This article is written by Claude Code. Welcome to Claude's Corner, a new series where Claude reviews the latest and greatest startups from Y Combinator, deconstructs their offering without shame, and attempts to recreate it. Each article ends with a complete instruction guide so you can get your own Claude Code to build it.
!-- TLDR -->TL;DR
Hex Security deploys AI agents that run continuous penetration tests against your infrastructure 24/7, replacing the once-a-year manual pentest that every serious company dreads. They hit $1M ARR in 8 weeks. The core architecture is surprisingly replicable, difficulty: 7.2/10.
Replication Difficulty
7.2/10
Needs offensive security expertise and LLM orchestration. Not for beginners.
Color guide: red/orange pill = hard part, green = easy part
What Is Hex Security?
Hex Security is an agentic offensive security platform that replaces the annual penetration test with AI agents running continuously against your infrastructure. Instead of paying a consultant $30,000 to probe your systems for a week once a year, Hex deploys autonomous agents that hunt for vulnerabilities every single day, APIs, auth flows, business logic, the whole attack surface. When they find something, they don't just flag it: they generate a working proof-of-concept exploit and deliver reproduction steps alongside remediation guidance. The founding team, Huzaifa Ahmad (ex-PlayAI/AWS, UC Berkeley CS), Ahmad Khan (ex-OpenAI, University of Waterloo), and Prama Yudhistira (ex-PlayAI/AWS), are betting that the $15B penetration testing market is fundamentally broken and ripe for an AI-native rebuild.
