Intruder Launches AI Pentesting Agents, GCHQ-Backed

The Cost of Waiting for a Security Test

Imagine scheduling a doctor’s appointment, waiting three weeks for the slot, spending two days in the exam room, and receiving a diagnosis that arrived too late to matter. That is the reality of manual penetration testing for most organizations today. A single manual pen test costs between $10,000 and $50,000. The scheduling window stretches across weeks. The execution phase takes days. And the final report, by the time it lands on a security manager’s desk, already describes a system that has changed.

This structural inefficiency has created a dangerous gap. Organizations that cannot afford the price tag or the wait time simply skip the test altogether. Others run one test per year, treating compliance as a checkbox rather than a genuine security practice. Neither approach works in an era when attackers move at machine speed.

Intruder, a London-based cybersecurity company that graduated from GCHQ’s Cyber Accelerator program, has launched a product designed to close that gap. The company’s new AI pentesting agents replicate the methodology of a human pen tester and deliver results in minutes rather than days. The technology will be presented by Intruder’s CEO Chris Wallis at KnowBe4’s KB4-CON conference on May 13.

What the AI Pentesting Agents Actually Do

The distinction between a vulnerability scanner and a penetration test has always been the difference between flagging a potential problem and proving it can be exploited. Vulnerability scanners are useful tools, but they produce long lists of findings. Many of those findings are false positives. Others are low-risk issues that consume a security team’s time without meaningfully improving the organization’s defense posture.

A human pen tester takes those scanner findings and determines which ones actually matter. The tester probes the system, sends crafted requests, analyzes responses, and attempts to exploit the vulnerability to confirm it is real. That investigative step is where the real value of a pen test lives. It is also the step that costs thousands of dollars and takes days to complete.

Intruder’s AI pentesting agents automate that investigative step. When the platform’s vulnerability scanner flags a potential issue, the AI agent interacts directly with the target system. It sends requests, analyzes the responses, and probes for exposed data. The agent determines whether the finding represents a genuine exploitable flaw or a false positive. This process covers injection attacks, client-side vulnerabilities, and information disclosure.

The company describes this as a first wave. Issue-level investigations are available now. Broader web application penetration testing, in which the agents chain multiple findings together to map attack paths across an entire application, is expected by the end of the current quarter. Subsequent releases will expand the scope of what the agents can autonomously investigate.

Why This Timing Matters

The cybersecurity industry is watching AI transform the attack side of the equation faster than the defense side can adapt. This imbalance is not hypothetical. Anthropic’s Claude Mythos Preview found thousands of zero-day vulnerabilities across every major operating system and browser in a single evaluation pass. That is a capability that did not exist eighteen months ago.

On the commercial side, xBow, an autonomous pentesting startup, reached unicorn status in March 2026 after raising $120 million. Pentera has surpassed $100 million in annual recurring revenue. Horizon3.ai’s NodeZero has run over 170,000 autonomous penetration tests. The market is moving, and it is moving fast.

The global cybersecurity workforce gap is estimated at 3.4 million unfilled positions. That number means there are simply not enough human pen testers to go around. Even if every organization had the budget for a manual test, there would not be enough qualified people to perform them. Automation is not a convenience here. It is a necessity.

The question is no longer whether AI will replace human pen testers. It is whether the replacement will happen fast enough to close the gap between the vulnerabilities AI can find and the speed at which organizations can fix them.

The Company Behind the Agents

Chris Wallis founded Intruder in 2015 after working as an ethical hacker and later moving into corporate security. The company was selected for GCHQ’s Cyber Accelerator, a program run by the UK’s signals intelligence agency to identify and support cybersecurity startups with commercial potential. That backing carries weight in an industry where trust and credibility are everything.

Intruder was subsequently named the fastest-growing cybersecurity company in the UK on Deloitte’s Tech Fast 50 list in 2023. The company now protects more than 3,000 organizations. It generated approximately $16 million in revenue in 2024, up from $10 million in 2023. That growth trajectory becomes even more striking when you look at the starting point: $900,000 in revenue in 2020.

Perhaps the most notable number is the one that is missing. Intruder has raised only $1.5 million in external funding. In an industry where competitors routinely raise hundreds of millions before reaching profitability, Intruder is bootstrapped in all but name. The company has grown from under a million dollars in revenue to sixteen million with almost no outside capital. That suggests a discipline in product-market fit that venture-fueled growth sometimes masks.

The company’s platform unifies attack surface management, cloud security, continuous vulnerability scanning, and now AI pentesting agents in a single interface. The goal is to give security teams one place to work rather than a stack of disconnected tools.

The Midmarket Problem Intruder Solves

Intruder’s market position is the midmarket. These are organizations large enough to face serious cyber risk but too small to afford the $50,000 manual pentest. They have security teams, but those teams are stretched thin. Intruder’s own Security Middle Child Report, published in March 2026, found that 42% of midmarket security teams describe themselves as stretched, overwhelmed, or consistently behind.

Consider a company with 500 employees and a security team of three people. That team is responsible for vulnerability management, incident response, cloud security configuration, employee training, and compliance reporting. A manual pen test would consume a meaningful portion of their annual security budget and produce a static report that is outdated within weeks. The alternative, doing nothing, is worse.

The AI pentesting agents change that calculation. A team can run a test on demand, get results in minutes, and prioritize fixes based on confirmed exploitable flaws rather than a long list of potential issues. The depth of a manual pentest becomes available at a fraction of the cost, without the scheduling delay.

How the Agents Compare to Human Testers

No one is claiming that AI agents replace the creativity and intuition of an experienced human pen tester. A skilled ethical hacker thinks like an attacker. They find paths that a scanner would never consider. They chain seemingly unrelated weaknesses into a coherent attack. They understand the business context of the system they are testing.

What the agents do is handle the repeatable, methodical parts of the job. They investigate every scanner finding with the same thoroughness every time. They do not get tired. They do not miss a step because they are rushing to meet a deadline. They can run a full investigation across an entire attack surface in the time it takes a human tester to set up their tools.

For organizations that currently run zero penetration tests because of cost or scheduling constraints, the agents represent a massive improvement. For organizations that run one annual test, the agents enable continuous testing. The frequency shifts from once a year to on demand.

The broader web application testing capability, expected by the end of the current quarter, will bring the agents closer to what a human tester does. Chaining findings together to map attack paths across an application is a more complex task than investigating individual issues. If Intruder delivers on that capability, the line between automated and manual testing will blur further.

The Market Context for AI Pentesting

The penetration testing market is valued at approximately $2.5 to $3 billion, growing at 12 to 16 percent annually. That growth is driven by increasing regulatory requirements, the expanding attack surface created by cloud adoption, and the growing awareness that traditional vulnerability scanning is not enough.

But the market is also fragmented. There are hundreds of boutique pen testing firms, each with a handful of testers. There are large consultancies that bundle pen testing with broader security services. There are tool vendors that sell vulnerability scanners and call them penetration tests. And now there are AI-native companies building autonomous testing capabilities.

xBow reached a $1 billion valuation on $237 million total funding. Pentera has crossed $100 million in annual recurring revenue. Horizon3.ai has run over 170,000 autonomous tests. These numbers signal that the market is ready for automated alternatives to manual testing.

Intruder’s approach differs from these competitors in two ways. First, the company is capital efficient. With only $1.5 million raised, Intruder has grown to $16 million in revenue and 3,000 customers. That suggests a product that sells itself rather than one that requires massive sales and marketing spend. Second, Intruder is not building a standalone pentesting tool. The AI pentesting agents are part of a broader platform that includes attack surface management, cloud security, and continuous vulnerability scanning. The pentesting capability enhances the platform rather than standing alone.

What This Means for Security Teams

For the security teams that Intruder serves, the practical implications are straightforward. A team can log into the platform, see their full attack surface, run a vulnerability scan, and have the AI agents investigate the findings automatically. The output is a prioritized list of confirmed exploitable flaws rather than a raw scan report with thousands of entries.

That changes the workflow. Instead of spending hours triaging scanner findings, the team can move directly to remediation. Instead of waiting weeks for a pen test report, they can run a test on a Friday afternoon and have results before the weekend. Instead of guessing which vulnerabilities matter, they know which ones have been confirmed as exploitable.

The agents also enable a cadence that was previously impossible. Continuous testing means that when a new system is deployed, it can be tested immediately. When a critical vulnerability is disclosed, the team can run a targeted test to see if they are affected. When a configuration change is made, the impact can be assessed in real time.

This is not a future capability. The issue-level investigations are live now. The broader web application testing is expected within weeks. Security teams that are currently stretched, overwhelmed, and consistently behind have a practical option to close the gap.

The Broader Implications for Cybersecurity

The launch of Intruder’s AI pentesting agents is one data point in a larger trend. AI is compressing the timeline of cybersecurity operations on both sides of the equation. Attackers are using AI to find vulnerabilities faster and craft more convincing social engineering campaigns. Defenders are using AI to automate detection, response, and now penetration testing.

The question is whether defense can keep pace. The workforce gap of 3.4 million unfilled positions means that human-only defense is not a viable long-term strategy. Automation is the only lever available to scale security operations without scaling headcount.

Intruder’s approach is notable because it targets the midmarket rather than the enterprise. Enterprise organizations have the budget to buy expensive tools and hire specialized talent. Midmarket organizations do not. They need solutions that work out of the box, integrate into existing workflows, and deliver immediate value without requiring a dedicated team to manage them.

The AI pentesting agents fit that profile. They are not a standalone product that requires training and configuration. They are a feature of a platform that the organization is already using for vulnerability management and attack surface monitoring. The learning curve is minimal. The value is immediate.

Chris Wallis will present the technology at KnowBe4’s KB4-CON conference on May 13. The presentation will likely focus on the practical use cases and the results the agents have delivered in early deployments. For security professionals attending the conference, it will be an opportunity to see whether the product lives up to the promise.

The cybersecurity industry has spent years talking about the need to shift left, to automate, to close the gap between offense and defense. Intruder’s launch suggests that the automation piece is finally arriving. The question now is how quickly organizations will adopt it and whether the adoption rate will be fast enough to matter.
