Running a Pentest

From the dashboard

  1. Go to New Pentest
  2. Enter your target URL (e.g. https://app.example.com)
  3. Optionally add a GitHub repository URL for white box analysis
  4. Click Start Pentest

The pentest will consume one credit and begin immediately. You will be redirected to the results page where you can watch tool progress in real time.

From the API

Terminal
curl -X POST https://turbopentest.com/api/pentests \
  -H "X-API-Key: $TURBOPENTEST_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "targetUrl": "https://app.example.com",
    "repoUrl": "https://github.com/org/repo"
  }'

Request body

FieldTypeRequiredDescription
targetUrlstringYesThe URL to pentest
repoUrlstringNoGitHub repo URL for white box analysis
creditIdstringNoSpecific credit to consume (uses oldest available if omitted)
notesstringNoOptional notes for this pentest

Response

Response
{
  "id": "uuid",
  "targetUrl": "https://app.example.com",
  "repoUrl": "https://github.com/org/repo",
  "status": "queued",
  "createdAt": "2026-02-16T00:00:00.000Z"
}

From CI/CD

See CI/CD Integration for pipeline configurations.

Scheduling pentests

You can schedule pentests to run automatically - either as a one-off at a specific time or on a recurring basis.

One-off schedules

Run a pentest at a specific date and time. This is useful for coordinating with deployment windows or change management schedules.

Recurring schedules

Set up automatic pentests on a regular cadence:

FrequencyDescription
DailyRuns every day at the scheduled time
WeeklyRuns once per week on the scheduled day
BiweeklyRuns every two weeks on the scheduled day
MonthlyRuns once per month on the scheduled date
QuarterlyRuns once every three months on the scheduled date

How scheduled pentests consume credits

  • When a scheduled pentest fires, it consumes one credit using FIFO order (oldest available credit is used first)
  • If no credits are available when the schedule fires, the pentest is skipped and you receive an email notification
  • You will receive reminder emails at 7 days and 1 day before your credits run out so you can purchase more or adjust your schedules
  • Skipped pentests are not retried automatically - the next run will occur at the next scheduled time

Managing schedules

You can create, pause, resume, and delete schedules from the dashboard or via the Schedule API. Pausing a schedule prevents it from firing until you resume it. Deleting a schedule removes it permanently.

What happens during a pentest

  1. Queued - Pentest is created and credit is consumed
  2. Phase 1 - All applicable tools are launched in parallel as Docker containers
  3. Tool callbacks - Each tool reports results as it finishes
  4. AI analysis - Shannon AI analyzes raw results and generates unified findings
  5. Complete - Findings, report, and attestation are available

Previous

Core Concepts

Next

Black Box vs White Box

On this page