Evo COS: Context-Aware AI Pentesting for Continuous Offensive Security

💥💡The attacker side of AI security has already gone agentic. The question is whether you get there first. Today we launched Evo Continuous Offensive Security (COS). Context-aware AI Pentesting that gets outside your applications before an autonomous attacker can do it for you. Not a scanner. A purpose-built offensive security system that already knows your code. Business logic flaws, BOLA, IDOR, authorization gaps. The vulnerabilities AI-generated code is pushing into production can't be found by pattern matching. You have to understand what an application is supposed to do before you can determine how to abuse it. Point solutions rushing into this market are reasoning blind, without your data flows, your deployment environment, your trust boundaries, or your prior scan history. They can't tell you whether a finding is theoretical or genuinely exploitable in your stack. That's not just a minor limitation; it's the whole problem! And it's why every security leader I talk to is asking the same thing: How do we get ahead of what attackers can now do at machine speed? The answer starts with context. Evo COS ingests everything the Snyk platform already knows about your code: SAST findings, SCA results, prior DAST scans, asset intelligence. It uses a coordinated system of offensive grade frontier models and Snyk's own purpose-built models to reason about where real risk lives. Then it connects findings into attack narratives. Not "here are 47 vulnerabilities." But "here are the three paths that matter, here's why, and here's what to do." Emburse is in production with it today. Clearer visibility into exploitable vulnerabilities and how they chain together, giving their team the ability to prioritize what actually matters. Some of the largest tech and fin svcs customers in the world have been a design partner. A typical pentest runs 15 days. Agentic attackers don't wait for the other 350. This is the shift from point-in-time testing to continuous offensive security. The era of annual pentests was designed for human development cycles. AI doesn't develop on that schedule, and neither do the attackers targeting it. More details: https://lnkd.in/ef4WwkQv

💥💡The attacker side of AI security has already gone agentic. The question is whether you get there first. Today we launched Evo Continuous Offensive Security (COS). Context-aware AI Pentesting that gets outside your applications before an autonomous attacker can do it for you. Not a scanner. A purpose-built offensive security system that already knows your code. Business logic flaws, BOLA, IDOR, authorization gaps. The vulnerabilities AI-generated code is pushing into production can't be found by pattern matching. You have to understand what an application is supposed to do before you can determine how to abuse it. Point solutions rushing into this market are reasoning blind, without your data flows, your deployment environment, your trust boundaries, or your prior scan history. They can't tell you whether a finding is theoretical or genuinely exploitable in your stack. That's not just a minor limitation; it's the whole problem! And it's why every security leader I talk to is asking the same thing: How do we get ahead of what attackers can now do at machine speed? The answer starts with context. Evo COS ingests everything the Snyk platform already knows about your code: SAST findings, SCA results, prior DAST scans, asset intelligence. It uses a coordinated system of offensive grade frontier models and Snyk's own purpose-built models to reason about where real risk lives. Then it connects findings into attack narratives. Not "here are 47 vulnerabilities." But "here are the three paths that matter, here's why, and here's what to do." Emburse is in production with it today. Clearer visibility into exploitable vulnerabilities and how they chain together, giving their team the ability to prioritize what actually matters. Some of the largest tech and fin svcs customers in the world have been a design partner. A typical pentest runs 15 days. Agentic attackers don't wait for the other 350. This is the shift from point-in-time testing to continuous offensive security. The era of annual pentests was designed for human development cycles. AI doesn't develop on that schedule, and neither do the attackers targeting it. More details: https://lnkd.in/ef4WwkQv

A couple of months ago, we revamped our entire community strategy and rebranded our community as AI Sec Eng (AI Security Engineers), powered by Snyk, driven by a strong belief that AI will fundamentally transform both how we build software and how we uncover security vulnerabilities. And now we’re seeing that future take shape. Today, Evo by Snyk is unveiling Continuous Offensive Security — AI that probes applications the way attackers do, uncovering architectural flaws and business logic vulnerabilities that traditional scanners were never designed to catch. The full story is in the announcement, but what matters most to us is being backed by a company that isn’t just reacting to this shift — it’s helping define what security looks like in the AI era. If you work in security, or if you’ve ever stared at a growing list of vulnerabilities wondering which ones actually matter, this is worth your attention. Full announcement: https://lnkd.in/eKxJFyDH

The vulnerability deluge is coming. You have three to five months to get ahead of it. That's not a prediction. It's based on what we've seen firsthand testing the latest frontier AI models, including Anthropic's Claude Mythos, Claude Opus 4.7, and OpenAI's GPT-5.5-Cyber. The conclusion after months of rigorous testing: these models are extraordinarily capable at finding vulnerabilities and chaining them into critical exploit paths in near real-time. Here's what that means in practice. For the first time, a majority of findings in our May Patch Wednesday advisories came from frontier AI models scanning our own code across all 130+ products. We patched everything important. But we're one company. Across the entire open source and technology supplier ecosystem, the same scanning is coming, and not all of it will be defensive. The window before AI-driven exploits become the new norm is narrow. Here's what every organization should be doing right now: 1️⃣ Scan your own code before someone else does. Frontier AI finds vulnerabilities faster than manual penetration testing at a fraction of the cost. If you aren't using it defensively, assume your adversaries eventually will use it offensively against you. 2️⃣ Reduce your exposure surface aggressively. Unmanaged assets, misconfigured APIs, and shadow deployments are exactly the kind of targets these models surface quickly. Identify them and remediate before they become entry points. 3️⃣ Patch with urgency, not with your normal cadence. The three-to-five-month window demands a different operating tempo. Normal patch cycles were built for a different threat environment. 4️⃣ Transition to real-time security operations. If your SOC is still built around human-speed detection and manual escalation, the gap between attacker speed and defender speed is already a liability. That gap is about to widen significantly. One important distinction worth carrying into every executive conversation: frontier AI models are finding new attacks, not new attack techniques. That means defenders can innovate to stay ahead. But only if they move now. Lee Klarich has the full research and recommendations here. Worth reading before your next board conversation. https://lnkd.in/g3cHtPG2

The vulnerability deluge is coming. You have three to five months to get ahead of it. That's not a prediction. It's based on what we've seen firsthand testing the latest frontier AI models, including Anthropic's Claude Mythos, Claude Opus 4.7, and OpenAI's GPT-5.5-Cyber. The conclusion after months of rigorous testing: these models are extraordinarily capable at finding vulnerabilities and chaining them into critical exploit paths in near real-time. Here's what that means in practice. For the first time, a majority of findings in our May Patch Wednesday advisories came from frontier AI models scanning our own code across all 130+ products. We patched everything important. But we're one company. Across the entire open source and technology supplier ecosystem, the same scanning is coming, and not all of it will be defensive. The window before AI-driven exploits become the new norm is narrow. Here's what every organization should be doing right now: 1️⃣ Scan your own code before someone else does. Frontier AI finds vulnerabilities faster than manual penetration testing at a fraction of the cost. If you aren't using it defensively, assume your adversaries eventually will use it offensively against you. 2️⃣ Reduce your exposure surface aggressively. Unmanaged assets, misconfigured APIs, and shadow deployments are exactly the kind of targets these models surface quickly. Identify them and remediate before they become entry points. 3️⃣ Patch with urgency, not with your normal cadence. The three-to-five-month window demands a different operating tempo. Normal patch cycles were built for a different threat environment. 4️⃣ Transition to real-time security operations. If your SOC is still built around human-speed detection and manual escalation, the gap between attacker speed and defender speed is already a liability. That gap is about to widen significantly. One important distinction worth carrying into every executive conversation: frontier AI models are finding new attacks, not new attack techniques. That means defenders can innovate to stay ahead. But only if they move now. Lee Klarich has the full research and recommendations here. Worth reading before your next board conversation. https://lnkd.in/g3cHtPG2