Writings from Tenzai researchers on autonomous offense and hard security vulnerabilities.
Tenzai Hits #1 on HackerOne - In Under 90 Days
We gave the Tenzai AI hacker a HackerOne account and let it run. In under 90 days — our first full quarter on the platform — it reached #1 among all AI security companies, with findings ranging from a new CVE to a one-click RCE chain to database access covering trillions of records. Here's what it found, and what we learned.

The Generalist Advantage in Agentic Pentesting
A real-life Tenzai agentic pentesting case study: From open registration to RCE on Oracle infrastructure via AI agent IDOR, SSH override, and cross-domain chain - six domains, one run.
Tenzai Launches AI Application Testing, Chaining Vulnerabilities Across Web, API, and AI Surfaces
The Tenzai AI hacker expands to AI apps. Testing these applications well means treating the AI surface and the classic web surface as one connected target, since the findings that matter are almost always chains.

One Endpoint. Zero Credentials. Eight Confirmed Vulnerabilities.
Our AI Hacker found this, fixed it, and then (bragged) wrote about it: one endpoint, leaking tech stack info, whispering all its secrets to anyone who knew how to listen!
Mythos Preview: What Every CISO Should Do Now
The change happening in offensive security right now is not just speed; it's capability. Here's Tenzai's guide for CISOs and their teams, sequenced deliberately, to keep up with AI-driven attackers.
Inside the Top 1%: Engineering Tenzai’s AI Hacker to Compete with Elite Humans
Across six platforms, Tenzai's AI hacker achieved scores placing it within the top 1% of participants, outperforming more than 125,000 human competitors.
Test In Prod Or Live A Lie
Bottom line: You cannot secure modern applications by reviewing code alone.
When “We Already Passed the Pentest” Isn’t Enough
Internal applications are dangerous precisely because they’re trusted by default. Even strong security programs have blind spots - and AI changes what’s possible to see.
Bad Vibes: Comparing the Secure Coding Capabilities of Popular Coding Agents
A security benchmark of popular AI coding agents—Cursor, Claude Code, Codex, Replit, and Devin—found 69 vulnerabilities across 15 apps. Every agent shipped vulnerable code: broken auth, SSRF, missing controls, and more. Here’s what broke—and why it matters.