THE PLATFORM

KAI runs the pentest. Then proves it.

Recon, exploitation, attack-chain analysis, and a reproducible PoC for every finding — written by an agent trained on OSCP, OSCE3, and CRTO methodology.

01 ReconMaps every asset, service, and entry point
02 ExploitChains weaknesses into real attack paths
03 ValidateReproduces every finding before reporting it
04 ReportShips PoC, remediation, and compliance mapping
WHY KAI

Built by Security Practitioners

Designed and trained by certified offensive security operators — OSCP, OSCE3, CRTO. The human pedigree the agent inherits.

KAI was designed and trained by offensive security professionals holding OSCP, OSCE3, and CRTO certifications. The agent reasons the way a senior pentester does — methodology first, tools second.

COVERAGE

Coverage across eight attack surfaces

Every technique mapped to OWASP, MITRE ATT&CK, CWE, and the compliance frameworks your auditors demand. KAI reasons about your target and picks the techniques most likely to succeed — not a fixed checklist.

Web Applications

24 TECHNIQUES
  • SQL injection (error / time / UNION-based)
  • XSS, CSTI, SSTI, prototype pollution
  • Authentication & 2FA bypass
  • Session token weakness
  • SSRF, file upload, deserialization
  • Cloud-storage misconfig (S3, GCS, Azure Blob)

APIs

11 TECHNIQUES
  • REST + GraphQL introspection abuse
  • OAuth 2.0 / OIDC / JWT cracking
  • BOLA / IDOR / function-level auth
  • Rate limiting & business-logic abuse
  • Webhook + signature bypass

Active Directory & Identity

18 TECHNIQUES
  • Kerberoasting + AS-REP roast
  • NTLM relay (SMB→LDAP, HTTP→ADCS)
  • Coercion: PrinterBug / PetitPotam / DFSCoerce
  • BloodHound-compatible enumeration
  • RBCD, Shadow Credentials, S4U2Self

Cloud (AWS / Azure / GCP)

22 TECHNIQUES
  • IAM privilege escalation paths
  • IMDSv1 / STS role-chaining abuse
  • S3 / Blob / GCS bucket leakage
  • Serverless function misconfig
  • EKS / AKS / GKE cluster takeover

Network & Protocols

19 TECHNIQUES
  • SMB / SSH / RDP / LDAP / FTP
  • TLS / DNS / DHCP weaknesses
  • mitm6 (IPv6 DHCPv6 takeover)
  • Database protocols: MSSQL, MySQL, PostgreSQL
  • Out-of-band testing via Interactsh

Containers & Orchestration

14 TECHNIQUES
  • Docker socket exposure + escape
  • Kubernetes RBAC abuse
  • Pod-to-pod lateral movement
  • Misconfigured ServiceAccount tokens
  • Helm chart secret leakage

Source Code & Repositories

12 TECHNIQUES
  • SAST: injection, auth, crypto flaws
  • Secret detection in code + git history
  • IaC misconfig (Terraform, K8s, Docker)
  • Dependency vulnerabilities + SBOM
  • License compliance scanning

CMS & Application Stacks

7 TECHNIQUES
  • WordPress core + plugin CVEs
  • Magento, Drupal, Joomla
  • Outdated framework versions
  • Plugin / theme vulnerability matching
  • Admin path enumeration
UNDER THE HOOD

Inside the KAI engine

Not a wrapper around a scanner. KAI is a multi-agent system that reasons about each target and dynamically selects the right attack techniques — guided by a 127-technique library indexed via embeddings.

127
Attack Techniques
YAML-defined, MITRE-mapped
23
Technology Categories
Web, API, AD, cloud, K8s, more
6
MCP Servers
Modular agent capabilities
3
Scan Modes
Comprehensive, Challenge, Targeted

Adaptive 4-phase agent loop

01 /
Initialization
Workspace provisioning, scope intake, credential setup
02 /
Reconnaissance
Asset discovery, service enum, tech stack fingerprinting
03 /
Vulnerability Testing
RAG-selected techniques run with adaptive replanning
04 /
Reporting
Findings + PoC + MITRE mapping + remediation guidance

MCP server architecture

Each capability runs as an isolated MCP server. Add your own via the plugin SDK.

code_analysis
SAST, secrets, IaC, deps, SBOM
browser_mcp
Playwright headless web testing
ml_mcp
Workspace state + RAG learning
postgres_mcp
Multi-tenant DB ops with RLS
interactsh_mcp
Out-of-band blind-vuln testing
revshell_mcp
Reverse shell payload generation

Three scan modes

The same engine, three intent modes — selected per scan via API or UI.

COMPREHENSIVEFull Adversary Emulation

Run every applicable technique against the target. Best for full-scope assessments and quarterly compliance audits.

CHALLENGEGoal-Oriented Mode

Define an objective ("reach Domain Admin", "exfil customer DB") and KAI chains techniques autonomously toward it.

TARGETEDSurface-Specific Scan

Focus on one technology, one host, or one finding type. Ideal for CI/CD gating and post-fix validation.

Technology coverage

All 23 categories the technique library covers — from web apps to AD, cloud to containers.

WebAPIActive DirectoryKerberosLDAPSMBRDPSSHFTPMSSQLMySQLPostgreSQLAWSAzureGCPDockerKubernetesWordPressDNSTLS/SSLNetwork ReconSource CodeIaC
WALKTHROUGH

See KAI in action

Six workspaces a security operator lives in — from triage to compliance reporting.

Vulnerability Triage

Filterable findings — severity, status, SLA, assignee, CWE, MITRE technique, host, scan, tag.

Proof of Exploitation

Captured request / response, screenshot, business impact, reproduction steps and CVSS 4.0 vector.

Analytics & MITRE Coverage

MTTR by severity, SLA performance, vulnerability aging, and bidirectional MITRE ATT&CK heatmap.

Audit-Ready Reports

Executive PDF, technical findings, JSON / SARIF for CI, compliance evidence per framework.

Asset Inventory

Hosts, services, owners, environment tags. Auto-discovery from scans, manual or API import.

Geographic Risk Heatmap

Custom risk-by-region visualization — see where your exposure concentrates at a glance.

USE CASES

More than audits — KAI runs your security program

One agent, six different jobs — pick a workflow to see how it works.

24/7 OBSERVATION

Continuous Production Monitoring

KAI runs autonomous re-tests on a schedule (hourly, daily or weekly) against your live infrastructure. New vulns trigger alerts the moment they appear — no waiting for the next quarterly engagement.

  • Heartbeat scans on configurable cadences
  • Diff-aware: only re-tests what changed
  • Slack / Teams / PagerDuty alerts on first detection
HOW IT COMPARES

KAI vs everything else

Side by side with traditional pentests, legacy vulnerability scanners, and the new wave of AI security copilots.

CapabilityKAITraditional PentestLegacy ScannersAI Copilots
CadenceContinuous (24/7)AnnualScheduledOn-demand
Validates exploitability with PoCYesYesNoPartial
Attack chain analysisYesYesNoPartial
False positive rateNear-zeroLowHighMedium
Compliance evidence (PCI / ISO / SOC 2 / NIS2 / DORA)YesPartialPartialNo
MITRE ATT&CK mappingYesPartialNoPartial
Scan turnaroundMinutes–HoursWeeksHoursHours
Cost per validated finding€€€€€€€€€
CI/CD integrationYesNoPartialPartial
Self-service / API accessYesNoYesYes
On-prem / air-gapped deploymentYesYesPartialNo
Reasons through novel CVEs (no signature DB)YesYesNoPartial

Traditional Pentest: human-led engagement, billed per project. Legacy Scanners: Nessus / Qualys / Rapid7 / Tenable. AI Copilots: assistant-style tools that help operators run scans (not autonomous).

ENTERPRISE READY

Built for regulated environments

Compliance, deployment flexibility, encryption, monitoring, identity and SLAs — every box your security committee needs to tick, ticked.

Compliance-Ready by Design

Pre-built control mappings for PCI-DSS 4.0, ISO 27001:2022, SOC 2, HIPAA, NIS2, DORA and ENS. Every finding ships with the regulatory clauses it impacts.

  • ISO 27001 ISMS-aligned
  • SOC 2 Type II audited
  • GDPR Art. 32 compliant
  • PCI-DSS 4.0 evidence pack

Deploy Anywhere

SaaS, single-tenant managed, on-premises, or air-gapped. The same codebase runs in our EU cloud or inside your own data centre with zero code changes.

  • EU multi-region SaaS (Frankfurt / Madrid)
  • Single-tenant managed VPC
  • On-prem Kubernetes (Helm chart)
  • Air-gapped operator with offline updates

Zero-Trust Security

AES-256 at rest, TLS 1.3 in transit, customer-managed encryption keys (BYOK), short-lived credentials, and per-tenant data isolation enforced at the database row level.

  • BYOK with AWS KMS / Azure Key Vault / HSM
  • TLS 1.3 only, mTLS on internal RPC
  • Row-level tenant isolation in Postgres
  • Per-engagement workspace sandboxing

Continuous Monitoring

Heartbeat scans on configurable cadences. KAI re-tests on every release, every asset change, or on a fixed schedule — and only re-tests what changed.

  • Hourly / daily / weekly schedules
  • Diff-aware delta scans
  • Slack / Teams / PagerDuty / Opsgenie alerts
  • Trend reports + posture dashboards

API-First & Extensible

REST and GraphQL APIs cover every operation. Webhooks, SDKs (Python, Go, TypeScript), and an open MCP-server framework let you plug in custom techniques.

  • REST + GraphQL with OpenAPI spec
  • Webhooks (HMAC-signed) + SDKs
  • MCP-server plugin framework
  • Terraform provider for infra-as-code

Enterprise Identity

SSO via SAML 2.0 and OIDC. SCIM 2.0 user provisioning. RBAC with custom roles. Per-action audit logs streamed to your SIEM in real time.

  • SAML 2.0 / OIDC / Azure AD / Okta
  • SCIM 2.0 user + group sync
  • Custom RBAC roles + JIT access
  • Audit log stream to Splunk / Datadog / Elastic

High Availability

99.95% production SLA. Multi-AZ deployments, automatic failover, zero-downtime upgrades, and dedicated capacity reservations for enterprise tier.

  • 99.95% SLA (production tier)
  • Multi-AZ active-active
  • Zero-downtime rolling upgrades
  • 24/7 status page + incident comms

Data Residency & Privacy

EU-only data plane available. No customer data leaves your selected region. Configurable data retention from 30 days to 7 years. GDPR Art. 28 DPA included.

  • EU-only or US-only data residency
  • Configurable retention (30d – 7y)
  • GDPR Art. 28 DPA + Sub-processor list
  • Right-to-erasure automated workflow
ECOSYSTEM

Plugs Into Your Security Stack

Source control, ticketing, alerting, cloud, and SIEM — KAI ships findings into the tools your engineering and SOC teams already use.

Source Code

GitHubGitHub
GitLabGitLab

Ticketing

JiraJira

Alerting

SlackSlack
T
Microsoft Teams
DiscordDiscord
EmailEmail
TelegramTelegram

Cloud & Infrastructure

AWSAWS
AzureAzure
Google CloudGoogle Cloud
DockerDocker
KubernetesKubernetes
TerraformTerraform
CloudflareCloudflare
DigitalOceanDigitalOcean

SIEM

SplunkSplunk
Q
IBM QRadar
S
Microsoft Sentinel
Elastic SIEMElastic SIEM
Sumo LogicSumo Logic
DatadogDatadog
Grafana LokiGrafana Loki
Google ChronicleGoogle Chronicle
L
LogRhythm
W
Wazuh
A
ArcSight
A
AlienVault
View All Integrations →
DEVELOPER SURFACE

Built for engineers

Every action in the UI is also one API call away. REST + GraphQL with HMAC-signed webhooks, official SDKs in Python / Go / TypeScript, native CI integrations, and a Terraform provider for infra-as-code scan policies.

  • OpenAPI 3.1 spec — generate your own clients
  • HMAC-signed webhooks with delivery retry log
  • GitHub Actions, GitLab CI, Jenkins, Azure DevOps
  • Terraform provider — version your scan policies
  • JSON / SARIF / CSV / XLSX exports per scan
Start a scanREST API
curl -X POST https://api.kaos.ad/v1/scans \
  -H "Authorization: Bearer ${KAI_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "target": "app.example.com",
    "scan_mode": "comprehensive",
    "scope": ["app.example.com", "api.example.com"],
    "techniques": "auto",
    "schedule": "weekly",
    "compliance_frameworks": ["pci-dss-4", "iso-27001"],
    "notify": {
      "slack": "#sec-alerts",
      "webhook": "https://hooks.example.com/kai"
    }
  }'

KAI Platform — FAQ

Common questions from security leaders evaluating KAI for their organization.

GET STARTED

Find what scanners can't.

Spin up an autonomous engagement in minutes. KAI delivers validated findings, working PoCs, and audit-ready reports — and our OSCE3 team is one click away when you need them.

Start Free TrialBook a DemoTalk to Sales
24/7
Autonomous testing
100%
Validated findings
MITRE
ATT&CK mapped