Tier Scaling
Scaling Agents to Match Scope
Not every target needs 20 AI agents running for four hours. A quick check on a staging environment needs different coverage than a deep assessment of a production API handling financial data. TurboPentest's tier system scales the number of agents, the test duration, and the analysis depth to match the scope and criticality of each engagement.
Four tiers are available: Recon, Standard, Deep, and Blitz. Each tier determines which agents are deployed, how long they run, and whether advanced features like synthesis and supervision are enabled.
Recon Tier: 1 Agent, 30 Minutes
The Recon tier deploys a single generalist agent that analyzes all Phase 1 tool outputs. There is no supervisor, no synthesis pass, and no specialist depth. The generalist covers all vulnerability classes in a single pass, producing validated findings with severity ratings and remediation guidance.
Agent composition:
- 1 Generalist Security Analyst
Duration: 30 minutes total, wrap-up signal at 24 minutes
Use cases: Quick security checks, CI/CD pipeline gates, staging environment validation, initial assessment before committing to a deeper scan.
What you get: Validated findings across all vulnerability classes, but without the deep specialist analysis or cross-agent correlation of higher tiers. The generalist identifies the most obvious issues but may miss subtle domain-specific vulnerabilities that a specialist would catch.
Standard Tier: 4 Agents, 60 Minutes
The Standard tier replaces the generalist with three specialists covering the most common attack surfaces for web applications, plus a supervisor. The supervisor coordinates agent work, resolves conflicting findings, and ensures coverage across the attack surface.
Agent composition:
- Web App Agent
- API Security Agent
- Infrastructure Agent
- Supervisor (coordination, not a finding-producing agent)
Duration: 60 minutes total, wrap-up signal at 48 minutes
Use cases: Regular penetration tests, production web applications, compliance-driven assessments, quarterly security reviews.
What you get: Deep analysis of web, API, and infrastructure vulnerabilities with cross-agent lead posting. The three specialists cover the domains responsible for the vast majority of real-world exploitable findings. The supervisor ensures agents do not duplicate effort and that the final output is coherent.
Deep Tier: 10 Agents, 120 Minutes
The Deep tier deploys all 8 specialists plus a supervisor and synthesis pass. Every vulnerability domain has a dedicated agent, and the synthesis pass at the end combines all findings into a unified assessment with cross-references and attack chains.
Agent composition:
- Web App Agent
- API Security Agent
- Infrastructure Agent
- Code Analysis Agent
- Crypto/TLS Agent
- Auth/Access Control Agent
- Business Logic Agent
- Supply Chain Agent
- Supervisor
- Synthesis pass
Duration: 120 minutes total, wrap-up signal at 96 minutes
Use cases: Comprehensive security assessments, pre-launch security reviews, applications handling sensitive data, regulatory compliance pentests, white-box assessments with source code access.
What you get: Full specialist coverage across all 8 vulnerability domains. The Code, Crypto, Auth, Business Logic, and Supply Chain agents provide depth that Standard tier cannot match. The synthesis pass identifies cross-domain patterns and produces the most thorough assessment short of Blitz.
Blitz Tier: 20 Agents, 240 Minutes
The Blitz tier is the maximum-depth assessment. It deploys all 8 specialists for a breadth pass, then 8 additional depth-pass agents that go deeper on the breadth pass findings, plus an Exploit Chain Agent that specifically hunts for multi-step attack paths and a Verification Agent that validates all findings for accuracy.
Agent composition:
- 8 specialist agents (breadth pass)
- 8 depth-pass agents (one per specialist domain)
- Exploit Chain Agent
- Verification Agent
- Supervisor
- Synthesis pass
Duration: 240 minutes (4 hours) total, wrap-up signal at 192 minutes
Use cases: Critical production systems, financial applications, healthcare platforms, anything where maximum vulnerability discovery and verification are worth the investment.
What you get: The breadth pass identifies all findings that Deep tier would find. The depth pass agents then focus specifically on those findings, attempting more sophisticated exploit techniques, verifying exploitability, and documenting detailed proof-of-concept exploits. The Exploit Chain Agent reads all findings and constructs multi-step attack paths. The Verification Agent confirms severity ratings match actual demonstrated impact.
How the Orchestrator Selects Agents
The orchestrator uses the getRolesForTier() function to determine which agents to deploy. This function maps each tier to a specific list of agent roles:
- Recon returns only the generalist role
- Standard filters for web, API, and infrastructure roles
- Deep returns all roles except the generalist
- Blitz returns all specialist roles plus depth variants, the exploit chain agent, and the verification agent
The orchestrator also determines timing from a duration table: Recon gets 30 minutes, Standard gets 60, Deep gets 120, and Blitz gets 240. The wrap-up signal fires at 80% of the total duration, giving agents time to complete their final analysis cycle before the hard deadline.
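The selection and timing rules above, written out as an added sketch (this is not TurboPentest's own code). The names rolesForTier and planTier and the role identifiers are assumptions made for illustration. The sketch derives each tier's roster from one role list and checks it against the agent counts and wrap-up times quoted on this page:

```javascript
// Added sketch, not TurboPentest source. Role ids are assumed names for the
// agents listed on this page; rolesForTier/planTier are hypothetical helpers.
const SPECIALISTS = ["web", "api", "infra", "code", "crypto", "auth", "logic", "supply-chain"];
const ROLES = ["generalist", ...SPECIALISTS];

// Duration table from the page, in minutes; wrap-up fires at 80% of it.
const DURATION_MIN = { recon: 30, standard: 60, deep: 120, blitz: 240 };
const WRAP_UP_FRACTION = 0.8;

function rolesForTier(tier) {
  switch (tier) {
    case "recon":
      return ["generalist"];
    case "standard":
      return ROLES.filter((r) => ["web", "api", "infra"].includes(r));
    case "deep":
      return ROLES.filter((r) => r !== "generalist");
    case "blitz":
      return [
        ...SPECIALISTS,                          // breadth pass
        ...SPECIALISTS.map((r) => `${r}-depth`), // one depth agent per domain
        "exploit-chain",
        "verification",
      ];
    default:
      // Fail closed: an unknown tier must not silently run with no agents.
      throw new Error(`unknown tier: ${tier}`);
  }
}

function planTier(tier) {
  const roles = rolesForTier(tier);
  const supervisor = tier !== "recon";                   // Standard and above
  const synthesis = tier === "deep" || tier === "blitz"; // Deep and Blitz only
  const durationMin = DURATION_MIN[tier];
  return {
    tier, roles, supervisor, synthesis, durationMin,
    wrapUpMin: Math.round(durationMin * WRAP_UP_FRACTION),
    // The page's headline counts add up once supervisor and synthesis are included.
    agentCount: roles.length + (supervisor ? 1 : 0) + (synthesis ? 1 : 0),
  };
}

for (const tier of Object.keys(DURATION_MIN)) console.log(planTier(tier));
```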
Supervisor and Synthesis
The supervisor is present at Standard tier and above. It does not produce findings directly. Instead, it monitors agent progress, assigns focus areas, and coordinates to prevent duplicate work.
The synthesis pass is present at Deep and Blitz tiers. After all agents complete, synthesis combines findings from all agents, resolves duplicates, identifies cross-domain correlations, and produces the final structured report that includes the executive summary, attack surface map, and threat model.
Choosing the Right Tier
The right tier depends on the target's criticality, the available time budget, and the depth of analysis needed. Recon is for speed and quick checks. Standard covers the most common attack surfaces effectively. Deep provides comprehensive coverage for important applications. Blitz is reserved for high-value targets where no stone should be left unturned.
Each tier includes all Phase 1 tools — the 14-tool reconnaissance sweep is identical regardless of tier. The difference is entirely in how many agents analyze the results and how deeply they investigate.