VS Code and document export.

🆔 Vulnerability ID convention

Each vulnerability identifier follows this format:

VULN-YYYY-XXX

Examples:

  • VULN-2026-001
  • VULN-2026-014

The numbering is manual by convention, avoiding external dependencies and working well with AI-assisted workflows.


🤖 Using the templates with LLMs

Recommended workflow

  1. Copy the desired template (vuln-template-es.md or vuln-template-en.md)
  2. Fill in the corresponding llm-input-*.md file with your raw findings:
    • Free text
    • Partial information
    • Payloads
    • Hypotheses
  3. Provide both files to the LLM with an instruction such as:

🇺🇸 English:
“Use the information from llm-input-en.md to complete the vulnerability template.
Do not invent data. If something is uncertain, clearly state assumptions instead of inventing facts.”

🇪🇸 Spanish:
"Utiliza la información de llm-input-es.md para completar la plantilla de la vulnerabilidad.
No inventes. Si algo no está claro, indica claramente suposiciones en vez de inventar hechos."

This approach:

  • Mirrors how pentesters actually take notes
  • Reduces friction
  • Allows the LLM to add real value
  • Avoids rigid forms and unnecessary structure

Manual usage

The templates can also be filled manually without any AI assistance, while keeping:

  • Traceability
  • Technical clarity
  • Professional reporting quality

📄 Exporting reports

Since the templates are written in Markdown, they can easily be exported with tools such as pandoc to:

  • PDF
  • DOCX
  • HTML


🤝 Contributing

Contributions are welcome:

  • Structure improvements
  • Field suggestions
  • Anonymized real-world examples

Feel free to open an issue or submit a pull request.


🔒 Disclaimer — Use of AI Models and Sensitive Data

This project is designed to assist with security vulnerability reporting, including workflows that may involve Large Language Models (LLMs).

Please be aware that online or hosted AI services may collect, log, or retain submitted data, depending on their terms of service and configuration.

Important considerations

  • Do not submit sensitive, confidential, or client-identifying information to online AI services.
  • Always anonymize assets, domains, IP addresses, usernames, and any customer-related data before using LLMs.
  • This repository does not recommend or endorse sharing real client data with third-party AI providers.
  • When handling real-world assessments, consider using:
    • Locally hosted LLMs
    • Self-hosted or private AI solutions
    • Models and tools that explicitly guarantee no data retention
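An added example, not part of this repository, of the anonymization step the considerations above call for, applied to raw notes before they are pasted into llm-input-en.md: IP addresses, hostnames and known usernames are replaced with stable placeholders, and the placeholder mapping stays on the tester's machine so the finished report can be de-anonymized locally. The regexes, the TLD list and the sample notes are assumptions.

```python
import re
from typing import Dict, Tuple

# Constructed sample of raw pentest notes (not real client data).
SAMPLE_NOTES = """Target: portal.acme-corp.example (10.20.30.40)
Logged in as jdoe, then pivoted to 10.20.30.41 (db host).
Note: https://portal.acme-corp.example/login reflects the username unescaped.
"""

# Assumed patterns; the TLD list is illustrative and should match the engagement scope.
_PATTERNS = [
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("HOST", re.compile(r"\b(?:[a-z0-9-]+\.)+(?:example|com|net|org|local)\b", re.I)),
]


def anonymize(text: str, usernames: Tuple[str, ...] = ()) -> Tuple[str, Dict[str, str]]:
    """Replace IPs, hostnames and the given usernames with stable placeholders.

    Returns the scrubbed text and a placeholder -> original mapping. The mapping
    must never leave the tester's machine; only the scrubbed text goes to an LLM.
    """
    mapping: Dict[str, str] = {}
    counters: Dict[str, int] = {}

    def placeholder(kind: str, original: str) -> str:
        for ph, orig in mapping.items():
            if orig == original:
                return ph  # same asset seen again -> same placeholder
        counters[kind] = counters.get(kind, 0) + 1
        ph = f"<{kind}-{counters[kind]}>"
        mapping[ph] = original
        return ph

    for kind, pattern in _PATTERNS:
        text = pattern.sub(lambda m, k=kind: placeholder(k, m.group(0)), text)
    for user in usernames:
        text = re.sub(rf"\b{re.escape(user)}\b",
                      lambda m: placeholder("USER", m.group(0)), text)
    return text, mapping


if __name__ == "__main__":
    scrubbed, mapping = anonymize(SAMPLE_NOTES, usernames=("jdoe",))
    print(scrubbed)
    print(mapping)  # keep this local, e.g. in a file outside the shared report
```

Review the scrubbed text by eye before sending it: regexes miss internal project names, ticket numbers and other identifying details that only a human recognizes.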

Responsibility

The user is solely responsible for ensuring compliance with:

  • client agreements,
  • internal security policies,
  • legal and regulatory requirements.

The authors and contributors of this project assume no responsibility for improper use of AI services or disclosure of sensitive information.


📜 License

This project is released under the MIT License.
