Synack Adds AI Agent to Enable Continuous Penetration Testing
Synack has made available an artificial intelligence (AI) agent that cybersecurity researchers can use to automate a wide range of penetration testing tasks.
Company CTO Mark Kuhr said the Sara AI Pentesting agent has been trained using the metadata of techniques that have been uncovered by freelance security researchers who use the Synack penetration-as-a-service (PTaaS) platform. In effect, Sara augments any red team that has been tasked with discovering vulnerabilities in an IT environment, said Kuhr.
Fundamentally, Sara AI makes it simpler to surface classes of vulnerabilities such as broken access controls, authentication weaknesses, injection flaws, and exposed credentials to enable human researchers to focus more time and effort on identifying more critical vulnerabilities, added Kuhr.
That approach enables the Sara AI agent to leverage both human and agentic AI expertise to discover vulnerabilities, he added. That’s crucial because research shows that while an AI model can discover more vulnerabilities faster at a much lower total cost, human researchers are still more adept at discovering severe vulnerabilities that require immediate attention, noted Kuhr. Humans are simply still a lot more creative when it comes to understanding how multiple vulnerabilities might be combined to create an attack chain, he added.
Unfortunately, the amount of penetration testing being conducted has been constrained by the time and effort that were previously required. A recent Synack survey found that while 95% of organizations rank pentesting as a top priority, they are, on average, currently testing only 32% of their global attack surface.
On the plus side, 87% of respondents said their organizations have already moved beyond evaluation and are actively planning, piloting, or employing agentic AI for penetration testing. A full 95% of organizations anticipate that agentic AI will displace some traditional pen testing services, with just under half (49%) expecting complete or significant displacement.
A full 87% noted they trust AI agents, but nearly two-thirds (64%) also said their organization still prefers an agent-led model with human oversight. Eventually, swarms of AI agents will be employed by swarms of humans to thwart cyberattacks that are now occurring at machine speed, noted Kuhr. However, 93% of survey respondents agreed that comprehensive guardrails and transparent decision-making are critical for the safe operation of those AI agents.
Ultimately, the goal is to reduce the number of vulnerabilities that might be exploited by leveraging AI to make it more economically feasible to conduct penetration testing continuously, versus a few times a year because of cost concerns, said Kuhr.
Each organization will need to determine what level of confidence to place in AI security tools, but the one certain thing is that the pace at which vulnerabilities are being discovered is rapidly increasing. As such, until there is a massive overhaul in how software is developed in the age of AI, cybersecurity teams should expect to be simultaneously managing many more remediation initiatives, noted Kuhr.
The challenge, of course, is adversaries will be using the same AI tools and techniques to discover and exploit vulnerabilities faster than most organizations today can find and remediate them.