
What’s New with Sara Pentest: Closing the Coverage Gap, One Test at a Time

11 May 2026
Greg Copeland

Key Takeaways

  • Sara Pentest and Sara Pentest+ are now generally available for web and host assets, so customers can launch fast, repeatable AI pentests directly inside the Synack Platform.
  • A redesigned Assessment Creation Workflow, built-in reachability with alerting, and new coverage analytics cut the path from scoping to launch.
  • Sara delivers human-validated, exploitable findings in 2–3 days, and the early success signals (same-day patch verification requests) are already showing up in customer engagements.

Sara Pentest and Sara Pentest+ Are Now Generally Available

Since Sara Pentest reached general availability earlier this month, we’ve also shipped a set of platform updates that make it easier to scope, launch, and act on Sara findings at scale. This post walks through what’s new with the Synack PTaaS platform, and how customers are already using Sara.

Both Sara Pentest and Sara Pentest+ are available to test web and host assets, and they can be launched directly inside the Synack Platform. This allows customers to facilitate frequent and rapid re-testing of critical assets to help keep them continuously secure.

What Customers Get with Sara: AI Pentesting and Human Validation

Sara is made up of AI agents that can quickly test your attack surface, serving up results in a matter of days so you don’t have to wait weeks for a traditional pentest to conclude. It’s also a more cost-effective way to expand penetration testing to more assets. And to complement Sara, Synack PTaaS also offers access to human-led testing through our on-demand Synack Red Team.

Here’s a breakdown of what Sara delivers:

  • Expanded test coverage to assets that were previously out of scope or untested
  • Human-validated, exploitable findings in 2–3 days, not weeks
  • A pentest of record for compliance frameworks like CMMC Levels 1 and 2 and OWASP-aligned testing
  • Automatically generated reports to support your compliance needs for frameworks like GDPR, SOC 2, ISO27001, and HIPAA

Platform Updates That Make Sara Pentest Work Harder for You

A few updates inside the PTaaS Platform make the experience faster to scope, easier to launch, and more useful after the test ends.

  • A redesigned Assessment Creation Workflow (ACW). ACW now supports running multiple tests on a single assessment, including Sara Pentest, Sara Pentest+, SynackST, and ST+. Reachability is built into the workflow, and you can see assessment-level data without leaving the page. The result is fewer clicks from intent to launch.
  • Comprehensive reachability with alerting. All submitted web and host assets are now automatically analyzed for reachability, with email alerts and clear categorization in the UI. This way you can see which assets are ready to test, which are not, and why, before a test starts spending credits.
  • Coverage Analytics. New summary views for web and host coverage drill down into traffic and ports, and extended filtering makes it easy to spot coverage gaps and turn them into the next Sara Pentest.

Take a self-guided tour of the Assessment Creation Workflow

Launching a Sara Pentest Takes Minutes, Not Weeks

Creating a test in the updated Synack PTaaS Platform has never been simpler. From your home page, click Create Test, choose from the menu of available pentesting options (including Sara Pentest, Sara Pentest+, SynackST, and ST+), fill out a short form, and submit. Credits are deducted based on the test you select and how often you choose to run it.

Once the test is complete, exploitable findings are available directly in the platform. You can review them in the new assessments experience, drill into evidence, or download a consolidated report in the format your stakeholders expect. From there, the platform manages the rest of the vulnerability workflow, including patch verification, so your team can confirm a fix has actually closed the gap rather than just marking a ticket done.

Top Use Cases for Sara Pentest

In engagements with early-release customers we’ve seen a few noteworthy use cases for how security teams are putting Sara Pentest to work. Here are four worth sharing:

Use Sara Pentest to Extend the Value of a Human-Led Test

Some early customers are running an SRT-led pentest on an asset first, then using Sara Pentest to keep testing that same asset on a regular cadence afterward. The SRT engagement establishes the baseline, and Sara picks up from there to confirm whether new vulnerabilities have shown up since the last test. Other customers are handing Sara an asset that has already been through a Synack14 to put both the AI and the human researchers to the test. Either way, the pattern is the same: Sara extends the value of a single human-led pentest into ongoing assurance, without taking SRT capacity away from the assets that need it most.

Test Pre-Production Apps Before They Ship

Business units are running Sara Pentests on pre-prod applications before they go to production, so security issues get fixed before customers ever touch them. Once the app is live, it moves into a regular cadence with Synack365 or another continuous SRT-led test. Most of these pre-prod apps are externally accessible, which makes them a natural fit for Sara.

Give Sara Pentest Tier 2 Assets and Save SRT for Tier 1

Customers tell us they want to keep using SRT to test their Tier 1 crown jewels, where business logic and creative chained attacks matter most. For recently acquired Tier 2 assets that have never been pentested, they’re using Sara Pentest as a quick way to ensure coverage. The combination gives them depth where it counts and breadth across everything else.

Maintain a Pentest of Record for Smaller Apps

For audit purposes, customers want a pentest of record on the long tail of smaller applications that historically never made it into the testing budget. Sara Pentest changes that economic equation. Now there is a documented, AI-powered and human-validated pentest on file for every app that needs one, not just the highest-priority handful.

What Customers Are Saying About Sara Pentest

The early signals from Sara Pentest customers are encouraging. Teams are reading their Sara reports and acting on them quickly, often the same day. We’re also seeing patch verification requests come in fast, which is the clearest sign that findings are clear, exploitable, and worth fixing. Internal tickets are getting opened against Sara findings the way they would for any vulnerability the SRT surfaces. In other words, Sara findings are landing where they should: on the engineering backlog, with enough context to remediate.

That’s the bar for any AI-powered testing capability. Findings have to be real, exploitable, and actionable. Anything less is more noise for an already stretched security team to triage.

Get a Free Sara Pentest Before June 5

Sara Pentest and Sara Pentest+ are available now in the Synack PTaaS Platform. Existing customers can launch a Sara Pentest from their account today, and the new ACW streamlines the process.

If you haven’t seen Sara in your own environment yet, we’re offering a free Sara Pentest before June 5. It is the fastest way to find out what agentic AI pentesting, validated by elite human researchers, will surface across the parts of your attack surface that have gone untested for too long.

See Sara AI Pentesting in action → Start a free Sara AI Pentest trial

Frequently Asked Questions

What’s the difference between Sara Pentest and Sara Pentest+?

Both are generally available for web and host assets, and both deliver human-validated, exploitable findings. The difference is the testing scope and application complexity. Sara Pentest is recommended for testing unmanaged or untested assets, including single-purpose web applications. A single Sara Pentest includes up to 25 unauthenticated web apps, or a small/basic authenticated web app with straightforward functionality, minimal input surfaces, and limited business logic. Sara Pentest+ extends that coverage to large/full-featured web applications. A single Sara Pentest+ includes up to 50 unauthenticated web apps, or a large or full-featured authenticated web app that is form-dense, supports multiple user roles, or incorporates expanded business logic.

Does a Sara Pentest count as a pentest of record for compliance?

Yes. Sara Pentest can be used as a pentest of record for compliance frameworks including CMMC Levels 1 and 2 and OWASP-aligned testing. Sara Pentest also automatically generates reports to support compliance with frameworks such as GDPR, SOC 2, ISO 27001, and HIPAA.