Architecture Overview

Security

Security is foundational to TurboPentest. This page details how we protect your data, isolate tool execution, and maintain compliance.

Container Isolation

Every security tool runs in its own Azure Container Instance:

  • No shared state - Each container is a fresh instance with no access to other containers
  • Dedicated resources - CPU and memory are allocated per tool, not shared
  • Network isolation - Containers can only communicate outbound to the target and inbound via callback webhook
  • Ephemeral - Containers are destroyed immediately after the tool completes

Code Handling

For white box pentests that connect to GitHub:

  • Source code is cloned into an ephemeral container at runtime
  • Code is never stored on persistent storage
  • The container (and all code within it) is destroyed after the tool completes
  • GitHub access tokens are scoped to the minimum required permissions

Data at Rest

  • Pentest results are stored in Azure Blob Storage with encryption at rest
  • Database records are stored in Azure PostgreSQL with encryption at rest
  • PDF reports and attestation letters are stored in encrypted Blob Storage
  • Users can delete their pentest data at any time

Data in Transit

  • All traffic uses TLS 1.2+ encryption
  • Azure App Service enforces HTTPS
  • Tool callback webhooks use HTTPS
  • API authentication uses API keys transmitted via headers

Secrets Management

  • Application secrets are stored as Azure App Service environment variables
  • No secrets are hardcoded in source code
  • GitHub tokens are encrypted in the database
  • API keys are hashed before storage

CI/CD Security

Every code change goes through an automated pipeline:

  1. ESLint - Static analysis for code quality and security patterns
  2. TypeScript - Full type checking catches type-related bugs at build time
  3. Vitest - 24 test suites run on every commit
  4. Production build - Full Next.js build ensures no runtime errors
  5. Automated deployment - Only code that passes all checks reaches production

Compliance

StandardStatusDetails
CMMC Level 1CompliantCybersecurity Maturity Model Certification
PCI DSSCompliant (SAQ A)Payment Card Industry Data Security Standard
SOC 2AlignedSecurity practices aligned with SOC 2 Trust Service Criteria

For complete compliance documentation, visit our Trust Center.

Responsible Disclosure

If you discover a security vulnerability in TurboPentest, please report it to security@integsec.com. We take all reports seriously and will respond within 48 hours.

Previous

Shannon AI

Next

Subscriptions & Credits

On this page