Every pentest ends the same way: a long list of findings. Twenty, fifty, sometimes more. Then comes the question nobody likes: "so how do we track the fixing of all this?" The default answer, in nine out of ten places, is the same: a spreadsheet. And I promise you, from experience, the spreadsheet always falls apart.
Why the vulnerability spreadsheet can't hold
At first it looks organized. Two weeks later it's a graveyard. The failure modes are always the same:
- Priority by gut feeling. The spreadsheet doesn't know what's worse. Whoever shouts loudest decides what gets fixed first, not the real risk. The CVSS score sits in a column nobody sorts by.
- A deadline nobody chases. That critical finding that had to be fixed in 24h? Three months later it's still "open", and nobody noticed, because a spreadsheet doesn't nag. An SLA with no alarm is decoration.
- "Who's fixing this?" Security in one tab, dev in email, the manager on WhatsApp. The info scatters and nobody knows the real status of anything.
- Zero proof. Fixed when? Who moved it to "done"? Where's the screenshot that shows the fix? All gone. When the client (or the auditor) asks, there's no history.
- The report, by hand, every time. To show the board or hand it to the client, someone builds a document from scratch — again — copy-pasting from the spreadsheet.
The underlying problem: finding the flaw is the pentest's job. Managing the fix — prioritizing, chasing deadlines, assigning, recording and proving — is a different job, and the spreadsheet wasn't built for it.
The solution: VulnGuard, and fixing becomes a flow
I got tired of seeing this and built VulnGuard: a vulnerability-management platform that takes that loose list and turns it into a real remediation flow. What it does that the spreadsheet doesn't:
- Automatic severity and deadline. You enter the CVSS score and the system sets the severity and the SLA instantly: Critical gets 24h, High 7 days, Medium 30 days, Low 90 days. The clock starts on its own, with nobody guessing.
- Workflow with an audit trail. Each finding moves through statuses (New → In review → Fixing → Mitigated), and every change is logged: who made it, from which status to which, and when. The "proof" that vanished in the spreadsheet is now recorded automatically.
- Real teamwork. Teams isolated by code, roles (manager/member) and comments on each finding — security and dev talking in one place, not across three apps.
- PDF report in one click. The executive document for the board or the client comes out ready, with the numbers and the detail — no building slides by hand.
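As an added worked example (not VulnGuard's own code, which is PHP), here is the severity-and-SLA rule from the FAQ plus a minimal status workflow with an append-only audit trail, in Python. The thresholds and SLA windows are the ones the page states (≥9 Critical/24h, ≥7 High/7 days, ≥4 Medium/30 days, else Low/90 days); the allowed transitions, the actor names, the finding title and the timestamps are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Severity bands exactly as the page's FAQ states them. Each floor is an
# inclusive lower bound on the CVSS score, checked from highest to lowest.
SEVERITY_BANDS = (
    (9.0, "Critical", timedelta(hours=24)),
    (7.0, "High", timedelta(days=7)),
    (4.0, "Medium", timedelta(days=30)),
    (0.0, "Low", timedelta(days=90)),
)

# Allowed status transitions (assumption: the page names the four statuses,
# not which moves are legal). A finding may be sent back one step, and
# nothing can jump straight from New to Mitigated.
TRANSITIONS = {
    "New": {"In review"},
    "In review": {"Fixing", "New"},
    "Fixing": {"Mitigated", "In review"},
    "Mitigated": set(),
}


def classify(cvss: float) -> tuple[str, timedelta]:
    """Map a CVSS score to (severity, SLA window). Rejects out-of-range input
    so a typo like 95 cannot silently become 'Critical'."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    for floor, name, window in SEVERITY_BANDS:
        if cvss >= floor:
            return name, window
    raise AssertionError("unreachable: the 0.0 band catches everything")


@dataclass(frozen=True)
class AuditEntry:
    """One immutable log line: who changed what, from what to what, and when."""
    actor: str
    attribute: str
    old: str
    new: str
    at: datetime


@dataclass
class Finding:
    title: str
    cvss: float
    created_at: datetime
    status: str = "New"
    severity: str = field(init=False)
    due_at: datetime = field(init=False)
    _audit: list = field(default_factory=list, repr=False)

    def __post_init__(self) -> None:
        # Severity and deadline are derived server-side at creation; nobody
        # types the due date by hand.
        self.severity, window = classify(self.cvss)
        self.due_at = self.created_at + window
        self._audit.append(AuditEntry("system", "status", "", "New", self.created_at))

    def transition(self, new_status: str, actor: str, at: datetime) -> None:
        """Move the finding and append to the audit log; illegal moves are refused."""
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"{self.status} -> {new_status} is not an allowed transition")
        self._audit.append(AuditEntry(actor, "status", self.status, new_status, at))
        self.status = new_status

    def is_overdue(self, now: datetime) -> bool:
        """Open past its SLA deadline. Mitigated findings never count as overdue."""
        return self.status != "Mitigated" and now > self.due_at

    def audit_trail(self) -> tuple[AuditEntry, ...]:
        """Read-only view: callers get a tuple of frozen entries, never the list."""
        return tuple(self._audit)


def example_timeline() -> dict:
    """Constructed sample: a critical finding opened at a fixed time, reviewed
    and moved to Fixing, then checked 20h and 30h later. Also shows the
    workflow refusing a jump from New straight to Mitigated."""
    opened = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    f = Finding("Auth bypass on login endpoint", 9.8, opened)  # hypothetical finding
    f.transition("In review", "alice", opened + timedelta(hours=2))
    f.transition("Fixing", "bob", opened + timedelta(hours=5))

    rejected = False
    try:
        Finding("Verbose error page", 5.0, opened).transition("Mitigated", "carol", opened)
    except ValueError:
        rejected = True

    return {
        "severity": f.severity,
        "due_at": f.due_at.isoformat(),
        "overdue_at_20h": f.is_overdue(opened + timedelta(hours=20)),
        "overdue_at_30h": f.is_overdue(opened + timedelta(hours=30)),
        "audit": [(e.actor, e.old, e.new) for e in f.audit_trail()],
        "rejected_skip": rejected,
    }


if __name__ == "__main__":
    for key, value in example_timeline().items():
        print(f"{key}: {value}")
```

Two design points worth carrying into any real implementation: the boundaries are inclusive (a 7.0 is High, a 6.9 is Medium), so test the exact threshold values, and the deadline is computed from the server's creation timestamp rather than entered by a user, which is what makes the SLA and the audit trail trustworthy. Note also that a score alone says nothing about exposure; an internet-facing Medium may deserve the High window, which is a judgment the tool should record as an explicit, logged override rather than a silent edit.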
And you don't have to take my word for it: there's a live, read-only demo, no signup. You open it, browse the dashboard and the findings list, open a vulnerability and even generate the PDF, all on fictitious data, and nothing is persisted.
Not a mockup — a real system
I want to be clear: VulnGuard is a full multi-user SaaS, and I built it as proof of work too. Under the hood it's PHP 8 with PDO and prepared statements everywhere (user input is bound as parameters, never concatenated into SQL), per-team data isolation (multi-tenant) with roles, an append-only audit trail and the SLA engine computing severity and deadlines on the server, not in the browser. The demo you open is the same system, just in read-only mode.
FAQ
Can I try it without signing up? Yes. The demo is read-only, with fictitious data: browse the dashboard and the list, open a finding and generate the PDF, all without logging in.
How does it set priority and deadline? From the CVSS, on the server: ≥9 Critical (24h SLA), ≥7 High (7 days), ≥4 Medium (30 days), the rest Low (90 days).
Can teams work together? Yes: teams isolated by code, roles (manager/member), comments and an audit trail per finding.
Who is it for? Anyone who runs or receives a pentest — pentesters, AppSec, product security and dev — who needs to track fixes with a deadline and proof.