Pentests, assets & phases
The anatomy of a pentest — its type and mode, its lifecycle states, the assets that define its scope, and the three phases agents work through.
Pentest
A pentest is a single engagement against a defined scope. Two attributes are set when you create it and never change:
- Type — what kind of target is being assessed:
  - web — a web application
  - api — an HTTP API
  - server — a host or network service
- Mode — how the engagement is driven:
  - guided — you select the agents for each phase and advance one phase at a time
  - automatic — default agents are assigned to every phase and run end to end without intervention
Lifecycle states
A pentest moves through a well-defined set of states. Only valid transitions are allowed.
| State | Meaning |
|---|---|
| draft | Just created, not yet configured |
| configured | Has a type, methodology and at least one asset; ready to run |
| running | A phase is actively executing |
| phase_completed | The current phase finished; awaiting the next one |
| processing | Final results are being processed |
| completed | Finished successfully (terminal) |
| paused | Paused by the user |
| cancelled | Cancelled by the user (terminal) |
| archived | Archived after inactivity (terminal) |
| failed | An error occurred during execution |
A pentest that sits idle while configured or running is archived automatically after a period of inactivity, and the owner is notified by email.
Assets
Assets define the scope — the concrete targets the agents are allowed to work against. A pentest needs at least one asset, and exactly one should be marked primary (is_primary: true), which the agents attack first.
Each asset has an asset_type:
| asset_type | Example value |
|---|---|
| url | https://example.com/app |
| domain | example.com |
| ip | 192.168.1.100 |
| api | api.example.com/v1/ |
A single pentest can mix asset types — for example a primary domain plus a couple of supporting url and ip assets.
```json
{
  "assets": [
    {"asset_type": "domain", "asset_value": "example.com", "is_primary": true},
    {"asset_type": "ip", "asset_value": "192.168.1.100"},
    {"asset_type": "url", "asset_value": "https://example.com/api"}
  ]
}
```
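A pre-submission check for the asset payload, as an added example that is not the platform's own code: it enforces the rules stated on this page (at least one asset, exactly one primary, a listed asset_type). The function names and the value-shape checks per type are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlparse

ASSET_TYPES = {"url", "domain", "ip", "api"}  # asset_type values listed on this page

def value_matches_type(asset_type, value):
    """Loose shape check per type; these rules are this example's assumptions."""
    if asset_type == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if asset_type == "url":
        parsed = urlparse(value)
        return parsed.scheme in ("http", "https") and bool(parsed.hostname)
    if asset_type == "domain":
        # A bare hostname: no scheme, path, port or userinfo.
        return "." in value and not any(c in value for c in "/:@ ")
    return bool(value.strip())  # api: host with optional path, e.g. api.example.com/v1/

def validate_assets(payload):
    """Return a list of problems; an empty list means the scope is well-formed."""
    assets = payload.get("assets") or []
    problems = []
    if not assets:
        problems.append("a pentest needs at least one asset")
    for i, asset in enumerate(assets):
        kind, value = asset.get("asset_type"), str(asset.get("asset_value", ""))
        if kind not in ASSET_TYPES:
            problems.append(f"assets[{i}]: unknown asset_type {kind!r}")
        elif not value_matches_type(kind, value):
            problems.append(f"assets[{i}]: {value!r} is not a valid {kind}")
    primaries = sum(1 for a in assets if a.get("is_primary") is True)
    if assets and primaries != 1:
        problems.append(f"expected exactly one primary asset, found {primaries}")
    return problems

# Constructed sample inputs: the page's payload, and a deliberately broken variant.
GOOD = {"assets": [{"asset_type": "domain", "asset_value": "example.com", "is_primary": True},
                   {"asset_type": "ip", "asset_value": "192.168.1.100"},
                   {"asset_type": "url", "asset_value": "https://example.com/api"}]}
BAD = {"assets": [{"asset_type": "domain", "asset_value": "https://example.com/app"},
                  {"asset_type": "ip", "asset_value": "192.168.1.300"},
                  {"asset_type": "host", "asset_value": "db01"}]}

if __name__ == "__main__":
    print("GOOD:", validate_assets(GOOD) or "ok", "| BAD:", validate_assets(BAD))
```

Running it against the scope document before creating the pentest catches a mistyped target or a missing primary while the engagement is still in draft.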
Phases
Every pentest works through three ordered phases. Agents are assigned per phase, and the platform requires a minimum of 3 and a maximum of 4 agents per phase.
| # | Phase | What happens |
|---|---|---|
| 1 | Reconnaissance | Gather information about the target, passively and actively |
| 2 | Enumeration | Identify and map services, endpoints and resources |
| 3 | Analysis | Analyse the surface and confirm vulnerabilities |
Phases run in order: you cannot start a later phase before the previous one has its agents assigned and has run.
How modes map onto phases
The phases are the same in both modes — what differs is who drives the transitions between them.
- Guided — for each phase you pick the agents, run it, review the output, then decide whether to continue. You process the findings yourself and finish the pentest when you’re done — you don’t have to run all three phases.
- Automatic — default agents are assigned to all phases at once and executed back to back. Vulnerabilities are processed automatically at the end and the pentest is marked completed with no manual step.
In both modes, progress streams in real time while a phase runs. To see the findings that come out of the Analysis phase, head to Vulnerabilities; to understand the agents that do the work, see Agents, tools & MCP.