You already know this problem, because you live it.
If you're a growing company, you pentest once a year… maybe twice if compliance demands it. You schedule the engagement, freeze changes, wait weeks, get a PDF. By the time the report lands, your application has already changed.
If you're a larger organization with an in-house security team, the picture is different but the constraint is the same. Your team is testing. They're good at it. But they're making hard choices every day about what to cover and what to skip, because they can't review every change across every area at the depth it deserves. They're triaging not just findings, but what to even look at.
On both sides, testing never keeps pace with shipping. Today, that changes.
The gap that widens with every deploy
Picture your commit history over the past year. Now picture your pentests, whether that's two external engagements or your in-house team's continuous effort.
Your engineering org might push thousands of lines a day. Your security team, no matter how skilled or well-resourced, can manually review a fraction of that at pentest depth.
Every change that didn't get tested is a version of your application that was never fully validated. If a vulnerability was introduced between tests, it sits in production until the next time someone reviews that path. The attack surface grows with every deploy. Security capacity doesn't scale with it.
This is a structural problem. You can't fix it with faster scans, better alerts, or more headcount. We need to change the model. Of 500 security and engineering leaders we surved, 76% deploy significant production changes every week or faster. Only 21% validate security on every release. And 85% said their security findings are already outdated by the time the analysis arrives.
That gap between ship and secure isn't theoretical. It's the window attackers walk through. And they're getting faster: this week, researchers revealed that a single hacker used Claude to breach multiple Mexican government agencies, exfiltrating 150GB of taxpayer and voter records. One person, one AI tool, thousands of automated commands. Attackers have superpower toys now. It's time defenders had theirs.
Enter Aikido Infinite
Last month, when we announced our Series B, we made a promise: the next chapter of Aikido would be about self-securing software. Software that protects itself as it's built and released. Today, we're delivering on that promise.
What it is
Aikido Infinite is continuous autonomous penetration testing with built-in remediation. Every time your application changes, autonomous agents pentest the deployment, validate what's actually exploitable, generate patches, and retest the fixes, all before code hits production: Pentest every release. Patch automatically.
No, it’s not DAST with LLM lipstick
For years, DAST was the closest thing the industry had to continuous security testing, and nobody ever said "this DAST is great" (sorry not sorry). The depth isn’t there. The signal-to-noise ratio isn’t there. The fix isn’t there. Infinite works differently: autonomous offensive agents that reason about application behavior, chain multi-step attack paths, leverage extensive tool suite, and validate exploitability through real exploitation. In one case, the agents discovered signature forgery was possible in a document signing application: Discovered changes in authentication -> Logged in as member -> Escalated privileges -> Confirmed broken authorization. This isn't your grandfathers 'dynamic scanning.'
How it works
When new code lands, Aikido Infinite analyzes the diff and identifies changes that impact your attack surface. Updated a README and button color? Skipped. Changed auth logic or API endpoints? Agents scope the impact and launch.
1. Discover: Infinite ingests context from Aikido's code-to-runtime platform (source code, application architecture, API specs, cloud config) and maps the full attack surface, including undocumented endpoints, hidden logic paths, and architectural anomalies too time-consuming for manual review. The agents reason about your system as a whole, understanding how components interact and where assumptions break down.
2. Exploit every path that changed: This is where Infinite diverges from scanner checks, which looks at components in isolation, one repo, one file, one theoretical risk at a time. In reality, security breaks at the seams. A single line change can affect every protected route in your application. Two changes that are individually safe can be dangerous in combination: a new API field here, a relaxed permission check there, and suddenly there's a cross-tenant data leak that neither change would have introduced alone.
These are the kinds of issues that pentesting exists to find, because they only surface in the real, running configuration where components interact as a whole. The problem has always been that testing every combination at that depth is hard and expensive. Infinite makes it the default. Specialized agents pursue every viable attack route across the affected surface: injection flaws, broken access control, auth weaknesses, SSRF, business logic errors, cross-tenant data exposure, all using real attack paths rather than fixed payloads. When an agent finds something, that intelligence feeds back into the loop, uncovering chained risks. Agents work in parallel across all security-relevant features simultaneously.
3. Validate: Every finding is confirmed through direct exploitation against the live target. Issues that can't be reproduced don't make it into the results.
4. AutoFix and retest: AutoFix generates a merge-ready PR with the specific code-level fix, targeted to your actual implementation. Developers review, merge, and agents automatically retest to confirm the fix holds. Within hours, a vulnerability goes from discovered to resolved to verified.
Because Infinite lives inside the Aikido platform, it has context that standalone pentesting tools simply don't. That infrastructure-to-code context is what makes the discovery deeper, the fixes more precise, and continuous testing actually viable.
What used to take weeks or quarters now happens in hours. The agents do the gruntwork. Your team reviews, merges, and moves on.
.png)
Release → Pentest diff→ Patch → Retest → Push to prod.
Proven on real-world code
These agents are already finding complex vulnerabilities in widely-used applications and frameworks, issues that had gone undetected even with years of community review and expert scrutiny.
In Coolify, our agents identified seven CVEs including privilege escalation and full host compromise via RCE as root, across 52,000+ exposed instances. In Astro, they found CVE-2026-25545, an SSRF in the Node.js adapter exposing internal network resources. In SvelteKit on Vercel, they traced SvelteSpill, a cache deception flaw across 150,000 lines of code affecting every default deployment. Vercel deployed a platform-wide fix after disclosure.
In a head-to-head comparison on a document signing application, the agents discovered a critical workflow integrity flaw that allowed e-signatures to be forged, along with 12 XSS instances. The manual pentesters, a senior team over two weeks, found one XSS and one SSRF. Seven of their nine findings were hardening checks, they missed the signature forgery entirely. (Full whitepaper here).
In all cases, these are deep, multi-step issues in mature codebases. The experts who missed them aren’t junior. They are senior professionals working under the same constraints every security team faces: limited hours, competing priorities, high pressure, and more code to review than any team can get through at depth.
For AI, that constraint disappears. Giving agents access to source code is instant, and they scale with the richness of the context they ingest. More code, more architecture context, better results, not higher cost. The expert testers focused on compliance and configuration because that's where their time went. The agents went deeper because they could.
Even the largest companies don't have enough experts to exhaustively test every code change pushed to their applications. Now, we can empower every team with access to deep analysis, always on, for every change. Think of it as a team of elite hackers 100% dedicated to your application, on-call around the clock.
%20copy-2%20(1)%20copy-2.gif)
What Infinite means for your teams
Attackers have superpower toys. This gives defenders theirs.
For security professionals: Infinite multiplies your team's testing capability. Agents handle the exhaustive validation across every release, expanding coverage automatically so your experts can focus on the crown jewels and judgement calls. Breadth, speed, deep testing on every diff that would otherwise consume the team's bandwidth, or just not get done. Security professionals get more capacity for creativity, business context, and the hardest problems. Infinite allows security teams to shift from resource-constrained "check critical" mode to "check everything” by default.
For developers: Your team is shipping 10x more code than a year ago. Infinite means you can be confident in the diff. No more security tickets showing up mid-cycle with unclear reproduction steps. Infinite finds issues, generates fixs, and opens the PR. You review it, merge it, and get back to building.
What's next?
Infinite is our flagship product and the realisation of a vision we've been building toward: self-securing software. ✨
Today, Infinite closes the loop between shipping and securing. Every run enriches Aikido's security knowledge base of your application with real findings, validated attack paths, and confirmed fixes. Where that knowledge base goes next, how it feeds back into the way code gets written (or generated) in the first place, well, you can probably imagine why we chose the name Infinite. As James Berthoty, founder of Latio Tech, alludes:
In a crowded market, Aikido Infinite is a genuinely unique approach to securing AI generated code, utilizing continuous AI pentesting to make every test better than the last, and code generation more secure by default.
Next time you hear from me, it will be with a cliché but well-designed "security through the software lifecycle as an infinity sign" graphic. We have a lot more to build. And we'll keep pushing until security works at the speed software demands, and developers deserve.
Want to try out Infinite today? You can start for free, book a demo, or enter the infinite next month at RSA in San Francisco.
xo Madeline, Aikido
And yes, the launch video is a parody of the Matrix:
