We Built an AI That Thinks Like a Hacker — Here's What Happened
A few months ago, our team read about a company that got breached. The attacker didn't use some fancy zero-day exploit. They found a misconfigured database, used a weak API endpoint to get in, and walked straight to the customer data. The whole attack took maybe 20 minutes.
What shocked us wasn't the breach itself. It was this: the company was using five different security tools, and none of them caught it.
Why? Because each tool only sees one piece of the puzzle. The web scanner found the API issue but rated it "medium." The database scanner found the misconfiguration but rated it "low." Nobody connected the dots: medium + low = critical when they're chained together.
That's when we decided to build something different.
The First Version Was Embarrassing
We won't sugarcoat it. The first version of ShieldGraph was basically a bunch of Python scripts stitched together. A header scanner that checked if your website had HSTS. An SSL checker. A basic port scanner.
The first scan we ran found exactly zero vulnerabilities. Not because the target was secure — our scanner was just bad.
But we kept going.
14 Scanners Later, We Hit a Wall
After a few weeks, we had about 14 working scanners. Web stuff mostly — headers, SSL, XSS, SQL injection, CORS, cookies. It worked, but honestly, it wasn't special. Qualys has been doing this for 25 years. Why would anyone use our tool?
Then we had an idea that changed everything.
What if an AI could chain these scanners together like a real hacker?
Think about it. When a pentester attacks a system, they don't just run one tool. They run a port scan, see what's open, think about what to try next, run another tool, find something interesting, pivot, and keep going. It's a chain of decisions.
What if we gave an AI access to all our scanners and said: "Think like a hacker. Find the attack path."
Building the AI Red Team
We built it. We wrapped each scanner as a tool that an AI agent could call. Then we wrote a conversation loop:
- AI looks at the target
- AI picks which scanner to run
- We run the scanner, give results back to AI
- AI thinks about what it learned
- AI picks the next scanner
- Repeat until done
- AI writes a penetration test report
The first time we ran it against a test server, it performed 18 steps in 3 minutes. It found that an admin panel was accessible, JWT tokens had no signature verification, and a PostgreSQL database accepted connections without a password.
Then it chained them together: Web App -> JWT Bypass -> Admin Panel -> Database -> Customer Data.
Risk level: CRITICAL.
Our beta tester called: "How did you find all that? I've been running security scans for weeks and nothing showed up."
That's when we knew we had something nobody else was building.
The Digital Twin: Predicting the Blast Radius
The AI Red Team was powerful, but we wanted to answer a different question: "What happens AFTER an attacker gets in?"
If someone hacks your web server, how far can they go? Can they reach your database? Your payment system? Your customer data?
So we built the Infrastructure Digital Twin. You select any asset in your infrastructure, click "Simulate Blast Radius," and it shows you visually how an attack spreads:
- Web Server compromised
- API Server reached (60% probability, 1 hop)
- Customer Database exposed (30% probability, 2 hops)
We even run Monte Carlo simulations — 1,000 random attack simulations to answer: "In 70.8% of scenarios, an attacker reaches your customer database."
Try explaining that to a CISO with a CVSS score. You can't. But show them "70% chance your customer data gets stolen" — suddenly the budget gets approved.
Where ShieldGraph Stands Today
Here's what we've built:
- 30 real vulnerability scanners — not stubs, they actually connect and check
- Web apps, 8 databases (PostgreSQL, MySQL, MongoDB, Redis, Elasticsearch, Oracle, MSSQL, Cassandra), AWS/Azure/GCP, SAP, Oracle EBS, Docker
- AI Red Team — an autonomous AI that runs penetration tests and generates professional reports
- Infrastructure Digital Twin — blast radius simulation with real probabilities
- CWE classification on every finding, linked to MITRE
- EPSS scores — real exploit probability data from FIRST.org
- One-click compliance reports for OWASP, PCI DSS, SOC 2, HIPAA
- A lightweight Go agent for scanning private networks behind firewalls
- Smart auto-discovery — the agent finds Docker containers and services automatically
Lessons Learned Along the Way
1. Your own platform has to be more secure than your customers.
We're a cybersecurity company. If someone hacks us, it's game over. So we ran our own tools against ourselves. Found 17 security vulnerabilities in our own platform. Fixed all 17. Then ran a complete security audit — JWT validation, CORS, rate limiting, encryption, everything.
The irony of a security company having security bugs is something we'd rather not talk about.
2. AI is incredibly good at security testing.
The AI naturally thinks in attack chains. "I found a missing header, so let me check for injection. I found injection, so let me check what database is behind it." This is exactly how human pentesters think — but the AI does it in 3 minutes instead of 3 weeks.
3. Graph databases changed our understanding of risk.
SQL can't answer "can an attacker reach asset Z from asset A through any path?" We use a graph database that handles this natively. Suddenly, "medium" + "low" vulnerabilities that connect to form a "critical" attack path become visible.
4. The mid-market needs affordable security.
Enterprise security tools cost $50K-$200K per year. Most companies can't afford that. We built ShieldGraph for $499-$2,999/month. The AI Red Team alone replaces a $20K pentest engagement — and it can run unlimited.
What Makes Us Different from Qualys and Tenable
Let's be real. Qualys has 25 years of experience. Tenable, Rapid7, Snyk — they're established, well-funded, battle-tested.
We're not trying to replace them for Fortune 500 companies.
But here's what none of them offer:
- No AI Red Team. None have an autonomous AI that chains scanners together and thinks like a hacker.
- No Digital Twin. None simulate attack blast radius with real probabilities.
- No unified platform. You need Qualys + Tenable + Snyk + a pentesting firm. We do it all.
- No mid-market pricing. They start at $50K. We start at $499.
We're building for the other 90% of companies — the ones who know they need security but can't afford enterprise tools.
What's Coming Next
We just launched on Product Hunt and are actively onboarding early users.
On the roadmap:
- Jira and ServiceNow integration for ticketing
- Slack and Teams notifications for real-time alerts
- SSO/SAML for enterprise authentication
- SIEM export for security operations centers
But the feature everyone gets excited about is the AI Red Team. Every time someone sees the AI autonomously hacking a system, explaining its reasoning at each step, and building attack chains — that's the moment they get it.
Try It Yourself
We'd genuinely love your feedback.
shieldgraph.com — 14-day free trial, no credit card required.
Launch the AI Red Team against your own infrastructure. See what attack chains it discovers. We bet it finds paths you never thought of.
If you find bugs or have feature requests, drop a comment below or reach out on Twitter @shieldgraph. We read every message.
ShieldGraph — Scan everything. See the attack path. Fix what matters.