Multi-Domain Pentests

Multi-domain pentests let you test multiple URLs at once. Each URL becomes its own pentest, but they share a groupId for tracking.

Requirements

All domains must be verified
You need one credit per domain (up to 20 domains)
All domains can optionally share the same GitHub repository

API usage

Terminal

curl -X POST https://turbopentest.com/api/pentests \
  -H "X-API-Key: $TURBOPENTEST_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "targetUrls": [
      "https://app.example.com",
      "https://api.example.com",
      "https://admin.example.com"
    ],
    "repoUrl": "https://github.com/org/repo"
  }'

Response

Response

{
  "groupId": "uuid",
  "scans": [
    { "id": "scan-1", "targetUrl": "https://app.example.com" },
    { "id": "scan-2", "targetUrl": "https://api.example.com" },
    { "id": "scan-3", "targetUrl": "https://admin.example.com" }
  ]
}

Limits

Maximum 20 domains per request
Each domain must pass URL validation (must be a valid HTTPS URL, not an IP address)
Credits are consumed atomically - either all pentests start or none do

Previous

Black Box vs White Box

Next

Understanding Results

On this page

Requirements API usage Response Limits