AI Agent Learns to Hack AI Apps Like a Real Adversary

Novee Security launched an AI agent that autonomously penetration tests LLM-powered applications, chaining together multi-step attack sequences that traditional security tools can't simulate. The agent, demonstrated at RSA Conference 2026, maps target applications by reading documentation and probing APIs, then executes sophisticated attacks like planting malicious data in one system component before prompting an AI agent to access it with embedded instructions. Unlike static scanners that fire single payloads, this agent adapts its approach based on each application's specific architecture and role-based access controls.

This addresses a real scaling problem in AI security. Most enterprise teams with hundreds of AI applications can only penetration test each one annually, while the underlying models, integrations, and behaviors change continuously. Traditional web application security tools weren't designed for LLM interaction patterns, and human pentesters are too expensive and scarce to keep up with AI development velocity. The agent supports applications built on any LLM provider and integrates into CI/CD pipelines for continuous testing.

What's notable is the sophistication Novee claims — the agent doesn't just throw prompts at applications but actually models how they work internally. This suggests they've built something closer to an autonomous security researcher than a glorified fuzzer. The timing makes sense: as prompt injection and indirect prompt injection attacks become more common, security teams need tools that think like attackers, not just scan for known vulnerabilities.

For developers shipping AI features, this represents the maturation of AI-specific security tooling. Instead of retrofitting web app scanners or waiting months for human pentesters, teams can now test continuously against adversarial AI techniques. The question is whether Novee's agent can actually find the subtle, context-dependent vulnerabilities that make LLM applications uniquely vulnerable — or if it's just automated prompt injection with better marketing.