Welcome to Attackgrid.io
Set a password to create your encrypted vault

Attackgrid.io is a fast checklist manager for penetration testing. All data is 100% encrypted in your browser; nothing ever leaves your device.

On your first use, set a password to secure your encrypted vault. If you lose this password or clear your browser data, your information is lost forever.

The present instance is simply serving a static HTML file. If you want to use it locally, simply save the page with CTRL+S. This app is fully open source.




Minimum 8 characters. Use a strong passphrase.

What is Attackgrid.io?

Attackgrid.io is a fast, lightweight, open-source checklist manager for penetration testing engagements. It lets you efficiently organize and track your work using the OWASP Security Testing Guides and/or your own custom checklists, with a focus on speed and simplicity during real-world assessments.


How does it work?

For each engagement, create a project and add your target systems or URLs. When working through an assessment, use the checklist to mark each step as you complete it; this makes it easy to track your progress and see what’s left to do, even if you work over several days.

For each item, you can mark it as passed, failed, or issues, and also add notes, procedures, findings, or reminders as you go. These notes are saved securely with your project, so you can refer back to them later, or during reporting.


Is my data sent anywhere?

Never! This entire application is a single HTML file: a completely static, client-side app. There is no backend and no data is ever sent to any server. Projects, targets, checklist statuses, notes, templates, audit logs, and everything else are encrypted with AES-GCM and stored locally in your browser.

It is impossible for anyone except you (or whoever has access to your browser's data) to see your data.


Using AttackGrid Offline

If you don't trust any hosted version, you can download and run it offline: press Ctrl+S to save it locally, then open the saved file directly from disk.


Hosting and Deployment

Because it's just static files, it can be hosted almost anywhere: an AWS S3 bucket, GitHub Pages, GitLab Pages, Cloudflare Pages, Netlify, Vercel, Azure Static Web Apps, Google Cloud Storage static hosting, Firebase Hosting, a simple nginx/Apache static site, or even served from a local folder with python -m http.server and ngrok, for example.


Backups & Security

Backups are encrypted. You can export an encrypted backup file and restore it later (or move it between machines). If you clear your browser storage or site data, your local projects will be lost—so make encrypted backups regularly. To move your data to another device or browser, export a backup and restore it there.

This application protects data at rest in the browser. It does not protect you from a compromised device/browser, malicious extensions, or a weak password.


Disclaimer: Attackgrid.io is not affiliated with, sponsored by, or endorsed by the OWASP® Foundation.

Edits apply to the selected version. Checklists use the built-in default unless a target is pinned.
Hides URLs and titles in the Audit logs UI.

Change password

Update your password.

Storage

We request persistent storage to reduce risk of accidental eviction.
Important
Even if Persistent storage is enabled, using your browser's "Clear browsing data / site data" will delete this app's local vault forever. Export backups regularly.

Backup / Restore

Download a backup file, or restore from one.
Backup status
Note: browsers often block fully automatic downloads. When enabled, we'll show a prompt with a one-click download.

Danger zone

Permanently erase all local data from this browser (projects, targets, checklist data, audit logs, templates). This cannot be undone unless you have an encrypted backup.