
Yaga: The Pentest Agent from HackerSec


Several months ago, HackerSec officially launched Pentest AI-First, a new methodology that combines offensive artificial intelligence with specialized human validation. At that time, we briefly mentioned the existence of a proprietary AI agent operating within our methodology. Today, we officially introduce Yaga, HackerSec's pentest agent.

What is Yaga

Yaga is an offensive artificial intelligence agent developed in-house by HackerSec to execute the first layer of the pentest. It is not a rebranded scanner or a prompt interface wired to a language model. Yaga is an agent that performs technical reconnaissance, interprets the context of the application, carries out real exploitation within the defined scope, and produces findings with technical evidence before any results reach the client.

In practice, Yaga accomplishes in hours what would take days of operational work. It operates across web applications, APIs, networks, cloud environments, mobile, IoT, and AI/LLM systems, adapting its execution according to the tested environment and the objectives of the pentest.

Why Autonomy Alone Isn't Enough

The offensive cybersecurity market is currently in a race for total autonomy. Platforms have emerged that promise 100% autonomous pentesting, where AI agents operate end-to-end without human intervention. Some of these platforms deliver relevant results in controlled scenarios and specific benchmarks. However, real pentesting is not benchmarking.

A real pentest involves environments with complex business rules, specific authentication flows, system integrations, regulatory contexts, and attack surfaces that evolve as the company grows. No AI agent, no matter how advanced, can interpret all these layers alone with the depth that a human expert can achieve.

Total autonomy solves part of the problem. It accelerates processes, expands coverage, and reduces operational time. But it also carries a risk: when the agent operates alone, without validation, it may misprioritize, interpret context incompletely, or fail to explore paths that require creative offensive reasoning. It is precisely in these scenarios that the most critical vulnerabilities tend to be found.

HackerSec's Model: AI That Attacks, Humans That Deepen

Yaga was built to operate within a model where autonomy and human validation coexist in a structured manner. It does not replace pentesters; it enhances them.

In the first stage, Yaga performs reconnaissance, enumeration, real exploitation within scope, and identification of confirmed vulnerabilities. Each finding must meet technical validation criteria (reproducible evidence of exploitation within the agreed scope) before it moves on in the process, so that what Yaga hands over is already qualified for the next stage.

In the second stage, the human pentester from HackerSec comes into play. They validate each vulnerability, explore complex attack chains, test business logic, investigate scenarios that require offensive experience, and elevate the analysis to a level that AI alone cannot reach. This combination transforms speed into real depth.

What Sets Yaga Apart in Practice

Yaga was not designed to compete in lab benchmarks. It was developed to operate in real pentests, with real clients, in production environments with all the complexity that entails.

While other platforms measure success by automation rates or delivery speed, HackerSec measures it by the quality of the findings. A critical vulnerability that was only discovered because the human pentester connected a finding from Yaga with a business logic flaw is worth more than hundreds of automated findings without context.

This is the central point. Yaga amplifies the offensive capability of the team. It covers more surface area, identifies more initial vectors, and frees the pentester to focus on what truly requires human intelligence. The result is a pentest with greater coverage, more depth, and better alignment with the actual behavior of an adversary.

Integrated with the HAS Platform

Yaga operates within the HAS Platform, where clients can monitor the entire operation in real-time. Vulnerabilities found by Yaga and validated by pentesters appear with technical descriptions, CVSS scores, evidence of exploitation, and remediation recommendations. Clients can manage fixes, request retests, and generate reports directly through the platform.

Additionally, HAS connects with the tools the team already uses. Vulnerabilities can be sent automatically to Jira, with real-time notifications in Slack and Microsoft Teams, and there is an integration via MCP (Model Context Protocol) so that the client's own AI agents can query security data directly.

The Adversary Has Evolved

Cybercriminals are already using artificial intelligence to enhance reconnaissance, scale attacks, and exploit vulnerabilities more quickly. A purely manual testing approach is starting to fall short of that reality. However, testing with total autonomy, without the layer of human validation and deep analysis, does not fully solve the problem either.

Pentesting needs real AI to accelerate operations and human experts to take the analysis where AI cannot reach. This is precisely what Yaga delivers within HackerSec's Pentest AI-First methodology.

Yaga is already operating in real pentests within the HAS Platform. To see it in action, access the platform or talk to our team.