Your infrastructure audited, your vulnerabilities detected by AI agents
Automated pentest, configuration audit, continuous detection. AI agents built on OWASP, MITRE ATT&CK and CIS frameworks. Systematic human validation. Agent source code delivered.
Why classic security audits cannot keep up
Annual pentest = 11 months blind spot
A classic pentest costs 15-30k€ and runs once a year. Between audits, your infrastructure evolves: new services, new vulnerabilities, new CVEs.
Understaffed SOC
Manual alert triage, mass false positives, weak signals ignored. Human capacity does not absorb the volume.
Human code review does not scale
On a 100k+ LOC repo, exhaustive security review becomes impossible. Classic SAST tools generate noise without grasping business intent.
Compliance = paperwork, not security
GDPR, ISO 27001, NIS2: audits run on documents and samples. The operational reality of the infrastructure is not continuously verified.
Six deliverables of a Colombani.ai AI Security engagement
Attack surface mapping
AI agents automatically inventory exposed assets: domains, subdomains, public services, open ports, detected technologies. Continuous update.
Configuration audit
CIS benchmarks on Linux/Windows OS, Kubernetes, cloud (AWS/GCP/Azure), IAM. Combination of deterministic rules and LLM contextual analysis.
Vulnerability detection
SAST + DAST + LLM contextual analysis. The agent grasps code intent and detects logical vulnerabilities that classic tools miss.
Assisted pentest
Recon, enumeration, exploit candidates by AI agent. Validation and exploitation by human expert. No uncontrolled autonomous bot.
Threat modeling
Automated STRIDE applied to architecture. Attack scenario generation, prioritization by business impact.
Actionable reports
Findings classified by CVSS. Step-by-step remediation guide. Readable by non-technical leadership. Continuous remediation tracking.
Five phases, systematic human validation
1. Scoping and ROE
Scope definition, written authorizations (Rules of Engagement), operational constraints. Deliverable: signed ROE, legal framework established.
2. Assisted reconnaissance
AI agents map the attack surface, identify technologies, list applicable CVEs. Deliverable: exposure map.
3. Vulnerability analysis
Combined SAST/DAST/manual audit + LLM context. False positive filtering by agent then human verification. Deliverable: prioritized findings list.
4. Human validation
No finding shipped without expert verification. POC reproduction, real impact assessment, noise removal. Deliverable: validated findings.
5. Report and remediation
Executive report + technical report. Step-by-step remediation guide. Free re-test after correction within 90 days. Deliverable: final report + re-test.
Typical engagements
Pre-production audit
Startup or SMB without internal CISO, launching a new service. Full audit of target infra, code and CI/CD chain. Delivered in 2 to 4 weeks.
Periodic cloud infrastructure pentest
AWS, GCP or Azure. Quarterly tests assisted by AI agents. Covers IAM, network exposures, managed service configurations. Executive + technical report.
Continuous security code review
CI/CD integration. AI agent analyzes every pull request, flags risky patterns (injection, auth, crypto). Automatic false positive triage.
Assisted compliance audit
GDPR, NIS2, ISO 27001. Agent continuously verifies operational compliance, not just documentation. Auto-generates audit evidence.
Six guarantees that make the difference
Professional liability coverage
Orus / Hiscox contract HA-RCP-02-2026-4972832, IT security and intrusion testing covered. Client engagement in an insured framework.
Recognized frameworks
OWASP Top 10 and ASVS, MITRE ATT&CK, CIS Benchmarks, ANSSI guidance. No proprietary, non-auditable methodology.
AI agents + human validation
Agent speed and coverage, expert judgement and validation. No findings delivered without manual verification.
Agent source code delivered
No black box. Your teams can replay, adapt or audit the logic of agents used during the engagement.
Bilingual reports, leadership-readable
Concise executive report + detailed technical report. FR and EN versions. Readable for leadership, board, external auditor.
Free re-audit within 90 days
After remediation, free verification of fixes within 90 days. Confirmation that identified vulnerabilities are closed.
Frequently asked questions
How does AI-assisted audit differ from a classic pentest? +
A classic pentest relies entirely on human time. An AI-assisted audit uses agents to automate reconnaissance, mapping, SAST triage and prioritization. The human expert focuses on validation, exploitation and impact analysis. Result: same quality level, broader coverage, faster delivery.
Is this legally compliant? +
Yes. Each engagement starts with a Rules of Engagement document signed by your leadership, defining scope, intervention windows and prohibited actions. No offensive action is launched without a written framework. Colombani.ai professional liability covers IT security and intrusion testing.
What types of infrastructure can be audited? +
Cloud infrastructure (AWS, GCP, Azure), managed or self-hosted Kubernetes, Linux and Windows servers, web applications and APIs, source code (Python, TypeScript, Go, Java, .NET), CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins). Specific contexts (industrial, embedded) require prior discussion.
How are LLM false positives handled? +
Triple filter: (1) deterministic rules in pre-analysis, (2) agent chain-of-thought verifying finding coherence, (3) systematic human validation before delivery. No unverified finding leaves the process. Noise rate in the final report is measured and reported.
Can local models be used for confidentiality? +
Yes. For contexts where no technical data must leave your infrastructure (sovereignty, classification), agents run locally on Ollama with Mistral, Qwen or Llama. Lower performance than cloud Claude but zero exfiltration. Decision made at scoping based on sensitivity.
How often should we re-audit? +
Full annual audit, quarterly targeted audits on fast-changing areas (cloud, code), continuous audits in CI/CD (every pull request). Free re-audit within 90 days after fix is included. Annual and quarterly subscriptions available.
Which attack surface do you want to evaluate?
1h of free scoping. You leave with a map of your public exposure, an audit effort estimate and the list of CVEs applicable to detected technologies.
Direct conversation with the founder. Hiscox professional liability active.