Novee snaps up $51.5 million for its AI pentesting platform

Novee has emerged from stealth mode with US$51.5 million in funding. It has also announced its AI pentesting platform. It claims it “thinks like a real attacker, uncovers novel vulnerabilities, delivers precise, personalised fixes.” The goal is to improve the tools that offensive security teams have access to.

Ido Geffen, co-founder and CEO of Novee, said, “Attackers don’t wait for your annual pentest, and neither should your defense.

“What security teams actually need are high-signal findings they can trust: novel vulnerabilities that are proven exploitable. Novee has already helped organizations uncover hundreds of these novel vulnerabilities and fix them continuously, closing gaps before attackers exploit them.”

AI is increasingly being used by security teams

Novee thinks so, and so do its backers. YL Ventures led the funding round, with Canaan Partners and Oren Zeev (Zeev Ventures) as other investors. This series A funding took just 4 months to secure. It says as much about the demand for a new generation of tools as about investors’ faith in the company and its product.

IT security vendors offering AI tools break into a few categories. One group sees AI as an adjunct to existing IT security approaches. It is about the ability to analyse a much greater volume of signals to identify risk. Those same vendors often turn to AI to assist with patching and risk analysis.

Another group is looking at using AI as part of the software testing process. They scan code for known vulnerabilities and issues, flagging it for remediation. The challenge here is that they can only look for what they have been trained to find, which does not mean that the code is really secure.

Some vendors are going further and evaluating existing code. They are looking for and finding potential problems that were not a risk when the code was written. They are also successfully identifying redundant code that no longer has any functional use and recommending its removal.

In all the above cases, AI is part of the workflow with some automation but limited autonomy to act without a human-in-the-loop. The primary reason for that is a distrust of what it might do and the risk to resiliency.

Novee is creating its own category

Novee is creating a different category by using AI for pentesting. It argues, rightly, that defenders cannot react as fast as attackers. But rather than create a purely defensive tool, it wants to be a red team where it can act as an attacker. That means allowing the AI to attack and test systems.

Red teams already have access to some AI tools. They use tools to examine code and look for exploits. This is exactly what we’ve seen attackers do. They also use AI to analyse what information they can extract from systems to find vulnerabilities that they can also exploit.

But all of those uses exist within existing frameworks that are human-designed and managed. There is no use of AI as the complete threat chain to attack sites. This is where Novee believes it has found an opportunity. It says that it is “transforming elite offensive tradecraft into continuous, AI-driven penetration testing, simulating the sophisticated tactics of real-world hackers.

“It’s the only penetration testing platform capable of uncovering novel vulnerabilities, including complex business logic flaws that previously only the most advanced manual pentesters could find. From initial exploit validation to automated retesting, Novee provides an end-to-end loop that confirms critical risks are not just identified, but permanently removed.”

To enable it to deliver, the company says that it has built a “proprietary, purpose-trained AI model specifically designed for offensive security. Trained on real-world exploitation techniques, tools and workflow.”

It says it outperforms tools trained on general reasoning by as much as 55% on constrained web exploitation challenges. This allows it to achieve up to 90% accuracy, where general-purpose models typically plateau at around 65%.

Enterprise Times: What does this mean?

Anything that can improve pentesting and IT security is to be welcomed, and this looks like a good addition for red teams. However, it leaves many unanswered questions, not least the lack of independent verification of the stats it has provided.

Perhaps the most pressing question is how it automates this to be more autonomous and attacker-like. Can the tool carry out its own surveillance and reconnaissance of an organisation’s IT infrastructure? Can it deploy AI agents to discover information? That would allow it not just to look for vulnerabilities but also to be adaptive enough to build new types of attacks.

What we’ve seen from the use of AI for vibe coding and in DAST tools is a serious limitation of what they can deliver. For example, they can only find what they’ve been trained to find. No vendor knows if they can find previously unknown vulnerabilities. So, can Novee enable this new platform to act outside of the vulnerabilities that they have trained it on?

Just as importantly, how far has it gone to build that training set? Has it imported data from every vulnerability library? Is the model constantly being updated from multiple public and even private threat intelligence feeds? If so, how is it using that on a real-time basis?

Another question is, can it detect risks from agentic AI inside an organisation? Attackers are looking at this, and red teams need to test for it.

Can Novee transform offensive security as it claims? It will be interesting to see what answers it has.

The post Novee snaps up $51.5 million for its AI pentesting platform appeared first on Enterprise Times.
