ModernPentest

Running Pentests

Learn how pentests work, how to start them, and how to monitor their progress.

How Pentests Work

Every pentest is built on your asset map. Three agent roles turn a URL into a fully tested graph:

  1. Reconnaissance crawls your application and builds the asset map — pages, endpoints, services, and how they connect.
  2. The auditor reads the whole graph and decides what's worth attacking, emitting prioritized investigations.
  3. Provers confirm each investigation by actively exploiting it, then use each confirmed foothold as the starting point for further attacks. Because provers send real exploit traffic to the target, a confirmed finding is demonstrated rather than inferred from a signature match.

This works the same whether your application exposes a web surface, an API surface, or both — every page and endpoint becomes a node on one shared map.

Pentest duration varies based on application size. A small API might complete in 10-15 minutes, while a large web application could take 30-60 minutes.

Starting a Pentest

  1. Go to the Applications page
  2. Find your application card
  3. Click Start Pentest
  4. You'll be redirected to the pentest monitoring page

Screenshot: Starting a pentest

Each application can only have one pentest running at a time. Complete or wait for the current pentest before starting another.

Monitoring Progress

Once started, monitor your pentest in real time on the pentest detail page. The centerpiece is your asset map in its live lens: agent avatars move across the graph as recon, the auditor, and provers work, and findings pulse on their node the moment a prover confirms one.

Screenshot: Live pentest on the asset map

Demo: asset map in the Live scan lens (interactive demo; not reproduced here). The full topology after recon — every asset and how it connects. Color shows test coverage and findings.

The live dashboard

While a pentest runs, the asset map shows:

  • Current status - Pending, Running, Processing, or Completed
  • Agent avatars - Which agents are testing, scheduled for, or done with each node
  • Agent activity - A real-time rail of distilled events — discoveries, findings, status changes
  • Live findings - Vulnerabilities pulsing on their node as provers confirm them

Agent Pipeline

Each pentest runs through four phases:

  1. Reconnaissance

    • Crawls your application and builds the asset map
    • Identifies technologies, services, and authentication flows
    • Records discovery blockers where it can't reach further
  2. Auditing

    • The auditor reads the whole graph and emits prioritized investigations
    • Focuses effort on the highest-value, highest-risk assets
  3. Proving

    • Provers confirm each investigation by actively exploiting it
    • Findings appear in real time as they're confirmed
    • Confirmed findings chain back to the auditor for deeper attacks
  4. Processing & Complete

    • Deduplicating, validating, and enriching findings with remediation
    • Final prioritized vulnerability list and report generation
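The Processing phase above collapses repeated confirmations of one weakness into a single prioritized finding. The following Python is an added illustration of that kind of step, not ModernPentest's own processing code: it normalizes endpoint paths so the same weakness seen on several records counts once, keeps the highest-severity instance per group, remembers every node it was confirmed on, and produces the per-severity counts a summary shows. The finding fields (`class`, `method`, `path`, `severity`, `node`, `chained_from`), the normalization rules, and the sample findings are all assumptions constructed for the example.

```python
"""Deduplicate and prioritise prover findings (illustration only).

Added example; not the platform's code. The finding shape and the
normalisation rules below are assumptions chosen for the demonstration.
"""

import re
from collections import Counter, defaultdict

# Higher rank sorts first in the final list.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Path segments that are record identifiers rather than distinct endpoints.
_NUMERIC = re.compile(r"^\d+$")
_UUID = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def normalize_path(path: str) -> str:
    """Map /users/42/orders/7f3e... to /users/{id}/orders/{id}.

    Query strings and fragments are dropped; numeric and UUID segments are
    replaced by a placeholder so that one weakness on many records groups
    into one finding.
    """
    path = path.split("?", 1)[0].split("#", 1)[0]
    parts = []
    for seg in path.split("/"):
        if _NUMERIC.match(seg) or _UUID.match(seg):
            parts.append("{id}")
        else:
            parts.append(seg)
    return "/".join(parts) or "/"


def dedup_findings(findings):
    """Group by (weakness class, HTTP method, normalised path).

    Each group keeps the highest severity seen, the set of asset-map nodes it
    was confirmed on, and any finding class it was chained from. The result
    is sorted by severity (highest first), then path, then class.
    """
    groups = defaultdict(list)
    for f in findings:
        key = (f["class"], f["method"].upper(), normalize_path(f["path"]))
        groups[key].append(f)

    merged = []
    for (cls, method, path), items in groups.items():
        best = max(items, key=lambda f: SEVERITY_RANK[f["severity"].lower()])
        merged.append({
            "class": cls,
            "method": method,
            "path": path,
            "severity": best["severity"].lower(),
            "nodes": sorted({f["node"] for f in items}),
            "chained_from": sorted(
                {f["chained_from"] for f in items if f.get("chained_from")}
            ),
        })
    merged.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["path"], f["class"]))
    return merged


def severity_counts(findings):
    """Counts by severity, as a results summary would show them."""
    return Counter(f["severity"] for f in findings)


# Constructed sample: what a prover stream might look like, including one
# finding that was chained from an earlier confirmed one. Hypothetical data.
SAMPLE_FINDINGS = [
    {"class": "idor", "method": "GET", "path": "/api/users/42/profile",
     "severity": "High", "node": "n12"},
    {"class": "idor", "method": "GET", "path": "/api/users/43/profile",
     "severity": "High", "node": "n13"},
    {"class": "idor", "method": "GET",
     "path": "/api/users/7f3e0c9a-1b2c-4d5e-8f90-abcdef123456/profile?expand=1",
     "severity": "Medium", "node": "n14"},
    {"class": "sqli", "method": "POST", "path": "/api/search",
     "severity": "Critical", "node": "n20"},
    {"class": "missing-rate-limit", "method": "POST", "path": "/login",
     "severity": "Low", "node": "n3"},
    {"class": "privilege-escalation", "method": "PUT",
     "path": "/api/users/42/role", "severity": "Critical", "node": "n15",
     "chained_from": "idor"},
]


if __name__ == "__main__":
    merged = dedup_findings(SAMPLE_FINDINGS)
    for f in merged:
        print(f["severity"].upper(), f["method"], f["path"], f["class"], f["nodes"])
    print(dict(severity_counts(merged)))
```

Running the block collapses the six raw confirmations into four findings: the three IDOR hits on different user records become one High finding confirmed on nodes n12, n13 and n14, and the two Critical findings sort to the top. The `chained_from` field is kept so the report can show which earlier confirmation the privilege-escalation finding was built on.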

Understanding Pentest Results

After your pentest completes:

  1. Review the summary - See vulnerability counts by severity
  2. Prioritize findings - Focus on Critical and High severity first
  3. Read remediation guidance - Each finding includes fix recommendations
  4. Generate reports - Download for team review or compliance

For detailed guidance, see Understanding Reports.

Scheduled Pentests

Automated pentests run based on your configured frequency (daily, weekly, or monthly). You can view upcoming scans, reschedule them, or run them immediately from the Schedule page.

See Managing Schedules for details on viewing and rescheduling automated pentests.

Last updated: June 14, 2026