Playbook and Checklist Management
Standardize assessment baselines using system and organization playbooks, versioning, and JSON import or export.
Playbooks help security teams standardize their testing methodologies. By defining categories and checklist items, you ensure that auditors follow consistent testing baselines across different engagements.
System vs. Organization Playbooks
Pentographer supports two levels of playbooks:
- System Playbooks: These are global methodologies (such as the OWASP Top 10) available to all workspaces. They display a System badge in the interface. To populate these playbooks on a fresh database, administrators must run the database seed script: `pnpm db:seed`
- Organization Playbooks: These are custom methodologies created by or imported into your workspace. They are private to your organization and do not display a System badge.
Creating and Editing Playbooks
To create a custom playbook:
- Navigate to the Playbooks page.
- Click New Playbook and enter a name.
- Click Save.
Managing Categories and Items
Once you create a playbook, you can define its structure:
- Add Category: Create logical groupings (such as "Authentication Testing" or "Data Protection").
- Add Item: Insert specific test cases within a category.
When you add or edit an item, you can configure:
- The default risk level (such as Critical, High, Medium, Low, or Informational).
- The framework reference identifier (such as OWASP or ASVS mapping).
- The vulnerability description template.
- The remediation advice template.
- The active toggle (to temporarily disable check items without deleting them).
When you link a project finding to a playbook item, Pentographer auto-populates the finding title, risk level, description, and remediation fields with these configured templates. To learn how to generate these structures using AI, see the AI Drafting Assistant guide.
Versioning and Publishing
New playbooks start in a Draft state. To use a playbook on active projects, you must publish it:
- Open the draft playbook.
- Click Publish Version.
- The badge changes to v1.0 and the playbook becomes active.
If you need to make changes to a published playbook, click Create Draft to start editing a new draft version. Active projects continue using the published version until you publish the new update.
Importing and Exporting Playbooks
You can share playbooks between organizations or back up configurations using JSON files.
Exporting a Playbook
To export a playbook, open the playbook editor and click Export. The server returns a JSON configuration containing the playbook name, categories, and test items.
Importing a Playbook
To import a playbook:
- Navigate to the Playbooks list.
- Click the Import button in the header.
- Select your JSON playbook file.
- The system parses the file, creates a new organization-scoped playbook, and redirects you to the playbook editor.
[!NOTE] Imported playbooks are scoped to your active organization. They do not receive a global system badge.
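Because an import creates a new organization playbook straight from the file, it is worth sanity-checking a JSON export received from another organization before importing it. The TypeScript below is an added example, not Pentographer's own code and not its actual export schema: the field names (`name`, `categories`, `items`, `title`, `riskLevel`, `reference`, `description`, `remediation`, `active`) are assumptions modelled on the item settings described above, and both sample files are constructed. It validates the structure, checks every item's risk level against the documented set, flags duplicate titles within a category, and shows the field mapping used when a finding is pre-filled from an item.

```typescript
// Added example (not Pentographer's own code). The JSON shape below is an
// assumption based on the documented playbook settings, not the real schema.

type RiskLevel = "Critical" | "High" | "Medium" | "Low" | "Informational";
const RISK_LEVELS: RiskLevel[] = ["Critical", "High", "Medium", "Low", "Informational"];

interface PlaybookItem {
  title: string;
  riskLevel: RiskLevel;
  reference?: string;   // framework reference, e.g. an ASVS or OWASP id (assumed name)
  description: string;  // vulnerability description template
  remediation: string;  // remediation advice template
  active: boolean;      // inactive items stay in the file but are not used
}
interface PlaybookCategory { name: string; items: PlaybookItem[] }
interface Playbook { name: string; categories: PlaybookCategory[] }

/** Validate a parsed JSON value as a playbook; returns a list of problems (empty means OK). */
function validatePlaybook(data: unknown): string[] {
  const problems: string[] = [];
  if (typeof data !== "object" || data === null) return ["root is not an object"];
  const pb = data as Record<string, unknown>;
  if (typeof pb.name !== "string" || pb.name.trim() === "") problems.push("missing playbook name");
  const categories = pb.categories;
  if (!Array.isArray(categories) || categories.length === 0) {
    problems.push("playbook has no categories");
    return problems;
  }
  const seen = new Set<string>(); // category::title, lower-cased, to catch duplicate checks
  categories.forEach((cat: any, ci: number) => {
    if (typeof cat?.name !== "string" || cat.name.trim() === "") problems.push(`category[${ci}] has no name`);
    if (!Array.isArray(cat?.items)) { problems.push(`category[${ci}] has no items array`); return; }
    cat.items.forEach((item: any, ii: number) => {
      const where = `category[${ci}].items[${ii}]`;
      if (typeof item?.title !== "string" || item.title.trim() === "") problems.push(`${where} has no title`);
      if (!RISK_LEVELS.includes(item?.riskLevel)) problems.push(`${where} has invalid riskLevel "${item?.riskLevel}"`);
      if (typeof item?.active !== "boolean") problems.push(`${where} active must be boolean`);
      for (const f of ["description", "remediation"]) {
        if (typeof item?.[f] !== "string") problems.push(`${where} missing ${f} template`);
      }
      const key = `${cat?.name}::${item?.title}`.toLowerCase();
      if (seen.has(key)) problems.push(`${where} duplicates title "${item?.title}" in its category`);
      seen.add(key);
    });
  });
  return problems;
}

/** The fields a finding inherits when linked to an item (mirrors the documented auto-population). */
function draftFindingFromItem(item: PlaybookItem) {
  return { title: item.title, riskLevel: item.riskLevel, description: item.description, remediation: item.remediation };
}

function checkFile(json: string): string[] {
  return validatePlaybook(JSON.parse(json));
}

// Constructed sample export (not real data).
const sampleExport = JSON.stringify({
  name: "Web App Baseline",
  categories: [
    { name: "Authentication Testing", items: [
      { title: "Weak password policy", riskLevel: "Medium", reference: "ASVS V2.1",
        description: "The application accepts passwords that ...", remediation: "Enforce a minimum length ...", active: true },
      { title: "Missing brute-force protection", riskLevel: "High", reference: "ASVS V2.2",
        description: "Login allows unlimited attempts ...", remediation: "Add rate limiting and lockout ...", active: true },
    ]},
    { name: "Data Protection", items: [
      { title: "Sensitive data in URL", riskLevel: "Low", reference: "ASVS V8.3",
        description: "Tokens appear in query strings ...", remediation: "Move secrets to headers or body ...", active: false },
    ]},
  ],
});

// Constructed broken file: empty name, unknown risk level, non-boolean active, duplicate title.
const brokenExport = JSON.stringify({
  name: "",
  categories: [{ name: "Auth", items: [
    { title: "X", riskLevel: "Severe", description: "d", remediation: "r", active: true },
    { title: "x", riskLevel: "Low", description: "d", remediation: "r", active: "yes" },
  ]}],
});
```

Run `checkFile` on a received export and refuse to import when it returns any problems; `draftFindingFromItem` is only there to make the item-to-finding field mapping explicit, which is useful when reviewing templates before a playbook is published.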
Using a Playbook During an Engagement
Once a playbook is published and attached to a project, you can track which items have been tested by linking findings to checklist items as you work. See Tracking Playbook Coverage for a step-by-step walkthrough of the coverage workflow.
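As an added example (not code from Pentographer or from the Tracking Playbook Coverage guide), the TypeScript below computes coverage the way the sentence above describes: an active item counts as tested once a project finding is linked to it. The item ids, the `playbookItemId` field on findings and the sample data are assumptions. Inactive items are left out of the totals, findings not tied to any item are listed separately, and a finding whose linked item id does not exist in the playbook is reported as orphaned, which is worth checking after a new version has been published.

```typescript
// Added example (not Pentographer's own code). Field names (`id`, `active`,
// `playbookItemId`) and all sample data are assumptions.

interface ChecklistItem { id: string; title: string; active: boolean }
interface ChecklistCategory { name: string; items: ChecklistItem[] }
interface ProjectFinding { id: string; title: string; playbookItemId: string | null }

interface CategoryCoverage { category: string; tested: number; total: number; untested: string[] }
interface CoverageReport {
  overall: number;             // tested active items / all active items, 0..1
  perCategory: CategoryCoverage[];
  unlinkedFindings: string[];  // finding ids not tied to any checklist item
  orphanedLinks: string[];     // finding ids whose linked item is not in this playbook
}

function playbookCoverage(categories: ChecklistCategory[], findings: ProjectFinding[]): CoverageReport {
  const allIds = new Set<string>();
  for (const cat of categories) for (const item of cat.items) allIds.add(item.id);

  const linkedIds = new Set<string>();
  const unlinkedFindings: string[] = [];
  const orphanedLinks: string[] = [];
  for (const f of findings) {
    if (f.playbookItemId === null) unlinkedFindings.push(f.id);
    else if (!allIds.has(f.playbookItemId)) orphanedLinks.push(f.id);
    else linkedIds.add(f.playbookItemId);
  }

  // Only active items are expected to be tested, so they alone form the denominator.
  const perCategory: CategoryCoverage[] = categories.map(cat => {
    const active = cat.items.filter(i => i.active);
    const untested = active.filter(i => !linkedIds.has(i.id)).map(i => i.title);
    return { category: cat.name, tested: active.length - untested.length, total: active.length, untested };
  });
  const total = perCategory.reduce((n, c) => n + c.total, 0);
  const tested = perCategory.reduce((n, c) => n + c.tested, 0);
  return { overall: total === 0 ? 0 : tested / total, perCategory, unlinkedFindings, orphanedLinks };
}

// Constructed sample: a published playbook and one project's findings.
const samplePlaybook: ChecklistCategory[] = [
  { name: "Authentication Testing", items: [
    { id: "auth-1", title: "Weak password policy", active: true },
    { id: "auth-2", title: "Missing brute-force protection", active: true },
    { id: "auth-3", title: "Legacy SSO check", active: false },
  ]},
  { name: "Data Protection", items: [
    { id: "data-1", title: "Sensitive data in URL", active: true },
  ]},
];
const sampleFindings: ProjectFinding[] = [
  { id: "F-1", title: "Password policy allows 6 characters", playbookItemId: "auth-1" },
  { id: "F-2", title: "Session token in query string", playbookItemId: "data-1" },
  { id: "F-3", title: "Verbose error page", playbookItemId: null },
  { id: "F-4", title: "Linked to an item that is not in this playbook", playbookItemId: "auth-9" },
];

function sampleReport(): CoverageReport {
  return playbookCoverage(samplePlaybook, sampleFindings);
}
```

The `untested` list per category is the practical output: it is the set of active checks that still need either a linked finding or a deliberate decision that nothing was found, and the orphaned list surfaces findings that would otherwise silently drop out of the coverage view.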