Blog

Security Insights

Deep dives, expert analysis, and practical guidance on exposure management, adversarial validation, and the future of AI-driven exposure management.

CompliancePenetration Testing

ISO 27001 Penetration Testing Requirements

ISO 27001:2022 never names penetration testing, yet it is how you evidence Annex A 8.8 and 8.29 at a surveillance audit. The honest read on required vs expected, with the 2013 lineage and the Oct 2025 deadline.

May 20, 20268 min

CompliancePenetration Testing

PCI DSS Penetration Testing Requirements

PCI DSS v4.0.1 Requirement 11.4 is the rare standard that names penetration testing outright: internal and external annually plus after change, segmentation at 12 or 6 months, mandatory since 31 Mar 2025.

May 5, 20267 min

CompliancePenetration Testing

HIPAA Penetration Testing Requirements

HIPAA never says "penetration test," but the Security Rule's risk analysis and its REQUIRED evaluation standard expect technical testing of every system touching ePHI. Here is the precise read.

Apr 20, 20267 min

Best AI Pentesting Tools in 2026 - Ranked Priced and Compared

Penetration TestingCTEM

Best AI Pentesting Tools in 2026: Ranked, Priced & Compared (12 Tools)

Which AI pentesting tool actually reduces risk in 2026? We reviewed 12 platforms on autonomy, proof quality, pricing, and what happens after a vulnerability is found.

Apr 9, 202627 min

CTEMPenetration Testing

Is Claude Mythos the End of Pentesting?

Claude Mythos found thousands of zero-days in Linux, browsers, and Apache. Does that make pentesting platforms obsolete? Understanding why models, harnesses, and platforms are three different things -- and why smarter AI makes Strobes more valuable, not less.

Apr 8, 202612 min

CompliancePenetration Testing

SOC 2 Penetration Testing Requirements

SOC 2 never names penetration testing in any criterion, yet auditors treat it as the load-bearing evidence for CC4.1 and CC7.x. Here is the gap between the letter and the audit.

Apr 5, 20267 min

Offensive SecurityCTEM

Strobes AI: The Agent Stack Specialized for Offensive Security

A deep-dive into the multi-agent architecture behind Strobes AI — 12 purpose-built offensive security agents, the Skills system, Human in the Loop governance, and the architectural properties that make continuous exposure management viable at scale.

Mar 27, 20268 min

Offensive SecurityPenetration Testing

Agentic Pentesting with Strobes AI

What happens when you point Strobes AI at a real web app and let it run a full OWASP WSTG assessment with zero hand-holding? 32 tasks, 21 phases, 42 confirmed vulnerabilities — all autonomous.

Mar 25, 20269 min

AI Harness for Offensive Security - Strobes blog cover showing multi-agent architecture concept

Offensive SecurityPenetration Testing

Building an AI Harness for Offensive Security: What It Takes to Turn LLMs Into Reliable Pentest and Validation Operators

The model is 20% of the problem. Here is the engineering story behind the orchestration, tooling, middleware, and infrastructure that turns a capable LLM into a reliable penetration testing operator.

Mar 22, 202614 min

Three-angle crawl strategy: static analysis, swarm crawling, browser handover into Strobes orchestrator

Penetration TestingOffensive Security

Why Crawling Is the Hardest Part of AI-Powered Pen Testing (And How We Fixed It)

AI agents are brilliant at reading code but terrible at navigating browsers. Here's how Strobes combines static analysis, CDP-based swarm crawling, and human browser handover to build a complete attack surface map before testing begins.

Mar 20, 202612 min

Offensive SecurityPenetration Testing

What Is a Red Team Assessment? (And How It Differs From Pentesting)

A red team assessment is a goal-based attack simulation that tests whether your SOC would catch a real adversary. Here is what one looks like end to end, with the detection gaps it exposes.

Jan 5, 20268 min

Network PentestingPenetration Testing

Wireless Penetration Testing Guide

A weak Wi-Fi key cracked from the parking lot can undo every firewall you own. Here is the wireless penetration testing workflow, with real hcxdumptool and hashcat output and the EAP-TLS fix that ends it.

Oct 7, 20257 min