
Sara AI Pentesting Is Now Generally Available: The Model Is Changing

04 May 2026
Jay Kaplan

The Model We’ve Relied on Is Starting to Break

Over the past 20 years, I’ve seen the threat landscape evolve from opportunistic attackers, to organized cybercrime, to nation-state campaigns. Each shift forced security teams to adapt. What’s happening right now is different.

AI models coming out of Anthropic, OpenAI, Google, and X are rewriting the rules of cyber conflict. Attackers, powered by frontier models, are probing, chaining, and exploiting at a speed and scale that legacy testing was never built to match. Defenders, meanwhile, are still running point-in-time tests on a fraction of their environment.

That gap is the security story of the next five years, and we built Sara AI Pentesting, Synack’s Autonomous Red Agent, to close it.

Today, Sara is generally available to every Synack customer.

The Pentesting Coverage Gap: Why Current Testing Models Fall Short

Every CISO I talk to, especially in enterprises and government agencies, is dealing with the same problem. They can only cover a small fraction of their attack surface regularly. Our recent research with Omdia puts the coverage gap at 32%, and that number will continue to grow. 

Why Coverage Gaps Create Real Risk

The untested attack surface stays incredibly vulnerable. The crown jewels may not sit in that smaller subset of applications or network segments, but those untested assets give attackers a jump point to move laterally into the parts of the network, the applications, and the data that matter most. 

This is a structural problem, not a resource one. You cannot scale point-in-time human testing to match the speed of AI-powered attackers. The math simply doesn’t work.

The perspective has to change from “how do we do more pentesting?” to “how do we keep pace with AI-enabled adversaries, and do it at scale?”

What Makes Sara Different from AI Scanners and Frontier Models

A lot of new entrants are claiming to have an “AI-powered pentesting” capability. The reality is that most of these are basic wrappers sitting on top of publicly available LLMs. It’s volume without validation, and a wall of findings no team has the time to chase. That approach reduces offensive security to a machine-versus-machine arms race.

I also hear questions like: “Why can’t I just point frontier models like GPT 5.5 at my environment and get the same result?” The answer is that a model isn’t enough. They still need frameworks, a harness, or instrumentation around them. The models will keep changing, but their impact stays limited without a strong foundation underneath. Sara is that foundation. 

Sara is purpose-built for offensive security. It reasons like an attacker, chains vulnerabilities across an application, and validates real exploitability, not theoretical risk. And on the other side of Sara, real humans validate every result. Synack has had a zero false positive, high-signal ethos since day one, and Sara doesn’t deviate from that at all.

Thus far, the early access results have blown me away. In one recent customer engagement, Sara identified and exploited a chain of critical vulnerabilities, including SQL injection, account takeover, and stored cross-site scripting, inside a six-hour window. It did this without human intervention, and overall 70% of the findings from that engagement were rated high or critical.

Sara Changes the Economics of Defense

Sara is the solution I’ve always dreamed about for our customers: a capability they can actually afford to run continuously, across every asset, at a skill level that’s getting closer and closer to a real human researcher.

Historically, every Synack customer would have loved to buy Synack365, our continuous human pentesting product, but it was simply cost prohibitive at that scale. Sara changes the economics entirely. Comprehensive coverage across an organization’s entire attack surface is now something a security team can actually budget for, not aspire to.

We’re effectively flipping the economics of defense. For the first time, security teams can test continuously, across their entire environment, and know what’s actually exploitable before an attacker does. Picture a new critical vulnerability dropping in a widely-deployed system your team runs across 200 assets. The old way would involve a week of scanner tuning, thousands of “potential” findings, manual triage, and a month before anyone can tell the CISO which systems are actually exploitable. The Sara way tests every affected asset within the hour, attempting exploitation on each, and delivering a single answer to the CISO’s only real question: “which of these can an attacker actually break into right now?” The Synack Red Team (SRT) then takes Sara’s validated findings and digs into the business logic and chained attack paths Sara can’t reach.

That’s the shift. Coverage stops being a budget line item you sacrifice and starts being the default.

Agentic AI + Humans for Continuous Security Validation at Scale

At Synack, we firmly believe agentic AI on its own is not the answer. We know AI doesn’t catch everything, and by definition it isn’t creative. 

AI for Breadth, the Synack Red Team for Depth

That’s why humans stay equally important in our model. At the same time, we know Sara finds flaws our researchers miss. The organizations that stay ahead will pair agentic AI for breadth with the Synack Red Team for depth and judgment.

Continuous security validation is becoming table stakes. Testing your crown jewels once a year is already indefensible, and it won’t survive regulatory scrutiny, board scrutiny, or the next high-profile breach. The teams that thrive will operate at machine speed: agentic AI for coverage, elite humans for the findings that actually matter. Everything else is noise. The gap between organizations that adopt this model and those that don’t will widen fast. Adversaries aren’t waiting. Neither should we.

Get Started with Sara AI Pentesting

Sara is generally available today on the Synack Platform. Every customer can put it to work, alongside the Synack Red Team, on the parts of their attack surface that have gone untested for too long. 

For everyone else, this is the chance to run a real AI-powered pentest in your own environment, not a demo. Request a pentest to see what Sara uncovers across the 68% of your attack surface that’s going untested today.

The pentesting model we’ve relied on for years is breaking. The model that replaces it is already here. The work ahead is making sure every organization is ready for it.
