DEVOPSdigest

Intruder announced AI Pentesting and released its first pentesting agents as the company works towards enabling continuous, AI-powered pentesting and red teaming across web apps, external and internal networks.

With this initial release, agents will actively investigate vulnerability scanner findings identified in Intruder using the same methods employed by human pentesters and security experts.

“Pentesting has long been an essential component of any security program,” said Andy Hornegold, Chief Security Technologist at Intruder. “But in the age of AI, where attackers can move faster than ever, the volume of vulnerabilities is growing and exploit windows have shrunk from months to days to hours. The old playbook that called for a quarterly or annual pentest has long been unfit for purpose. The state of the threat landscape necessitates a new approach, focused on delivering the depth of a manual pentest, on-demand.”

AI pentesting provides the investigative depth of a manual pentest whenever you need it. Security and IT teams can now pentest with every new release, every new cloud service, and every new finding, without the wait.

AI Pentesting also gives stretched teams time back. Triage, investigation, and validation are the slowest parts of the remediation cycle and have typically required a human analyst and hours of investigation. Intruder’s pentesting agents reduce investigation time to minutes so security, IT and developer teams spend less time working on false positives and more time fixing actual problems.

In this initial release, AI agents conduct pentesting investigations by interacting directly with the target, sending requests, analyzing responses, and probing for exposed data to build a picture of the issue's real-world impact. Pentesting agents can investigate a wide range of issues including:

- Injection issues: The agent validates injection flaws – vulnerabilities that let attackers manipulate an application's commands, queries, or instructions to gain unauthorized access, by reproducing scanner findings with error-based, timing-based, UNION-based, and other injection techniques.

- Client-side attacks: The agent validates client-side findings like clickjacking, attacks that target your application's users rather than the app itself. Scanners flag clickjacking whenever frame-related headers are missing, but some pages are intentionally frameable and pose no real risk. Traditional scanners can't make that distinction, but Intruder’s AI pentesters can.

- Information disclosure: Scanners flag when information such as configuration details or open cloud storage buckets are exposed to unauthorized users, but can't assess whether the exposed data is actually sensitive. Intruder’s AI pentesting agent confirms the scanner's finding, reviews what's exposed, and evaluates how an attacker could use it. If it finds credentials like login details or API keys, it will attempt to verify whether they're valid.

Intruder expects to release new capabilities regularly over the coming quarter, including full scale AI web application pentests that can be used as compliance and audit evidence.