Architecture Overview

TurboPentest is a Next.js application deployed on Azure App Service. It orchestrates 15 containerized security tools via Azure Container Instances, with AI-powered analysis by Shannon (Claude Sonnet 4.5).

High-Level Architecture

Target DomainTurboPentest Web AppAzure App ServicePhase 1 Tool ContainersAzure Container Instances11 Black Box tools(nmap, zap, nuclei, nikto, ...)3 White Box tools(gitleaks, semgrep, trivy)Isolated containers withdedicated CPU/memoryAzure Blob StorageTool outputs, reportsShannon AI AgentClaude Sonnet 4.5Ingests Phase 1 tool outputsOwn tools: Nmap, Subfinder,WhatWeb, SchemathesisBrowser exploit validation(handles 2FA, OAuth)Parallel vuln agents:injection, XSS, SSRF, authCode-aware attack guidanceDeliverablesPDF ReportFindings + remediationAttestation LetterCompliance-ready proofRetest CommandsVerify your fixes

Execution Flow

  1. Domain verification - User proves ownership via DNS TXT record
  2. Phase 1 launch - 14 tool containers start in parallel on Azure Container Instances (11 black box, 3 white box if source code provided)
  3. Tool execution - Each tool runs against the target with defined timeouts and resource limits
  4. Callback - Tools report completion via webhook to the app
  5. Shannon agent (Phase 2) - Autonomous AI agent ingests Phase 1 outputs, runs its own tools, validates findings via browser-based exploitation, and produces a structured report
  6. Report generation - PDF report, attestation letter, and retest commands are generated
  7. Notification - User is notified via email, Slack, or webhook

Key Properties

  • Isolated execution - Each tool runs in its own container with no shared state
  • Ephemeral - Containers are destroyed after the pentest completes
  • Parallel - All tools run simultaneously for faster results
  • Deterministic - Same target produces consistent methodology coverage

Deep Dives

  • Infrastructure - Azure services, data flow, and deployment
  • Shannon AI - How the autonomous AI pentesting agent works
  • Security - Container isolation, data handling, and compliance

Previous

Integrations API

Next

Architecture Overview

On this page