# Why Aikido is our only pentest provider

> We deliver every pentest through Aikido AI Pentest because the annual manual report lands in a drawer and the application ships again the next week.

Source: https://fmcybersecurity.com/en/insights/appsec/why-aikido-is-our-only-pentest-provider/
Locale: English
Other locale: https://fmcybersecurity.com/insights/appsec/hvorfor-vi-valgte-aikido/

## Metadata

- Date: 2026-04-29
- Author: christian-vik
- Topic: appsec
- Format: article
- Partner: aikido

We do not offer manual pentest, and we are not going to start. Every pentest FM CyberSecurity runs goes through [Aikido AI Pentest](/en/partners/aikido/), and this piece explains why. The short version is that the annual manual report lands in a drawer and the application ships again the next week. We picked an AI delivery model because the pattern around the ritual was broken, not because the human work was bad.

Across the application security and compliance engagements I have advised this year, the buyer I meet is usually a CISO or a CFO holding a quote between £20,000 and £50,000 for an annual web application pentest, sometimes more for a multi-application scope. The quote is for two to three weeks of consultant time, a written report, and a remediation retest. In one composite conversation with a Norwegian software firm chasing an ISO 27001 certificate to win an enterprise tender, the buyer asked the only question that matters: will this report still be true in November when we ship the next release? We both knew the answer.

That gap is what FM CyberSecurity's pentest stance is for. It is also why we will not deliver a one-off point-in-time report, regardless of who asks.

![Aikido logo and AI Pentest, FM CyberSecurity](../../../assets/news/why-aikido-is-our-only-pentest-provider-inline.png)

## The annual pentest pattern

When a Norwegian small or mid-sized firm decides to take application security seriously, the first move is usually to book a manual pentest once a year. The auditor asks for a pentest, the customer asks for a pentest, the contract clause says pentest, so you buy a pentest. The output is a PDF with findings sorted by severity, dated the day of the engagement.

The work itself is rarely the issue. Senior consultants who run manual pentests know what they are doing, and within their scope they find real vulnerabilities. The pattern around the work is what falls short. In one composite advisory engagement this quarter, the firm had a clean pentest report from March, a feature release in April that touched the authentication flow, and a second release in May that added a customer API. The March report covered neither.

The honest framing is not "the consultant did a bad job." It is "the consultant took a photo of a moving object." A pentest report is true on the day it is written. By release three, you do not have a pentest report. You have a memory of one.

## What people usually assume

The common assumption is that more consultant days produce more security. Two weeks is better than one. A senior tester is better than a junior tester. A bigger scope is better than a narrower scope. Buyers ask for daily rates, total engagement length, and seniority of the team, and they price the answer against the budget.

The arithmetic is intuitive, and it is also where the model breaks. The variable that matters is not how many days a human spends on the application this year. It is how often the application gets tested against the version of itself sitting in production. A 15-day manual pentest run once a year tests the application as it stood on day one of the engagement. Every commit after that is untested until the next annual cycle.

For a firm shipping weekly, the report covers roughly two percent of the year's production code. That is not a slight on the tester. It is a slight on the delivery model.

## Why annual pentests go stale

Three things age a pentest report fast.

First, the application changes. Code ships, dependencies update, APIs get added, authentication flows get rewritten. Each change is a potential vulnerability that was not in scope of the last report. Manual retest is usually limited to the original findings, not to the new surface.

Second, the scope was narrow to begin with. Manual engagements are priced by day, so the buyer trims scope to fit the budget. The customer portal gets tested, the partner API does not. The web frontend gets tested, the mobile backend does not. The list of "out of scope" is often longer than the list of "in scope," and the attacker does not honour either.

Third, the report is not replayable. When someone asks in October whether the May findings have been fixed, the only honest answer is to commission another engagement. Most firms do not, because the budget is gone. The fix is marked as remediated in a ticketing system, and the auditor accepts that line item until next year.

This is not a critique of the consultants who run these engagements. It is a critique of the shape of the engagement itself. The same testers, given a tool that runs continuously and replays on demand, would produce a more defensible result. That tool exists.

## What FM CyberSecurity runs instead

We deliver every pentest through Aikido AI Pentest. Aikido's autonomous agents map the application, discover endpoints (including undocumented ones), exploit vulnerabilities, and validate each finding through actual exploitation before it reaches the report ([per Aikido's product documentation](https://www.aikido.dev/attack/aipentest)). Coverage spans web applications, REST and GraphQL and gRPC and SOAP APIs, authentication flows, access control, and business logic vulnerabilities such as IDOR and cross-tenant access.

The platform runs in three modes. Whitebox uses repository access for code-informed testing; greybox combines code access with live probing; blackbox tests the exposed surface without source. We typically run greybox for FM CyberSecurity customers because the code access reduces false positives and the live probing catches runtime issues that code review misses.

In February 2026, Aikido announced [Aikido Infinite](https://www.aikido.dev/blog/introducing-aikido-infinite), which moves the AI Pentest from on-demand to continuous. Each code change triggers agents that test the new surface, validate exploitability, and generate merge-ready pull requests with targeted fixes ([Help Net Security coverage](https://www.helpnetsecurity.com/2026/02/24/aikido-infinite-introduces-continuous-self-remediating-ai-penetration-testing/)). The application gets pentested on every release, not once a year.

The audit trail is the part the compliance buyer notices. Aikido produces audit-grade reports for SOC 2 and ISO 27001 the same day, with a finding-by-finding history of when each issue was discovered, when it was exploited, when it was patched, and when it was retested. The auditor gets a timeline, not a snapshot.

The all-in-one platform around AI Pentest matters here. Aikido bundles static analysis (SAST), software composition analysis (SCA), secrets detection, container scanning, infrastructure-as-code scanning, and cloud posture management alongside the pentest layer. FM CyberSecurity's testing service uses the bundle, so when AI Pentest finds a vulnerability, the SAST view shows the line of code, the SCA view shows the dependency tree, and the patch lands in the same place. The buyer pays for one platform, not five.

## Where AI pentest does not fit

We should be honest about the edge. AI pentest is not the right shape for true bespoke red-teaming engagements, the kind where the value sits in human creativity stitching together physical access, social engineering, and a single high-value target over weeks. Those engagements are rare for the SMB segment FM CyberSecurity serves, and they are a different market with different buyers. FM CyberSecurity does not staff a red team for that work, and we do not subcontract one. If your buyer is asking for a TIBER-EU style threat-led test against a designated financial institution, we will tell you where to look.

For everything else, which is most application security work for Norwegian firms up to a few hundred employees, AI Pentest is the better delivery model.

## What this means for the budget conversation

If you are a CISO or CFO holding a £30,000 quote for an annual manual pentest, the practical comparison is not "manual versus AI." It is "one snapshot a year versus a test that runs on every release with a same-day audit report." The cost conversation usually lands inside the same budget envelope, sometimes lower, because Aikido prices by application scope rather than by consultant days ([Aikido's standard pentest pricing starts at $4,000 USD](https://www.aikido.dev/attack/aipentest), with continuous tiers priced on scope).

FM CyberSecurity's value is not the licence. The value is the assessment scoping (which applications, which APIs, which authentication boundaries), the tuning (so the agents do not chase false positives or attack production paths you have not opted into), the review (every finding goes through a senior FM CyberSecurity consultant before it reaches the customer report), and the audit packaging (so the ISO 27001 or SOC 2 evidence is on the auditor's desk in the format they expect). The platform finds the vulnerabilities. We turn the platform into a defensible programme.

If this resonates:

- Read [how we pentest applications for ISO 27001](/en/insights/appsec/how-we-pentest-apps-for-iso-27001/) for the audit-evidence view of the same programme.
- Forward this to your CFO or compliance lead, the ones holding the manual pentest quote and asking whether [the regulations that require recurring pentests](/en/insights/appsec/which-regulations-require-recurring-pentests/) mean what they think they mean.
- Talk to Christian for a 30-minute view on your application stack and where AI Pentest would replace the annual ritual.

