Equixly
Also known as: Agentic AI Hacker
Autonomous offensive security platform whose Agentic AI Hacker continuously pentests APIs and web applications, chaining interactions to prove exploitable risk.
Equixly is an offensive security platform built around a proprietary Agentic AI Hacker that continuously attacks APIs and applications the way a skilled human adversary would, at machine speed and without a fixed scope or testing window. Rather than matching requests against known signatures like a scanner, a team of AI agents maps the attack surface, chains API interactions across services, manipulates business logic, and adapts its strategy as the architecture evolves, surfacing broken object level authorization, privilege escalation paths, and cross service exploit chains. The model is purpose built for offense: Equixly starts from an open weight model and specializes it with reinforcement learning trained on thousands of security tests, owns and runs it on its own infrastructure so customer traffic and findings never leave that environment, and designs the agent orchestration around it. Tests can be triggered from a CI/CD pipeline, coverage spans REST and GraphQL APIs, single page apps, server rendered web, and even LLM applications and MCP servers, and every finding ships with working proof of concept evidence aligned to the OWASP Top 10 API Security Risks.
Vendor details
Canonical URL
https://equixly.com
Category
Security / SOC agent
Funding status
Series A of EUR 10M led by 33N Ventures, with Alpha Intelligence Capital, JME Ventures, 360 Capital, and Fondazione Cassa di Risparmio di Firenze. Founded 2022, Verona, Italy. QC2 certification from Italy's National Cybersecurity Agency (ACN). Sample vendor in the Gartner Hype Cycle for APIs 2025 and Hype Cycle for Application Security 2025.
Company status
independent
Use cases & customers
Primary use cases
Target customers
Deployment options
Integrations
CI/CD pipeline triggering, Checkmarx integration, API definition or specification file ingestion, and procurement via Google, Microsoft, and Amazon cybersecurity marketplaces.
Sources & related URLs
Research sources
Capability coverage
7.5 / 14 capabilities · 54%
| Integrations & Tool CallingPlatform pages document triggering autonomous pentests from a CI/CD pipeline, a Checkmarx integration that brings testing into Checkmarx environments, API definition file ingestion, and procurement through Google, Microsoft, and Amazon cybersecurity marketplaces. Integration breadth is scoped to the security and dev toolchain. | Full |
|---|---|
| Workflow OrchestrationA team of AI agents maps the attack surface, chains API interactions across services, models multi step exploit chains, and adapts its strategy autonomously as it discovers new paths. The model and its agent orchestration are described as designed for each other. | Full |
| Knowledge Grounding & RAGGrounds testing in the customer's API definition and specification files and dynamically maps application behavior, with a reinforcement learning model trained on thousands of security tests. This is security domain grounding rather than a documented RAG over enterprise documents. | Partial |
| Human Oversight & GuardrailsFindings arrive with proof of concept evidence for human teams to prioritize and remediate, and Equixly recommends pairing continuous AI testing with targeted expert analysis for the most complex scenarios. No in product approval gate or scope guardrail construct is documented. | Partial |
| Security, Identity & GovernanceEquixly runs inference on its own infrastructure so customer endpoints, traffic, and findings never leave its environment, relies on no third party model, and holds QC2 certification from Italy's National Cybersecurity Agency (ACN). | Full |
| Observability & AuditabilityEvery finding is validated for exploitability and delivered with working proof of concept evidence framed for both executives and engineers, plus near real time results and a predictive remediation plan, giving clear visibility into what the agent did and found. | Full |
| Memory & State PersistenceThe AI Hacker learns how the target system behaves, retains an evolving map of the attack surface, and validates remediation as fixes are deployed, implying persistent state about the target. No general agent memory construct is separately documented. | Partial |
| Deployment & Data ResidencyDelivered as a SaaS platform running on Equixly's own infrastructure and procurable via cloud marketplaces. The vendor is EU based (Italy) with strong data isolation, but no explicit on premise or configurable data residency option is documented. | Partial |
| Prebuilt Agents / Templates / PacksEquixly is a single purpose Agentic AI Hacker. Coverage of OWASP Top 10 risks and multiple architectures is inherent capability rather than a user selectable catalog of prebuilt agents, templates, or packs. | Unable to verify |
| Triggers & Channel CoverageTests can be triggered directly from the CI/CD pipeline so new releases are challenged before reaching production, and the AI Hacker otherwise runs continuously and persistently 24/7 against live systems. | Full |
| Model Flexibility & RoutingEquixly runs a single proprietary offensive model that it builds, trains, and owns. Its explicit positioning is that it is not a customer selectable foundation model wrapper, so no model selection or routing is offered. | Unable to verify |
| APIs / SDKs / MCP ExtensibilityCI/CD pipeline triggering and the Checkmarx integration imply programmatic hooks, but no public API, SDK, or MCP extensibility for customers to build on the platform is documented. Equixly tests MCP servers as targets rather than exposing MCP for extension. | Partial |
| Testing, Debugging & OptimizationEquixly tests customer applications for security flaws and validates remediation, but it does not offer an agent testing, evaluation, or debugging harness for building or optimizing agents. Its internal reinforcement learning improvement is not a user facing capability. | Unable to verify |
| Browser / Computer-useEquixly attacks at the API and request level and models application behavior for REST, GraphQL, SPA, and server rendered targets. No browser automation or general computer use is documented. | Unable to verify |
Pricing
Contact sales; no public pricing. Request a demo or start a pentest. Also available on cloud cybersecurity marketplaces.
not disclosed; likely scoped by APIs or applications under continuous test
Cost watchouts
Scope expands with the number of APIs and applications and with continuous testing frequency. Marketplace procurement terms may differ from direct.
Variable cost rationale
Continuous testing subscription with no public rate; cost likely scales with the number of APIs and applications under test, but the pricing axis is not disclosed.
Sales call required
Yes — required for paid access
Free / trial
No public free tier; demo on request
Lowest paid plan
Not public
Key ambiguities
No public pricing. Whether billing is per application, per API, or platform tier is not disclosed.
Related vendors
- 7AI — Swarming agentic SOC from the Cybereason founders: sixty plus domain…
- Airrived — Agentic OS that unifies SOC, GRC, IAM, vulnerability management, IT,…
- Assail — Autonomous red teaming platform (Ares) whose AI agents discover,…
- Astelia — AI native exposure management platform from Israeli National Red…
- Capsule Security — Runtime security layer for AI agents that detects and blocks unsafe…
- Clutch Security — Universal non human identity security platform that discovers,…