Tenzai's AI Hacker Is the First Autonomous System to Rank in the Top 1% of Global Hacking Competitions

News > Technology News

Audio By Carbonatix

3:00 PM on Tuesday, March 17

The Associated Press

Autonomous penetration-testing agent outperformed more than 99% of human participants across six major Capture-the-Flag platforms designed for elite security researchers

TEL AVIV, IL / ACCESS Newswire / March 17, 2026 / Tenzai, the AI-native cybersecurity company building autonomous penetration-testing AI agents, today announced that its AI hacking system achieved top-1% performance across six globally recognized hacking competitions originally designed only for human participants.

While AI security tools have previously demonstrated success in bug bounty competitions and student-level hacking challenges, this is the first time an autonomous AI system has achieved top-tier results in elite Capture-the-Flag (CTF) environments that evaluate advanced exploitation skills.

Across six major CTF platforms, including websec.fr, dreamhack.io, websec.co.il, hack.arrrg.de, pwnable.tw, and Lakera's Agent Breaker, Tenzai's agent consistently solved complex vulnerability challenges, placing it ahead of more than 99% of participants.

Capture-the-Flag competitions are widely used to evaluate real hacking ability. Participants must identify and exploit real vulnerabilities in complex systems, and top rankings are typically achieved by experienced security researchers, professional penetration testers, and bug bounty hunters. Unlike company-sponsored benchmarks, these competitions are primarily populated by individual practitioners competing independently.

To ensure a meaningful benchmark against human expertise, Tenzai evaluated its system across large competitions with tens of thousands of participants, progressively difficult challenges, and specialized environments such as Agent Breaker, which focuses on security issues in AI agents. Many of these competitions release challenges with gated writeups, meaning it's nearly impossible that answers appear in public datasets used for training Tenzai's AI hacker.

Strong performance in these environments requires far more than automated scanning. The competitions contain a fixed number of challenges that increase in complexity and value, meaning high rankings depend on discovering and exploiting extremely complex vulnerabilities, problems that historically only a small number of participants solve.

"At this point, our agent performs better than roughly 99% of people who participate in these competitions," said Pavel Gurvich, CEO and co-founder of Tenzai. "That's more than 125,000 human experts. There is still a small group of exceptional hackers who outperform current AI systems, and closing that gap remains an important challenge. But AI already allows us to bring elite offensive capabilities to organizations on demand and at a scale the industry has never had before."

To reach top-percentile rankings, the system demonstrated capabilities across multiple classes of vulnerabilities, including authentication bypass, insecure direct object reference (IDOR), complex application logic flaws, and multi-stage exploitation chains.

Many of the solved challenges required combining several weaknesses within the same system, a technique commonly used in real attacks but difficult to automate. Rather than relying primarily on large-scale scanning or brute-force enumeration, Tenzai's agent analyzes how applications behave, reasoning about identity, trust boundaries, and system interactions in order to uncover subtle vulnerabilities.

The results suggest that AI systems are beginning to approach the offensive capabilities historically only achieved by elite human security researchers.

For organizations, the significance of these results lies in scale. Highly skilled penetration testers remain scarce and are typically engaged periodically. Autonomous agents can continuously test applications as they change, allowing security teams to evaluate new releases and system updates more frequently.

This enables organizations to shorten compliance validation cycles, expand security testing coverage across a larger number of applications, and detect complex vulnerabilities earlier in development.

By combining advanced offensive reasoning with continuous automation, Tenzai's system allows security teams to test software at the pace modern systems are built.