ModernPentest

Running Pentests

Learn how pentests work, how to start them, and how to monitor progress

Once you've added your application, you're ready to run security pentests. This guide covers how pentests work, how to start one, and how to monitor its progress.

How Pentests Work

ModernPentest uses intelligent agents that automatically adapt to your application's configuration:

Surface-Based Testing

Agents are assigned based on your configured attack surfaces:

Web Applications

  • A reconnaissance agent maps your site, discovering pages, forms, and technologies
  • Security testing agents are dynamically spawned based on discovered content
  • Testing adapts to what's found during reconnaissance

REST APIs

  • Endpoints are intelligently grouped by feature domain
  • Specialized agents test for BOLA, authentication flaws, and injection vulnerabilities
  • Each agent group runs in parallel for faster results

Pentest duration varies based on application size. A small API might complete in 10-15 minutes, while a large web application could take 30-60 minutes.

Starting a Pentest

  1. Go to the Applications page
  2. Find your application card
  3. Click Start Pentest
  4. You'll be redirected to the pentest monitoring page

Screenshot: Starting a pentest

Each application can have only one pentest running at a time. Let the current pentest complete before starting another.

Monitoring Progress

Once the pentest has started, monitor it in real time on the pentest detail page:

Screenshot: Pentest in progress

Live Dashboard

The pentest dashboard shows:

  • Current status - Pending, Running, Processing, or Completed
  • Active agents - Which security agents are currently testing
  • Agent activity - Real-time logs of what's being tested
  • Live findings - Vulnerabilities as they're detected

Agent Pipeline

Each pentest runs through a pipeline of specialized agents:

  1. Reconnaissance (Web) or Endpoint Grouping (API)
    • Maps your application structure
    • Identifies technologies and authentication flows
    • Plans subsequent testing phases
  2. Security Testing
    • Multiple agents test in parallel
    • Testing focuses on OWASP Top 10 vulnerabilities
    • Findings appear in real time
  3. Processing
    • Deduplicates similar findings
    • Consolidates vulnerabilities across agents
    • Enriches findings with remediation guidance
  4. Complete
    • Final vulnerability list with priorities
    • Report generation available

Understanding Pentest Results

After your pentest completes:

  1. Review the summary - See vulnerability counts by severity
  2. Prioritize findings - Focus on Critical and High severity first
  3. Read remediation guidance - Each finding includes fix recommendations
  4. Generate reports - Download for team review or compliance

For detailed guidance, see Understanding Reports.

Last updated: December 8, 2025
