Back to vendors
H

Hex Security

Visit site
Security / SOC agentindependentVerified 2026-07-10

Autonomous AI agents that run continuous penetration tests against web apps, APIs, and infrastructure, reasoning like security researchers to find and verify vulnerabilities and deliver working proof-of-concept exploits with remediation steps.

Hex Security (Y Combinator Winter 2026, San Francisco) builds autonomous AI agents for offensive security. Instead of a once-a-year manual penetration test, its agents run continuously against a customer's web applications, APIs, and infrastructure, reasoning like elite security researchers to discover and chain attack paths across the full attack surface. Every finding is validated with a working proof-of-concept, which the company says eliminates false positives, and is delivered with reproduction steps and remediation guidance. In its launch the company reported that its agents found critical vulnerabilities across dozens of well-known YC companies, including SQL injection exposing billions of records and a demonstrated proof-of-concept worm, estimating more than 3 billion dollars in prevented damages. The founding team includes Huzaifa Ahmad, Ahmad Khan, and Prama Yudhistira, with backgrounds at PlayAI, AWS, and OpenAI. The product operates at the domain hex.co and is distinct from the Hex notebook company at hex.tech.

Vendor details

Canonical URL

https://hex.co

Category

Security / SOC agent

Funding status

Private, early stage. Y Combinator Winter 2026 batch, backed by Y Combinator and Pioneer Fund. Founders Huzaifa Ahmad (ex-PlayAI and AWS), Ahmad Khan (ex-OpenAI), and Prama Yudhistira (ex-PlayAI and AWS).

Company status

independent

Use cases & customers

Primary use cases

Continuous autonomous penetration testingVulnerability discovery and verificationProof-of-concept exploit generationAttack-surface coverage for fast-shipping teams

Target customers

StartupsMid-market companiesSecurity-conscious engineering teams

Deployment options

SaaS

Integrations

Agents run against a customer's web applications, APIs, and infrastructure using offensive security tooling and exploits. No public developer API, SDK, or CI-CD integration was documented this session.

Capability coverage

4.0 / 14 capabilities · 29%

Integrations & Tool Callinghex.co and YC launch: agents run continuously against web apps, APIs, and infrastructure using offensive tooling and exploits; no CI-CD or broad integration surface documented. Partial
Workflow Orchestrationhex.co: agents discover and chain attack paths across the full attack surface in multi-step reasoning. Full
Knowledge Grounding & RAGAgents reason about vulnerability classes but no knowledge grounding or RAG is documented. Unable to verify
Human Oversight & Guardrailshex.co and YC job post: every finding is validated with a working proof-of-concept and offensive engineers review agent findings; no customer-configurable oversight. Partial
Security, Identity & GovernanceAs a security vendor, no platform SSO, RBAC, compliance certification, or governance is documented. Unable to verify
Observability & Auditabilityhex.co: findings ship with reproduction steps and remediation guidance that trace the exploit path; no agent-action audit log documented. Partial
Memory & State PersistenceContinuous operation implies state but no memory feature is documented. Unable to verify
Deployment & Data ResidencySaaS only; no self-host or documented. Unable to verify
Prebuilt Agents / Templates / Packshex.co: autonomous agents cover standard vulnerability classes such as SQL injection, broken access control, and authentication bypass. Partial
Triggers & Channel Coveragehex.co: continuous 24-7 operation against target systems; no CI-CD trigger documented. Partial
Model Flexibility & RoutingNo user-facing model choice or routing documented. Unable to verify
APIs / SDKs / MCP ExtensibilityNo public API, SDK, or MCP documented. Unable to verify
Testing, Debugging & Optimizationhex.co: validates and verifies every finding with a working proof-of-concept, reducing false positives. Partial
Browser / Computer-useOperates via exploits and requests; no browser or computer use documented. Unable to verify

Recent platform changes

No recent material changes tracked yet.

Pricing

Contact for pricing; free initial pentest offered

Contact onlyHigh variable costTrial available

Variable cost rationale

Cost scales with the size and complexity of the attack surface tested; no published rate.

Sales call required

Yes — required for paid access

Free / trial

Free initial pentest

Verified 2026-07-10

Contact us

Found a vendor we missed? Have feedback on the index? We'd love to hear from you.