Pentest findings are blueprints for compromise, not generic business data.
Cloud platforms aggregating findings are high-value targets for supply chain attacks.
Self-hosted: the vendor cannot be breached for data they never received.
Open-source: verify the data residency claim yourself by reading the code.

Most data governance treats all sensitive data as roughly equivalent: PII here, financial records there. Pentest data breaks that model. A single report can contain:
- Exactly how to access patient records, disable medical device monitoring, and move laterally through the network.
- SCADA system access points, authentication weaknesses, and network segmentation gaps for a power utility.
- Proof-of-concept exploits for the transaction processing system of a financial services platform.
These are not records that need "protection" in the same way a customer database does.
In the wrong hands, they enable the specific attacks they describe. Where this data lives is not a policy decision -- it is an architectural one.
A SaaS tool serving hundreds of security teams aggregates the exact vulnerabilities, attack paths, and exploitation evidence for every organization those teams have tested, government agencies among them.
The question is not whether any specific cloud vendor has been breached. Absence from public breach records is not evidence of security.
The relevant question is: what resources does a single SaaS company command relative to the resources of a well-funded nation-state actor motivated by what that company holds?
MITRE ATT&CK: T1195.002 (Compromise Software Supply Chain), T1199 (Trusted Relationship)
NIST SP 800-161: Supply chain risk management requires architectural controls, not vendor assurances alone.
Self-hosted elimination: The vendor cannot be breached for data they never received.
Supply chain risk management cannot rely on vendor assurances alone. It requires architectural controls that limit exposure regardless of vendor behaviour.
Cloud SaaS
What you get: Zero infrastructure overhead. Fastest time to value.
What you accept: The vendor has access to your data. Their infrastructure is a target. A breach exposes every customer's findings.
When appropriate: Limited infrastructure capacity, low regulatory exposure, findings that would not cause catastrophic harm if exposed.
Self-hosted proprietary
What you get: Full data residency control. No vendor access to findings. No cross-border transfer risk.
What you accept: Infrastructure overhead. Proprietary code means you cannot verify what the software does with your data.
When appropriate: Data residency control needed, but source code audit is not a procurement requirement.
Self-hosted open-source
What you get: Data residency control plus verifiability. Your team can audit the code and confirm no data leaves the environment.
What you accept: Same infrastructure overhead as self-hosted proprietary. Open-source does not mean zero-cost.
When appropriate: Regulated enterprises, government agencies, defence contractors, and any team whose procurement process weighs supply chain risk.
Your pentest findings stay on your infrastructure. Your team can audit every line of code.
Deploy on your servers, your private cloud, or fully air-gapped with no internet connection.
Full functionality after installation with no connectivity.
No phone-home, no usage data, no update pings.
License activation without internet access.
No dependency on cloud-based SSO or identity providers.
Every feature works identically in air-gapped mode.
Dradis supports fully air-gapped deployment with offline license activation and zero internet connectivity requirements.
What is pentest data sovereignty?
Pentest data sovereignty is the principle that the organization commissioning or conducting a penetration test maintains complete control over where findings are stored, who can access them, and under what jurisdiction they fall.
Unlike generic business data, pentest findings are detailed blueprints for compromising the target infrastructure, which makes their governance a security problem, not just a compliance one.
Is a cloud SaaS platform ever appropriate for pentest findings?
Yes. A cloud SaaS platform with SOC 2 Type II, ISO 27001, and a well-structured DPA that specifies data residency can be appropriate for teams with limited infrastructure capacity, low regulatory exposure, and findings that would not cause catastrophic harm if exposed.
The decision depends on the sensitivity of the data, the regulatory environment, and the organization's tolerance for the residual risk that comes with any third-party data processing relationship.
What are the GDPR implications of cloud versus self-hosted deployment?
Under GDPR Article 28, using a cloud SaaS tool means the vendor is a data processor, requiring a Data Processing Agreement, ongoing processor assessment, sub-processor documentation, and a breach notification chain.
Self-hosted deployment eliminates the data processing relationship entirely -- the organization is both controller and sole processor. There is no DPA to negotiate, no sub-processor chain to audit, and no processor breach notification dependency.
Why does open-source matter for data residency?
Open-source matters because it makes the data residency claim verifiable. A proprietary self-hosted tool can claim that no data leaves the environment, but you cannot independently confirm it without source access.
With open-source software, any customer, auditor, or regulator can inspect the code and verify that no telemetry, usage data, or findings are transmitted externally. Regulated buyers in government and defence procurement routinely require source code access as a condition of tooling approval.
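As an added example (not Dradis code or any vendor's tool), the following Python script shows the first pass an auditor would make on an open-source, self-hosted tool to check the claim above and the "no phone-home, no usage data, no update pings" list: it walks a source tree, reports every library call that can open an outbound connection and every hard-coded external host, and ignores loopback or private addresses and URLs that only appear in comments. The call patterns, the embedded sample files and the telemetry.example.com host are constructed for this example. A clean static pass is necessary but not sufficient; pair it with an egress-deny firewall rule on the deployed host and review any flagged call by hand.

```python
"""Static egress audit for a self-hosted security tool's source tree.

Added example (not Dradis code): a first-pass check of the claim that no
findings or telemetry leave the environment. It reports every library call
that can open an outbound connection and every hard-coded external host,
ignoring loopback/private addresses and URLs that only appear in comments.
The patterns, the embedded sample files and telemetry.example.com are
constructed for this example.
"""
import ipaddress
import os
import re
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Calls that can open an outbound connection, grouped by ecosystem because a
# Rails application ships Ruby, JavaScript and shell scripts side by side.
EGRESS_PATTERNS: Dict[str, List[str]] = {
    "ruby": [r"Net::HTTP", r"URI\.open\(", r"require ['\"]open-uri['\"]",
             r"\bHTTParty\b", r"\bFaraday\b", r"\bRestClient\b", r"\bExcon\b"],
    "javascript": [r"\bfetch\(", r"XMLHttpRequest", r"\baxios\b",
                   r"navigator\.sendBeacon"],
    "python": [r"\brequests\.", r"urllib\.request", r"http\.client"],
    "shell": [r"\bcurl\b", r"\bwget\b"],
}
URL_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)")
COMMENT_RE = re.compile(r"^\s*(#|//|/\*|\*|<!--)")
SKIP_DIRS = {".git", "node_modules", "vendor", "tmp", "log"}
SOURCE_EXT = {".rb", ".erb", ".js", ".ts", ".py", ".sh", ".yml", ".yaml"}


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str     # "call": outbound-capable API; "host": hard-coded external host
    detail: str   # the matched pattern or the host name


def is_local_host(host: str) -> bool:
    """Loopback, private and link-local targets cannot reach the internet directly."""
    if host == "localhost" or host.endswith((".local", ".internal")):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a public DNS name
    return ip.is_loopback or ip.is_private or ip.is_link_local


def audit_sources(files: Iterable[Tuple[str, str]], allowlist=()) -> List[Finding]:
    """Scan (path, text) pairs; allowlist holds hosts already reviewed and accepted."""
    findings: List[Finding] = []
    for path, text in files:
        for line_no, line in enumerate(text.splitlines(), start=1):
            if COMMENT_RE.match(line):
                continue  # a URL or call inside a comment never executes
            for ecosystem, patterns in EGRESS_PATTERNS.items():
                for pattern in patterns:
                    if re.search(pattern, line):
                        findings.append(Finding(path, line_no, "call", f"{ecosystem}:{pattern}"))
            for host in URL_RE.findall(line):
                if not is_local_host(host) and host not in allowlist:
                    findings.append(Finding(path, line_no, "host", host))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Collapse findings into what a reviewer has to sign off on."""
    return {
        "calls": sum(1 for f in findings if f.kind == "call"),
        "external_hosts": sorted({f.detail for f in findings if f.kind == "host"}),
    }


def scan_directory(root: str) -> Iterable[Tuple[str, str]]:
    """Yield (relative path, text) for source files under root, skipping vendored trees."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            if os.path.splitext(name)[1] not in SOURCE_EXT:
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                yield os.path.relpath(full, root), fh.read()


# Constructed sample tree: one phone-home path, one local service URL, one
# license comment and one same-origin API call (internal, not egress).
SAMPLE_FILES = [
    ("app/services/usage_report.rb",
     "require 'net/http'\n"
     "# constructed example: sends install statistics to the vendor\n"
     "uri = URI('https://telemetry.example.com/ping')\n"
     "Net::HTTP.post_form(uri, {})\n"),
    ("config/initializers/cache.rb", "url = 'http://127.0.0.1:6379'\n"),
    ("lib/banner.rb", "# See https://www.gnu.org/licenses/ for terms\n"),
    ("app/assets/javascripts/ui.js", "fetch('/api/issues').then(r => r.json());\n"),
]

if __name__ == "__main__":
    # Usage: python audit_egress.py /path/to/checkout  (defaults to the sample tree)
    source = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    results = audit_sources(source)
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.kind} {f.detail}")
    print(summarize(results))
```

Run against the sample tree, the script flags the `Net::HTTP` call and the `telemetry.example.com` host in the usage-report file, and the same-origin `fetch(` call in the UI script, while the loopback cache URL and the license comment produce nothing. The `fetch(` hit has no external host and is exactly the kind of finding a reviewer clears by hand; the telemetry host is what the "no phone-home" claim rules out. Any host that survives review goes into `allowlist` so repeat runs only surface new egress.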
What do air-gapped environments require?
Air-gapped environments -- classified facilities, defence contractors, secure government networks -- require platforms that function with zero internet connectivity. This means no license check pings, no update downloads, no telemetry, and no dependency on cloud-based authentication.
Cloud SaaS tools cannot operate in these environments. Self-hosted tools that support fully offline operation, including offline license activation and local user management, are the only option. Dradis supports fully air-gapped deployment with no internet connectivity requirements.
Is Dradis the only self-hosted, open-source option?
No. Ghostwriter is an open-source alternative that also supports self-hosted deployment, but it is aimed at red teams.
Dradis has been self-hosted and open-source since 2007, supports fully air-gapped deployment, and is designed so that the knowledge accumulated across different types of security engagements stays permanently on your infrastructure. The comparison of pentest report generators breaks down the trade-offs in detail.