We just launched PenTest.WS v2.3, and it’s a big one, especially if your red team ops go beyond just scanning ports and popping shells. With this release, we’re giving Pro Tier users new tools to track and understand the people behind the infrastructure. Because sometimes the weakest link isn’t a host, it’s a human.

People Hacking

Social engineering is more than just an attack vector, it’s a workflow. And now you can track it like one.

People Hacking gives you a dedicated space to track social engineering targets, tactics, and outcomes. Each person is a first-class object, complete with contact details, tags, profile URLs, locations, and communication history.

People Hacking lets you:

Log phone calls, phishing attempts, texts, or in-person interactions
Assign custom tags to track roles, regions, risk levels, or anything else
Link SE engagements directly to findings as supporting evidence
Capture everything in one searchable, structured view

No more scattered notes or one-off spreadsheets. With People Hacking, social engineering becomes a trackable, repeatable part of your red team ops.

For more information, visit the docs:
https://docs.pentest.ws/people-and-events/people-hacking

Available now in Pro Tier. Because real-world attackers don’t stop at the firewall, and neither should you.

Events Timeline

Every op leaves behind a trail of actions, commands, and interactions. Now you can see them all – organized, timestamped, and linked – in the new Events Timeline.

The Events Timeline tracks everything you do across:

Hosts
Services
People
Detections
Social Engineering interactions

Quickly log any event with built-in shortcuts – like when you vish a target, phish credentials, or run a tool. Just click “Add Event” to capture everything: summary, metadata, related objects, and context.

Better yet: every time you launch a command from the Service Command Library (via Copy Command in Hosts or Services), an event is automatically created and linked to the relevant host or port. No extra clicks, no forgotten steps.

All events are UTC timestamped to simplify cross-system correlation.

🔒 Evidence Locking

When an event becomes critical to your story, tag it as Evidence. From that moment on, it’s immutable – locked from edits or deletion – to preserve the integrity of your timeline and findings. This ensures you have a defensible, auditable chain of actions tied directly to your report.

For more information, visit the docs:
https://docs.pentest.ws/people-and-events/events-timeline

Available now in Pro Tier. Build a real timeline. Back it with real evidence.

Report Engine Update

Breaking Change: Report Template Syntax Update
PenTest.WS now uses {{ and }} as the default delimiters for report template commands, replacing the previous { and } syntax.

This update improves compatibility with more complex templating scenarios.

If you maintain custom report templates, you’ll need to update any placeholders like {engagement.name} to {{engagement.name}} to ensure they continue rendering correctly.

Until then, use the "Generate Legacy Report" button to generate reports using the old syntax.

We’ve officially sunset support for LibreOffice in the main report engine. You’ll still find “Generate Legacy Report” available for now, but moving forward, all reports are optimized for Microsoft Word (.docx).

This change was made to ensure full compatibility with embedded HTML content – like rich text from summaries, notes, and evidence fields – which LibreOffice often struggles to handle cleanly. Over the years, these issues have created friction for users and undermined the reliability of the reporting experience.

Our focus is on stability and precision, especially for users generating formal deliverables. Supporting LibreOffice was a well-intentioned effort to reduce cost barriers, but ultimately, Word is the only platform that consistently handles the full range of features we support.

For an updated Report Template which includes People & Events:
https://docs.pentest.ws/clients-and-reporting/reporting-templates

This update applies to all tiers: Free, Hobby, and Pro.

Defenders, Meet Your New Ally

PenTest.WS is built for red teams. ChallengeWord is built for blue.

Social engineering remains one of the most effective attack vectors. While technical defenses are essential, empowering your team to verify identities in real time is just as critical.

ChallengeWord introduces a human-centric layer of security by providing your team with a rotating, shared secret word, on-demand. It gives employees a discreet, low-friction way to confirm the legitimacy of unexpected calls, texts, or in-person interactions, without confrontation.

By integrating ChallengeWord into your security protocol, you equip your team to:

Quickly identify impersonators attempting to breach your organization.
Enhance existing training with a practical, real-time verification tool.
Reduce the risk of falling victim to vishing, smishing, and other social engineering tactics.

It’s a straightforward solution to a complex problem, designed to bolster your organization’s human firewall.

Learn more about ChallengeWord or request a demo today!

PenTest.WS Pro is just around the corner! Today we’re pushing a small point release to the online version, including both the Free Tier and the Hobby Tier.

Echo Up Goes Base64

One of the first dedicated tools built into PTWS was Echo Up. This tool is used to easily create files through a terminal interface and relies on the echo command. Previously, Echo Up would double encode single quotes and double quotes, and echo the contents line by line into an output file.

Thanks to @4lph4b and the b64chunk.py script, Echo Up is getting new capabilities. More resilient to non-alphanumeric characters, Echo Up now encodes your file into Base64 and uses a series of targeted shell commands to create the file on a remote server.

There are three options: bash, cmd, and Powershell. Each one works slightly differently, but the end result is the same: an exact copy of your file, on the remote server, using nothing but shell commands. You simply copy and paste these commands into your terminal session, no additional ports or protocols needed.

Note: b64chunk.py supports binary files, while the PTWS version currently supports text only.

Venom Builder NOP Sled

A late addition to this point release, the Venom Builder tool now includes a NOP Sled option.

-n, --nopsled <length> Prepend a nopsled of [length] size

There are a number of options missing from Venom Builder that are available directly through the msfvenom command line. The NOPs option is a great addition and has been requested a few times, and today its here! Keep that feedback coming!

Last, But Not Least – Export Creds

Have you captured usernames, passwords, hashes? Need a quick way to password spray a new service login you just discovered? Want to kick-off a hashcat or john-the-ripper session?

Use the Export Creds button to generate a list of every known username, password, hash in your credentials list and a few different mixtures of each.

Each of the sections in the Export Creds tool is useful in different situations. Sometimes its as simple as reporting your findings – “UN:PW”. Other times it can be a little more complicated.

Here’s a short rundown of each section:

Usernames: Every known username in your credentials list
Passwords: Every known password in your credentials list
UN-PW: A simple combination of username:password
UN:PW All-U: All permutations of every known username:password, looped around the username
UN:PW All-P: All permutations of every known username:password, looped around the password. This mode is best for password spraying to reduce the chance of account lockout with large lists.
Uncracked Hashes: Every known hash in your credentials list that does not also have a password. This is ideal for starting a hashcat or john-the-ripper session.
UN:Hash All: Every credential record that contains a hash

Note: Export Creds is currently a Host level export and is available on the Host or Port page. Engagement wide credential management is coming in a future release.

PenTest.WS Pro – Status Update

We’re still on track for an end of June release of PenTest.WS Pro. The features are complete and currently being tested. Pricing is nearly settled. Store infrastructure is under heavy development but moving quickly.

We’ll be releasing more information on this blog and Twitter in the weeks ahead. Any unforeseen delays will be announced as soon as possible. Its been a lot of work to get this far, and we’re incredibly excited about the new product.

Thanks for reading, enjoy the new online features, and as always, keep the feedback coming!!

PenTest Workshop News

Tag: pentest.ws pro

Point Release – v1.5.3