Core Concepts

Credits

Every pentest consumes one credit. Credits come from:

  • One-time purchase - Buy individual credits starting at $49 (Recon tier)
  • Subscriptions - Annual plans paid upfront - all credits are issued immediately
  • Vouchers - Promotional codes that grant free credits

Credits are consumed when a pentest starts. If a pentest fails to launch, the credit is returned. You can also transfer available credits to other users by email address.

Domain verification

Before pentesting a domain, you must prove you own it. This prevents unauthorized testing.

Verification methods:

  • DNS TXT record - Add a turbopentest-verify=<token> TXT record to your domain's DNS

Verification covers all subdomains: verifying example.com also allows testing app.example.com.
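The check behind DNS verification, as an added example (this is not TurboPentest's own verifier; the token format follows the page, while the resolver, zone data and helper names are assumptions constructed for the example). It shows the two things a practitioner usually wants to confirm: that the token comparison does not stop early on the first mismatching character, and that the subdomain coverage rule matches on label boundaries, so verifying example.com does not accidentally cover notexample.com.

```python
"""Added example, not TurboPentest's code: DNS TXT token verification and
subdomain coverage. The resolver is injected so the example runs offline
against a constructed zone; a real deployment would resolve TXT records."""
import hmac
from typing import Callable, Iterable, List

PREFIX = "turbopentest-verify="  # TXT value prefix described on the page


def has_verification_token(txt_records: Iterable[str], expected_token: str) -> bool:
    """True if any TXT record carries exactly the expected token.

    A TXT rrset may contain unrelated records (SPF, other vendors' tokens),
    so each one is checked in turn. Quotes that dig-style output wraps around
    a value are stripped first. The token itself is compared in constant time
    so response timing does not reveal how many leading characters matched."""
    for rdata in txt_records:
        value = rdata.strip().strip('"')
        if not value.startswith(PREFIX):
            continue
        presented = value[len(PREFIX):].encode()
        if hmac.compare_digest(presented, expected_token.encode()):
            return True
    return False


def verify_domain(domain: str, expected_token: str,
                  resolve_txt: Callable[[str], List[str]]) -> bool:
    """Resolve the domain's TXT records and look for the token.

    Any lookup failure (NXDOMAIN, timeout, SERVFAIL) is treated as
    'not verified' rather than raised, since verification must fail closed."""
    try:
        records = resolve_txt(domain)
    except LookupError:
        return False
    return has_verification_token(records, expected_token)


def covered_by(verified_domain: str, target: str) -> bool:
    """True if target is the verified domain or one of its subdomains.

    The comparison is case-insensitive, ignores a trailing dot, and requires
    a label boundary: 'example.com' covers 'app.example.com' but not
    'notexample.com'."""
    v = verified_domain.lower().rstrip(".")
    t = target.lower().rstrip(".")
    return t == v or t.endswith("." + v)


def may_test(target: str, verified_domains: Iterable[str]) -> bool:
    """True if at least one verified domain covers the target."""
    return any(covered_by(v, target) for v in verified_domains)


# Constructed zone data standing in for real DNS answers (assumption).
CONSTRUCTED_ZONE = {
    "example.com": ['"v=spf1 -all"', '"turbopentest-verify=abc123"'],
    "other.example": ['"turbopentest-verify=someone-elses-token"'],
}


def constructed_resolver(name: str) -> List[str]:
    """Stand-in resolver; raises LookupError like a failed DNS query."""
    key = name.lower().rstrip(".")
    if key not in CONSTRUCTED_ZONE:
        raise LookupError(f"NXDOMAIN: {name}")
    return CONSTRUCTED_ZONE[key]


if __name__ == "__main__":
    ok = verify_domain("example.com", "abc123", constructed_resolver)
    print("example.com verified:", ok)
    print("app.example.com allowed:", may_test("app.example.com", ["example.com"]))
    print("notexample.com allowed:", may_test("notexample.com", ["example.com"]))
```

If you replace the constructed resolver with a real one, keep the fail-closed behaviour: a resolver exception must map to "not verified", never to "skip the check".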

Safe harbor agreement

Before launching your first pentest, you must accept a safe harbor agreement confirming you own or have authorization to test the target domains. This is a one-time confirmation and does not block credit purchases.

Pentests

A pentest runs a suite of automated security tools against your target URL. There are two types:

  Type        Tools                                        Requires
  Black box   11 network and web app tools                 Domain verification
  White box   All 14 tools including SAST, SCA, secrets    Domain verification + GitHub connection

Pentests go through these statuses: queued -> running -> complete (or failed).

Findings

Each vulnerability discovered is a finding with:

  • Severity - critical, high, medium, low, or info
  • Title - Short description of the vulnerability
  • Description - Detailed explanation
  • Proof of exploit - Evidence that the vulnerability exists
  • Remediation - How to fix it
  • Retest command - Docker one-liner to verify the fix
  • Source tool - Which tool discovered it
  • CVSS vector - Detailed breakdown of how the severity score was calculated

Multi-domain pentests

You can test up to 20 domains in a single request. Each domain consumes one credit. All pentests in the group share a groupId for easy tracking.

API keys

API keys authenticate requests to the TurboPentest API. Each key has a tp_ prefix and is shown once at creation. Use the X-API-Key header to pass it in requests.
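A minimal client-side pattern for handling the key, added here as an example rather than taken from TurboPentest's own client or SDK. The header name and tp_ prefix come from the page; the environment variable name, the placeholder URL and the function names are assumptions. The points worth copying are that the key is never hard-coded, is refused over a non-TLS URL, and is redacted before it reaches a log line.

```python
"""Added example, not TurboPentest's client: load an API key from the
environment, validate its shape, attach it as X-API-Key, and redact it
for logging. The URL used below is a placeholder (assumption)."""
import os
import urllib.request
from typing import Dict, Mapping

KEY_PREFIX = "tp_"  # prefix described on the page
ENV_VAR = "TURBOPENTEST_API_KEY"  # assumed name, not from the page


def load_api_key(environ: Mapping[str, str] = os.environ, env_var: str = ENV_VAR) -> str:
    """Read the key from the environment and reject anything that does not
    look like a TurboPentest key, so a pasted-in wrong secret fails early."""
    key = environ.get(env_var, "").strip()
    if not key.startswith(KEY_PREFIX) or len(key) <= len(KEY_PREFIX):
        raise ValueError(f"{env_var} is unset or does not start with {KEY_PREFIX!r}")
    return key


def redact_key(key: str) -> str:
    """Keep the prefix and the last four characters: enough to tell which key
    was used in a log line without leaking the secret itself."""
    if len(key) <= len(KEY_PREFIX) + 4:
        return KEY_PREFIX + "****"
    return f"{KEY_PREFIX}...{key[-4:]}"


def auth_headers(key: str) -> Dict[str, str]:
    """Headers for an authenticated call; the key travels in X-API-Key."""
    return {"X-API-Key": key, "Accept": "application/json"}


def build_request(url: str, key: str) -> urllib.request.Request:
    """Build (but do not send) an authenticated GET. Refuses plain http so the
    key cannot be sent in clear text by a typo in the base URL."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send an API key over a non-TLS URL")
    # urllib normalises header names to 'X-api-key'; servers treat them
    # case-insensitively, so the wire format is unaffected.
    return urllib.request.Request(url, headers=auth_headers(key), method="GET")


if __name__ == "__main__":
    # Constructed environment for the demo (assumption), not a real key.
    demo_env = {ENV_VAR: "tp_examplekeyvalue1234"}
    api_key = load_api_key(demo_env)
    req = build_request("https://api.example.invalid/placeholder", api_key)
    print("using key", redact_key(api_key), "->", req.full_url)
```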
