Horizon3
What is it?
Horizon3’s NodeZero is an AI-driven autonomous penetration testing platform. The company pioneered the concept of “AI hackers” that can be deployed against an environment with zero prior knowledge or from an assumed-breach shell. The AI agent conducts recon, enumerates services, chains together vulnerabilities across multiple hosts, and demonstrates actual exploit paths. It shows the attack path, exactly how to fix it, and enables immediate retesting to verify remediation.
Why did they build it?
Vulnerability scanners produce lists of potential issues on individual hosts, but they cannot show what an attacker actually achieves by chaining those issues together across machines. Understanding consequence, from initial access through lateral movement to an actual objective like domain admin or sensitive data exfiltration, is how you prioritize what to fix. Vulnerability scanners alone cannot demonstrate that.
Traditional pen testing has an absorptive capacity problem: organizations run one or two tests a year, can’t remediate findings before the next test, and see the same issues repeatedly. Automated testing lets mature organizations shift to 40-50 tests monthly, continuously finding, fixing, and verifying.
How is it different from a vulnerability scanner?
NodeZero chains issues across multiple machines: lateral movement, credential harvesting, misconfigurations, and CVEs combined into attack paths that lead to actual objectives like domain admin or sensitive data exposure. It operates across the full hybrid cloud infrastructure, from external access through internal pivot to cloud compromise.
Credential-based attacks are a core expertise. Attackers log in; they don’t hack in with zero-days. NodeZero finds credentials, understands lockout policies (local and global), and intelligently abuses them across environments without triggering account lockouts or taking down production systems.
How does it work?
Each pen test runs as a single-use Docker container deployed at the chosen initial access point in the network. The container connects to a dedicated virtual private cloud session that instructs it through recon, enumeration, and iterative “next best action” exploitation based on discovered services and historical success rates. After the test completes, the container shuts down and the VPC is destroyed, leaving no persistent footprint to manage.
Tests can start from zero access (breaking in from the outside) or assume breach from a specific point in the network. Scope configuration controls IP ranges, aggressiveness, and optional features like auto-deploying honey tokens (fake AWS credentials, Azure tokens, SQL dump files) during the test to improve detection coverage.
Risky Business appearances
- Snake Oilers: Realm Security, Horizon3 and Persona
- Risky Biz News: US says RT moved into cyber territory, Horizon3 Ivanti CVE-2024-29847 analysis mentioned
Sources
- Snake Oilers: Realm Security, Horizon3 and Persona, primary interview
- horizon3.ai