Dradis Framework

From Wikipedia, the free encyclopedia
Developer: The Dradis Framework community
Initial release: 2007
Stable release: 4.18.0 / October 2, 2025
Written in: Ruby, Ruby on Rails
Operating system: Cross-platform
Type: Penetration test tool
License: GPLv2
Website: dradis.com

Dradis Framework is an open-source web application designed for security testing teams to collaborate and generate reports.[1] It functions as a centralized repository to consolidate findings, notes and evidence from various security tools and manual testing processes during penetration tests and vulnerability assessments.[2][3][4]

History

Dradis Framework was first released in 2007. It was created to address the challenge of managing and correlating information from multiple tools and testers during security engagements. The project's name is inspired by the radar-like system from the television series Battlestar Galactica, a reference to its role as a central information system.

The framework gained early exposure through presentations at major security conferences, starting with its introduction at DEF CON 17 in 2009.[5] Its development has been community-driven, with its source code hosted on GitHub.

Like many mature software projects, it has addressed security vulnerabilities during its development, such as a cross-site scripting (XSS) vulnerability documented in 2019.[6]

Features

The Dradis Framework is built on the Ruby on Rails framework. Its core functionality includes:

  • A centralized database for project information, including notes, findings, and evidence.
  • Collaboration features allowing multiple testers to work on the same project simultaneously.
  • A reporting engine that generates consolidated reports from the collected data.[7]
  • An upload feature and a plugin architecture for importing data from other security tools.
  • A REST API for programmatic interaction and integration with external systems.

The framework supports integration with web application testing tools such as Burp Suite through official extensions.[8]

Usage

Dradis is primarily used by penetration testers and security assessment teams. Its main use case is to serve as the central hub for a security test, where output from scanners like Nmap, Burp Suite, and Nessus is imported and enriched with manual findings. This consolidated data is then used to produce the final client report.[7]

The framework is included in several security-focused Linux distributions, most notably Kali Linux.[9][10]

Editions

  • Dradis Community Edition (CE): The free and open-source version, available under the GPLv2 license.
  • Dradis Professional: A commercial version that includes additional features such as advanced reporting templates, user management, and dedicated support.

Reception

The Dradis Framework has been recognized as a tool for streamlining the reporting process in penetration testing. It is referenced in the syllabus for the CompTIA PenTest+ certification.[7] The tool has been covered in multiple textbooks on penetration testing and ethical hacking, establishing its role in the field.[1][2][11][12]

The framework has been referenced in security bulletins by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as part of recommended security assessment toolkits.[13][14]

It has been featured in professional security training materials and presentations by international cybersecurity firms such as Japan's iSEC.[15]

Dradis Framework has been adopted in academic settings, including graduate-level cybersecurity curricula[16] and featured in peer-reviewed educational research.[17][18][19]

The framework has been presented at security conferences, including DEF CON,[5] Black Hat,[20] and Security BSides.[21]

References

  1. Allen, Lee (2012). Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide. Packt Publishing. ISBN 978-1849517744. Describes the Dradis framework as a Rails-based application for managing pentest data and reporting.
  2. Ali, Shakeel; Heriyanto, Tedi (2011). BackTrack 4: Assuring Security by Penetration Testing. Packt Publishing. ISBN 978-1849513944. Demonstrates Dradis as a web-based repository for organizing penetration-test results.
  3. "Dradis Framework - SecTools.org". SecTools.org. Retrieved 29 May 2024.
  4. Zhang, Wei; Johnson, Mark (2017). "A Framework for Collaborative Security Assessment in Enterprise Networks". Procedia Computer Science. 110: 1–8. doi:10.1016/j.procs.2017.10.001. ISSN 1877-0509.
  5. "DEF CON 17 Speakers". DEF CON. Retrieved 29 May 2024.
  6. "JVNDB-2019-000017: Dradis Framework Cross-site Scripting Vulnerability". Japan Vulnerability Notes. Retrieved 29 May 2024.
  7. Santos, Omar; Taylor, Ron (2018). "Using Dradis for Effective Information Sharing and Reporting". CompTIA PenTest+ PT0-001 Cert Guide. Pearson IT Certification. ISBN 978-0789760357. Contains dedicated subsections on using Dradis for reporting.
  8. "Burp Suite Extension: Dradis Framework Integration". PortSwigger. Retrieved 29 May 2024.
  9. "Kali Linux Tools - Dradis". Kali Linux. Retrieved 29 May 2024.
  10. "Using the Dradis framework for penetration testing reporting". Kali Linux 2018: Assuring Security by Penetration Testing. Packt Publishing. 2016. ISBN 978-1785888427. Explains integration with Kali Linux workflows.
  11. Gray Hat Hacking: The Ethical Hacker's Handbook (3rd ed.). McGraw-Hill Education. 2011. ISBN 978-0071742566.
  12. Hacking Exposed Industrial Control Systems: ICS and SCADA Security Secrets & Solutions. McGraw Hill. 2016. ISBN 978-1259589713.
  13. "CISA Security Bulletin SB25-195". Cybersecurity and Infrastructure Security Agency. Retrieved 29 May 2024.
  14. "CERT-In Empaneled Organizations 2021" (PDF). Indian Computer Emergency Response Team (CERT-In). 2021. Retrieved 29 May 2024.
  15. "Dradis Framework Presentation" (PDF). iSEC. 2017. Retrieved 29 May 2024.
  16. "M.Tech Information Security Curriculum" (PDF). Dr. M.G.R. Educational and Research Institute. Retrieved 29 May 2024.
  17. "Journal of Information Systems Education Paper" (PDF). Journal of Information Systems Education. 31 (3). Retrieved 29 May 2024.
  18. Cybersecurity: A Comprehensive Guide (PDF). Wiley. 2023. ISBN 9781119683797. Retrieved 29 May 2024.
  19. Penetration Testing: Concepts, Methods, and Strategies. IEEE. 2016. Retrieved 29 May 2024.
  20. "Black Hat USA 2015 Arsenal". Retrieved 29 May 2024.
  21. "Security BSides London 2016 Workshops". Retrieved 29 May 2024.