How is Hadrian different from a traditional pentest?

Traditional pentests are point-in-time snapshots — a two-week engagement captures your surface on one day. Hadrian runs continuously with AI agents that enumerate your entire attack surface, chain individual findings into critical exploits, and model financial exposure. We deliver results in 48-72 hours, not weeks.

How much does Hadrian cost?

Hadrian Scout is US$99/month (annual) for 1 web property, unlimited subdomain discovery, and Sentinel Monitoring. Core is US$1,500/month (annual) with Deep Scans, more Sentinel runs, authenticated testing, automated retesting, and executive reporting. Pro is US$4,500/month (annual) with 4 web properties, expanded Deep Scans and Sentinel runs, compliance mapping, priority alerts, and dedicated customer success. Enterprise plans add human review and custom scope.

How quickly can Hadrian deliver results?

Most engagements surface critical findings within 48 hours. Autonomous hardening is typically completed within the same week, including regression test verification.

Do I need to install anything?

No. Give us a domain and we handle the rest — no agents to install, no configuration, no onboarding sprint.

Hadrian — AI Offensive Security

Q: What does autonomous hardening mean?

After identifying vulnerabilities, our AI agents can apply fixes directly to your infrastructure — CSP tightening, header hardening, session cookie fixes, dangling DNS cleanup — with regression tests verifying each fix holds. Your team reviews the changes, or we execute autonomously.

Now accepting applications for IMDA GenAIxDL Quick Win

Learn more →

Hadrian's Vigil

hadrian — scan

$ hadrian scan --target [redacted].com
[+] Subdomain enumeration       739 discovered
[+] Live surface mapping         412 responding
[+] Credential hunt              2 API key pairs (GitHub)
[+] API policy analysis          cross-origin misconfiguration detected
[+] Session architecture         cookie flags misconfigured
[+] Dangling asset               CNAME pointing to unclaimed external resource
[!] Chain detected:
    3 medium findings → single critical exploit path
    → account takeover, no victim interaction required
[!] Estimated exposure:  EUR 620M – 2.5B
[!] Severity:            CRITICAL (CVSS 9.8)
█

scroll

Your attack surface is bigger than you think.

And growing faster than your team can track.

Shadow IT sprawl

Every new SaaS tool, regional microsite, and API integration expands your perimeter. Most of it is unmapped.

Pentests are snapshots

A two-week engagement captures your surface on one day. Your attackers check every day.

Findings without context

A list of CVEs doesn't tell your board what's at stake. Individual findings understate chain risk by 10–100×.

The Pipeline

From Surface Discovery to Hardened Posture

DISCOVER

SYNTHESIZE

HARDEN

How Hadrian works

DISCOVER

Map your entire attack surface

AI agents enumerate subdomains, APIs, credentials, cookies, CORS policies, and misconfigurations. We discover what your pentest missed — in hours, not weeks.

hadrian — surface-scan

$ hadrian scan --target acme.corp --deep
[+] Resolving root domain: acme.corp
    → 4 A records, 2 CNAME chains
[+] Subdomain enumeration complete
    → api.acme.corp        [200 OK]
    → staging.acme.corp    [200 OK]
    → dev-legacy.acme.corp [200 OK]
    → auth.acme.corp        [200 OK]
    → internal.acme.corp   [401]
[!] CORS misconfiguration — api.acme.corp
    Origin: null allowed (wildcard + creds)
[!] Dangling DNS — legacy-cdn.acme.corp
[!] Exposed .env — staging.acme.corp/.env
[+] Cookie audit: 12 session tokens
    → 9 missing Secure flag
    → 7 missing HttpOnly flag
Scan complete. 47 findings. 3 critical.
█

SYNTHESIZE

Chain findings into critical exploits

Individual findings understate risk by 10-100x. Our AI correlates disparate issues into multi-step attack chains with CVSS scoring and financial exposure modeling.

INDIVIDUAL FINDINGS

F-01Dangling DNSCVSS 4.3

F-02CORS wildcardCVSS 5.8

F-03Exposed .env keyCVSS 7.2

AI correlation

CRITICAL CHAIN — CVSS 9.1Full Account Takeover

1Claim dangling DNS → point to attacker host

2CORS wildcard + null origin → steal session token

3.env key → authenticate as internal service

HARDEN

Fix it. Prove it. Automatically.

AI agents apply fixes directly — CSP tightening, header hardening, session cookie fixes, dangling DNS cleanup — with regression tests verifying each fix holds. Posture score: before and after.

POSTURE SCORE

42BEFORE

94AFTER

APPLIED FIXES

CSP header enforced

Secure + HttpOnly cookies

Dangling DNS record removed

CORS policy restricted

Regression tests passing

hadrian — surface-scan

$ hadrian scan --target acme.corp --deep
[+] Resolving root domain: acme.corp
    → 4 A records, 2 CNAME chains
[+] Subdomain enumeration complete
    → api.acme.corp        [200 OK]
    → staging.acme.corp    [200 OK]
    → dev-legacy.acme.corp [200 OK]
    → auth.acme.corp        [200 OK]
    → internal.acme.corp   [401]
[!] CORS misconfiguration — api.acme.corp
    Origin: null allowed (wildcard + creds)
[!] Dangling DNS — legacy-cdn.acme.corp
[!] Exposed .env — staging.acme.corp/.env
[+] Cookie audit: 12 session tokens
    → 9 missing Secure flag
    → 7 missing HttpOnly flag
Scan complete. 47 findings. 3 critical.
█

What Hadrian covers.

Autonomous Recon

Subdomain enumeration, DNS mapping, historical URL discovery, API surface identification, credential hunting across public sources.

Pricing

Automated security coverage for every stage.

Start with AI-powered surface monitoring, then scale into Deep Scans, authenticated testing, and compliance workflows as your security posture matures.

Scout

AI-powered surface monitoring for your external footprint.

US$99/mo

billed annually

1 web property
Unlimited subdomain discoveryHadrian discovers all visible subdomains under your verified web property. Scout limits cadence and depth, not discovery.
1 Sentinel run / monthAI-assisted reconnaissance that maps your surface, detects drift, and flags new exposures automatically.
Clear issue summaries
Self-serve setup

Core

Continuous offensive testing — replaces your annual pentest.

US$1,500/mo

billed annually

Everything in Scout, plus:

Unlimited subdomain discoveryDiscovery stays uncapped; Core adds deeper analysis, authenticated testing, and more frequent monitoring.
2 Deep Scans / monthFull-scope AI offensive security — attack surface discovery, exploit-chain reasoning, evidence-backed findings, and remediation priorities.
6 Sentinel runs / monthDrift checks plus safe retesting of known vulnerabilities. Remediations are verified and new exposures don't wait for the next engagement.
Authenticated testingTesting behind login walls — authorization flaws, privilege escalation, session handling, and business logic risks.
Executive PDF report
Automated remediation guidance
Slack + email alerts
Fully automated coverageCore does not include human analyst review. Enterprise adds review, custom operating model, and SLA commitments.

Pro

Multi-environment coverage with compliance and integrations.

US$4,500/mo

billed annually

Everything in Core, plus:

4 web properties
Unlimited subdomain discoveryDiscovery remains uncapped across verified properties; Pro increases scan volume, integrations, and compliance workflows.
4 Deep Scans / month
12 Sentinel runs / month
Compliance mappingMap findings to SOC 2, ISO 27001, PCI DSS, MAS TRM, and other frameworks your auditors require.
Priority alerts
Dedicated CSM

Enterprise

Custom coverage, human review, and SLA commitments.

Custom

Everything in Pro, plus:

Unlimited web properties
Custom authorization scopeSubsidiaries, mobile apps, private deployments, and special environments are scoped explicitly.
Custom scan cadence
Mobile app scanningWe decompile your Android and iOS apps to check for vulnerabilities, hardcoded secrets, insecure data storage, and certificate pinning issues.
Multi-domain & subsidiary coverage
Phishing campaignsAI-generated phishing simulations with open/click/credential tracking and behavioural analytics.
Threat intelligence feedCurated threat intel correlated against your monitored attack surface.
Cloud posture scanReview cloud accounts across AWS, GCP, or Azure for misconfigurations, overly permissive IAM, and exposed storage.
SIEM & webhook integrationsPush high-signal findings into Splunk, Sentinel, or your team's existing tools.
Human review layerVantalab analyst review for scoped engagements, executive interpretation, and custom assurance needs.
Private edge deploymentOn-premise or air-gapped Axiom Edge node for customers who can't let raw evidence leave their environment.
Custom SLA & dedicated team

Recent engagement — identity anonymized

One engagement. One chain. Billions in exposure.

739Subdomains discovered

38Findings identified

5→1Findings chained into one critical exploit

€620M–2.5BEstimated exposure

“Hadrian discovered a critical vulnerability chain across 739 subdomains that exposed the PII, payment methods, and digital wallets of millions of customers — with full read-write access to their accounts. Their existing pentest vendor had found nothing.”

Three individually Medium-severity findings across DNS infrastructure, API configuration, and session management. One Critical chain. Their existing pentest vendor had found none of them.

Built for engineers who know what they're looking at.

hadrian API

$ hadrian scan --target example.com --mode deep --output json

{
  "target": "example.com",
  "subdomains": 739,
  "findings": 38,
  "chains": [
    {
      "id": "CHN-001",
      "severity": "CRITICAL",
      "cvss": 9.8,
      "components": [
        "API origin policy misconfiguration",
        "Dangling DNS asset → unclaimed external provider",
        "Session cookie flag misconfiguration"
      ],
      "impact": "Cross-origin account takeover — no victim interaction required",
      "exposure_eur": { "low": 620000000, "high": 2500000000 }
    }
  ]
}

Full API docs available after access is granted. Webhook, SIEM, and CI/CD integrations included.

See what your pentest missed.

Most engagements surface something critical within 48 hours.

Request Platform Access