Aikido

Sunhat uses on-demand AI pentesting to deliver credible security proof when it matters most


At a glance

  • Runs AI pentests on demand to meet customer and audit timelines
  • Combines AI pentesting with manual pentests for speed and depth
  • Uses white-box testing to reduce false positives and improve credibility
  • Delivers customer-ready pentest reports without waiting weeks
  • Embeds Aikido across CI/CD and infrastructure for continuous coverage

Challenge

For Sunhat, security is not an internal checkbox. It is part of the product promise. Sunhat builds an AI-powered Collaborative Proof Platform that helps enterprise sustainability and compliance teams prove trust and compliance to their own customers, partners, and regulators.

That makes Sunhat’s own security posture directly tied to revenue, reputation, and deal velocity. Sunhat sells to large, often multinational enterprises with high security expectations.

Customers regularly ask for pentest evidence before moving forward.

“Yes, customers ask us directly for pentest evidence. And honestly, I would do the same in their position.”

Ali, Co-Founder and CTO of Sunhat

Manual pentesting was already part of Sunhat’s security program. But it came with a familiar problem: timing.

Pentests take weeks to schedule and execute. Reports age quickly. And during sales cycles or audits, time pressure can turn security validation into a bottleneck.

“Some companies are not satisfied with a report that is a few months old,” Ali explained.

Sunhat wanted a way to provide fresh, credible security proof on demand, without compromising on quality.

Why Sunhat turned to AI pentesting

Sunhat was already using Aikido as part of its secure development lifecycle when AI pentesting became available.

“When we discovered that Aikido now offers AI-based pentesting, I was pretty curious to give it a try,” Ali said. “I was especially interested in comparing it to manual pentesting, which we had done previously.”

The goal was not to replace manual pentests.

“Both AI pentesting and manual pentesting have their place, which is why we do both,” Ali said.

Instead, Sunhat saw AI pentesting as a way to add speed, flexibility, and realism to their security validation process.

“To me, this is how pentesting and security testing should work in today’s age,” he added.

Running the AI pentest

Getting started with AI pentesting required little friction.

“It was simple to get started with Aikido Attack on our own. Engineers love it when they don’t have to jump through artificial hoops.”

Sunhat runs white-box AI pentests to maximize validity and relevance. The AI agents have access to source code context, allowing them to focus on realistic attack behavior rather than shallow scanning.

“We do white-box pentests as they provide higher validity. Seeing the logs and how the AI agents behave gives us more confidence that they try to cover as much as possible.”

Most importantly, AI pentests can be triggered when needed.

“Triggering an AI pentest is now a matter of minutes, making them extremely useful in time-sensitive situations.”

What the AI pentest delivered

Sunhat does not run pentests to check a box.

“We do pentesting not for fooling ourselves, but to find issues before malicious actors do,” Ali said.

In one AI pentest, Aikido identified a vulnerability in Sunhat’s PDF export generation process.

Sunhat uses a browser-as-a-service provider to launch headless Chromium instances for PDF generation. The team had already sanitized content such as the <head> element and tightly controlled which HTML elements were allowed, but the allowlist still permitted elements that fetch remote resources, such as <iframe> and <img>.

Aikido determined that those elements could trigger outbound HTTP requests from the rendering browser during PDF generation, a server-side request forgery (SSRF) vector, with the fetched responses potentially included in the generated document.

This was not a surface-level misconfiguration. It was rooted in how the PDF generation flow interacted with browser behavior.

To mitigate the issue, Sunhat:

  • Disabled JavaScript execution in Puppeteer during PDF generation
  • Blocked external network requests using request interception
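The two mitigations above, as an added example that is not Sunhat's or Aikido's code: a Puppeteer rendering step with JavaScript disabled and an origin allowlist enforced through request interception. The asset origin, the sample HTML, and the names allowRequest() and renderPdf() are assumptions made for this illustration.

```javascript
// Added example, not Sunhat's or Aikido's code: a Puppeteer PDF export
// hardened the way the case study describes (JavaScript disabled, outbound
// requests gated by request interception). Assumptions: `puppeteer` is
// installed, the HTML arrives as a string, and the only legitimate
// subresources (images, stylesheets, fonts) come from one known origin.
// ASSET_ORIGIN, allowRequest() and renderPdf() are names chosen here.

const ASSET_ORIGIN = 'https://assets.example.invalid'; // placeholder asset host

// Constructed sample input: the first <img> is legitimate; the
// metadata-service <img> and the <iframe> are the SSRF vectors to block.
const SAMPLE_HTML = `
  <html><body>
    <img src="${ASSET_ORIGIN}/logo.png">
    <img src="http://169.254.169.254/latest/meta-data/">
    <iframe src="http://127.0.0.1:8080/admin"></iframe>
  </body></html>`;

// Pure policy function so it can be unit-tested without launching a browser.
// A PDF only needs static assets: documents (frames), scripts, XHR/fetch,
// websockets and every other resource type are refused regardless of URL.
function allowRequest(url, resourceType, allowedOrigins = [ASSET_ORIGIN]) {
  const staticTypes = new Set(['image', 'stylesheet', 'font']);
  if (!staticTypes.has(resourceType)) return false;
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparsable URL: refuse rather than guess
  }
  // Allowlisting the origin (scheme + host + port) is stronger than denylisting
  // private IP ranges: the browser resolves hostnames, so a denylist is
  // sidestepped by any name that resolves to an internal address.
  // http:, file:, data: and other schemes fail the https: check.
  if (parsed.protocol !== 'https:') return false;
  return allowedOrigins.includes(parsed.origin);
}

// Render HTML to a PDF buffer with both mitigations applied.
async function renderPdf(html, allowedOrigins = [ASSET_ORIGIN]) {
  const puppeteer = require('puppeteer'); // loaded here so allowRequest() stays testable offline
  const browser = await puppeteer.launch();
  try {
    const page = await browser.newPage();
    await page.setJavaScriptEnabled(false);  // mitigation 1: no script execution
    await page.setRequestInterception(true); // mitigation 2: every request goes through the handler
    page.on('request', (req) => {
      // setContent() writes the document directly, so the main frame needs no
      // navigation request. Any navigation seen here is a child frame (an
      // <iframe>) or a <meta http-equiv="refresh"> redirect, which still fires
      // with JavaScript disabled. Abort all of them.
      if (req.isNavigationRequest()) return req.abort('blockedbyclient');
      if (allowRequest(req.url(), req.resourceType(), allowedOrigins)) {
        return req.continue();
      }
      return req.abort('blockedbyclient');
    });
    await page.setContent(html, { waitUntil: 'load' });
    return await page.pdf({ format: 'A4', printBackground: true });
  } finally {
    await browser.close();
  }
}

// Usage (needs a browser):
//   renderPdf(SAMPLE_HTML).then((buf) => require('fs').writeFileSync('out.pdf', buf));
```

allowRequest() is kept separate from the browser wiring so the policy can be tested without Chromium. Two choices worth noting: the check is an origin allowlist rather than a denylist of private address ranges, because the browser resolves names and a denylist is bypassed by a hostname that resolves to an internal address; and navigation requests are aborted outright, because disabling JavaScript does not stop <iframe> loads or <meta http-equiv="refresh"> redirects.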

After deploying the fix, Sunhat triggered a retest.

“Having the AI agents confirm the improvements after deploying the fixes on our side is very validating.”

Aikido recognized the mitigation as effective during the retest, confirming that the SSRF vector had been closed.

“So far, we have not run into false positives,” Ali added. “It appears that the AI agents use the context provided by our source code well.”

Beyond pentesting: Aikido as the security platform

While AI pentesting is a critical capability, Sunhat uses Aikido as a broader security platform.

Aikido runs continuously across pull requests and scheduled infrastructure scans, aligning with Sunhat’s automation-first engineering culture.

“At Sunhat we are big believers in automation, and we feel Aikido fits right in,” Ali said.

Remediation guidance is practical and context-aware, especially in white-box scenarios.

“Since we do white-box pentests, the remediation steps feel accurate. Nobody likes generic advice that does not apply to you.”

This combination of continuous coverage and on-demand pentesting allows Sunhat to stay ahead of both security risk and customer expectations.

Results

For Sunhat, the impact of AI pentesting is best measured in speed, confidence, and credibility. AI pentesting allows Sunhat to:

  • Respond quickly to customer and audit security requests
  • Provide fresh, customer-ready pentest reports without long lead times
  • Validate fixes rapidly through automated retesting
  • Treat security as a continuous capability instead of a point-in-time exercise

“Similar to how our customers have to provide verifiable proof to their stakeholders, we want to provide up-to-date proof about our security posture to prove that we are a reliable business partner,” Ali said.
