{"id":2626,"date":"2026-06-16T01:21:21","date_gmt":"2026-06-16T08:21:21","guid":{"rendered":"https:\/\/www.cycognito.com\/blog\/?p=2626"},"modified":"2026-06-16T04:15:34","modified_gmt":"2026-06-16T11:15:34","slug":"new-continuous-ai-pentesting","status":"publish","type":"post","link":"https:\/\/www.cycognito.com\/blog\/new-continuous-ai-pentesting\/","title":{"rendered":"Continuous AI Pentesting: What We\u2019re Building, and What It\u2019s Already Finding"},"content":{"rendered":"\n

Over the past months, I\u2019ve noticed a shift in customer conversations. Coverage, prioritization, emerging threats \u2014 those questions have given way to exposed MCP servers, unmanaged AI chatbots, and risks that don\u2019t show up as CVEs. Mythos comes up in every other call.<\/p>\n\n\n\n

The calculus changed. AI now writes a quarter of production code, with twice as many vulnerabilities. The exploitation window collapsed from days to hours. And while everyone\u2019s talking about Mythos, the models already in use can find zero-days for a few hundred dollars in tokens.<\/p>\n\n\n\n

At CyCognito we\u2019ve been building for this on two fronts:<\/p>\n\n\n\n

    \n
  1. Expanding AI asset coverage: <\/strong>building on our MCP server discovery release<\/a>, the platform now detects much more of the AI stack, including n8n, Ollama, MLflow, PyTorch, Triton, and more. That\u2019s 60+ detection models in production, and growing.<\/li>\n\n\n\n
  2. Continuous AI pentesting: <\/strong>a new capability that simulates an AI-powered attacker, which I\u2019m going to introduce to you in this post.<\/li>\n<\/ol>\n\n\n\n

    Field-tested. Receipts upfront.<\/strong><\/h2>\n\n\n\n

    The best way to get a feel for our new AI pentesting capabilities is to look at what they\u2019ve already uncovered. The examples I picked here cover different asset types and techniques, but they share a common theme: risk that no CVE scan would surface, specific to the environment and the business.<\/p>\n\n\n\n

    Here goes.<\/p>\n\n\n\n

    1. All CRM records, in the open<\/h3>\n\n\n\n

    A large enterprise had an externally reachable MCP server exposing an unauthenticated natural-language interface to its production environment.<\/p>\n\n\n\n

    Simulated prompt-injection drew verbose error responses, and those disclosed internal details about the backend. These surfaced the CRM behind the server and the calls needed to reach it.<\/p>\n\n\n\n

    From there, several million rows of account, opportunity, and per-item financial data were queryable through a handful of HTTP POST requests. No credentials required.<\/p>\n\n\n\n

    From an exposure management point of view, this is a reminder of the risk an exposed MCP server can pose. Depending on how it was set up, it can act as a privileged path into a critical backend system, often deployed outside security workflows and without sufficient authentication.<\/p>\n\n\n\n

    2. Sensitive data behind an exposed RAG index<\/h3>\n\n\n\n

    One organization had a CrewAI agent stack on the public internet. A security layer was added, but authentication was enforced only on the agent API itself, not on the knowledge base it was reading from. As a result, the store holding the agent\u2019s source documents was readable through anonymous requests.<\/p>\n\n\n\n

    This exposed the RAG index, which holds whatever an organization feeds the agent to draw on: customer data, internal communications, contracts, and operational knowledge. Anything the agent needs to do its job, all of it accessible to anyone with an internet connection.<\/p>\n\n\n\n

    3. Easy access to a building\u2019s security system<\/h3>\n\n\n\n

    At another organization, a physical security system controlling door locks, card readers, and CCTV was discovered on the public internet.<\/p>\n\n\n\n

    The system was deployed alongside the organization\u2019s AI document analysis tools and customer-facing chatbot, on the same surface and with the same lack of segmentation.<\/p>\n\n\n\n

    The review processes that missed the AI deployments also missed the physical access system.<\/p>\n\n\n\n

    How it works<\/strong><\/h2>\n\n\n\n

    I think the examples above paint a pretty clear picture. Findings like these don\u2019t come from CVE scanning. They require security experts (in this case agents), skilled enough to spot overlooked weaknesses and execute multi-step tests, applying reasoning and deep context.<\/p>\n\n\n\n

    Take the exposed CRM example above. The first step was to fingerprint an exposed MCP server and associate it with the organization. The next was to enumerate the tool catalog, which revealed the tools were wired to the MCP server. From there, a sequence of natural-language calls walked the data model and pulled the full dataset, validating the data exposure and the missing authentication.<\/p>\n\n\n\n

    To execute an attack chain like this you need to know which threads to pull, and know what those threads could be running through.<\/p>\n\n\n\n

    The AI pentesters we built allow us to do just that: at scale, with speed and across multiple environments in parallel.<\/p>\n\n\n\n

    \"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button>
     Continuous AI Pentesting: Solution architecture, at a glance.<\/em> [Click to expand]<\/em><\/figcaption><\/figure>\n\n\n\n

    Let me walk you through how it works.<\/p>\n\n\n\n

    It starts with expertise. For eight years, our team has uncovered weaknesses in some of the most complex enterprise environments. Manufacturers with intertwined physical and digital footprints. Multinationals acquiring more companies than IT can track. Fortune 500s a century old, with the IT debt to show for it.<\/p>\n\n\n\n

    We learned a lot, and that knowledge has been gradually baked into our platform, in its three core modules:<\/p>\n\n\n\n