Over the past months, I’ve noticed a shift in customer conversations. Coverage, prioritization, emerging threats — those questions have given way to exposed MCP servers, unmanaged AI chatbots, and risks that don’t show up as CVEs. Mythos comes up in every other call.
The calculus changed. AI now writes a quarter of production code, with twice as many vulnerabilities. The exploitation window collapsed from days to hours. And while everyone’s talking about Mythos, the models already in use can find zero-days for a few hundred dollars in tokens.
At CyCognito we’ve been building for this on two fronts:
- Expanding AI asset coverage: building on our MCP server discovery release, the platform now detects much more of the AI stack, including n8n, Ollama, MLflow, PyTorch, Triton, and more. That’s 60+ detection models in production, and growing.
- Continuous AI pentesting: a new capability that simulates an AI-powered attacker, which I’m going to introduce to you in this post.
Field-tested. Receipts upfront.
The best way to get a feel for our new AI pentesting capabilities is to look at what they’ve already uncovered. The examples I picked here cover different asset types and techniques, but they share a common theme: risk that no CVE scan would surface, specific to the environment and the business.
Here goes.
1. All CRM records, in the open
A large enterprise had an externally reachable MCP server exposing an unauthenticated natural-language interface to its production environment.
Simulated prompt injection drew verbose error responses that disclosed internal details about the backend, surfacing the CRM behind the server and the calls needed to reach it.
From there, several million rows of account, opportunity, and per-item financial data were queryable through a handful of HTTP POST requests. No credentials required.
From an exposure management point of view, this is a reminder of the risk an exposed MCP server can pose. Depending on how it was set up, it can act as a privileged path into a critical backend system, often deployed outside security workflows and without sufficient authentication.
2. Sensitive data behind an exposed RAG index
One organization had a CrewAI agent stack on the public internet. A security layer was added, but authentication was enforced only on the agent API itself, not on the knowledge base it was reading from. As a result, the store holding the agent’s source documents was readable through anonymous requests.
This exposed the RAG index, which holds whatever an organization feeds the agent to draw on: customer data, internal communications, contracts, and operational knowledge. Anything the agent needs to do its job, and all of it was accessible to anyone with an internet connection.
3. Easy access to a building’s security system
At another organization, a physical security system controlling door locks, card readers, and CCTV was discovered on the public internet.
The system was deployed alongside the organization’s AI document analysis tools and customer-facing chatbot, on the same surface and with the same lack of segmentation.
The review processes that missed the AI deployments also missed the physical access system.
How it works
I think the examples above paint a pretty clear picture. Findings like these don’t come from CVE scanning. They require security experts (in this case, agents) skilled enough to spot overlooked weaknesses and execute multi-step tests, applying reasoning and deep context.
Take the exposed CRM example above. The first step was to fingerprint an exposed MCP server and associate it with the organization. The next was to enumerate the tool catalog, which revealed the tools were wired to the MCP server. From there, a sequence of natural-language calls walked the data model and pulled the full dataset, validating the data exposure and the missing authentication.
To execute an attack chain like this, you need to know which threads to pull, and what those threads could be running through.
The AI pentesters we built allow us to do just that: at scale, with speed and across multiple environments in parallel.

Let me walk you through how it works.
It starts with expertise. For eight years, our team has uncovered weaknesses in some of the most complex enterprise environments. Manufacturers with intertwined physical and digital footprints. Multinationals acquiring more companies than IT can track. Fortune 500s a century old, with the IT debt to show for it.
We learned a lot, and that knowledge has been gradually baked into our platform, in its three core modules:
- Exposure Assessment, which maps the external footprint, attributes every asset to the right part of the organization, and enriches it with business and stack context.
- Exposure Validation, which runs 100,000+ deterministic tests continuously, leaving AI pentesters free to focus on high-judgment work.
- Threat Intelligence, which taps into the history of existing and emerging vulnerabilities, as well as playbooks and statistical models, trained on past engagements to understand and predict attacker activities.
All three now become the foundational layer for continuous AI pentesting, producing inputs that feed into the Target Graph™: a contextual orchestration layer that constantly reevaluates the threat matrix and the exposed surface.
The Target Graph™ is the X-factor that puts the context and know-how to work. Playing the orchestrator role, it informs where AI pentesting should run, at what depth, and with which techniques, improving the efficiency of each run and the quality of the findings.
More importantly, by driving these decisions, the Target Graph™ makes it possible to run continuously across the full surface.
Minding the 99% gap
Continuous coverage matters because it addresses one of the biggest challenges with pentesting today. Manual testing is point-in-time by design, and now we’re seeing AI testing delivered the same way, as an on-demand service. This leaves the fundamental advantages of automation on the table: ramping up speed, but doing nothing for scale.
The issue there comes down to economics: the high token cost forces vendors and customers to apply AI testers selectively, typically only on the top 1% of priority assets. Meanwhile, as the examples above show, plenty of critical risks live outside the main applications, in the 99% that gets ignored.
The Target Graph™ is how we change this dynamic. By drawing on the contextual layout of the surface, and accounting for what deterministic validation already found, we enable AI pentesting to work efficiently and continuously, flexibly shifting test depth and techniques, dramatically increasing the cadence and scope of coverage.
Moreover, the same stream of exposure data also keeps the system current, providing the fresh inputs it needs to stay responsive to asset and surface-level changes, emerging threats, and signals from attacker activity in the wild.
And as effective as this sounds (and it is), it gets much better because the whole model is also built to be self-improving. The how is simple. Every new validated attack chain, surfaced by AI, gets codified into new deterministic tests. In turn, each new deterministic test we introduce frees AI capacity in future runs.
The pipeline already runs specialized agents for every type of exposed asset CyCognito covers: web applications and APIs, AI and LLM endpoints, cloud, VPNs, OT/IT systems, etc. Each produces findings with full evidence, working always-on across the full external surface.
What’s next
The work is moving fast, out of the lab and in real environments. This is the part that energizes me the most: the response when we put this new capability in front of our customers. The interest was immediate, and the organizations raising their hands to join us as design partners are names many of you would know.
Internally we are codenaming this ‘Project Kineto’, after the Kinetograph, the first motion picture camera that gave the world cinema, turning still snapshots into continuous motion.
This echoes our vision for AI pentesting: moving from a still snapshot to a dynamic picture, running continuously across your attack surface.
Those are all the updates I have for you today, but we plan to continue to share our progress, to keep you in lockstep with our work.
To follow along, join the waitlist for:
- Periodic progress notes from the research team
- A chance to apply for the design partner program
- Early access before general availability