Imagine the scene: A developer at a large financial institution merged a routine code update. Nothing alarming yet, just a minor change that, on its own, meant little.
But Terra Security’s AI agents were watching.
The agents flagged the change, verified a potential vulnerability, and then did something a human penetration tester probably wouldn’t have done. They kept looking. Eventually, they found two more vulnerabilities nearby, each individually insignificant. But they spotted a pattern and connected all three.
“1+1+1 = 1,000,” said Shahar Peled, co-founder and CEO of Terra Security. The result was a Remote Code Execution (RCE) vulnerability, a flaw that allows an attacker to run malicious code on a target system or server from a remote location. RCE is considered one of the most critical classes of vulnerability.
The customer found out from their vendor, not from an adversary.
Founded in 2024, the Tel Aviv and New York-based startup has raised $38 million across a rapid Seed and Series A, and counts Fortune 100 enterprises among its customers. Its core product is an agentic offensive security platform where swarms of AI agents are trained to think and act like “ethical hackers”, running continuously across a company’s attack surface.
The traditional model of penetration testing (hiring an external team once or twice a year to probe for weaknesses) was never designed to catch what Terra caught in that unnamed financial institution. “Until 2025, it happened on an annual basis mostly,” Peled explained. “Once a year, you hire someone externally to work for a week or two weeks... The reason you couldn’t do it continuously is that you couldn’t really train software to hard-code how adversaries think and act.”
But AI has changed all that. Terra Security’s agents scan for known vulnerabilities and simulate the reasoning of an attacker, chaining together findings and verifying whether a vulnerability is actually exploitable rather than merely theoretical.
Peled was careful not to overclaim, though, and beat me to my own next question. “Are AI agents today better than any ethical hacker in the world? They’re not,” he said. “They don’t yet possess the creativity of the best ethical hackers. But they can be more scalable than anyone in the world. They can run continuously. They never sleep. They’re already better than the vast majority of ethical hackers in the world.”
With AI, cyberattackers no longer wait for annual review windows. Adversaries now use tech to find entry points faster, adapt in real time, and strike before defenders can patch. A point-in-time test is, by definition, already outdated the moment it concludes.
Terra’s idea is that continuous, AI-driven offensive security is the only architecture that matches the pace of modern attacks. The chained vulnerability Peled mentioned in our conversation was only catchable because an agent was watching the moment the code changed, not six months later, when a consultant finally showed up.
“I still see too many organizations that say, ‘Okay, now we have AI in offensive security’,” he concluded, in a slight warning to CISOs still budgeting for annual pen tests. “[They say] ‘I want to do the same thing I’ve done before, just faster, better, cheaper’. And that scares me.”