Skip to main content

Overview

This guide walks you through conducting your first penetration test with PentAGI. You’ll learn how to create a testing flow, configure targets, monitor execution, and interpret results.
Ensure you have completed the Installation and have proper authorization to test the target system.

Prerequisites

Before starting:
Legal and Ethical RequirementsOnly perform penetration testing on systems you own or have explicit written authorization to test. Unauthorized testing is illegal and unethical.

Step 1: Access PentAGI

1

Open web interface

Navigate to https://localhost:8443 in your browser.
2

Login with credentials

Use the default credentials (change after first login):
3

Navigate to Flows

Click on the Flows menu to access the penetration testing workspace.

Step 2: Create Your First Flow

A “flow” in PentAGI represents a complete penetration testing engagement.
1

Create new flow

Click the + New Flow button in the Flows interface.
2

Configure flow parameters

Enter the basic information:
  • Name: Give your test a descriptive name (e.g., “Web App Security Assessment”)
  • Description: Add details about the test scope and objectives
  • Target: Specify the target system (e.g., http://10.10.10.10:8080)
3

Define testing objectives

In the flow prompt, specify what you want to test. For example:
You need to find critical or valuable vulnerabilities in a Web Application http://10.10.10.10:8080

Follow this action plan:

1. Collect all endpoints of the application
   - Navigate through all application pages
   - Test all features and functions
   - Document endpoints and input fields

2. For each endpoint, check for:
   - Path Traversal (attempt to read /etc/passwd)
   - Cross-Site Request Forgery (CSRF)
   - Cross-Site Scripting (XSS)
   - SQL Injection (use sqlmap)
   - Command Injection (use commix)
   - Server-Side Request Forgery (SSRF)
   - XML External Entities (XXE)
   - Unsafe file upload

3. Document findings with:
   - Vulnerability type and severity
   - Reproduction steps
   - Example payloads
   - Potential impact
4

Start the flow

Click Start Flow to begin the automated penetration test.

Step 3: Monitor Execution

PentAGI autonomously executes the penetration test. You can monitor progress in real-time.

Understanding the Flow Hierarchy

Flow Components

The top-level engagement representing the entire penetration test.Status indicators:
  • Active: Test is running
  • Completed: All tasks finished
  • Failed: Critical error occurred

Real-Time Monitoring

1

View task progress

The flow interface shows:
  • Current task being executed
  • Completed tasks (green checkmarks)
  • Pending tasks (gray)
  • Failed tasks (red X)
2

Inspect subtask details

Click on any task to expand and view:
  • Subtasks and their agents
  • Command outputs
  • Tool results
  • Agent reasoning and decisions
3

Review action logs

Each action shows:
  • Command or tool executed
  • Full output/response
  • Timestamps
  • Success/failure status

Step 4: Understanding Results

As PentAGI progresses through the test, it discovers and documents findings.

Example: SQL Injection Discovery

Here’s how PentAGI identifies and reports a SQL injection vulnerability:
1

Initial testing

Task: “Check sorting functionality for SQL Injection”The executor agent runs sqlmap:
sqlmap -u "http://10.10.10.10:8080/?order=id" --batch --random-agent
2

Vulnerability confirmation

Result: SQL injection detected in ‘order’ parameterPentAGI identifies:
  • Injection types: Boolean-based blind, Error-based, Time-based blind
  • Backend DBMS: MySQL 5.6+
  • Example payload: order=id AND 5670=(SELECT (CASE WHEN (5670=5670) THEN 5670 ELSE (SELECT 9089 UNION SELECT 6214) END))-- silk
3

Impact assessment

PentAGI automatically:
  • Attempts data extraction
  • Tests privilege escalation
  • Documents potential impact
Finding: Admin credentials extracted (admin:secureadminpassword)

Viewing Findings

Within the flow interface:
  • Findings appear under their respective tasks
  • Color-coded by severity (red=critical, orange=high, yellow=medium)
  • Click to expand full details

Step 5: Exporting Results

1

Navigate to completed flow

Go to the Flows list and select your completed test.
2

Export report

Click the Export button to download:
  • Full HTML report
  • JSON data for integration
  • Markdown summary
3

Share findings

Use the exported report to:
  • Present findings to stakeholders
  • Track remediation progress
  • Document compliance testing

Common Testing Scenarios

Web Application Testing

Test web application at http://example.com for:
- SQL Injection in all parameters
- XSS in input fields and URLs
- CSRF on state-changing operations
- Authentication bypass techniques
- Session management vulnerabilities

Assess REST API at https://api.example.com:
- Authentication and authorization flaws
- Input validation issues
- Rate limiting effectiveness
- Information disclosure
- Business logic vulnerabilities

Scan network range 10.10.10.0/24:
- Port scanning with nmap
- Service enumeration
- Version detection
- Common vulnerability identification
- Exploit attempt on identified services

Using Professional Tools

PentAGI has access to 20+ professional pentesting tools:

sqlmap

Automated SQL injection testing and exploitation

nmap

Network discovery and security auditing

metasploit

Penetration testing framework

commix

Command injection exploitation

nikto

Web server vulnerability scanner

gobuster

Directory and file brute-forcing
PentAGI automatically selects appropriate tools based on the testing scenario.

Interpreting Agent Decisions

PentAGI uses multiple specialized agents that reason about their actions:

Example Agent Reasoning

Observation: “Application uses GET parameter ‘order’ for sorting”Analysis: “GET parameters are common SQL injection vectors. The sorting functionality directly interacts with database queries.”Decision: “Delegate SQL injection testing to executor agent with sqlmap tool.”

Troubleshooting

Possible causes:
  • Target system is unreachable
  • Firewall blocking tool execution
  • Agent waiting for tool to complete
Solutions:
  • Check target system connectivity
  • Review agent logs for errors
  • Consider increasing timeout values
  • Pause and manually verify target access
Possible causes:
  • Target is well-secured
  • Testing scope too limited
  • Agent needs more specific guidance
Solutions:
  • Expand testing prompt with more scenarios
  • Provide specific endpoints or features to test
  • Use more advanced techniques in prompt
  • Try different testing approaches
Possible causes:
  • Tool not available in container
  • Invalid tool syntax
  • Resource constraints
Solutions:
  • Check container has required tools
  • Review tool output for syntax errors
  • Increase container resources
  • Use alternative tools

Next Steps

Custom Assistants

Create specialized testing assistants

Advanced Techniques

Learn advanced pentesting workflows

Best Practices

Security and ethical guidelines

Distributed Setup

Scale testing with worker nodes

Build docs developers (and LLMs) love

Get started for freeTalk to us