Hex Security
Autonomous AI agents that run continuous penetration tests against web apps, APIs, and infrastructure, reasoning like security researchers to find and verify vulnerabilities and deliver working proof-of-concept exploits with remediation steps.
Hex Security (Y Combinator Winter 2026, San Francisco) builds autonomous AI agents for offensive security. Instead of a once-a-year manual penetration test, its agents run continuously against a customer's web applications, APIs, and infrastructure, reasoning like elite security researchers to discover and chain attack paths across the full attack surface. Every finding is validated with a working proof-of-concept, which the company says eliminates false positives, and is delivered with reproduction steps and remediation guidance. In its launch the company reported that its agents found critical vulnerabilities across dozens of well-known YC companies, including SQL injection exposing billions of records and a demonstrated proof-of-concept worm, estimating more than 3 billion dollars in prevented damages. The founding team includes Huzaifa Ahmad, Ahmad Khan, and Prama Yudhistira, with backgrounds at PlayAI, AWS, and OpenAI. The product operates at the domain hex.co and is distinct from the Hex notebook company at hex.tech.
Vendor details
Canonical URL
https://hex.co
Category
Security / SOC agent
Funding status
Private, early stage. Y Combinator Winter 2026 batch, backed by Y Combinator and Pioneer Fund. Founders Huzaifa Ahmad (ex-PlayAI and AWS), Ahmad Khan (ex-OpenAI), and Prama Yudhistira (ex-PlayAI and AWS).
Company status
independent
Use cases & customers
Primary use cases
Target customers
Deployment options
Integrations
Agents run against a customer's web applications, APIs, and infrastructure using offensive security tooling and exploits. No public developer API, SDK, or CI-CD integration was documented this session.
Sources & related URLs
Capability coverage
4.0 / 14 capabilities · 29%
| Integrations & Tool Callinghex.co and YC launch: agents run continuously against web apps, APIs, and infrastructure using offensive tooling and exploits; no CI-CD or broad integration surface documented. | Partial |
|---|---|
| Workflow Orchestrationhex.co: agents discover and chain attack paths across the full attack surface in multi-step reasoning. | Full |
| Knowledge Grounding & RAGAgents reason about vulnerability classes but no knowledge grounding or RAG is documented. | Unable to verify |
| Human Oversight & Guardrailshex.co and YC job post: every finding is validated with a working proof-of-concept and offensive engineers review agent findings; no customer-configurable oversight. | Partial |
| Security, Identity & GovernanceAs a security vendor, no platform SSO, RBAC, compliance certification, or governance is documented. | Unable to verify |
| Observability & Auditabilityhex.co: findings ship with reproduction steps and remediation guidance that trace the exploit path; no agent-action audit log documented. | Partial |
| Memory & State PersistenceContinuous operation implies state but no memory feature is documented. | Unable to verify |
| Deployment & Data ResidencySaaS only; no self-host or documented. | Unable to verify |
| Prebuilt Agents / Templates / Packshex.co: autonomous agents cover standard vulnerability classes such as SQL injection, broken access control, and authentication bypass. | Partial |
| Triggers & Channel Coveragehex.co: continuous 24-7 operation against target systems; no CI-CD trigger documented. | Partial |
| Model Flexibility & RoutingNo user-facing model choice or routing documented. | Unable to verify |
| APIs / SDKs / MCP ExtensibilityNo public API, SDK, or MCP documented. | Unable to verify |
| Testing, Debugging & Optimizationhex.co: validates and verifies every finding with a working proof-of-concept, reducing false positives. | Partial |
| Browser / Computer-useOperates via exploits and requests; no browser or computer use documented. | Unable to verify |
Pricing
Contact for pricing; free initial pentest offered
Variable cost rationale
Cost scales with the size and complexity of the attack surface tested; no published rate.
Sales call required
Yes — required for paid access
Free / trial
Free initial pentest
Related vendors
- 7AI — Swarming agentic SOC from the Cybereason founders: sixty plus domain…
- Airrived — Agentic OS that unifies SOC, GRC, IAM, vulnerability management, IT,…
- Assail — Autonomous red teaming platform (Ares) whose AI agents discover,…
- Astelia — AI native exposure management platform from Israeli National Red…
- Capsule Security — Runtime security layer for AI agents that detects and blocks unsafe…
- Clutch Security — Universal non human identity security platform that discovers,…