PoCcraft is a vulnerability report generator for penetration testers and bug bounty hunters. It turns your proof of concept into a structured, scored, export-ready finding — so you spend less time writing and more time testing.
Every pentester and bug bounty hunter knows the pattern. You spend hours chaining requests, bypassing controls, or spotting a logic flaw — then you still have to write it up. Description, impact, remediation, CVSS score, reproduction steps formatted for triagers or clients. That work is repetitive, slow, and easy to get wrong when you're tired at the end of an engagement.
Most people solve this by copying old reports, keeping personal templates in scattered notes, or rewriting the same sections from scratch for every platform. CVSS gets calculated in a separate tab. Impact language drifts between findings. PDF formatting breaks at the worst time. The result: inconsistent reports, missed submissions, and hours lost on work that doesn't find new vulnerabilities.
PoCcraft starts where you actually start — with the proof of concept. Paste your reproduction steps, HTTP traffic, or exploit details first. From there, the tool helps you structure the finding: title, affected component, severity via an integrated CVSS 3.1 / 4.0 calculator, and optional AI-generated description and impact based on what you wrote.
A live preview shows exactly how the report reads in bug bounty or pentest mode before you export. When you're done, download Markdown for your repo, plain text for a platform submission, or a polished PDF for a client deliverable. Optional encrypted cloud saves let you pick up multi-finding engagements without losing work.
The goal isn't to replace your judgment — it's to remove the friction around it. You still verify every line. PoCcraft just makes the blank page, the CVSS math, and the formatting someone else's problem.
"The best finding in the world doesn't pay if the write-up is unclear, incomplete, or late."
— Every triager, eventually
Your reproduction steps are the source of truth. Everything else — description, impact, severity — builds from what you actually found.
Templates and AI are starting points, not final copy. Every field is editable. Quality warnings flag gaps before you export.
Core tooling runs client-side. Cloud saves are encrypted. You choose what leaves your browser.