May 14, 2027 edition


Agentic offensive security at scale

Hex Security Runs Penetration Tests 24/7 So You Stop Pretending Annual Audits Are Enough

Tags: Cybersecurity, Penetration Testing, AI, Security

The Macro: Annual Pentests Are Security Theater

Most companies treat penetration testing like an annual physical. Once a year, they bring in a team of security consultants who spend a few weeks poking at their systems, produce a PDF with findings, and leave. The company fixes the critical vulnerabilities, files the report for compliance, and goes back to shipping code.

The problem is obvious. Code changes daily. New endpoints go live. Configurations drift. The pentest report from three months ago is already stale. The attack surface has shifted. New vulnerabilities have been introduced. And the company will not find out until the next annual engagement, or worse, until an actual attacker finds them first.

This is not a hot take. Security professionals have been complaining about the limitations of point-in-time testing for years. But the economics of traditional pentesting make continuous testing impractical. Good pentesters charge $200-400 per hour. A thorough engagement costs tens of thousands of dollars. Running that continuously would bankrupt most companies.

Hex Security, backed by Y Combinator, is building AI agents that run penetration tests continuously. Instead of a once-a-year engagement, Hex Security’s agents work around the clock to find and verify critical vulnerabilities. The pitch is simple: always-on offensive security at a fraction of the cost of human pentesters.

The Micro: AI Agents That Think Like Attackers

The technical approach is agent-based offensive security. Hex Security’s AI agents simulate real attack chains against your applications and infrastructure. They probe for vulnerabilities, attempt exploitation, and verify whether the vulnerabilities are actually exploitable, not just theoretical.

This is an important distinction. Traditional vulnerability scanners like Qualys and Nessus find potential weaknesses by matching patterns: version banners, known-bad configurations, and error strings in responses. They generate long lists of findings, many of which are false positives or low-severity issues that would never be exploitable in practice. The signal-to-noise ratio is terrible, and security teams spend more time triaging scanner output than fixing real problems.

Hex Security’s agents go further by actually attempting exploitation, the way a human pentester would. They chain multiple vulnerabilities together. They test whether a SQL injection actually leads to data access. They check whether a misconfigured API endpoint can be leveraged into lateral movement. This produces findings that are verified and prioritized by actual risk, not theoretical severity.
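To make the difference between a pattern-matched finding and a verified one concrete, here is an added illustration; it is not Hex Security's code and says nothing about how their agents are built. It stands up three hypothetical lookup endpoints over a constructed in-memory SQLite table: one injectable, one parameterized, and one parameterized but emitting an error banner whenever the input contains a quote. A scanner-style heuristic flags anything that returns an error, so it flags the injectable endpoint and the harmless validating one alike. The verifier does what a pentester would: it confirms that a true and a false boolean payload produce different result sets (proof the input reaches the query) and then demonstrates impact by pulling a column the endpoint never exposes. All table names, column names and payloads are assumptions for the example.

```python
import sqlite3
from typing import Callable, Dict, List, Union

Result = Union[List[str], str]
Endpoint = Callable[[sqlite3.Connection, str], Result]


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the example; nothing here comes from the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cr3t"), (2, "bob", "hunter2")],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, name: str) -> Result:
    """Hypothetical endpoint A: SQL built by string concatenation (injectable)."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return f"error: {exc}"  # verbose DB error leaks back to the caller


def hardened_lookup(conn: sqlite3.Connection, name: str) -> Result:
    """Hypothetical endpoint B: parameterized query (not injectable)."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def validating_lookup(conn: sqlite3.Connection, name: str) -> Result:
    """Hypothetical endpoint C: parameterized, but rejects quotes with a banner
    that a pattern-matching scanner will mistake for a database error."""
    if "'" in name:
        return "error: invalid character in name"
    return hardened_lookup(conn, name)


def scanner_style_check(endpoint: Endpoint, conn: sqlite3.Connection) -> bool:
    """Scanner heuristic: send a lone quote and flag any error-looking response."""
    resp = endpoint(conn, "'")
    return isinstance(resp, str) and "error" in resp.lower()


def verify_exploitable(endpoint: Endpoint, conn: sqlite3.Connection) -> bool:
    """Pentester-style verification: boolean differential, then demonstrated impact."""
    baseline = endpoint(conn, "alice")
    true_branch = endpoint(conn, "alice' AND '1'='1")
    false_branch = endpoint(conn, "alice' AND '1'='2")
    # If the tautology matches the baseline and the contradiction does not,
    # the payload is being evaluated as SQL rather than treated as data.
    if not (true_branch == baseline and false_branch != baseline):
        return False
    # Prove data access: pull the secret column the endpoint never exposes.
    leaked = endpoint(conn, "nobody' UNION SELECT secret FROM users--")
    return isinstance(leaked, list) and "hunter2" in leaked


def triage(conn: sqlite3.Connection) -> Dict[str, Dict[str, bool]]:
    """Run both checks against every endpoint and report the disagreement."""
    endpoints: Dict[str, Endpoint] = {
        "vulnerable": vulnerable_lookup,
        "hardened": hardened_lookup,
        "validating": validating_lookup,
    }
    return {
        label: {
            "scanner_flag": scanner_style_check(ep, conn),
            "verified": verify_exploitable(ep, conn),
        }
        for label, ep in endpoints.items()
    }


if __name__ == "__main__":
    for label, outcome in triage(make_db()).items():
        print(f"{label:11s} scanner_flag={outcome['scanner_flag']!s:5s} verified={outcome['verified']}")
```

The useful row is the validating endpoint: the scanner flags it, the verifier clears it, and that gap is the triage time the passage above is describing. The verifier also deliberately stops short of anything destructive; demonstrating a read of a column the caller should not see is enough to rank the finding by real impact.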

The founding team includes Huzaifa Ahmad, Ahmad Khan, and Prama Yudhistira. The use of reinforcement learning in their approach suggests the agents improve over time, learning from successful and failed attack attempts to become more effective.

The competitive field is crowded. Tools like Pentera, AttackIQ, and SafeBreach offer breach-and-attack simulation. Bug bounty platforms like HackerOne and Bugcrowd provide continuous human testing. Traditional firms like Bishop Fox and NCC Group offer high-quality manual pentesting. Hex Security needs to demonstrate that AI agents can match the creativity and depth of skilled human pentesters while running at machine speed and cost.

The key risk is that AI agents might find the easy stuff but miss the creative, multi-step attack chains that human pentesters specialize in. The most dangerous vulnerabilities are often found through intuition and lateral thinking, not systematic scanning. If Hex Security’s agents are just better vulnerability scanners, they will not replace pentesting. If they can genuinely think like attackers, they will.

The Verdict

Continuous offensive security is the obvious future. The question is whether AI agents are good enough to deliver it today.

At 30 days: how many unique, verified vulnerabilities are Hex Security’s agents finding per customer, and how many of those were missed by the customer’s existing security tools? The delta between what Hex finds and what traditional tools find is the value proposition.

At 60 days: are the agents finding complex, multi-step attack chains, or only surface-level vulnerabilities? Depth of findings will determine whether this replaces pentesting or supplements it.

At 90 days: what is the false positive rate, and how much time are security teams spending on Hex Security findings versus their existing tools? If the findings are accurate and actionable, adoption will follow. If teams are drowning in noise, this is just another scanner with a better pitch.

I like the thesis. Annual pentesting is clearly insufficient, and the cost structure of human pentesting prevents continuous testing. If AI agents can close that gap, Hex Security will be in a very strong position.