THE PLATFORM

KAI runs the pentest. Then proves it.

Recon, exploitation, attack-chain analysis, and a reproducible PoC for every finding — written by an agent trained on OSCP, OSCE3, and CRTO methodology.

Every vulnerability KAI reports is validated with a reproducible proof of concept — built by an agent designed and trained by certified offensive security practitioners.

Start Free TrialSee It In Action
KAI Platform dashboard — vulnerabilities, MITRE coverage, asset demographics

Validated, Not Theoretical

Every finding ships with a working proof of exploitation. No more 400-page reports of unverified CVE matches.

Thinks Like an Attacker

KAI chains weaknesses into full attack paths the way an OSCP-grade pentester would — not a checklist scanner.

Continuous, Not Quarterly

Trigger autonomous assessments on every release, every asset change, or on a schedule. CI/CD ready.

WHY KAI

Built by Security Practitioners

Designed and trained by certified offensive security operators — OSCP, OSCE3, CRTO. The human pedigree the agent inherits.

Trained on OSCP / OSCE3 / CRTO Methodology

KAI was designed and trained by offensive security professionals holding OSCP, OSCE3, and CRTO certifications. The agent reasons the way a senior pentester does — methodology first, tools second.

Real Exploitation, Real Impact

Attack Chain Discovery

Reports Engineering and Execs Trust

Universal Deployment Surface

KAI vulnerability finding with CVSS, MITRE ATT&CK and CWE mapping
COVERAGE

127 attack techniques across 8 surfaces

Every technique mapped to OWASP, MITRE ATT&CK, CWE, and the compliance frameworks your auditors demand. KAI reasons about your target and picks the techniques most likely to succeed — not a fixed checklist.

Web Applications

24 TECHNIQUES
  • SQL injection (error / time / UNION-based)
  • XSS, CSTI, SSTI, prototype pollution
  • Authentication & 2FA bypass
  • Session token weakness
  • SSRF, file upload, deserialization
  • Cloud-storage misconfig (S3, GCS, Azure Blob)

APIs

11 TECHNIQUES
  • REST + GraphQL introspection abuse
  • OAuth 2.0 / OIDC / JWT cracking
  • BOLA / IDOR / function-level auth
  • Rate limiting & business-logic abuse
  • Webhook + signature bypass

Active Directory & Identity

18 TECHNIQUES
  • Kerberoasting + AS-REP roast
  • NTLM relay (SMB→LDAP, HTTP→ADCS)
  • Coercion: PrinterBug / PetitPotam / DFSCoerce
  • BloodHound-compatible enumeration
  • RBCD, Shadow Credentials, S4U2Self

Cloud (AWS / Azure / GCP)

22 TECHNIQUES
  • IAM privilege escalation paths
  • IMDSv1 / STS role-chaining abuse
  • S3 / Blob / GCS bucket leakage
  • Serverless function misconfig
  • EKS / AKS / GKE cluster takeover

Network & Protocols

19 TECHNIQUES
  • SMB / SSH / RDP / LDAP / FTP
  • TLS / DNS / DHCP weaknesses
  • mitm6 (IPv6 DHCPv6 takeover)
  • Database protocols: MSSQL, MySQL, PostgreSQL
  • Out-of-band testing via Interactsh

Containers & Orchestration

14 TECHNIQUES
  • Docker socket exposure + escape
  • Kubernetes RBAC abuse
  • Pod-to-pod lateral movement
  • Misconfigured ServiceAccount tokens
  • Helm chart secret leakage

Source Code & Repositories

12 TECHNIQUES
  • SAST: injection, auth, crypto flaws
  • Secret detection in code + git history
  • IaC misconfig (Terraform, K8s, Docker)
  • Dependency vulnerabilities + SBOM
  • License compliance scanning

CMS & Application Stacks

7 TECHNIQUES
  • WordPress core + plugin CVEs
  • Magento, Drupal, Joomla
  • Outdated framework versions
  • Plugin / theme vulnerability matching
  • Admin path enumeration
USE CASES

More than audits — KAI runs your security program

One agent, six different jobs. From continuous monitoring and CI/CD gating to compliance evidence and M&A due diligence — KAI replaces the patchwork of point tools and quarterly engagements.

24/7 OBSERVATION

Continuous Production Monitoring

KAI runs autonomous re-tests on a schedule (hourly, daily or weekly) against your live infrastructure. New vulns trigger alerts the moment they appear — no waiting for the next quarterly engagement.

  • Heartbeat scans on configurable cadences
  • Diff-aware: only re-tests what changed
  • Slack / Teams / PagerDuty alerts on first detection
REGULATORY

Compliance & Audit Evidence

Auto-generate audit-ready evidence packages for PCI-DSS, ISO 27001, SOC 2, HIPAA, NIS2, DORA and ENS. Every finding maps to control families — auditors get reproducible proof, not a CVE list.

  • Pre-built mappings: PCI 4.0, ISO 27001:2022, SOC 2, HIPAA, NIS2, DORA, ENS
  • Auditor portal with read-only access and watermarking
  • Quarterly compliance posture trend reports
DEVSECOPS

CI/CD Security Gating

Block deployments on critical regressions. KAI plugs into GitHub Actions, GitLab CI, Jenkins, and Azure DevOps with a single step — fail the build on new high-severity findings.

  • GitHub / GitLab / Jenkins / Azure DevOps native steps
  • Per-environment policies (block prod, warn staging)
  • Auto-create JIRA / Linear tickets on regression
ASM

Attack Surface Management

Continuous discovery of internet-facing assets, shadow IT, and forgotten subdomains. KAI maps your perimeter every day and flags drift before an attacker finds it.

  • Subdomain enumeration + DNS / cert transparency monitoring
  • Cloud account asset discovery (AWS, Azure, GCP)
  • Exposure scoring + auto-prioritized remediation queue
IR

Post-Incident Validation

After a breach or near-miss, validate that remediation actually works. KAI re-runs the same techniques an attacker used and confirms each entry vector is closed — with proof.

  • Threat-actor TTP replay (mapped to MITRE ATT&CK)
  • Before / after exploitation evidence side-by-side
  • Lessons-learned report with detection gap analysis
RISK

M&A & Vendor Due Diligence

Pre-acquisition or third-party risk assessments delivered in days, not weeks. KAI inspects the target environment, surfaces hidden security debt, and quantifies remediation cost.

  • External-only or invited-internal assessment modes
  • Executive risk-quantification report (CVSS + business impact)
  • Comparative scoring against industry peer baseline
WALKTHROUGH

See KAI in action

Six workspaces a security operator lives in — from triage to compliance reporting.

Vulnerability Triage

Vulnerability Triage

Filterable findings — severity, status, SLA, assignee, CWE, MITRE technique, host, scan, tag.

Proof of Exploitation

Proof of Exploitation

Captured request / response, screenshot, business impact, reproduction steps and CVSS 4.0 vector.

Analytics & MITRE Coverage

Analytics & MITRE Coverage

MTTR by severity, SLA performance, vulnerability aging, and bidirectional MITRE ATT&CK heatmap.

Audit-Ready Reports

Audit-Ready Reports

Executive PDF, technical findings, JSON / SARIF for CI, compliance evidence per framework.

Asset Inventory

Asset Inventory

Hosts, services, owners, environment tags. Auto-discovery from scans, manual or API import.

Geographic Risk Heatmap

Geographic Risk Heatmap

3D globe visualization (custom WebGL) — see where your exposure concentrates by region.

UNDER THE HOOD

Inside the KAI engine

Not a wrapper around a scanner. KAI is a multi-agent system that reasons about each target and dynamically selects the right attack techniques — guided by a 127-technique library indexed via embeddings.

127
Attack Techniques
YAML-defined, MITRE-mapped
23
Technology Categories
Web, API, AD, cloud, K8s, more
6
MCP Servers
Modular agent capabilities
3
Scan Modes
Comprehensive, Challenge, Targeted

Adaptive 4-phase agent loop

01 /
Initialization
Workspace provisioning, scope intake, credential setup
02 /
Reconnaissance
Asset discovery, service enum, tech stack fingerprinting
03 /
Vulnerability Testing
RAG-selected techniques run with adaptive replanning
04 /
Reporting
Findings + PoC + MITRE mapping + remediation guidance

MCP server architecture

Each capability runs as an isolated MCP server. Add your own via the plugin SDK.

code_analysis
SAST, secrets, IaC, deps, SBOM
browser_mcp
Playwright headless web testing
ml_mcp
Workspace state + RAG learning
postgres_mcp
Multi-tenant DB ops with RLS
interactsh_mcp
Out-of-band blind-vuln testing
revshell_mcp
Reverse shell payload generation

Three scan modes

The same engine, three intent modes — selected per scan via API or UI.

COMPREHENSIVEFull Adversary Emulation

Run every applicable technique against the target. Best for full-scope assessments and quarterly compliance audits.

CHALLENGEGoal-Oriented Mode

Define an objective ("reach Domain Admin", "exfil customer DB") and KAI chains techniques autonomously toward it.

TARGETEDSurface-Specific Scan

Focus on one technology, one host, or one finding type. Ideal for CI/CD gating and post-fix validation.

Technology coverage

All 23 categories the technique library covers — from web apps to AD, cloud to containers.

WebAPIActive DirectoryKerberosLDAPSMBRDPSSHFTPMSSQLMySQLPostgreSQLAWSAzureGCPDockerKubernetesWordPressDNSTLS/SSLNetwork ReconSource CodeIaC
HOW IT WORKS

The Agent Capabilities

Under the hood: nine engine-level capabilities that make KAI behave like a senior offensive operator instead of a static scanner.

Autonomous Agent Engine

KAI plans, reasons, and pivots like a human pentester — recon, discovery, exploitation, and reporting end-to-end with zero handholding.

Validated Proof of Exploitation

Every finding ships with a working PoC, captured artifacts, and a reproducible step list. No theoretical CVSS, no dead-end alerts.

Attack Chain Discovery

KAI links individual weaknesses into multi-stage attack paths, so you see the actual business impact a real adversary would achieve.

MITRE ATT&CK Coverage

Every technique KAI executes is mapped to MITRE ATT&CK tactics and CWE — giving you a defensible coverage matrix per engagement.

Continuous Testing

Trigger autonomous assessments on every release, asset change, or schedule. CI/CD-native and purpose-built for modern dev velocity.

Remediation Guidance

Each finding includes prioritized fix recommendations, code snippets, and configuration changes tailored to your tech stack.

Compliance-Ready Reports

Generate audit-ready output for SOC 2, ISO 27001, PCI-DSS, and HIPAA — with evidence artifacts auditors actually accept.

Multi-Tenant Workspaces

Per-project scoping, role-based access, and encrypted asset isolation. Built for security teams running dozens of engagements in parallel.

Extensible Plugin Architecture

Add custom techniques, MCP servers, and tooling adapters. KAI is built on an open agent framework you can extend — not a black box.

HOW IT COMPARES

KAI vs everything else

Side by side with traditional pentests, legacy vulnerability scanners, and the new wave of AI security copilots.

CapabilityKAITraditional PentestLegacy ScannersAI Copilots
CadenceContinuous (24/7)AnnualScheduledOn-demand
Validates exploitability with PoC
Attack chain analysis
False positive rateNear-zeroLowHighMedium
Compliance evidence (PCI / ISO / SOC 2 / NIS2 / DORA)
MITRE ATT&CK mapping
Scan turnaroundMinutes–HoursWeeksHoursHours
Cost per validated finding€€€€€€€€€
CI/CD integration
Self-service / API access
On-prem / air-gapped deployment
Reasons through novel CVEs (no signature DB)

Traditional Pentest: human-led engagement, billed per project. Legacy Scanners: Nessus / Qualys / Rapid7 / Tenable. AI Copilots: assistant-style tools that help operators run scans (not autonomous).

See KAI find a real vulnerability on your stack

14-day free trial — no credit card required. Setup takes minutes; your first scan starts on the same call.

Start Free TrialBook a Demo
VULNERABILITY LIFECYCLE

Find. Triage. Fix. Audit.

KAI is not a one-shot scanner. It manages the full lifecycle — from first discovery to risk acceptance, retest, and audit-ready closure.

MITRE ATT&CK Coverage Matrix

Bidirectional mapping. See which ATT&CK techniques your environment is exposed to, and which ones you've hardened. Per-tactic coverage scoring across all your assets.

Every finding auto-mapped to T-codes; coverage matrix updates in real time.

Risk Acceptance Workflow

Formal exception management. Document why a finding won't be fixed, get sign-off from the right approvers, and set automatic expiration so accepted risks resurface for review.

Approve / reject / revoke flow with expiration dates and audit trail.

Re-Testing Management

Track retest requests against fixes. Engineering pushes a patch, marks it ready; KAI re-runs the exact same exploit and confirms the issue is closed — with before/after evidence.

Auto-scheduled retests on fix-claimed status; PoC replay with diff.

Field-Level Change History

Forensic audit trail. Every change to every vulnerability — who changed severity, who reassigned, when status moved to fixed — captured with timestamps and operator attribution.

Required by PCI 4.0, ISO 27001 A.5.27, SOC 2 CC7.4.

SLA Tracking & MTTR

Per-severity SLA targets you define (e.g., 24h for critical, 7d for high). Automated MTTR calculation, SLA-breach alerts, and team performance dashboards for security leadership.

Live MTTR by severity; SLA-breach reasons logged; trend over time.

Findings → Tickets → Resolution

Native conversation thread on every finding. Plus deep integration with JIRA, Linear, ServiceNow, GitHub Issues — auto-create on discovery, auto-close on remediation verification.

Bidirectional sync; status mirrored both ways; webhook-driven.

DELIVERABLES

What comes out of every scan

Six deliverables auto-generated for engineering, leadership and auditors. Same scan, different audiences — no extra work for your team.

Executive Summary (PDF)

Board-ready overview. Risk posture, top 5 findings, business impact, remediation cost estimate, trend vs. previous quarter.

Technical Findings Report

Complete reproduction package per finding — CVSS 4.0 vector, exploitation steps, captured artifacts, screenshots, and remediation guidance.

JSON / SARIF Export

Machine-readable feed for CI/CD pipelines, ticketing systems, SIEM correlation. SARIF 2.1 spec for GitHub / GitLab native rendering.

Compliance Evidence Pack

Per-framework cross-walk: PCI-DSS 4.0, ISO 27001:2022, SOC 2, HIPAA, NIS2, DORA, ENS. Auditor-ready, watermarked, retention-controlled.

MITRE ATT&CK Coverage Matrix

Tactic-by-technique heatmap of your environment's exposure. Compare quarter-on-quarter to demonstrate detection-engineering improvement.

Per-Finding Evidence Bundle

Forensic-grade evidence package: HTTP request / response pairs, OOB callbacks, screenshots, payloads, system output, and chain-of-custody log.

Export formats

PDFDOCXHTMLJSONSARIFCSVXLSXMarkdown
ENTERPRISE READY

Built for regulated environments

Compliance, deployment flexibility, encryption, monitoring, identity and SLAs — every box your security committee needs to tick, ticked.

Compliance-Ready by Design

Pre-built control mappings for PCI-DSS 4.0, ISO 27001:2022, SOC 2, HIPAA, NIS2, DORA and ENS. Every finding ships with the regulatory clauses it impacts.

  • ISO 27001 ISMS-aligned
  • SOC 2 Type II audited
  • GDPR Art. 32 compliant
  • PCI-DSS 4.0 evidence pack

Deploy Anywhere

SaaS, single-tenant managed, on-premises, or air-gapped. The same codebase runs in our EU cloud or inside your own data centre with zero code changes.

  • EU multi-region SaaS (Frankfurt / Madrid)
  • Single-tenant managed VPC
  • On-prem Kubernetes (Helm chart)
  • Air-gapped operator with offline updates

Zero-Trust Security

AES-256 at rest, TLS 1.3 in transit, customer-managed encryption keys (BYOK), short-lived credentials, and per-tenant data isolation enforced at the database row level.

  • BYOK with AWS KMS / Azure Key Vault / HSM
  • TLS 1.3 only, mTLS on internal RPC
  • Row-level tenant isolation in Postgres
  • Per-engagement workspace sandboxing

Continuous Monitoring

Heartbeat scans on configurable cadences. KAI re-tests on every release, every asset change, or on a fixed schedule — and only re-tests what changed.

  • Hourly / daily / weekly schedules
  • Diff-aware delta scans
  • Slack / Teams / PagerDuty / Opsgenie alerts
  • Trend reports + posture dashboards

API-First & Extensible

REST and GraphQL APIs cover every operation. Webhooks, SDKs (Python, Go, TypeScript), and an open MCP-server framework let you plug in custom techniques.

  • REST + GraphQL with OpenAPI spec
  • Webhooks (HMAC-signed) + SDKs
  • MCP-server plugin framework
  • Terraform provider for infra-as-code

Enterprise Identity

SSO via SAML 2.0 and OIDC. SCIM 2.0 user provisioning. RBAC with custom roles. Per-action audit logs streamed to your SIEM in real time.

  • SAML 2.0 / OIDC / Azure AD / Okta
  • SCIM 2.0 user + group sync
  • Custom RBAC roles + JIT access
  • Audit log stream to Splunk / Datadog / Elastic

High Availability

99.95% production SLA. Multi-AZ deployments, automatic failover, zero-downtime upgrades, and dedicated capacity reservations for enterprise tier.

  • 99.95% SLA (production tier)
  • Multi-AZ active-active
  • Zero-downtime rolling upgrades
  • 24/7 status page + incident comms

Data Residency & Privacy

EU-only data plane available. No customer data leaves your selected region. Configurable data retention from 30 days to 7 years. GDPR Art. 28 DPA included.

  • EU-only or US-only data residency
  • Configurable retention (30d – 7y)
  • GDPR Art. 28 DPA + Sub-processor list
  • Right-to-erasure automated workflow
ECOSYSTEM

Plugs Into Your Security Stack

Source control, ticketing, alerting, cloud, and SIEM — KAI ships findings into the tools your engineering and SOC teams already use.

Source Code

GitHubGitHub
GitLabGitLab

Ticketing

JiraJira

Alerting

SlackSlack
T
Microsoft Teams
DiscordDiscord
EmailEmail
TelegramTelegram

Cloud & Infrastructure

AWSAWS
AzureAzure
Google CloudGoogle Cloud
DockerDocker
KubernetesKubernetes
TerraformTerraform
CloudflareCloudflare
DigitalOceanDigitalOcean

SIEM

SplunkSplunk
Q
IBM QRadar
S
Microsoft Sentinel
Elastic SIEMElastic SIEM
Sumo LogicSumo Logic
DatadogDatadog
Grafana LokiGrafana Loki
Google ChronicleGoogle Chronicle
L
LogRhythm
W
Wazuh
A
ArcSight
A
AlienVault
View All Integrations →
DEVELOPER SURFACE

Built for engineers

Every action in the UI is also one API call away. REST + GraphQL with HMAC-signed webhooks, official SDKs in Python / Go / TypeScript, native CI integrations, and a Terraform provider for infra-as-code scan policies.

  • OpenAPI 3.1 spec — generate your own clients
  • HMAC-signed webhooks with delivery retry log
  • GitHub Actions, GitLab CI, Jenkins, Azure DevOps
  • Terraform provider — version your scan policies
  • JSON / SARIF / CSV / XLSX exports per scan
Start a scanREST API
curl -X POST https://api.kaos.ad/v1/scans \
  -H "Authorization: Bearer ${KAI_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "target": "app.example.com",
    "scan_mode": "comprehensive",
    "scope": ["app.example.com", "api.example.com"],
    "techniques": "auto",
    "schedule": "weekly",
    "compliance_frameworks": ["pci-dss-4", "iso-27001"],
    "notify": {
      "slack": "#sec-alerts",
      "webhook": "https://hooks.example.com/kai"
    }
  }'

KAI Platform — FAQ

Common questions from security leaders evaluating KAI for their organization.

Scanners match against signature databases and known CVE patterns — they tell you what could be vulnerable. KAI runs an autonomous offensive workflow: it reasons about the target, chains weaknesses, and validates each finding by executing a real proof-of-exploit. The result is dramatically lower false-positive rates and findings your engineering team can actually action.

Yes. KAI ships with non-destructive testing profiles that skip DoS, brute-force lockout, and resource-exhaustive techniques unless you explicitly authorize them. Per-environment policies (production / staging / dev) let you set different aggression levels. Every action is logged in the immutable audit trail with timestamps and operator attribution.

Yes. Pre-built mappings for PCI-DSS 4.0, ISO 27001:2022, SOC 2, HIPAA, NIS2, DORA and ENS. Each finding maps to the relevant control families. Auditors can be granted read-only watermarked access to the platform; you can also export PDF / DOCX / JSON evidence packages on demand.

Yes. We provide a Helm chart for Kubernetes deployment in your own cluster, plus an air-gapped operator that ships with offline model weights and update bundles. The same UI, APIs, and reports work identically in SaaS, single-tenant managed VPC, on-prem and air-gapped modes.

Because KAI ships a working proof-of-exploit with every finding, false positives are near-zero by construction — if the agent can't actually exploit the issue, the finding isn't reported. Our internal benchmarks vs. legacy scanners show a >95% reduction in noise reaching the security team.

SaaS: 15 minutes from signup to first scan. Single-tenant managed: 1-2 days. Self-hosted Kubernetes: half a day with a Solutions Engineer on the call. Onboarding includes integration with your SSO, ticketing system, SIEM, and CI/CD pipeline. Time to first finding depends on the target — clean estates may surface few or none, legacy stacks usually surface several within the first scan cycle.

GET STARTED

Find what scanners can't.

Spin up an autonomous engagement in minutes. KAI delivers validated findings, working PoCs, and audit-ready reports — and our OSCE3 team is one click away when you need them.

Start Free TrialTalk to Sales
24/7
Autonomous testing
100%
Validated findings
MITRE
ATT&CK mapped