Tool Overview

TurboPentest runs up to 15 security tools in parallel during each pentest. Each tool runs in its own Docker container with dedicated resources.

Black box tools (11)

These run on every pentest - no source code access needed.

| Tool | Category | Purpose | Resources |
|------|----------|---------|-----------|
| 🌐 Nmap | Network | Port discovery, service detection, version fingerprinting | 1 CPU, 1 GB |
| 🕸️ OWASP ZAP | Web app | Comprehensive web app vulnerability testing | 1 CPU, 2 GB |
| 🎯 Nuclei | Web app | Template-based vulnerability detection for known CVEs | 1 CPU, 1 GB |
| Nikto | Web app | Web server misconfiguration and dangerous file detection | 1 CPU, 1 GB |
| 📂 FFUF | Web app | Directory and file brute-forcing | 1 CPU, 1 GB |
| 🛡️ OpenVAS | Vulnerability | Full network vulnerability assessment | 2 CPU, 4 GB |
| 🔒 TestSSL | SSL/TLS | TLS certificate and cipher analysis | 1 CPU, 1 GB |
| 📡 Subfinder | Recon | Passive subdomain enumeration | 1 CPU, 1 GB |
| 🔌 HTTPX | Recon | HTTP response probing and technology detection | 1 CPU, 1 GB |
| 🧱 Wafw00f | Recon | Web Application Firewall detection | 1 CPU, 1 GB |
| 🔧 PentestTools | Multi | Additional vulnerability testing | 1 CPU, 1 GB |

White box tools (3)

These require a GitHub connection and run in addition to all black box tools.

| Tool | Category | Purpose | Resources |
|------|----------|---------|-----------|
| Semgrep | SAST | Static analysis for code-level vulnerabilities | 2 CPU, 4 GB |
| 📦 Trivy | SCA | Dependency vulnerability detection | 1 CPU, 2 GB |
| 🔑 Gitleaks | Secrets | Detect hardcoded secrets in source code | 1 CPU, 1 GB |

Shannon AI

In addition to the 14 open-source Phase 1 tools above, Shannon is TurboPentest's autonomous AI pentester (the 15th tool) that analyzes results, generates unified findings, and produces the executive summary and threat model. See Shannon AI for details.

Execution model

  • All tools run in parallel as isolated Docker containers on Azure Container Instances
  • Each tool has a timeout (typically 5-10 minutes)
  • Tools report results via callbacks as they complete
  • A pentest is complete when all tools have finished
