
P4L4D1N AI

P4L4D1N is TurboPentest's multi-agent agentic pentesting system, powered by Claude Sonnet 4.6. Phase 1 tools gather reconnaissance data - P4L4D1N is where the actual penetration test happens. It deploys specialist AI agents in parallel, each focused on a specific vulnerability domain, to conduct exploit validation, discover attack chains, generate proof-of-concept demonstrations, and produce a comprehensive security assessment. Running tools is just the beginning; P4L4D1N is what makes this an agentic pentest rather than just a scan.

Multi-Agent Architecture

P4L4D1N uses a tiered agent system in which the number and type of specialist agents scale with the credit tier:

Tier      Agents  Specialist Roles
Recon     1       Generalist
Standard  4       Web, API, Infrastructure
Deep      10      Web, API, Infrastructure, Code, Crypto, Auth, Business, Supply Chain
Blitz     20      All 8 specialists + depth passes + exploit chain + verification

How P4L4D1N Works

P4L4D1N runs as a containerized system after all 14 Phase 1 tools complete. It executes a multi-phase pipeline:

1. Phase 1 Output Ingestion

P4L4D1N reads the raw output from all 14 Phase 1 tools via Azure Blob Storage:

  • Port and service enumeration (Nmap)
  • Web vulnerability findings (ZAP, Nikto, Nuclei)
  • TLS/SSL configuration issues (TestSSL)
  • Subdomain and HTTP endpoint discovery (Subfinder, HTTPX)
  • Directory and file exposure (FFUF)
  • WAF detection results (Wafw00f)
  • Vulnerability assessment results (OpenVAS)
  • Business logic and API analysis (PentestTools)
  • Secret detection in source code (Gitleaks) - white box only
  • Static analysis findings (Semgrep) - white box only
  • Dependency vulnerabilities (Trivy) - white box only

2. Parallel Specialist Agent Analysis

P4L4D1N deploys specialist agents for different vulnerability domains, running concurrently:

  • Web App Agent - XSS, CSRF, injection, session management, input validation
  • API Security Agent - IDOR, auth flaws, rate limiting, GraphQL, REST misconfigurations
  • Infrastructure Agent - Open ports, service misconfigurations, outdated software, cloud exposure
  • Code Analysis Agent - SAST findings, leaked secrets, dependency vulnerabilities (white box only)
  • Crypto/TLS Agent - Weak ciphers, certificate issues, HSTS, key management
  • Auth/Access Agent - Authentication bypass, privilege escalation, broken access control
  • Business Logic Agent - Race conditions, workflow bypass, data integrity
  • Supply Chain Agent - Dependency risks, third-party vulnerabilities, component security

In Blitz tier, additional agents are deployed:

  • Depth agents - Go deeper on breadth-pass findings with detailed exploit chains and PoCs
  • Exploit Chain Agent - Identifies multi-step attack paths by chaining findings from other agents
  • Verification Agent - Confirms severity ratings, PoC reproducibility, and CVSS accuracy

When source code is provided (white box mode), agents analyze the code to guide their attack strategy, targeting specific code-level weaknesses identified by static analysis.

3. Cross-Tool Correlation and Reporting

P4L4D1N correlates findings across Phase 1 tools and agent analysis results:

  • An open port found by Nmap + a vulnerability on that service confirmed by an agent = validated critical finding
  • A weak TLS configuration from TestSSL + an exposed admin panel from FFUF = elevated risk assessment
  • A hardcoded secret from Gitleaks + an exposed endpoint confirmed exploitable = critical credential exposure

Finding fingerprints enable continuity tracking across pentests - when a target is re-scanned, previous findings are automatically retested and their status tracked (confirmed, not confirmed, timeout).
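
One way finding fingerprints can support this kind of continuity tracking, as an added example (not P4L4D1N's own code or fingerprint scheme). The field names, the choice of hashed fields, the "new" label and the sample data are assumptions made for illustration.

```python
import hashlib
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def fingerprint(finding):
    """Hash what the weakness is and where it lives; severity, CVSS and PoC text are excluded."""
    u = urlsplit(finding["url"])
    host = (u.hostname or "").lower()
    port = u.port or DEFAULT_PORTS.get(u.scheme, 0)
    path = u.path.rstrip("/") or "/"
    key = "\x1f".join([finding["cwe"].upper(), host, str(port), path, finding.get("parameter", "")])
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]

def track(previous, current, timed_out=()):
    """Return {fingerprint: status} for each previous finding, plus findings first seen now."""
    now = {fingerprint(f) for f in current}
    timeouts = {fingerprint(f) for f in timed_out}
    status = {}
    for f in previous:
        fp = fingerprint(f)
        if fp in timeouts:
            status[fp] = "timeout"        # retest did not finish; not evidence of a fix
        elif fp in now:
            status[fp] = "confirmed"      # still reproducible on this run
        else:
            status[fp] = "not confirmed"  # retest ran and did not reproduce it
    for fp in now - set(status):
        status[fp] = "new"                # label added for this example only
    return status

# Constructed sample data; example.test hosts are placeholders.
PREVIOUS = [
    {"cwe": "CWE-79", "url": "https://app.example.test/search/", "parameter": "q", "severity": "Medium"},
    {"cwe": "CWE-639", "url": "https://app.example.test/api/orders", "parameter": "id", "severity": "High"},
    {"cwe": "CWE-319", "url": "http://app.example.test/login", "severity": "Medium"},
]
CURRENT = [
    {"cwe": "cwe-79", "url": "https://APP.example.test:443/search", "parameter": "q", "severity": "High"},
    {"cwe": "CWE-601", "url": "https://app.example.test/redirect", "parameter": "next", "severity": "Low"},
]
TIMED_OUT = [PREVIOUS[2]]

if __name__ == "__main__":
    for fp, st in track(PREVIOUS, CURRENT, TIMED_OUT).items():
        print(fp, st)
```

Because the hash ignores severity and wording and normalizes host case, default port and trailing slash, a finding that is re-rated or re-described on a later run still maps to the same fingerprint.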

Structured Output

P4L4D1N produces a JSON report containing:

  • Findings - Each with severity (Critical/High/Medium/Low/Info), description, proof-of-concept, CWE ID, CVSS score, and remediation steps
  • Attack surface map - Categorized inventory of endpoints, ports, technologies, authentication mechanisms, and input vectors
  • Threat model - STRIDE-based risk assessment with prioritized recommendations
  • Retest commands - Docker one-liners for each finding to verify fixes

Model

P4L4D1N is powered by Claude Sonnet 4.6 via the Anthropic API. The LLM drives the multi-agent decision-making, finding analysis, and report generation. Each specialist agent receives a domain-specific system prompt to focus its analysis.

What P4L4D1N Can and Cannot Do

P4L4D1N excels at:

  • Conducting the actual penetration test after Phase 1 tools gather reconnaissance data
  • Validating exploits and generating proof-of-concept demonstrations for confirmed vulnerabilities
  • Discovering multi-step attack chains by correlating findings across 14 Phase 1 tools
  • Code-aware attack targeting when source code is provided
  • Prioritizing vulnerabilities by exploitability and business impact
  • Tracking finding continuity across repeat pentests via fingerprinting
  • Generating compliance-ready documentation with CVSS scores and remediation steps

P4L4D1N does not replace:

  • Manual penetration testing for complex business logic flaws requiring domain expertise
  • Social engineering or physical security assessments
  • Zero-day vulnerability research
  • Network-internal lateral movement testing

For comprehensive assessments that go beyond automated tooling, IntegSec offers PTaaS (Penetration Testing as a Service).
