The Generalist Advantage in Agentic Pentesting
A real-life Tenzai agentic pentesting case study: From open registration to RCE on Oracle infrastructure via AI agent IDOR, SSH override, and cross-domain chain - six domains, one run.
A real-life Tenzai agentic pentesting case study: From open registration to RCE on Oracle infrastructure via AI agent IDOR, SSH override, and cross-domain chain - six domains, one run.
The Tenzai AI hacker expands to AI apps. Testing these applications well means treating the AI surface and the classic web surface as one connected target, since the findings that matter are almost always chains.
Our AI Hacker found this, fixed it, and then (bragged) wrote about it: one endpoint, leaking tech stack info, whispering all its secrets to anyone who knew how to listen!
The change happening in offensive security right now is not just speed; it's capability. Here's Tenzai's guide for CISOs and their teams, sequenced deliberately, to keep up with AI-driven attackers.
Across six platforms, Tenzai's AI hacker achieved scores placing it within the top 1% of participants, outperforming more than 125,000 human competitors.
Bottom line: You cannot secure modern applications by reviewing code alone. Many vulnerabilities only emerge in production systems - in the interactions between services, identity boundaries, cloud configurations, and in runtime behavior under pressure and focused attacks. At Tenzai, we focus on active validation, testing real systems in realistic environments to
Internal applications are dangerous precisely because they’re trusted by default. Even strong security programs have blind spots - and AI changes what’s possible to see.
A security benchmark of popular AI coding agents—Cursor, Claude Code, Codex, Replit, and Devin—found 69 vulnerabilities across 15 apps. Every agent shipped vulnerable code: broken auth, SSRF, missing controls, and more. Here’s what broke—and why it matters.