Phase 1 Tools

The Reconnaissance Layer

Before any AI agent touches a target, TurboPentest runs a comprehensive automated reconnaissance phase. Phase 1 deploys 14 dockerized security tools in parallel, each specialized for a different domain of security testing. This approach ensures broad attack surface coverage while keeping execution time short — all 14 tools run concurrently rather than sequentially.

Every tool runs inside its own isolated Docker container with defined CPU and memory limits. Each container is ephemeral: it starts, executes its scan, reports results via a callback endpoint, and terminates. This architecture provides isolation (a crashing tool cannot affect others), reproducibility (identical container images every run), and scalability (containers can run on Azure Container Instances in production or local Docker in development).

The 14 Tools

Network and Service Discovery

Nmap performs service version detection and script scanning against the target hostname. It identifies open ports, running services, and their versions — the foundational map of the target's network surface. Nmap runs with a 5-minute host timeout and outputs XML for structured parsing.

Subfinder discovers subdomains through passive enumeration using public data sources. Every subdomain found expands the attack surface and may reveal staging environments, admin panels, or forgotten services. Results are output as JSON for downstream consumption.

HTTPX probes discovered URLs for HTTP response details including status codes, page titles, server headers, and technology fingerprinting. It detects the technology stack (frameworks, CDNs, server software) that informs which vulnerability classes are most relevant.

Web Vulnerability Scanning

OWASP ZAP (Zed Attack Proxy) runs a baseline scan against the target URL, testing for common web vulnerabilities including XSS, SQL injection, and security header misconfigurations. ZAP operates in automated mode with a 10-minute active scan limit and produces a JSON report.

Nuclei runs template-based vulnerability checks from ProjectDiscovery's extensive template library. Each template targets a specific CVE, misconfiguration, or exposure pattern. Nuclei outputs JSONL (one finding per line) for easy streaming and parsing.

Nikto is a web server scanner that checks for dangerous files, outdated server software, and server configuration issues. It identifies over 6,700 potentially dangerous files and programs and checks for over 1,250 outdated server versions.

Directory and File Discovery

FFUF (Fuzz Faster U Fool) brute-forces directory and file paths against the target URL using a curated wordlist. The default wordlist includes common admin paths, API endpoints, configuration files, backup files, and environment files. FFUF runs with 50 concurrent threads and filters for HTTP 200, 301, 302, and 403 responses — the last being important because a 403 confirms the path exists even if access is denied.

WAF and TLS Analysis

Wafw00f detects whether a Web Application Firewall sits in front of the target. Knowing the WAF vendor and configuration helps agents understand which attack payloads might be filtered and which bypass techniques to attempt.

TestSSL performs a comprehensive TLS/SSL analysis of the target's HTTPS configuration. It checks for weak cipher suites, deprecated protocol versions (TLS 1.0/1.1), certificate issues, and known TLS vulnerabilities like BEAST, POODLE, and Heartbleed.

Infrastructure Vulnerability Scanning

OpenVAS (Open Vulnerability Assessment Scanner) runs a full vulnerability assessment against the target host. It checks for known CVEs in running services, misconfigurations, and missing patches. OpenVAS requires the most resources (2 CPU, 4 GB RAM) and the longest timeout (15 minutes) due to its comprehensive scanning approach.

PentestTools provides additional vulnerability detection coverage with a focus on web application and infrastructure issues, outputting structured JSON results for all detected findings.

White-Box Tools (Source Code Required)

Three tools require access to the application's source code repository and only run when a repository URL is provided:

Semgrep performs static application security testing (SAST) using community and custom rules. It detects security antipatterns like SQL injection via string concatenation, hardcoded credentials, and insecure cryptographic usage directly in the source code.

Trivy performs software composition analysis (SCA), scanning dependency lockfiles for known CVEs. It identifies vulnerable library versions and recommends upgrades to patched versions.

Gitleaks scans the repository for leaked secrets — API keys, passwords, tokens, and other credentials that may have been accidentally committed. It uses pattern matching and entropy analysis to detect secrets across the entire git history.

Parallel Execution and Callbacks

All 14 tools launch simultaneously. As each tool completes, it sends an HTTP POST callback to TurboPentest's callback endpoint with its tool name and completion status. The callback may include a cryptographic signature (HMAC-SHA256) for verification when a callback secret is configured.

TurboPentest tracks the status of each tool in the database. Once all 14 tools have reported completion (or failure), Phase 1 is complete and Phase 2 begins. Tool failures are non-fatal — if one tool crashes, the remaining 13 still provide their results. This resilience ensures that a single misbehaving tool never blocks the entire pentest.
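The callback handling described in the two paragraphs above, as an added example rather than TurboPentest's own implementation: it verifies the HMAC-SHA256 signature over the raw POST body in constant time, rejects unsigned callbacks whenever a secret is configured, and records per-tool status so that Phase 1 completes only when all 14 tools have reported, failures included. The JSON body shape, the tool names and the signature encoding are assumptions.

```python
"""Verify HMAC-SHA256 tool callbacks and track Phase 1 completion (added example)."""
import hashlib
import hmac
import json

# Assumed internal names for the 14 Phase 1 tools described on this page.
PHASE1_TOOLS = frozenset([
    "nmap", "subfinder", "httpx", "zap", "nuclei", "nikto", "ffuf", "wafw00f",
    "testssl", "openvas", "pentesttools", "semgrep", "trivy", "gitleaks",
])

def make_body(tool: str, status: str) -> bytes:
    """Assumed callback body: {"tool": ..., "status": ...} as UTF-8 JSON."""
    return json.dumps({"tool": tool, "status": status}).encode()

def sign_callback(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body, as a container would attach to its POST."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_callback(secret, body: bytes, signature_header) -> bool:
    """Constant-time check. With a secret configured, a missing signature is a rejection."""
    if secret is None:
        return True  # no callback secret configured: signatures are not required
    if not signature_header:
        return False
    return hmac.compare_digest(sign_callback(secret, body), signature_header)

class Phase1Tracker:
    """Records each tool's reported status; stands in for the database row per tool."""
    def __init__(self, tools=PHASE1_TOOLS):
        self.expected = set(tools)
        self.status = {}

    def handle_callback(self, secret, body: bytes, signature_header) -> str:
        if not verify_callback(secret, body, signature_header):
            return "rejected"  # never update state from an unverified callback
        payload = json.loads(body)
        tool = payload["tool"]
        if tool not in self.expected:
            return "unknown-tool"
        self.status[tool] = payload["status"]  # a failed tool still counts as reported
        return "recorded"

    def phase1_complete(self) -> bool:
        """Phase 1 ends once every expected tool has reported, success or failure."""
        return self.expected <= set(self.status)

    def failed_tools(self):
        return sorted(t for t, s in self.status.items() if s != "completed")
```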

Why Phase 1 Matters

Phase 1 output is the raw material that P4L4D1N agents consume in Phase 2. The breadth and quality of reconnaissance directly determines how deep and accurate the agentic analysis can be. A port scan finding an open Redis instance on port 6379 means nothing to Nmap — but when the API Agent sees that data, it checks for unauthenticated access and session token exposure. Phase 1 provides the facts; Phase 2 provides the intelligence.