How to Write Great Pentest Notes for Better Results

When you submit an application for an agentic pentest on TurboPentest, the Notes field is one of the most powerful inputs you have. It directly shapes how P4L4D1N and its agents approach your application. A few well-written sentences can mean the difference between surface-level findings and deep, business-critical vulnerabilities.

This guide covers what to include, what to avoid, and real examples you can adapt.

Why Notes Matter

TurboPentest's 15 tools run automatically against your target domain. But P4L4D1N - the AI orchestrator that conducts the actual penetration test - uses your notes to make decisions:

  • Which parts of the application to prioritize
  • How to authenticate and maintain sessions
  • What business logic is worth testing
  • Where previous issues were found
  • What specific compliance requirements you care about

Without notes, the agents still run a thorough pentest. With good notes, they focus where it matters most.

Authentication Credentials

If your application requires login, provide test credentials. This is the single highest-impact note you can add.

Good format:

Test account: user@example.com / TestPass123!
Admin account: admin@example.com / AdminPass456!

Even better:

Standard user: user@example.com / TestPass123!
  - Has access to: dashboard, profile, billing
  - Does NOT have access to: admin panel, user management

Admin user: admin@example.com / AdminPass456!
  - Full access to all features

API key for programmatic access: sk-test-abc123
  - Used in Authorization header as Bearer token

Providing multiple roles lets the agents test privilege escalation - one of the most common and dangerous vulnerability classes. They can attempt to access admin endpoints using the standard user's session, test IDOR between accounts, and verify that role boundaries are enforced.
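Before pasting a role description like the one above into the Notes field, it is worth confirming that the access boundaries you are asserting are actually what the application enforces, so the agents are not sent after a matrix that is already wrong. The following pre-flight check is an added example, not part of TurboPentest's page or tooling; it assumes a bearer-token API and demonstrates the comparison against a constructed stand-in for the app rather than a live target.

```python
"""Pre-flight check: does the app enforce the role matrix you are about to
describe in your pentest notes? (Added example; not TurboPentest code.)"""
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Access matrix transcribed from the "Even better" note above:
# True = the role should be allowed in, False = it should be denied.
ROLE_ACCESS = {
    "standard": {"/dashboard": True, "/profile": True, "/billing": True,
                 "/admin": False, "/admin/users": False},
    "admin": {"/dashboard": True, "/profile": True, "/billing": True,
              "/admin": True, "/admin/users": True},
}


def http_probe(base_url, token):
    """Build probe(path) -> HTTP status for a live app, authenticating with
    the role's bearer token (assumed API shape, as stated in the note)."""
    def probe(path):
        req = Request(base_url + path,
                      headers={"Authorization": f"Bearer {token}"})
        try:
            return urlopen(req, timeout=10).status
        except HTTPError as err:
            return err.code
    return probe


def check_role_matrix(matrix, probes):
    """Compare observed status codes with the matrix. Returns a list of
    (role, path, observed_status, should_allow) for every mismatch; an
    empty list means the notes describe the real boundaries accurately."""
    mismatches = []
    for role, paths in matrix.items():
        for path, should_allow in paths.items():
            status = probes[role](path)
            allowed = 200 <= status < 300
            if allowed != should_allow:
                mismatches.append((role, path, status, should_allow))
    return mismatches


def simulated_app(role):
    """Constructed stand-in for a live app so the check runs offline: admin
    sees everything, and the standard role is wrongly let into /admin/users."""
    def probe(path):
        if role == "admin" or not path.startswith("/admin"):
            return 200
        return 200 if path == "/admin/users" else 403
    return probe


def demo():
    probes = {role: simulated_app(role) for role in ROLE_ACCESS}
    return check_role_matrix(ROLE_ACCESS, probes)
```

For a real run, swap `simulated_app(role)` for `http_probe(base_url, token_for_role)` in `demo()`; any mismatch it reports belongs in the Known Issues section of your notes rather than in the role description.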

Paths and Areas of Interest

Your target URL is a domain - the starting point. But your application likely has specific areas that matter more than others. Use notes to point the agents in the right direction.

Good examples:

Focus areas:
- /api/v2/ endpoints (new API, not fully reviewed)
- /admin/users - user management panel
- /billing/invoices - handles PII and payment data
- /upload - file upload functionality (accepts PDF and images)

The application has a GraphQL endpoint at /graphql
that handles all data operations. Introspection is
enabled in staging.

Most sensitive paths:
- /api/payments/* - Stripe integration, handles card tokens
- /api/export - generates CSV reports with customer data
- /settings/webhooks - allows configuring callback URLs

Business Logic Context

Automated tools find technical vulnerabilities well. Where agentic pentesting excels is in understanding business logic - and your notes are what provide that context.

Good examples:

This is a SaaS invoicing platform. Key workflows:
1. User creates invoice -> sends to client via email
2. Client clicks payment link -> pays via Stripe
3. Invoice status updates automatically

Concern: Can a user modify an invoice after it has been
sent? Can they change the payment amount or recipient?

The app has a referral system: users get a unique code,
new signups with that code get a discount. We want to
make sure users cannot generate unlimited referral
credits or apply codes to their own account.

Multi-tenant SaaS - each organization has its own data.
Critical that Org A cannot access Org B's resources.
Tenant ID is passed in the X-Org-Id header.

Previous Findings and Known Issues

If you have had pentests before (with TurboPentest or elsewhere), sharing past findings helps agents dig deeper.

Good example:

Previous pentest found:
- IDOR on /api/users/:id (fixed, please verify)
- Missing rate limiting on /api/auth/login (fixed)
- Open redirect on /oauth/callback (not yet fixed)

Please re-test these and also check for similar patterns
in the new /api/v2/ endpoints added since then.

Technology Stack

While the agents detect technology stacks automatically, explicit notes help them choose the right attack vectors immediately.

Good example:

Stack: Next.js 14, PostgreSQL, Redis sessions
Auth: NextAuth.js with JWT strategy
File storage: AWS S3 with presigned URLs
Search: Elasticsearch (exposed at /api/search)

Compliance Requirements

If you need findings mapped to specific frameworks, mention it.

Good example:

We are preparing for SOC 2 Type II audit. Please
prioritize findings relevant to:
- Access control (CC6.1)
- Data encryption in transit and at rest
- Logging and monitoring
- Input validation

What to Avoid

Do not include:

  • Production credentials or real customer data
  • Credentials for accounts you do not own
  • Instructions to test third-party services you do not control
  • Requests to perform denial-of-service testing

Keep notes concise. The agents process your notes intelligently, but a wall of text with irrelevant details can dilute the important information. Focus on what makes your application unique and what you are most concerned about.

Quick Template

Here is a template you can copy and adapt:

## Auth
- User: test@example.com / password123
- Admin: admin@example.com / adminpass

## Focus Areas
- /api/v2/ (new endpoints)
- /admin/ (admin panel)
- /upload (file handling)

## Business Context
[1-2 sentences about what the app does and what
matters most to you]

## Known Issues
[Any previous findings to re-verify]

## Special Instructions
[Anything else the agents should know]

Start Your Next Pentest

Ready to put these tips into practice? Head to Start a Pentest and use the Notes field to guide P4L4D1N toward the findings that matter most to your application.