The autonomous AI pentest
The frontier engine, where autonomous offensive agents chain weaknesses, work through authentication, and find novel and business-logic flaws that commodity tooling cannot.
The Autonomous AI Pentest is the frontier end of the adversary spectrum. Autonomous offensive agents attack an authorised part of your surface the way a capable, AI-driven adversary would: they chain weaknesses together, work through authentication, and find novel and business-logic flaws that off-the-shelf tooling never surfaces. This is where AI reasoning is the differentiator, and it is the difference between knowing your surface passes commodity checks and knowing whether a determined attacker can still get through.
The outcome is a truthful answer to the question that keeps a security leader up at night. Not "does a scanner flag anything", but "if a real, well-resourced adversary took an interest in this, what would they actually achieve". For a risk owner that reframes exposure from a list of technical weaknesses to a demonstrated path. For an engineer it means the finding comes with the reasoning and evidence of how the agent got there, not just a signature match.
Frontier, not commodity
Aether AI models the offensive side as a spectrum, and the pentest sits at the frontier end of it. The Conventional Attack Surface engine is the other end: the commodity baseline. That layer continuously and non-destructively validates what a run-of-the-mill attacker with generally-available tooling could exploit. It checks for exploitable conditions, it does not chain them, defeat authentication, or reason about your business logic. It is deliberately the floor.
The frontier engine is the ceiling. Where commodity tooling stops at "this condition is present", the offensive agents keep going. They reason about how one weakness feeds another, they push through authentication instead of stopping at the login page, and they probe the logic of an application for the kind of flaw that only exists in how a specific system was built. That reasoning is exactly what a commodity scanner cannot do, and it is why the two layers answer different questions.
Two boardable statements
The two ends of the spectrum map to two boardable statements. Conventional Attack Surface establishes that the commodity baseline is defensible. The Autonomous AI Pentest shows where a more capable, AI-driven adversary would still get through once that baseline is clean. Keeping them separate is what stops "risk" from collapsing into a single vague number.
What the agents actually do
Three capabilities set the frontier engine apart from the commodity baseline.
Chaining weaknesses means the agents do not treat findings in isolation. A piece of exposed information, a misconfiguration, and an overlooked endpoint may each be harmless alone, but the agents reason about how they combine into a path an attacker could walk. That composition is the work, and it is where genuine exploitability tends to live.
Working through authentication means the agents do not stop at the front door. A large amount of real attack surface sits behind a login, and a check that never gets past authentication never sees it. The frontier engine treats getting through as part of the job.
Finding novel and business-logic flaws means the agents look for the problems that no signature describes: flaws in how a particular application handles state, trust, or workflow. These are the findings commodity tooling structurally cannot reach, because there is nothing generic to match against. AI reasoning is what makes them findable at all.
Heavier, slower, and scoped
The frontier engine is far heavier and slower than continuous validation, and that is by design. Reasoning through an application, chaining weaknesses, and working through authentication is deep work. It is not the always-on, per-asset sweep that the Monitor and Monitor Plus tiers run. It is a focused offensive engagement, and it takes the time that real depth requires.
Because it is that powerful, it runs only against explicitly authorised scope. The pentest does not roam. It operates against the surface you have deliberately authorised it to attack, and nothing else. Where the Conventional Attack Surface engine stays safe by being non-destructive against production assets, the pentest stays safe by being bounded to authorised scope. The safety model covers how offensive work is kept in bounds.
How a finding lands
A pentest finding lands with the chain the agent followed and the evidence for each step, not a bare severity label. The point is that you can see the reasoning, reproduce the path, and fix the specific weakness that made it work, rather than guessing at a generic rule.
Armed with what an attacker already holds
Attackers do not start from zero. They reuse and share information: leaked credentials, breach data, infostealer logs, known-exploited vulnerabilities. Aether AI's shared intelligence already feeds the defensive side, alerting you to that exposure. The direction for the offensive side is that the same intelligence arms the agents, so validation reflects what an attacker already holds and not only technical weaknesses.
Roadmap
Enriching the offensive agents with shared intelligence is partly in place today and partly on the roadmap. The intended direction is that a signal such as a compromised credential surfaced by a threat feed is designed to feed straight into how the agents validate exposure, so the pentest reasons from an attacker's real starting position rather than a clean-room one.
Scenario: retest what you already know about
You are rarely starting from a blank page. Most teams already hold a pile of findings: an internal vulnerability-management backlog, the results of a bug bounty programme, the report from the last human-led penetration test. The problem is that a static list ages badly. You do not really know which of those issues are still exploitable, which were quietly fixed, and which were marked resolved without ever being confirmed.
Aether AI turns that backlog into a starting position. You bring your existing findings, whatever their source, and the offensive agents put them to work in two ways.
First, they retest. Each finding you provide is re-attacked against the live target, so you get a truthful answer on every one: still exploitable, or genuinely closed. This replaces "we think that was fixed" with a demonstrated result, and it does it across findings that came from completely different processes, all in one place.
Second, they go deeper. A prior finding is not just something to re-check, it is a signpost. It tells the agents where a system was weak once, and they reason outward from there: the related endpoints, the pattern that produced the original flaw, the deeper issue the first finding was only a symptom of. Prior knowledge lets the agents spend their effort where exposure is most likely to still live, which is exactly how a determined adversary would use the same information.
Then the loop closes on the defensive side. Rather than handing you a fresh list, Aether AI's remediation guidance walks you through each fix step by step, and once you have made the change it retests to confirm the issue is actually gone. A finding does not leave the loop on your say-so, it leaves when a re-attack can no longer reproduce it.
What is here today, and where it is going
The retest, resolve and regression lifecycle is already how findings move through Aether AI, and @Aether walks a user through remediation today. The fuller vision, importing findings from any external source and having autonomous defensive agents drive the remediation and re-validation from end to end, is the direction this is heading. Where a step is not yet automated, it is written here as intent, not as a shipped feature.
What you see
Frontier pentest findings flow into the shared Risk Inbox alongside everything else, so a novel pentest result sits next to a directly exploitable conventional finding and can be filtered by severity, source, and update time. Each finding points at the source with evidence and a fix, and confirmed live findings feed the asset's 0 to 100 risk score on the same source-agnostic basis as any ASM or Conventional Attack Surface finding. A frontier finding and a commodity one are weighed by the same rules, so the score reflects real, current exploitability across the whole spectrum.
Related
Conventional Attack Surface
The commodity baseline: continuous, non-destructive validation of what a run-of-the-mill attacker could exploit.
Shared intelligence
The threat intelligence that arms both defence and the offensive agents.
Risk Inbox
One queue of findings across ASM and pentest, with severity, source, and update filters.
Risk scoring
The 0 to 100 asset risk score computed over confirmed, live findings.
Conventional Attack Surface
Continuous, non-destructive validation of what a commodity adversary could actually exploit on an asset.
Threat Radar
Continuous intelligence plugins correlated to a customer's attack surface, each producing a verdict card that both alerts defence and enriches the offensive side.