Intruder introduces AI-powered pentesting agents as a GCHQ-supported startup automates security assessments worth $50,000 that were previously done manually.

      TL;DR: Intruder, a UK cybersecurity startup backed by GCHQ, has introduced AI pentesting agents that mimic traditional manual pen testing techniques in just minutes. The cybersecurity market is rapidly moving towards automating vulnerability detection as AI narrows the gap between offensive and defensive capabilities.

      Manual penetration tests range from $10,000 to $50,000, requiring weeks to schedule and days to conduct, resulting in reports that often become outdated as soon as they are issued. London-based Intruder, which emerged from GCHQ’s Cyber Accelerator program, has launched AI-driven pentesting agents that simulate the methods of human pen testers, delivering results within minutes.

      CEO Chris Wallis is set to showcase this technology at KnowBe4’s KB4-CON conference on May 13, presenting a straightforward proposition: the depth of a manual pentest, available on demand at a significantly lower cost.

      This launch coincides with a moment when the cybersecurity sector observes AI rapidly evolving offensive capabilities more swiftly than defenses can keep pace. Anthropic’s Claude Mythos Preview has identified thousands of zero-day vulnerabilities across all major operating systems and browsers in a single evaluation.

      Autonomous pentesting startup xBow attained unicorn status in March 2026 after securing $120 million in funding. The pressing question now is not whether AI will replace human pen testers, but whether this transformation can happen quickly enough to bridge the divide between the vulnerabilities AI uncovers and the speed of remediation by organizations.

      The product

      Intruder’s AI pentesting agents analyze vulnerability scanner results using techniques akin to those employed by human testers. When a scanner flags a potential issue, the AI interacts directly with the target system, sending requests, analyzing responses, and probing for exposed data to assess whether the issue is a legitimate exploit or a false positive. The investigations encompass injection attacks, client-side vulnerabilities, and information disclosure.

      Historically, the difference between a vulnerability scanner and a penetration test lies in the ability to validate whether a flagged problem can be exploited. Scanners generate extensive lists of potential issues, many being false positives or low-risk concerns that occupy security teams’ time without enhancing their security posture. A pen tester evaluates those findings to determine their significance. Intruder’s AI agents streamline that evaluation process.

      Currently, issue-level investigations are available, while comprehensive web application penetration testing, where agents link multiple findings to create attack paths across an application, is anticipated by the end of the current quarter. The company views this as an initial phase, with plans for future releases to broaden the agents' autonomous investigation capabilities.

      The company

      Founded in 2015 by Wallis, who transitioned from ethical hacking to corporate security, Intruder was selected for GCHQ’s Cyber Accelerator—a program designed to support commercially viable cybersecurity startups. In 2023, the company was recognized as the fastest-growing cybersecurity firm in the UK on Deloitte’s Tech Fast 50 list.

      Intruder now safeguards over 3,000 organizations, generating around $16 million in revenue in 2024, up from $10 million in 2023, and growing from $900,000 in 2020. Remarkably, it has only raised $1.5 million in external funding, a notable achievement in an industry where competitors often secure hundreds of millions before achieving profitability. Essentially, Intruder operates as a bootstrapped entity.

      Its platform integrates attack surface management, cloud security, continuous vulnerability scanning, and AI pentesting into one interface. The company targets mid-market organizations—those large enough to face significant cyber risks yet too small to invest in $50,000 manual pentests and dedicated security teams that are typically within reach of enterprise clients.

      Intruder’s own research, as detailed in its Security Middle Child Report published in March 2026, indicates that 42% of mid-market security teams feel stretched, overwhelmed, or consistently behind.

      The market

      The penetration testing market is valued at roughly $2.5 to $3 billion, with an annual growth rate of 12 to 16%. The AI-native segment is expanding even more rapidly. xBow achieved a $1 billion valuation with $237 million in funding. Pentera, which conducts automated attack simulations without needing agents on endpoints, has surpassed $100 million in annual recurring revenue. Horizon3.ai’s NodeZero has conducted over 170,000 autonomous penetration tests in production environments.

      The economics underlying manual pentesting are fundamentally flawed. With an estimated global cybersecurity workforce gap of 3.4 million positions, there aren’t enough qualified pen testers to satisfy demand, even if every company could afford their services. Approximately 32% of companies still conduct testing only once a year. Those that test quarterly often spend more on pentesting than many organizations allocate for their entire security toolset. AI reduces costs, but it brings to light an unanswered question: if AI identifies vulnerabilities more quickly than humans, does it also do so more swiftly than attackers?

      The push for regulated cybersecurity AI in 2026 reflects the tension between speed