Xint Pulse Brings One-Off Autonomous Pentesting to Web Apps


New offering gives security teams access to AI-powered black-box application testing without an annual enterprise agreement.

Listen to this article

Xint.io has launched Xint Pulse, an autonomous penetration testing service designed for organizations that need a one-time security assessment of a web application.

The service packages the black-box testing capabilities of the company’s broader Xint platform into individual application scans. The approach may appeal to startups, small and midsized businesses, and product security teams that need additional testing before a release, compliance submission, or vendor assessment but are not ready to enter a long-term testing agreement.

Xint Pulse is priced at $3,000 per application. The service includes the initial scan and as many as three retests within a 30-day period.

Testing the Application from an Attacker’s Perspective

Xint Pulse currently focuses on black-box testing. The customer provides the URL of a web application, and the platform examines the application without requiring access to its source code.

According to Xint, autonomous AI agents explore the application and evaluate potential attack paths in much the same way an external attacker might. The system uses large language models and a proprietary orchestration engine to identify, reproduce, and validate vulnerabilities.

This approach is a form of dynamic application security testing, or DAST. Unlike static analysis, which examines source code, black-box testing interacts with a running application and looks for vulnerabilities that can be exploited from the outside.

Xint says its platform is designed to go beyond conventional rules-based scanning by considering application context, user permissions, data flows, and business logic. These are areas where traditional automated tools can struggle, particularly when an exploit requires multiple steps or depends on how different application functions interact.

Reports Designed to Support Remediation

After a scan, customers receive a report containing severity scores, exploit trigger conditions, step-by-step reproduction instructions, potential impact, and recommended remediation measures.

The emphasis on validated and reproducible findings is significant. Security teams frequently spend considerable time determining whether automated scanner results represent genuine vulnerabilities or false positives. Providing the conditions necessary to reproduce a finding could help developers move more quickly from detection to remediation.

“When we launched Xint Enterprise late last year, we successfully demonstrated that we could take the expertise of the most decorated white hat hackers and turn it into the most complete autonomous application security for both black box and white box,” said Jeffrey Martin, vice president of product at Xint.io.

“With the launch of Pulse, we made these powerful capabilities accessible to all-size organizations with no compromise on the quality of findings or depth of scanning.”

Claims that an autonomous platform can deliver results comparable to those of an experienced human penetration tester are substantial and should ultimately be evaluated against an organization’s applications, risk profile, and testing requirements. Automated testing can expand coverage and accelerate repeatable assessments, but it may not eliminate the need for human judgment in high-risk or highly complex environments.

Making Pentesting More Accessible

Traditional penetration testing can be expensive and difficult to schedule, particularly for smaller organizations or teams working toward a fixed product-release deadline.

Xint Pulse addresses that gap by offering a defined test at a fixed price rather than requiring an annual agreement covering numerous applications. Potential use cases include pre-release validation, third-party risk assessments, customer security reviews, and compliance-related testing.

The company says a typical assessment produces results in less than 12 hours. Xint Pulse currently tests live web applications, although Xint plans to add white-box testing before the end of 2026. That capability would allow customers to upload source code for analysis intended to identify the underlying causes of vulnerabilities at the code level.

Because autonomous security tools capable of probing applications could be misused, Xint Pulse will not initially be available as an anonymous, self-service product. Prospective customers must contact the company, establish an account, and complete Know Your Customer identity verification before testing begins.

Built on Theori’s Offensive Security Research

Xint was developed by security researchers at Theori, an offensive cybersecurity company founded in 2016 by Carnegie Mellon University alumni.

The team has participated in competitions including DEF CON Capture the Flag, Pwn2Own, DARPA’s AI Cyber Challenge, and Zeroday.Cloud. Xint was also named the Best Automated Pentesting Platform in The Hacker News’ 2026 Cybersecurity Awards.

The introduction of Xint Pulse reflects a broader change in application security. As development teams release software more frequently—and incorporate growing amounts of AI-generated code—annual or occasional manual assessments may leave substantial gaps between tests.

Autonomous pentesting will not settle every question about application security. It may, however, give more organizations a practical way to test running applications when a full-scale penetration testing engagement is unavailable or disproportionate to the immediate need.

More information about Xint Pulse is available from Xint.io.


Additional Resource

Video Overview


Follow Brilliance Security Magazine on LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information. BSM is cited as one of Feedspot’s top 10 cybersecurity magazines.