Penetration testing has always had a timing problem. You hire a firm, wait weeks for the engagement to start, the testers spend a few days poking around your environment, and you get a report. By then, your infrastructure has changed, new assets are exposed, and the snapshot you paid for is already stale.
Hadrian recently launched Nova to address that. It’s an agentic pentesting solution—autonomous, on demand, no scheduling friction. But when I spoke with Rogier Fischer, Hadrian’s co-founder and CEO, the product launch was almost secondary to what he was really arguing about: why the timing model for pentesting is broken in the first place.
The Speed Problem
Fischer has been doing ethical hacking since he was 12—Dutch companies at first, then PayPal, Microsoft, Google, collecting bug bounties as a teenager. That history informs how he frames what’s changed.
He pointed me to a site called zerodayclock.com that tracks how long it takes before a newly disclosed vulnerability gets actively exploited. “It’s going down, down, down—to the point that we expect, within a couple of years, it’s just going to be minutes, and now it’s still a day. But even a day, like 10 years ago, it used to be a year before you would see a new CVE being actively exploited.”
Annual pentesting made sense when attackers needed months to weaponize a vulnerability. It doesn’t hold up when they need hours—or possibly minutes.
Two Different Problems
Fischer draws a clear line between two types of testing that often get lumped together. The first is validating known vulnerabilities—CVEs, known misconfigurations, and known exploit techniques against existing software. That’s what Hadrian’s core platform already handles, running millions of attack simulations daily. Nova is built for the second type: finding bespoke vulnerabilities in custom-built software.
The urgency is different for each. Known vulnerability exploitation is accelerating fast. Custom software analysis matters, but the risk profile is different enough that Fischer thinks running deep agentic pentests on bespoke software on a monthly basis is reasonable—not because it’s ideal, but because the attack surface behaves differently.
Fischer is also clear that security through obscurity is no longer a viable fallback. Modern scanning operates at a scale where exposed assets get found regardless of how tucked away they are—and when they do, the attacker is usually targeting the vulnerable technology, not the organization specifically. You just happened to be running it.
Human in the Loop—For Now
Nova ships with human-in-the-loop verification. Every finding gets reviewed before it reaches the customer. Fischer backs that model, but he doesn’t pretend it’s permanent.
He used his own experience as a developer as an example. He’s gone from carefully reading AI-generated code before accepting it to mostly just testing whether the functionality works—and if it does, trusting that the code is fine. That shift happened fast, and he expects the same pattern to play out in how security teams relate to agentic tools.
That’s a candid thing for a CEO to say. The volume of what agentic tools produce will eventually outpace what humans can meaningfully review, and Fischer knows it. He’s building for that future while shipping something responsible for today.
The Case for Continuous Testing
Nova simulates how attackers move through environments by chaining vulnerabilities and escalating access with real asset context. It retains knowledge about systems and configurations across assessments, replicating how skilled offensive professionals prioritize and adapt during an engagement. Scope is customer-controlled, assessments can be re-run as environments change, and pricing is per test—no retainer.
Hadrian says its platform eliminates 99.5% of false positives and reduces time to resolution by 80%. The company holds SOC 2 Type II and ISO 27001 accreditations and has been named a Leader and Outperformer in the GigaOm Radar for Attack Surface Management for three consecutive years.
The underlying argument Fischer is making is that pentesting has never been more important, and the traditional model of doing it once or twice a year has never been less adequate. If attackers are probing continuously and AI is compressing the time between disclosure and exploitation down to hours, security teams that treat pentesting as a periodic exercise are working from a map that’s already out of date.
Whether Nova solves that problem at scale remains to be seen, but the problem itself is real.