Sara Pentest is a penetration test powered by agentic AI and built on Synack’s PTaaS platform. The Sara architecture employs specialist agents to seek out OWASP vulnerabilities, with human oversight focused on validating these identified vulnerabilities.

The agents behind Sara Pentest are continuously tested in the same lab environments that make great human pentesters, such as PortSwigger and PentesterLab. Synack has already started to release blogs on how Sara has successfully solved individual labs such as the Portswigger Blind SQL Injection lab.

This benchmark data is from January 2026 and aims to provide clarity on how Sara performs across PortSwigger’s SQL Injection labs. In the coming weeks and months, we will also publish benchmarks for other vulnerability types that Sara uncovers such as: Broken Authentication, Command Injection, Default Credentials, File Upload, IDOR, RCE, SSRF, and SSTI. 

In PortSwigger Academy, the Practitioner difficulty shown below represents the “intermediate” tier of labs. We choose these labs to benchmark Sara against what a standard professional pentester should be able to complete. These labs require bypassing filters, chaining together different vulnerabilities, and even tool proficiency. A seasoned practitioner would be able to complete them in under 30 minutes, Sara completed 90% of the labs below in that time window (we missed the last one by just 18 seconds).

Sara works through these labs much like an experienced pentester would: probing for injection points, identifying the database type, and iteratively refining payloads until successful exploitation. Because Sara is powered by LLMs, each run can take slightly different paths to the same goal, trying alternative payloads, varying reconnaissance order, or adapting to unexpected responses. This mirrors how a team of human researchers might each solve the same challenge differently.

PortSwigger Statistics

Total Labs: 10

Successfully Solved Labs: 10

Completion Rate: 100%

Total Attempts:10

Date	Lab	Difficulty	Status	Attempts	Duration
01/16/2026	SQL injection attack, querying the database type and version on Oracle	Practitioner	Solved	1/1	12m 58s
01/16/2026	SQL injection attack, querying the database type and version on MySQL and Microsoft	Practitioner	Solved	1/1	14m 13s
01/16/2026	SQL injection attack, listing the database contents on non-Oracle databases	Practitioner	Solved	1/1	16m 25s
01/16/2026	SQL injection attack, listing the database contents on Oracle	Practitioner	Solved	1/1	22m 43s
01/16/2026	SQL injection UNION attack, determining the number of columns returned by the query	Practitioner	Solved	1/1	20m 3s
01/16/2026	SQL injection UNION attack, finding a column containing text	Practitioner	Solved	1/1	21m 42s
01/16/2026	SQL injection UNION attack, retrieving data from other tables	Practitioner	Solved	1/1	20m 16s
01/16/2026	SQL injection UNION attack, retrieving multiple values in a single column	Practitioner	Solved	1/1	20m 10s
01/16/2026	Blind SQL injection with conditional responses	Practitioner	Solved	1/1	25m 48s
01/16/2026	Blind SQL injection with out-of-band interaction	Practitioner	Solved	1/1	30m 18s

These benchmarks are just the beginning. Synack will periodically publish our lab results as Sara improves. 

Synack’s approach to pentesting encourages a blend of methodologies including some human-led and some agentic-led testing to efficiently cover the attack surface. Depending on the importance of the asset, speed, and deliverable needed, Synack can recommend a successful approach that works for your organization.