Synack launches Sara AI Pentesting for wider coverage
JOSEPH GABRIEL LAGONSIN
News Editor
Synack has launched Sara AI Pentesting for general availability, combining artificial intelligence with human validation for security testing.
The release follows early deployments with selected customers and, in Synack's framing, marks a shift from periodic penetration testing to a more continuous model.
Organisations often test only part of their digital estate, even as attackers automate the discovery and exploitation of vulnerabilities. Synack is positioning Sara as a way to expand that coverage by using an autonomous system to identify potential weaknesses before passing findings to human reviewers.
The approach reflects a broader shift in cyber security as defenders try to keep pace with attacks that are becoming faster and more automated. Traditional penetration testing has long been constrained by cost, time and the limited availability of specialist researchers, leaving companies to focus on only a subset of systems at any given time.
Sara is designed to work across web applications and infrastructure, carrying out reconnaissance, mapping attack surfaces and validating initial exploits before findings are reviewed by Synack's researcher network. The service forms part of the company's broader PTaaS platform, through which customers buy penetration testing as an ongoing service rather than a one-off engagement.
Jay Kaplan, chief executive officer and co-founder of Synack, framed the issue as one of insufficient visibility across expanding attack surfaces.
"The problem isn't a lack of tools, it's a lack of coverage," Kaplan said. "Attack surfaces are expanding faster than organizations can test them, while AI is accelerating how vulnerabilities are discovered and exploited. Sara AI Pentesting changes that equation by expanding coverage with AI and then using human validation to ensure that what's found actually matters."
Early results
During the early access period, Sara produced results comparable to those of experienced security researchers in some real-world cases, according to Synack. In one engagement, the system identified and exploited a chain of three serious flaws without human guidance: a SQL injection flaw that exposed credentials, a password reset weakness that enabled account takeover, and a stored cross-site scripting vulnerability.
Synack said those findings were then validated and reported in a form ready for remediation. It also said 70% of findings during early deployments were rated high or critical.
Across those deployments, Synack said, the system repeatedly uncovered categories of weakness that commonly lead to significant business risk, including broken access controls, authentication weaknesses, injection flaws and exposed credentials. These are among the most common routes attackers use to move from initial access to broader compromise of systems and accounts.
Testing model
The launch highlights a growing push in cyber security to combine AI tools with human oversight rather than rely on either alone. Vendors across the sector are trying to show that automation can improve the breadth and frequency of testing, while experienced researchers still provide judgement on exploitability, severity and remediation priorities.
For buyers, one of the main questions is whether automated systems can produce findings useful enough to ease pressure on internal security teams rather than add to it. Synack said Sara focuses on exploitable vulnerabilities rather than theoretical risks, with human experts directed toward the most important gaps.
The service can operate at a fraction of the cost and several times the frequency of a traditional pentest, Synack said, though it did not provide pricing details. That argument around cost and cadence is likely to be central to adoption as companies weigh security spending against expanding estates across cloud, applications and internal infrastructure.
Market access
Sara is available through the Synack PTaaS platform and is listed on major cloud marketplaces operated by Amazon Web Services, Microsoft and Google Cloud. Marketplace availability can simplify procurement for large customers that already manage software and security spending through those channels.
Founded by former National Security Agency operatives, Synack said it has logged nearly 10 million hours of testing across sectors including financial services and defence. The company has built its business around a vetted community of security researchers, with Sara now handling parts of the reconnaissance and exploit validation process before work is escalated for human assessment.