HackerOne unveils AI‑driven continuous pentesting service
HackerOne has launched Agentic Pentest as a Service, a continuous approach to penetration testing that combines AI agents with human security testers.
The company said the product marks the first release of what it calls continuous agentic pentesting. It forms part of a broader Agentic Offensive Testing programme.
HackerOne positions the new service between conventional pentesting engagements and fully autonomous security testing tools. It said enterprise security teams face a widening gap between development speed and security validation.
Traditional pentests deliver detailed results and reviewer confidence, but HackerOne said they struggle to match the pace of change in modern environments. The company also said fully autonomous approaches often generate unverified results and excessive alerts.
Hybrid testing
HackerOne said Agentic PTaaS uses a coordinated system of AI agents and human experts. The company said the agents handle parts of the workflow across reconnaissance, setup, exploitation, and validation. It said human testers provide judgement and accountability.
The company said its agents use proprietary exploit intelligence. It said this comes from testing enterprise systems over a number of years. It also said it draws on a community of verified pentesters.
HackerOne said the mix of agent execution and human review keeps focus on exploitable security issues, rather than theoretical weaknesses. It framed this as a way to maintain trust in results while increasing testing frequency.
HackerOne said the service targets large and changing attack surfaces. It also said it fits organisations where assets change frequently and testing teams need coverage that stays current.
"Security teams aren't looking for more findings. They are seeking to reduce risk exposure," said Nidhi Aggarwal, Chief Product Officer, HackerOne. "Agentic PTaaS uses agentic execution to scale the parts of pentesting that slow teams down, enabling testing at a scale that would otherwise take days of manual effort to be completed in hours. That allows our experts to focus on validating exploitability and helping teams reduce real-world risk."
Production evaluation
HackerOne said it evaluated Agentic PTaaS using public and proprietary benchmarks. It also said it tested the approach in enterprise production environments. The company contrasted this with other agentic pentesting approaches that it said rely mainly on synthetic environments.
HackerOne said the service has already run in complex production settings across multiple industries. It cited common operational challenges such as unclear scoping, changing assets, and constraints on testing activity. It said those conditions produced higher-quality signals and more relevant findings.
The company also described an optional approach that involves secure integration of source code. It said this offers code-aware testing beyond surface-level scanning.
HackerOne said its agents identify vulnerable patterns in code and generate hypotheses for testing. It said AI agents and experts validate those hypotheses and produce findings aligned to how applications are built.
CTEM workflows
HackerOne said it delivers Agentic PTaaS through the HackerOne Platform. It said the service plays a central role in operationalising continuous threat exposure management.
The company said the service continuously validates exploitability and feeds that signal into prioritisation and remediation workflows. It said this shifts security programmes away from point-in-time assessments and toward an always-on model.
HackerOne said the model focuses on risks that matter most for enterprise teams as their systems and applications change.