SecurityBrief Ireland - Technology news for CISOs & cybersecurity decision-makers
Intruder launches AI pentesting to cut vulnerability triage

Thu, 30th Apr 2026
Sofiah Nichole Salivio, News Editor

Intruder has launched AI Pentesting, available on its Cloud, Pro and Enterprise plans.

The London-based cyber security company says the service uses AI agents to investigate vulnerability scanner findings and determine whether identified issues pose a genuine risk. The initial release focuses on injection flaws, client-side attacks and information disclosure issues in web applications.

The agents interact directly with targets by sending requests, analysing responses and probing for exposed data. The process is designed to mirror how human penetration testers assess the impact of a finding.

The launch comes as security teams face growing pressure to respond more quickly to a rise in automated attacks. Intruder cited its Security Middle Child Report, which found that 49% of security leaders named AI and automation as their top investment priority for 2026, while 42% of midmarket security teams said they were stretched, overwhelmed or consistently behind.

Against that backdrop, attention has sharpened on the limits of periodic testing. Intruder argues that annual or quarterly penetration tests no longer fit a threat environment in which exploit timelines have shortened and organisations are releasing new applications and updates more frequently.

"Pentesting has long been an essential component of any security program," said Andy Hornegold, Chief Security Technologist at Intruder.

"But in the age of AI, attackers can move faster than ever, the volume of vulnerabilities is growing, and exploit windows have shrunk from months to days to hours. The old playbook of quarterly or annual pentests has long been unfit for purpose. The state of the threat landscape requires a new approach focused on delivering the depth of a manual pentest on demand," Hornegold said.

How it works

For injection issues, the agents attempt to reproduce scanner findings using techniques including error-based, timing-based and UNION-based methods. In client-side testing, the service is designed to determine whether missing frame-related headers create a clickjacking risk or whether a page is intentionally frameable.

For information disclosure issues, the agents review what data is exposed and assess how an attacker might use it. If credentials such as login details or API keys are found, the system attempts to verify whether they are valid.

Intruder positions the service as a way to reduce time spent on triage and false positives. It says validation work that would usually require a human analyst and hours of investigation can be completed in minutes, allowing security, IT and developer teams to focus on remediation.

Issue-level investigations are available now, while broader web application penetration testing is expected by the end of the current quarter. Those wider tests are intended to provide audit-ready evidence for compliance purposes.

Market pressure

The launch reflects a broader shift in cyber security as vendors try to apply AI to labour-intensive tasks that have traditionally depended on specialists. Penetration testing has remained relatively expensive and episodic compared with automated vulnerability scanning, partly because it requires analysts to test context, validate exploitability and judge impact.

By contrast, scanners tend to offer wider coverage but often generate findings that still need manual review. Intruder argues that AI can narrow that gap by adding a layer of automated investigation between broad scanning and a full manual engagement.

Customers can apply the service to new software releases, new cloud services and new findings as they emerge. Free trial users and paying customers on eligible plans receive AI Pentesting credits, with additional credits sold separately.

Founded in 2015, Intruder says it now serves more than 3,000 companies worldwide. The company offers exposure management tools spanning attack surface management, cloud security and continuous vulnerability management alongside the new AI pentesting functions.

The wider question for buyers is how far organisations will trust AI-led validation in workflows that have often relied on human judgement, particularly where compliance and audit evidence are involved. For now, Intruder is starting at the issue level, where the commercial case is clearest: cutting investigation time for scanner findings that might otherwise sit in queues while small security teams struggle to keep up.