Simbian unveils AI agent for continuous pentesting

Simbian has launched an AI Pentest Agent that runs penetration tests on demand and continuously, as organisations contend with faster software release cycles and a growing volume of reported vulnerabilities.

The product is positioned as an automated penetration testing service that uses business context to focus findings on each customer's risks and priorities. Results are typically available in hours.

For many organisations, penetration testing remains a periodic exercise-often once or twice a year-driven by compliance requirements. That cadence can leave gaps as systems change and new common vulnerabilities and exposures (CVEs) emerge.

Simbian said its AI Pentest Agent addresses this "window of exposure" by running tests whenever needed rather than at fixed intervals. It described the software as an autonomous reasoning engine that adapts its testing as an application responds.

"The industry has long been forced to choose between the depth of a manual pentest and the speed of a shallow scan," said Ambuj Kumar, CEO and Co-Founder of Simbian. "Simbian eliminates that trade-off. Our AI Pentest Agent doesn't just follow a script; it reasons and adapts like a human hacker, leveraging context to uncover risks that actually matter to the business. We are giving enterprises the ability to find and close risks before attackers can ever exploit them."

Partner assurance

The AI Pentest Agent was developed with LRQA, which provides risk management and cybersecurity services. Simbian said LRQA provided independent assurance that the agent aligns with globally recognised penetration testing standards and responsible AI principles.

According to Simbian, LRQA's input covered methodology and guidance on how the product operates during tests. LRQA also offers CREST-certified services, which some organisations use as a benchmark for penetration testing quality and process.

"By combining Simbian's autonomous AI with LRQA's deep expertise in threat-led cybersecurity, we are helping organizations move from periodic testing to continuous risk insight," said Howard Hughes, Managing Director for LRQA's cybersecurity division. "This partnership brings together intelligent automation and experienced human judgement, ensuring the AI Pentest Agent operates to recognized ethical hacking standards and delivers assurance that boards and security teams can trust."

How it works

Simbian draws a distinction between its approach and legacy vulnerability scanners. It said scanners can generate alerts based on static rules and do not always confirm whether an issue is exploitable in practice, which can create noise for security teams.

In contrast, Simbian said the agent changes its testing logic in real time as it interacts with an application. It said this can help identify complex business logic flaws that fixed scanners can miss.

Simbian said the product produces a prioritised remediation guide rather than a list of theoretical warnings, and that findings reflect the organisation's business context.

Controls and data

Simbian said the agent includes features designed for use in production environments. It said "Transparency by Design" gives security teams access to a reasoning trace showing why the AI chose a specific attack path.

It also said the product includes a built-in "safe mode" and is engineered to operate without disrupting critical applications. Data remains secure throughout the testing process and is not used to train public large language models, according to the company.

Roll-out options

The AI Pentest Agent is available for web applications. Deployment options include SaaS, dedicated SaaS, and on-premises, according to the company.

Simbian also plans to demonstrate the AI Pentest Agent during a webinar titled "First Look: AI Powered Penetration Testing."