The window between a vulnerability becoming public and being actively exploited has collapsed from years to hours. AI-assisted tooling can now write a working exploit within minutes of a patch dropping. Periodic testing cycles and static severity scores cannot keep up with that.
You already know you have thousands of findings. The real question is which ones can be exploited in your environment right now and how fast you can prove it.
Our Spring Release is Ethiack's answer. Every capability that shipped in Q1 pushes our clients' Continuous Threat Exposure Management (CTEM) programmes closer to the speed and adaptability attackers now operate with, anchored in the one thing scanners and snapshot pentests can't give you: Adversarial Exposure Validation. Every capability we're building in Q2 extends that further: deeper Hackian transparency, broader coverage, tighter integration with the security stack you already run.
Here is what shipped in Q1, what we're seeing across customer attack surfaces, and what comes next.
What shipped in Q1
Hackian got 50% faster and now goes behind the login wall
Hackian, our agentic AI pentester, received a core upgrade that delivered a 50% performance improvement in internal benchmarks. That means deeper attack-path coverage and more chained exploitation inside every testing window, without extending engagement time.
New Authenticated On-Demand Pentests let you securely pass credentials to Hackian so the highest-value surfaces, the ones behind your login portals, are now tested with the same rigour as your public perimeter. These upgrades powered multiple successful pentesting engagements across Q1.
Beacon v2: validating the internal attack surface without opening the firewall
Internal networks are often the least validated, not because they matter less, but because traditional testing demands inbound firewall rules or heavyweight agents. Beacon v2 removes that trade-off. It operates with outbound-only connectivity and deploys in minutes through a single setup script, Ansible playbook, raw Kubernetes YAML, or Helm chart. Internal network ranges are discovered automatically in the deployment environment.
Validating what attackers can exploit once they're inside is now as simple as validating what they can exploit from outside.
A Risk Score rebuilt around real exploitability
CVSS measures theoretical severity. It does not tell you whether a vulnerability is being actively targeted today. Our Risk Score engine now integrates CISA KEV and EPSS alongside traditional severity signals, producing a prioritisation score that reflects what is actually being exploited in the wild. Combined with Hackian's validated exploitability, it gives your team prioritisation trained on the real world, not a theoretical scoring system.
Every score traces back to its component signals, giving compliance and audit teams defensible evidence behind every prioritisation decision. Noise in, signal out.
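As an added illustration, not Ethiack's own Risk Score engine, the Python sketch below combines CVSS, EPSS, CISA KEV membership and validated exploitability into one score while keeping each component signal traceable; the weights, finding ids and metric values are constructed assumptions.

```python
"""Constructed example: a signal-weighted prioritisation score.
The weights and all sample data are assumptions for illustration,
not Ethiack's Risk Score engine or real EPSS/KEV values."""
from dataclasses import dataclass


@dataclass
class Finding:
    finding_id: str   # constructed placeholder id, not a real CVE
    cvss: float       # CVSS base score, 0.0-10.0 (theoretical severity)
    epss: float       # EPSS probability of exploitation, 0.0-1.0
    in_kev: bool      # listed in CISA Known Exploited Vulnerabilities
    validated: bool   # exploitability confirmed by an active test


# Assumed weights (sum to 100): exploitation evidence outweighs severity.
WEIGHTS = {"cvss": 40, "epss": 30, "kev": 20, "validated": 10}


def risk_score(f: Finding) -> tuple[float, dict[str, float]]:
    """Return the score and the per-signal contributions behind it,
    so every prioritisation decision can be traced to its inputs."""
    parts = {
        "cvss": round(f.cvss / 10 * WEIGHTS["cvss"], 1),
        "epss": round(f.epss * WEIGHTS["epss"], 1),
        "kev": WEIGHTS["kev"] if f.in_kev else 0.0,
        "validated": WEIGHTS["validated"] if f.validated else 0.0,
    }
    return round(sum(parts.values()), 1), parts


def prioritise(findings: list[Finding]) -> list[str]:
    """Order finding ids by score, highest first."""
    ranked = sorted(findings, key=lambda f: risk_score(f)[0], reverse=True)
    return [f.finding_id for f in ranked]


def explain(f: Finding) -> str:
    """One audit-trail line: total score plus its component signals."""
    total, parts = risk_score(f)
    trail = ", ".join(f"{k}={v}" for k, v in parts.items())
    return f"{f.finding_id}: {total} ({trail})"


# Constructed sample findings: a critical-CVSS finding with no exploitation
# evidence versus a lower-CVSS finding that is in KEV and validated.
SAMPLE = [
    Finding("FND-A", cvss=9.8, epss=0.02, in_kev=False, validated=False),
    Finding("FND-B", cvss=7.5, epss=0.90, in_kev=True, validated=True),
    Finding("FND-C", cvss=5.3, epss=0.001, in_kev=False, validated=False),
]

if __name__ == "__main__":
    for fid in prioritise(SAMPLE):
        print(explain(next(f for f in SAMPLE if f.finding_id == fid)))
```

Run stand-alone, it ranks the validated KEV-listed finding above the critical-CVSS one with no exploitation evidence, which is the ordering the Risk Score passage argues for.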
Compliance reports that move at the speed of your exposure
Validated findings are only useful when they tie directly to the frameworks you're accountable to. From the Ethiack Portal, you can now generate reports aligned to PCI DSS, scoped to your cardholder data environment with a clear validation trail, and to OWASP Top 10 and WSTG, producing prioritised, remediation-ready views for web application exposure. Auditors get evidence. Security and development teams get a consultant-grade view of what to fix first.
URL-path granularity across the attack surface
Attack surface management is only as valuable as its granularity. You can now explore every URL path identified under any asset directly in the Portal: a complete map of exposed endpoints, directories, and application entry points. It closes a common blind spot: an asset that looks low-risk at the domain level but carries real exposure deeper in the application.
Operational workflows built for accountability
Validation at scale needs clear ownership. Q1 shipped a full timestamped Audit Log across the Portal, covering asset changes, test configurations, and finding updates. Specific findings can now be assigned to individual members, ensuring ownership and faster remediation. A new Viewer Role gives executives, stakeholders, and external auditors read-only access to tests and findings without modification rights. And our vulnerability-to-ticket pipeline has been rebuilt end to end, adding a native Service Desk Plus integration and improving sync reliability across every existing integration. This work lays the foundation for the broader integration expansion later this year, including ServiceNow.
What we're validating in the wild
Cross-referencing Mandiant's M-Trends 2026 findings with what our platform validates across client infrastructure tells a clear story. Theoretical severity and actual exploitability are very different problems.
Core enterprise systems stay in the crosshairs
M-Trends 2026 names internet-facing enterprise application servers (specifically SAP NetWeaver and Oracle E-Business Suite) as the primary target category for both espionage and financially motivated threat actors. Our platform telemetry corroborates this. Oracle E-Business Suite (CVE-2022-21587) and SAP Solution Manager (CVE-2020-26836) consistently rank among the most frequently validated findings across client infrastructure. Attackers weaponise new exploits in these platforms, but organisations remain exposed to older, well-documented vulnerabilities in the same systems: vulnerabilities our engine confirms are exploitable today.
Automation infrastructure is being weaponised at machine speed
As the exploitation window collapses, attackers integrate new vulnerabilities into live campaigns within hours of disclosure. We are currently validating exposure to the Next.js React2Shell RCE (CVE-2025-55182), alongside multiple remote code execution vulnerabilities in n8n, the open-source workflow automation platform (CVE-2026-21877 and CVE-2026-21858). Business automation platforms sit at the centre of supply chain pivots and credential theft. Continuously testing them for real exploitability is now baseline CTEM.
The edge is still the soft underbelly
M-Trends 2026 identifies edge and core network devices as a strategic entry point precisely because they often lack EDR visibility and get patched late. Our continuous testing data confirms the pattern. Across client environments we consistently validate OpenSSH Terrapin (CVE-2023-48795), RegreSSHion OpenSSH RCE (CVE-2024-6387), and, perhaps most telling, Apache HTTP Server NULL Pointer Dereference (CVE-2018-8011). A 2018 CVE still showing up in 2026 is itself the finding. Age does not imply remediation. It implies assumption. Traditional scanners flag a version string. Our engine tests whether the vulnerability is actually exploitable in your environment today.
What we're not seeing matters too
M-Trends 2026 ranks three vulnerabilities among the most frequently exploited globally: SAP NetWeaver (CVE-2025-31324), Oracle E-Business Suite (CVE-2025-61882), and Microsoft SharePoint (CVE-2025-53770). We have not observed any of these across our clients' infrastructure. That silence is itself meaningful: our clients' exposure profile does not align with the top of the global exploitation list. Their validation programmes are working.
More importantly: our engine detects and validates all three. If any of them appear in your environment, Ethiack will prove exploitability before an attacker does. That is the operational value of proactive Adversarial Exposure Validation: you get the answer before a breach forces the question.
Summer Release: a Portal that speaks for itself
The overarching goal for Q2 is to make the Ethiack Portal a transparent, intuitive extension of your security team.
A redesigned Portal that puts the right data up front
The Portal currently surfaces a wealth of data. The redesign surfaces the right data, instantly, for every role. Overall Risk Score and trend lines, Mean Time to Resolve, the most critical unresolved risks, and the most exposed assets are visible without hunting through raw findings lists. For CISOs and board-level stakeholders, it translates continuous validation output into a single, readable security-posture view.
Full visibility into what Hackian is doing
Autonomous AI should never be a black box. In Q2 we are launching step-by-step visibility into Hackian's execution at every stage of a test.
For continuous Adversarial Exposure Validation, you will see the core focus of each test, summaries of reconnaissance, service discovery, and fingerprinting, along with detailed drill-downs into execution logic, protocols used, and targeted CVE information.
For pentesting, we are fully exposing Hackian's reasoning: how it selects specialised sub-agents, the chronological narrative of its execution, and validations showing each action respected your defined guardrails. Technical teams will be able to review tool summaries, input/output traces, and export the exact code used in any step. Transparency is the foundation of trust.
Onboarding tailored to your engagement
Deploying security should not be slowed by lengthy setup. We are introducing tailored onboarding paths for Continuous AEV and for Pentesting, each streamlined to your engagement model. AEV onboarding makes it easier to assume authorisation for testing domains and lets you skip reconnaissance entirely, accelerating time to first validated result. Pentest onboarding lets you pinpoint assets, inject credentials securely, define precise testing policies, and launch Hackian for in-depth engagement immediately.
Platform stability that compounds
Q2 also includes a significant engineering investment in API consistency and engine stability. Clients using the Ethiack API or connecting via third-party platforms can expect improved consistency and a lower risk of breaking changes. This work is not visible as a discrete feature in the Portal, but it sets the foundation for faster delivery across the rest of the year.
Moving Forward: broader coverage, deeper integration, clearer ROI
Our roadmap beyond Q2 reflects how mature CTEM programmes evolve: broader coverage, deeper integration, and the ability to quantify security value in business terms.
Active Directory testing and privilege escalation validation. Internal compromise almost always routes through identity: misconfigured AD trusts, over-permissioned service accounts, domain escalation paths that external testing never reaches. We're extending the Hackian engine with dedicated AD testing and privilege escalation validation, unlocking a new class of internal identity-based exploitability.
Supply chain and third-party validation. Exposure you do not directly control is now a primary breach vector globally. We're building engine capabilities to validate external dependencies and supply-chain components, extending Adversarial Exposure Validation beyond your direct organisational perimeter.
Deep platform integrations. Continuous validation is only as useful as its reach into the tools you already run. Building on the Service Desk Plus integration shipped in Q1, we are expanding to include ServiceNow for enterprise workflow, Wiz for cloud security posture correlation, and AWS and GCP for automated asset import and attack surface synchronisation. Validated findings reach the right team through the right system, without manual handoffs.
An MCP server for agentic security pipelines. As security operations adopt automated, AI-driven workflows, Ethiack needs to be a native participant in those pipelines. Our forthcoming MCP server will let external agents and orchestration platforms query Ethiack findings, trigger tests, and receive validated exposure data programmatically, making continuous adversarial validation a first-class input to automated security decision-making.
Business-impact and ROI metrics. Security leaders need to communicate the value of their validation programme in financial terms. We will introduce metrics that quantify risk reduction over time, tie remediated findings to business impact, and support board-level reporting on exposure trends and programme effectiveness.
You don't need more findings. You need to know what's exploitable
Attackers are accelerating. Ethiack keeps you one step ahead.
See your exposure. Test continuously to validate what attackers can actually exploit. Act on what matters most.
Every capability described here is live in the Ethiack Portal today. Log in to run your first authenticated pentest, review your updated Risk Score, or deploy Beacon v2. If you are evaluating Ethiack, or sharing this release with colleagues starting their validation programme, sign up, set up your DNS record in under 10 minutes, and begin testing your assets.
Don’t wait for the attack.
Secure Your Future with Ethiack
If you're still unsure, convince yourself with a 30-day free trial. No obligation. Just testing.
