
Launching Scans

Starting a Pentest

Every TurboPentest engagement begins with three inputs: a target URL, an optional source code repository URL, and your choice of credit tier. Once you click "Start Pentest," the platform validates your target, deducts a credit from your account, and places the scan into the queue. From that point forward, the process is fully automated.

The target URL is the primary attack surface. TurboPentest resolves it to extract the hostname for network-level scanning while using the full URL for web application testing. If you provide a repository URL, the platform also runs static analysis tools (Semgrep for code patterns, Trivy for dependency vulnerabilities, and Gitleaks for leaked secrets) alongside the network and web scans.

The Scan Lifecycle

Every scan moves through a well-defined state machine with four possible states:

Queued

When a scan is created, it enters the queued state. During this phase, the platform provisions infrastructure: container groups are allocated in Azure, Docker images for the 14 Phase 1 tools are pulled, and the P4L4D1N agent container is prepared. The queued state typically lasts 30 to 90 seconds, depending on current platform load.

Scanning

Once infrastructure is ready, the scan transitions to scanning. This state encompasses both Phase 1 (automated tool reconnaissance) and Phase 2 (agentic penetration testing).

In Phase 1, all 14 dockerized security tools launch in parallel against your target. Each tool runs in its own container with specific resource allocations: Nmap for port and service discovery, ZAP and Nikto for web vulnerability scanning, Nuclei for template-based detection, FFUF for directory enumeration, TestSSL for TLS configuration analysis, Subfinder and HTTPX for subdomain discovery, Wafw00f for WAF detection, OpenVAS for network vulnerability assessment, and PentestTools for additional web checks. If source code was provided, Semgrep, Trivy, and Gitleaks run in parallel as well.

As each tool completes, it sends a callback to the platform. When all Phase 1 tools have reported back, Phase 2 begins. P4L4D1N ingests the combined reconnaissance data and deploys its specialist AI agents. The number and type of agents depend on your selected tier.

Complete

When P4L4D1N finishes its analysis, the scan transitions to complete. At this point, all findings have been validated, proof-of-concept exploits have been generated, severity scores have been assigned, and the full report is available. Finding continuity processing also runs at this stage, matching current findings against any previous scans of the same target.

Failed

If a critical error occurs during scanning (infrastructure failure, target unreachable, timeout exceeded), the scan enters the failed state. The platform records the failure reason, sends notification emails and Slack alerts, and refunds the credit to your account. You can view the failure reason on the scan detail page.
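The lifecycle above can be modelled as a transition table with two terminal states, which is what makes the credit refund safe: a scan that has already failed (or completed) can never be moved again, so the refund can only be issued once. The following Python is an added illustration written for this page, not TurboPentest's own code; the Account and Scan classes, the function names, the tier names as string constants, and the one-credit-per-scan cost are assumptions drawn from the description above.

```python
from dataclasses import dataclass, field
from typing import Optional

# Allowed transitions of the four-state lifecycle described on this page.
# Terminal states have no outgoing edges, so "complete" and "failed" are final.
TRANSITIONS = {
    "queued": {"scanning", "failed"},
    "scanning": {"complete", "failed"},
    "complete": set(),
    "failed": set(),
}

# Tier names from the page; using them as plain strings is an assumption.
TIERS = ("recon", "standard", "deep", "blitz")


class InvalidTransition(Exception):
    """Raised when a transition not listed in TRANSITIONS is attempted."""


class InsufficientCredits(Exception):
    """Raised when the account cannot pay for the selected tier."""


@dataclass
class Account:
    credits: int


@dataclass
class Scan:
    scan_id: str          # a UUID in the real platform; any string here
    target_url: str
    tier: str
    status: str = "queued"
    failure_reason: Optional[str] = None
    history: list = field(default_factory=list)


def start_pentest(account: Account, scan_id: str, target_url: str, tier: str) -> Scan:
    """Validate the tier and balance, deduct one credit, and create the scan as queued."""
    if tier not in TIERS:
        raise ValueError(f"unknown tier: {tier}")
    if account.credits < 1:
        raise InsufficientCredits("no credits available for this tier")
    account.credits -= 1
    return Scan(scan_id=scan_id, target_url=target_url, tier=tier)


def transition(scan: Scan, account: Account, new_status: str,
               reason: Optional[str] = None) -> Scan:
    """Move the scan to new_status, enforcing the table and refunding on failure."""
    if new_status not in TRANSITIONS[scan.status]:
        raise InvalidTransition(f"{scan.status} -> {new_status} is not allowed")
    scan.history.append((scan.status, new_status))
    scan.status = new_status
    if new_status == "failed":
        scan.failure_reason = reason or "unspecified"
        # Refund exactly once: "failed" is terminal, so this branch cannot re-run.
        account.credits += 1
    return scan


def run_lifecycle_demo() -> dict:
    """Walk one scan through queued -> scanning -> failed and probe the guards."""
    account = Account(credits=2)
    scan = start_pentest(account, "scan-demo-1", "https://app.example.test", "standard")
    transition(scan, account, "scanning")
    transition(scan, account, "failed", reason="target unreachable")

    # A failed scan must not be resurrected, and must not be refunded twice.
    try:
        transition(scan, account, "complete")
        resurrected = True
    except InvalidTransition:
        resurrected = False

    # A queued scan cannot skip straight to complete.
    second = start_pentest(account, "scan-demo-2", "https://app.example.test", "deep")
    try:
        transition(second, account, "complete")
        skipped = True
    except InvalidTransition:
        skipped = False

    return {
        "credits_after_refund_and_second_scan": account.credits,
        "first_status": scan.status,
        "failure_reason": scan.failure_reason,
        "history": scan.history,
        "resurrected": resurrected,
        "skipped_to_complete": skipped,
    }
```

Keeping the refund inside the single `failed` transition, rather than in a separate cleanup job, is the design point: whether the refund happens is decided by the same check that decides whether the state change is legal.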

Choosing the Right Tier

TurboPentest offers four credit tiers, each representing a different depth of analysis:

Recon ($49) deploys 1 agent for 30 minutes with 0.5 agent-hours. This tier is designed for quick reconnaissance checks on smaller targets. It covers the basics but does not include deep exploit validation or chain discovery.

Standard ($99) deploys 4 specialist agents for 60 minutes with 4 agent-hours. This is the recommended starting point for most web applications. The four agents cover Web, API, and Infrastructure domains, providing solid coverage of the most common attack surfaces.

Deep ($299) deploys 10 agents for 120 minutes with 20 agent-hours. Deep tier adds additional specialist agents and significantly more time for thorough testing. This is appropriate for complex applications with multiple microservices, APIs, and infrastructure components.

Blitz ($699) deploys 20 agents for 240 minutes with 80 agent-hours. Blitz is the most comprehensive tier, including the Exploit Chain Agent and Verification Agent. It is designed for critical infrastructure, pre-launch security audits, and compliance-driven assessments where maximum coverage is required.

What Happens Behind the Scenes

Understanding the technical flow helps you interpret scan timing and results:

  1. Credit validation — The platform confirms you have sufficient credits for the selected tier.
  2. Scan record creation — A new scan record is created in the database with status queued and a unique UUID.
  3. Infrastructure provisioning — Azure Container Instances are provisioned for Phase 1 tools and P4L4D1N.
  4. Phase 1 execution — All 14 tools run concurrently. Each tool has its own timeout (typically 5 minutes) to prevent any single tool from blocking the pipeline.
  5. Callback aggregation — As each tool completes, it posts results via a signed callback. An HMAC-SHA256 signature prevents unauthorized result injection.
  6. Phase 2 handoff — Once all Phase 1 results are collected, P4L4D1N receives the combined reconnaissance data.
  7. Agentic analysis — P4L4D1N deploys specialist agents, which run for the duration specified by the tier.
  8. Report generation — Findings are processed, severity-scored, fingerprinted for continuity, and stored.

Each Phase 1 tool callback is cryptographically signed. The platform verifies the HMAC-SHA256 signature before accepting any result, ensuring that only legitimate tool containers can submit findings to your scan.
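The signed-callback step (step 5 above) and the verification described in the previous paragraph can be shown end to end: each tool container MACs its result, and the platform verifies the MAC before counting the result toward Phase 1 completion. The Python below is an added example for this page and is not TurboPentest's own implementation; the shared secret, the canonical message layout (scan id, tool name and raw body joined by newlines), the JSON result shape and the aggregator class are all assumptions. The list of 14 tool names is taken from the page.

```python
import hashlib
import hmac
import json

# Constructed shared secret for this example only. How the real platform
# provisions keys to tool containers is not described on the page.
CALLBACK_SECRET = b"example-callback-secret-do-not-reuse"

# The 14 Phase 1 tools named on the page (the last three only run when a
# repository URL was supplied).
PHASE1_TOOLS = frozenset({
    "nmap", "zap", "nikto", "nuclei", "ffuf", "testssl", "subfinder",
    "httpx", "wafw00f", "openvas", "pentesttools",
    "semgrep", "trivy", "gitleaks",
})


def canonical_message(scan_id: str, tool: str, body: bytes) -> bytes:
    """Assumed MAC input: binding scan id and tool name means a genuine result
    for one scan or tool cannot be replayed as a result for another."""
    return scan_id.encode() + b"\n" + tool.encode() + b"\n" + body


def sign_callback(secret: bytes, scan_id: str, tool: str, body: bytes) -> str:
    """Tool-container side: hex HMAC-SHA256 over the canonical message."""
    return hmac.new(secret, canonical_message(scan_id, tool, body), hashlib.sha256).hexdigest()


def verify_callback(secret: bytes, scan_id: str, tool: str, body: bytes, signature: str) -> bool:
    """Platform side: recompute and compare in constant time."""
    expected = sign_callback(secret, scan_id, tool, body)
    return hmac.compare_digest(expected, signature)


class Phase1Aggregator:
    """Collects verified tool results for one scan and reports when all have arrived."""

    def __init__(self, scan_id: str, expected_tools, secret: bytes):
        self.scan_id = scan_id
        self.expected = frozenset(expected_tools)
        self.secret = secret
        self.results = {}      # tool name -> parsed result
        self.rejected = []     # (tool name, reason) for anything not accepted

    def accept(self, tool: str, body: bytes, signature: str) -> bool:
        # Only tools this scan actually launched may report.
        if tool not in self.expected:
            self.rejected.append((tool, "unknown tool"))
            return False
        # Each tool reports once; a second result is treated as a replay.
        if tool in self.results:
            self.rejected.append((tool, "duplicate"))
            return False
        if not verify_callback(self.secret, self.scan_id, tool, body, signature):
            self.rejected.append((tool, "bad signature"))
            return False
        self.results[tool] = json.loads(body)
        return True

    def phase1_complete(self) -> bool:
        """True once every expected tool has a verified result (Phase 2 may start)."""
        return self.expected <= set(self.results)


def run_callback_demo() -> dict:
    """Feed the aggregator three bad callbacks and fourteen genuine ones."""
    scan_id = "scan-uuid-placeholder"   # constructed; a real scan id is a UUID
    agg = Phase1Aggregator(scan_id, PHASE1_TOOLS, CALLBACK_SECRET)

    # 1) Body altered after signing: the MAC no longer matches.
    body = json.dumps({"tool": "nmap", "open_ports": [22, 443]}).encode()
    sig = sign_callback(CALLBACK_SECRET, scan_id, "nmap", body)
    agg.accept("nmap", body.replace(b"443", b"445"), sig)

    # 2) Callback signed with a key the platform does not hold.
    forged = json.dumps({"tool": "nuclei", "findings": ["constructed"]}).encode()
    agg.accept("nuclei", forged, sign_callback(b"wrong-key", scan_id, "nuclei", forged))

    # 3) A correctly signed result from a tool name this scan never launched.
    agg.accept("not-a-tool", b"{}", sign_callback(CALLBACK_SECRET, scan_id, "not-a-tool", b"{}"))

    # 4) Genuine callbacks from all 14 Phase 1 tools.
    for tool in sorted(PHASE1_TOOLS):
        body = json.dumps({"tool": tool, "status": "ok"}).encode()
        agg.accept(tool, body, sign_callback(CALLBACK_SECRET, scan_id, tool, body))

    return {"accepted": len(agg.results), "rejected": agg.rejected,
            "complete": agg.phase1_complete()}
```

Two details carry the security weight: `hmac.compare_digest` avoids leaking the expected MAC through timing, and folding the scan id and tool name into the signed message ties each result to exactly one scan and one tool instead of signing the body alone.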
