Infrastructure
TurboPentest runs on Microsoft Azure with enterprise-grade infrastructure. This page covers the services used and how data flows through the system.
Azure Services
| Service | Purpose | Details |
|---|---|---|
| App Service | Web application | Next.js 15, auto-scaling, custom domain |
| Container Instances | Tool execution | 15 isolated containers per pentest |
| Blob Storage | Output storage | Tool results, PDF reports, attestation letters |
| Container Registry | Tool images | Pre-built images for all 15 security tools |
| Entra ID | Authentication | SSO via Microsoft identity platform |
| PostgreSQL | Database | Prisma ORM, managed database |
Tool Resource Allocation
Each security tool runs in its own Azure Container Instance with dedicated resources:
| Tool | CPU | Memory | Timeout |
|---|---|---|---|
| Nmap | 1 core | 1 GB | 5 min |
| Nikto | 1 core | 1 GB | 5 min |
| ZAP | 1 core | 2 GB | 10 min |
| Nuclei | 1 core | 1 GB | 10 min |
| PentestTools | 1 core | 1 GB | 5 min |
| TestSSL | 1 core | 0.5 GB | 5 min |
| Subfinder | 0.5 core | 0.5 GB | 2 min |
| HTTPX | 0.5 core | 0.5 GB | 2 min |
| FFUF | 1 core | 0.5 GB | 5 min |
| Wafw00f | 0.5 core | 0.5 GB | 2 min |
| OpenVAS | 2 cores | 4 GB | 15 min |
| Gitleaks | 0.5 core | 0.5 GB | 5 min |
| Semgrep | 1 core | 2 GB | 5 min |
| Trivy | 1 core | 1 GB | 5 min |
Data Flow
- User submits target - Domain is validated and ownership verified via DNS TXT record
- Pentest created - Record stored in PostgreSQL with status "running"
- Containers launched - Azure Container Instances spin up for each tool
- Tool execution - Each container runs its tool against the target
- Results stored - Tool output written to Azure Blob Storage
- Callbacks received - Each container sends a completion webhook to the app
- Shannon analysis - AI reads all tool outputs from Blob Storage and generates findings
- Report generated - PDF and attestation created, stored in Blob Storage
- User notified - Email via Mailgun, Slack webhook, or in-app notification
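The first step above is the gate that keeps scans pointed only at targets the requester controls. The sketch below is an added example, not TurboPentest's code: the record label, token prefix, and HMAC token scheme are assumptions, since the page does not specify them, and the TXT resolver is injected so the check runs offline against constructed records.

```python
import hashlib
import hmac
import re

# Assumed names: the page does not give the record label or token format.
CHALLENGE_LABEL = "_pentest-challenge"
TOKEN_PREFIX = "pentest-verify="
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_domain(raw):
    """Return a lowercase ASCII hostname, or raise ValueError."""
    host = raw.strip().rstrip(".").lower()
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError("not a valid hostname") from exc
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        raise ValueError("not a valid hostname")  # rejects URLs, paths, ports
    if labels[-1].isdigit():
        raise ValueError("IP addresses are not accepted")
    return host


def expected_token(secret, account_id, domain):
    """Token bound to one account and one domain (assumed HMAC scheme)."""
    msg = f"{account_id}:{domain}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def ownership_verified(raw_domain, account_id, secret, resolve_txt):
    """resolve_txt(name) -> list of TXT strings; injected so this runs offline."""
    try:
        domain = normalize_domain(raw_domain)
    except ValueError:
        return False
    want = (TOKEN_PREFIX + expected_token(secret, account_id, domain)).encode()
    records = resolve_txt(f"{CHALLENGE_LABEL}.{domain}")
    # Constant-time comparison; a record for another account or domain fails.
    return any(hmac.compare_digest(r.strip().strip('"').encode(), want) for r in records)


if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed sample data
    zone = {f"{CHALLENGE_LABEL}.example.com": [TOKEN_PREFIX + expected_token(secret, "acct-1", "example.com")]}
    print(ownership_verified("Example.COM.", "acct-1", secret, lambda n: zone.get(n, [])))
```

Binding the token to both account and domain means a TXT record published for one customer cannot be reused by another account to claim the same target.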
Deployment
The application is deployed via GitHub Actions CI/CD:
- Every push triggers: lint, type-check, test suite, production build
- Pushes to the main branch auto-deploy to Azure App Service
- Tool container images are maintained in Azure Container Registry
- A scheduled cron job keeps tool images updated with the latest CVE databases
Data Retention
- Tool containers are destroyed immediately after completion
- Tool output blobs are retained for the lifetime of the pentest record
- Users can delete their pentests and all associated data at any time
- A cleanup cron job removes stale data from incomplete pentests