
Hex Security
Agentic Offensive Security at Scale
About
Hex Security builds AI agents that run continuous penetration tests against your apps and infrastructure. Instead of a once-a-year penetration test, Hex Security's agents work 24/7 to find and verify critical vulnerabilities so you can prevent them before attackers.
Founders
AI Research Report
Problem & Solution
Problem and Solution Report
Hex Security addresses a critical failure in modern cybersecurity: the reliance on infrequent, manual penetration testing. Traditionally, companies conduct penetration tests once or twice a year to satisfy compliance requirements or check for vulnerabilities. However, in a world where code is committed multiple times a day and infrastructure is constantly evolving, a "point-in-time" test is insufficient. Attackers operate 24/7, while traditional security testing is static, leaving companies vulnerable to new exploits for months at a time. The company notes that preventable vulnerabilities contribute to over $10 trillion in annual losses globally.
The solution offered by Hex Security is an autonomous application security testing platform powered by AI agents. These agents are designed to "hack before attackers do" by running continuous penetration tests against a company's applications and infrastructure. Unlike traditional automated scanners that often produce noisy, low-context results, Hex Security’s agents emulate actual attacker behavior. They work 24/7 to find and verify critical vulnerabilities, such as SQL injections or broken access controls, and provide clear reproduction steps for developers to fix them.
A key differentiator of the Hex Security solution is its ability to chain exploits and demonstrate real-world impact. For example, the company claims its agents have already found vulnerabilities in dozens of YC companies, including SQL injections exposing billions of records and proof-of-concept worms that could infect entire networks. By integrating directly into the development lifecycle—monitoring every new code commit, API, and third-party integration—Hex Security ensures that security keeps pace with the speed of modern software development.
The value proposition of this approach is twofold: it significantly reduces the risk of a catastrophic data breach and it automates a highly specialized, expensive human task. By providing continuous verification, Hex Security allows organizations to move from a reactive security posture to a proactive one, preventing damages that the company estimates have already reached into the billions for its early users.
Market & Competitors
Market and Competitors Report
Hex Security operates in the rapidly evolving market for Autonomous Penetration Testing and Continuous Threat Exposure Management (CTEM). This market is a subset of the broader Application Security and Blockchain Security industries. As organizations increasingly adopt cloud-native architectures and rapid CI/CD pipelines, the demand for security tools that can operate at the speed of development has surged. The blockchain security market alone is expected to grow at a CAGR of 65.5%, reaching over $37 billion by 2029, reflecting the high stakes of securing digital assets and infrastructure.
The competitive landscape for Hex Security includes several categories of players. Traditional penetration testing firms (e.g., Bishop Fox, NetSPI) represent the legacy model that Hex aims to disrupt through automation. In the automated space, Hex competes with Breach and Attack Simulation (BAS) vendors and older DAST/SAST tools. However, its most direct competitors are newer startups focusing on autonomous pentesting and AI-driven offensive security, such as Horizon3.ai (NodeZero), Pentera, and Randori (acquired by IBM). These companies also aim to automate the discovery and validation of vulnerabilities.
In the blockchain and high-stakes application space, Hex Security may also compete with or complement bug bounty platforms like Immunefi, HackerOne, and Bugcrowd. While these platforms rely on human researchers, Hex Security’s value proposition is the 24/7 availability and consistency of AI agents. Another emerging class of competitors includes AI-native security startups that focus on "agentic" security, using LLMs to navigate codebases and find complex logic flaws that traditional scanners miss.
Hex Security’s competitive advantage lies in its "agentic" approach, which goes beyond simple scanning to emulate complex attacker behaviors and chain exploits. By providing actual proof-of-concept (PoC) demonstrations of vulnerabilities, it reduces the "false positive" fatigue common in automated tools. Furthermore, its early association with Y Combinator provides a strong initial customer base and a platform for rapid iteration. However, as a 2026-founded company, its primary challenge will be scaling its AI to handle the vast diversity of enterprise environments compared to more established competitors with larger datasets and longer track records.
Total Addressable Market
Quantitative and TAM Report
Hex Security operates at the intersection of AI-driven offensive security and application security. While the company is in its early stages, the Total Addressable Market (TAM) for its services is substantial, driven by the global shift toward automated and continuous security testing. The broader blockchain security market, which serves as a primary indicator for high-stakes application security, is projected to reach $37.42 billion by 2029, growing from $3.01 billion in 2024 at a staggering CAGR of 65.5%.
Another perspective on the market size comes from Fortune Business Insights, which valued the global blockchain security market at $5.05 billion in 2025. They project this market to grow to $8.41 billion by 2026 and potentially reach nearly $500 billion in the long term. Hex Security’s specific niche—autonomous penetration testing—targets a subset of this market, as well as the broader Application Security and DevSecOps markets, which are multi-billion dollar industries in their own right.
The methodology for estimating Hex Security's immediate TAM involves looking at the cost of data breaches and the volume of preventable vulnerabilities. Hex Security claims to have prevented an estimated $3B+ in potential damages in just a few weeks by identifying vulnerabilities in dozens of companies. This figure is derived from exposed record counts and IBM's "Cost of a Data Breach" benchmarks. By automating a process that traditionally costs tens of thousands of dollars per manual engagement, Hex Security can capture a significant portion of the security budgets currently allocated to annual or semi-annual manual penetration tests.
Financially, Hex Security is currently an early-stage venture, having recently participated in the Y Combinator W26 batch. PitchBook records indicate a latest deal amount of $125,000 from accelerator funding, with investors including Y Combinator and Northside Ventures. As the company scales its AI agents to more enterprises, its serviceable obtainable market (SOM) will likely expand from YC-backed startups to global enterprises facing the $10 trillion annual loss attributed to preventable vulnerabilities.
Founder Analysis
Founders and Professional Background
Hex Security was co-founded by a team of three technical experts: Huzaifa Ahmad, Ahmad Khan, and Prama Yudhistira. The team brings together a diverse set of skills ranging from cloud infrastructure and artificial intelligence to robotics and hardware engineering, which serves as the foundation for their AI-driven offensive security platform.
Huzaifa Ahmad, one of the co-founders, has a strong background in software engineering and AI. He previously held roles at major technology and financial institutions, including Amazon Web Services (AWS) and Capital One. Most recently, he was associated with PlayAI. Huzaifa is an alumnus of the University of California, Berkeley, where he developed the technical foundation necessary for building complex, scalable systems.
Ahmad Khan, another co-founder, contributes expertise in robotics and mathematics. He attended the University of Waterloo, an institution renowned for its engineering and math programs. His background in these rigorous disciplines likely informs the algorithmic and agentic nature of Hex Security’s autonomous penetration testing agents.
Prama Yudhistira completes the founding trio with a background in engineering and systems. His professional history includes experience at Codegen and the semiconductor giant AMD. This experience in low-level systems and high-performance computing is critical for developing security agents that must interact deeply with various layers of infrastructure and codebases. Together, the founders represent a highly technical team capable of executing the vision of "AI that hacks before attackers do."