BetaWe're currently in beta. Signing in will place you on our waitlist.
Running Pentests & Reading Results

Live Agent Activity

Watching Agents Work

One of TurboPentest's most distinctive features is full transparency into what the AI agents are doing during a pentest. Unlike traditional scanners that show a progress bar and deliver results at the end, TurboPentest streams every agent action, finding, lead, and chat message to your browser in real-time. The live agent panel transforms a black-box scan into an observable, auditable process.

When a scan enters the "scanning" state and Phase 2 begins, the live agent panel becomes available on the scan detail page. Each active agent appears as a card showing its specialization, current status, and recent activity. As agents work, you see their reasoning unfold: which tools they are running, what they are investigating, and what they have found so far.

The Live Agent Panel

The live agent panel is organized around several key components:

Agent Status Cards

Each deployed agent has a status card showing its name (e.g., "Web App Agent," "API Agent," "Infrastructure Agent"), its current phase of work, and a real-time activity indicator. The status cycles through states like "Analyzing reconnaissance data," "Running additional tools," "Testing payloads," and "Validating findings." This gives you immediate visibility into how far along the test is and what each agent is focusing on.

Activity Stream

The central activity stream shows a chronological feed of agent actions. Every significant event appears here: tool executions, payload tests, finding discoveries, leads posted to the blackboard, and inter-agent communication. Each entry includes a timestamp, the agent that generated it, and a human-readable description of what happened.

For example, you might see entries like:

  • Web App Agent — Testing reflected XSS on /search?q= with 12 payload variants
  • Infrastructure Agent — Discovered open Redis on port 6379, posting lead for API Agent
  • API Agent — Picked up lead from Infrastructure Agent, checking session storage in Redis
  • Exploit Chain Agent — Combining XSS finding with CSRF token leak into attack chain

Finding Alerts

When an agent validates a new finding, a prominent alert appears in the panel with the finding's severity, title, and a brief description. Critical and high-severity findings trigger visual emphasis so they are immediately noticeable even if you are not actively watching the stream.

Server-Sent Events (SSE)

The live agent panel is powered by Server-Sent Events, a lightweight streaming protocol that delivers updates from the server to your browser without polling. When you open the scan detail page, your browser establishes a persistent SSE connection to the platform's streaming endpoint.

The SSE stream carries several event types:

Agent Status Events update the status cards when an agent changes what it is doing. These fire frequently as agents move between analysis, tool execution, and validation phases.

Chat Message Events contain the agents' reasoning and communication. These messages are posted to the P4L4D1N blackboard and streamed to the panel simultaneously. They form a complete audit trail of the agents' decision-making process.

Finding Events announce validated vulnerabilities as they are discovered. Each event includes the finding's severity, title, affected URL, and source agent.

Lead Events show cross-agent collaboration in action. When one agent posts a suggestion for another to investigate, the lead event shows what was discovered and which agent should follow up.

Progress Events provide overall scan progress indicators, including the number of Phase 1 tools completed, agents deployed, and findings discovered so far.

Reading the Agent Chat

The agent chat stream is one of the most valuable parts of the live panel. It shows the agents' actual reasoning in natural language. By reading the chat, you can understand:

  • Why an agent decided to investigate a particular endpoint
  • What payloads it crafted and why it chose them
  • How it interpreted the target's responses
  • Whether a finding was confirmed or ruled out and why

This transparency is critical for security teams that need to understand and defend the findings in their report. When a developer questions whether a finding is real, you can point to the exact agent reasoning that led to the discovery and the proof-of-concept that confirmed it.

Practical Tips for Monitoring

You do not need to watch the entire scan. The live panel is there for transparency and debugging, not as a requirement. The final report contains everything the agents discovered, regardless of whether you watched in real-time.

Check in during the first few minutes. The early activity stream reveals how agents are interpreting the reconnaissance data and what attack surfaces they are prioritizing. If something looks unexpected (agents focusing on a domain you did not intend to test), you can cancel and restart.

Use finding alerts as early signals. Critical findings that appear early in the scan often indicate significant security gaps. You do not need to wait for the full report to start planning remediation for the most severe issues.

The chat log persists after the scan completes. You can review the full agent activity stream after the scan finishes. This is valuable for post-scan analysis and for understanding the context behind specific findings.

Connection Resilience

If your browser connection drops during a scan (network interruption, closing the tab, navigating away), no data is lost. The agents continue working regardless of whether anyone is watching. When you reconnect by returning to the scan page, the panel reloads with the current state and resumes streaming new events. The complete chat and activity history is always available from the server.

Previous

Launching Scans

Next

Interpreting Findings

On this page