Overview
The Penetration Tests module lets you plan, execute, and track penetration testing engagements directly in Matproof. Connect your testing provider, import findings, track remediation, and automatically link results as evidence against the relevant compliance controls.

Penetration testing is required or recommended by most compliance frameworks:

| Framework | Requirement |
|---|---|
| DORA | TLPT (Threat-Led Penetration Testing) every 3 years for significant entities |
| ISO 27001 | A.18.2.3 - Technical compliance review |
| SOC 2 | CC7.1 - System monitoring and penetration testing |
| PCI DSS | Requirement 11.4 - Annual penetration testing |
| NIS2 | Article 21 - Testing effectiveness of cybersecurity measures |
Navigate to Penetration Tests in the sidebar to access the module.
Creating a test engagement
- Name - descriptive label (e.g., “Q1 2026 External Infrastructure Test”)
- Type - External network, internal network, web application, API, mobile, social engineering, or TLPT
- Scope - list the systems, networks, or applications being tested
- Provider - select your testing provider or enter a new one
- Scheduled dates - start and end dates for the engagement
The testing provider conducts the engagement. During the test period, the engagement status shows as In progress in Matproof.
Finding management
Each finding contains:

| Field | Description |
|---|---|
| Title | Short description of the vulnerability |
| Severity | Critical, High, Medium, Low, Informational |
| Description | Detailed description including the attack vector and impact |
| Affected asset | Which system or application is vulnerable |
| Status | Open, In remediation, Remediated, Accepted, False positive |
| Remediation owner | Team member responsible for fixing the issue |
| Due date | Target date for remediation |
| Evidence | Proof of remediation (screenshot, configuration change, retest result) |
Remediation workflow
- Review imported findings and assign owners
- Set remediation due dates based on severity:
  - Critical: 7 days (recommended)
  - High: 30 days
  - Medium: 90 days
  - Low: next scheduled maintenance window
- Owners update the finding status as they work through fixes
- Upload remediation evidence (configuration changes, patches applied, retest results)
- When all findings are addressed, mark the engagement as Completed
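The severity windows and statuses above, applied to a findings list to flag overdue items. This is an added example, not Matproof's own code or export format: the dictionary keys, the `reported` date as the start of the clock, and the caller-supplied maintenance date for Low findings are assumptions.

```python
from datetime import date, timedelta

# Day counts from the remediation workflow above. Low has no fixed window
# (next scheduled maintenance window), so the caller supplies that date.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90}
# Statuses from the finding table that need no further remediation work.
CLOSED = {"Remediated", "Accepted", "False positive"}


def due_date(severity, reported, next_maintenance=None):
    """Return the target remediation date, or None if none applies."""
    if severity in SLA_DAYS:
        return reported + timedelta(days=SLA_DAYS[severity])
    if severity == "Low":
        return next_maintenance
    if severity == "Informational":
        return None  # the workflow lists no window for Informational
    raise ValueError(f"unknown severity: {severity!r}")


def overdue(findings, today, next_maintenance=None):
    """Return (title, due, days_late) for open findings past their due date."""
    late = []
    for f in findings:
        if f["status"] in CLOSED:
            continue
        # An explicit due date on the finding wins over the computed one.
        due = f.get("due") or due_date(f["severity"], f["reported"], next_maintenance)
        if due is not None and today > due:
            late.append((f["title"], due, (today - due).days))
    return sorted(late, key=lambda row: row[2], reverse=True)  # most overdue first


# Constructed sample findings (not real data); key names are assumptions.
SAMPLE = [
    {"title": "Constructed finding A", "severity": "Critical", "status": "Open", "reported": date(2026, 1, 5)},
    {"title": "Constructed finding B", "severity": "High", "status": "In remediation", "reported": date(2026, 1, 5)},
    {"title": "Constructed finding C", "severity": "Medium", "status": "Accepted", "reported": date(2025, 9, 1)},
    {"title": "Constructed finding D", "severity": "Low", "status": "Open", "reported": date(2026, 1, 5)},
]

if __name__ == "__main__":
    for title, due, days in overdue(SAMPLE, date(2026, 2, 10), date(2026, 2, 1)):
        print(f"{title}: due {due}, {days} days late")
```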
Provider integration
Matproof integrates with penetration testing providers to streamline finding import:
- Manual upload - upload the provider’s report in PDF, CSV, or JSON
- API integration - for providers with API access, configure automatic finding sync
- Go to Settings - Integrations - Penetration Testing
- Select your provider or add a custom one
- Follow the setup instructions for API-based sync
Linking to compliance controls
Penetration test results serve as evidence for multiple framework controls. To link findings:
- Open a completed engagement
- Click Link to controls
- Matproof suggests relevant controls based on the engagement type and findings
- Confirm the mapping - the engagement summary and finding status become evidence on those controls
Scheduling and reminders
Stay on top of your testing program:
- Go to Penetration Tests - Schedule
- Set up recurring reminders (e.g., “External pentest due every 12 months”)
- Matproof sends notifications 30 days before the next test is due
- Track compliance with testing schedules from the dashboard
Reporting
Generate penetration test summary reports:
- Open a completed engagement
- Click Generate report
- The report includes: scope, findings by severity, remediation status, and timeline
- Export as PDF for management review or audit evidence