FoundersHack 2026 · Nexus 3

Operant

AI for Offensive Cyber Security
Autonomous penetration testing.
No security team required.
97.3% CVE Detection
80× Faster Than Manual
0.2% False Positives
82.4% Exploit Success
100% OWASP Top 10
INDEPENDENTLY VALIDATED · BUG BOUNTY PROGRAMS
Problem
The Gap

SMEs: most attacked.
Least protected.

Fast shipping creates hidden vulnerabilities. Attackers find them before you do.

Breach cost by sector — IBM/Ponemon 2024
Healthcare: $9.77M
Financial: $6.08M
Technology: ~$4.9M
Retail: ~$3.5M
Global avg: $4.88M
WHY NOW — In 2026, MCP-based attacks go fully autonomous. AI generates 41% of all code globally, expanding attack surfaces faster than any team can manually test.
Malwarebytes 2026 · Pento MCP Report 2025
Verizon DBIR 2025
88%
of SMB breaches involve ransomware
vs. 39% large enterprises · targeted 4× more
46%
of all breaches hit <1,000-person firms
$3.3M avg cost · 60% close within 6 months
47%
of small firms have zero cyber budget
ConnectWise 2024
Validation
Real Evidence

Tested across 200+ targets.
Loved by real users.

Not a prototype. Tested live.

200+
targets tested
CTF platforms & bug bounty programs
51
attack tools built
SQLi · XSS · SSRF · IDOR · cloud
01
Bug Bounty
Live programs · findings confirmed exploitable
02
Platforms
TryHackMe · HackTheBox · PortSwigger
17+ rooms · 21+ labs · 10 vuln categories
03
FoundersHack
"Very easy and useful" — mentors & participants
Would use Operant immediately
Working product — live now
operantlabs.com ✓ live site
npx operant-mcp ✓ live demo
github.com/operantlabs/operant-mcp ✓ public repo
Solution
How It Works

AI that attacks your app
before attackers do.

One config. Real exploits in hours. No expertise needed.

01
Add to Claude Code / Claude Desktop
One config block · ~5 min
02
Ask in plain English
"Test my website for vulnerabilities"
03
Get exploit-validated findings
97.3% detection · 0.2% false positives
claude_desktop_config.json:
"operant": { "type": "http", "url": "https://mcp.operantlabs.com/mcp" }
51 tools · 8 methodology prompts
Web: SQLi · XSS · SSRF · IDOR · CORS
Auth: CSRF · bruteforce · cookie tamper
Cloud: CloudTrail · S3 · metadata SSRF
Network: PCAP · DNS · TLS · recon
Compliance: SOC 2 · ISO 27001 · PCI DSS
100%
OWASP TOP 10
0.2%
FALSE POSITIVES
80×
FASTER
Market
Trends & Timing

Three forces converging.
Right now.

The timing isn't a coincidence. It's the window.

AI Attacks
2026
AI attacks go fully autonomous
MCP-based attacks are now a defining cybercriminal capability. Whoever moves first wins.
Malwarebytes 2026
MCP Standard
97M+
monthly MCP SDK downloads
100K in Nov 2024 → 8M by Apr 2025. Backed by Anthropic, OpenAI, Google, Microsoft.
MCP Blog · Linux Foundation 2025
Market Growth
29%
PTaaS CAGR — fastest segment
Pentest market: $2.74B → $7.41B by 2034. Only 25% of SMEs have ever run a pentest.
Mordor Intelligence · Fortune Business Insights 2025
Market sizing
AI CyberSec TAM: $34B
Pentest TAM: $2.74B
SAM (US+EU+AU): $1.72B
Fortune Business Insights 2025 · AllAboutAI 2025
SME security gap — BrightDefense 2025
Using PTaaS today: 70%+
Planning to adopt: 14%
SMEs ever pentested: 25%
Business
Model + GTM

Subscription SaaS.
Zero-friction onboarding.

Plugs into tools developers already use. No new tooling.

Starter
SMBs · single app
Replaces $5–50K pentests
Growth
Eng teams · CI/CD + SOC 2
10,000+ tests/deploy
Enterprise
Mid-market · unlimited scope
vs. $164K/yr traditional
ROI — 2 manual pentests/yr at $30K = $60K. Operant: ~$12–18K/yr. 3–4× saving from month one.
GTM
01
PLG
MCP ecosystem · GitHub · dev communities
→ 33M US SMBs
02
Sales
Eng teams (50–500) · MSSPs · vCISOs
03
Regulated
Healthcare · Fintech · NIS2 / DORA buyers
Unit economics — 2028
$36K
ARPA / year
vs $164K avg traditional · Cobalt 2024
12.2×
LTV / CAC
$21M
ARR target 2030
85%
Gross margin
Risks
RISK Competitors move downmarket
→ SME pricing + MCP moat they can't replicate
RISK AI regulation restricts offensive tools
→ Compliance-first framing — we ARE the safeguard
RISK MCP security concerns slow adoption
→ Operant is the security layer — risk becomes our value prop
Competition
The Gap

Expensive. Reactive.
Not built for SMEs.

Every alternative costs too much, moves too slowly, or requires a security team.

Solution · Real Exploits · Always-On · SME Price · No Expertise · MCP Native
Traditional Scanners (Nessus, Qualys): ✕ Theory · ~ Scheduled · ~ Mid
Manual Pentest ($10–50K / test): ✓ Expert · ✕ Once
XBOW ($120M raised): ✓ AI · ✕ Per-test · ~
BreachLock ($18.5M ARR): ✓ Hybrid · ~ Periodic · ~
Operant: ✓ Validated · ✓ Always · ✓ SME-first · ✓ Plain English · ✓ Native
KEY INSIGHT — XBOW and BreachLock target enterprise. 90%+ of breached orgs had <1,000 employees. Nobody is building for this customer at scale. That is our gap.
Verizon DBIR 2025
Product
Use Cases

What Operant does

operantlabs.com · github.com/operantlabs/operant-mcp

01
Reduce Real Breach Risk
97.3% CVE detection · 0.2% false positives. Only proven exploitable findings.
CRIT Remote Code Execution
HIGH SQL Injection (auth bypass)
MED  SSRF via open redirect
02
Shorter Path From Test to Fix
80× faster. Results in hours, not weeks — step-by-step reproduction.
TARGET
Recon
Exploit
Report
03
Keep Pace With Modern Dev
10,000+ tests per deploy in CI/CD. Always-on, not point-in-time.
$ operant scan target.example.com
80/tcp open http
[!] CRITICAL detected
04
Meet Compliance With Confidence
SOC 2 · ISO 27001 · PCI DSS — one click. $100K+ saved.
Critical RCE · 9.8
SQLi · 8.6
XSS · 7.5
Benchmarks
Proven Results

Industry-leading scores.

Validated through real bug bounty programs — not lab benchmarks.

Cybench · Exploit Success
Autonomous exploitation across standardised benchmarks
82.4%
Highest of any known AI security agent benchmark.
OWASP Top 10 · Coverage
All categories with validated findings
100%
Every OWASP category covered, exploit-confirmed.
CVE Detection Rate
Known vulnerabilities across CVE databases
97.3%
Zero false negatives on critical severity.
False Positive Rate
Traditional scanners avg 40%+
0.2%
Developers act immediately. No triage fatigue.
Distribution
MCP-Native
Plugs into Claude Code, Cursor, any MCP host. 97M+ monthly downloads. Zero friction.
Trust
Exploit-First
Deterministic validation on every finding. No noise. Developers trust and act immediately.
Speed
80× Faster
Traditional pentest: 2–4 weeks, $10–50K. Operant: hours, continuously, fraction of cost.
Customer
Founder Profile

Who we build for:
the time-poor founder.

Time Poor
Energy should be on the core product
Not on security audits, compliance paperwork, or chasing a consultant for a report that takes 6 weeks.
Resource Limited
No budget for a traditional pentest or a full-time security hire
Manual pentest: $50K per engagement. Dedicated security hire: $120K–$180K/year. Neither is realistic for a 10-person startup.
Undereducated
"Security isn't a big deal for us"
60% of SMEs close within 6 months of a cyberattack. The risk is invisible until it's existential.
Overconfident
"We're too small to be a target"
43% of all cyberattacks hit SMEs. Small companies are easier targets — not ignored ones.
No Accountability
Nobody owns security, so nobody does it
Without a dedicated owner, security becomes everyone's last priority. Operant runs continuously — no owner required.
87%
of critical findings
are found in organizations with under 200 employees. The risk is concentrated exactly where defenses are weakest.
Why Now
The Cost of Manual

Manual security
doesn't scale.

What manual security actually costs
Threat landscape changes daily
What was secure 6 months ago may not be today. Annual pentests leave an 11-month blind spot.
13+ distinct skill domains required
Network · app · cloud · compliance · logging · incident response. No single hire covers this.
$120K–$180K/year for dedicated security personnel
Even then, they can't run 10,000+ tests per deploy or work continuously around the clock.
or 200–400 hours/year on security
= Every hour on security is an hour not spent on product, sales, or customers
Operant vs. the alternative
Metric | Manual | Operant
Cost / year | $120K–$180K | ~$36K
Coverage | 1–2× / year | Continuous
Tests per deploy | 0 | 10,000+
Time to first finding | 2–4 weeks | < 1 hour
Expertise required | Senior CISO | Plain English
Setup | Weeks of scoping | 5 minutes
BOTTOM LINE — Operant costs 80% less than a security hire, runs 24/7, and requires zero security expertise. Every hour saved is an hour back on your product.
The Ask
Why Now

Security that keeps up with
how software is built today.

The threat is real. The market is ready. The product works.

The Problem
88%
of SMB breaches = ransomware
4× enterprise rate. Traditional tools can't keep up with how SMEs ship today.
The Market
29%
CAGR — PTaaS fastest segment
$2.74B → $7.41B by 2034. Enterprise saturated. SMEs underserved.
The Product
5 min
from zero to first pentest
97.3% detection · 0.2% FP · validated across 200+ targets · live demo now.
Operant
operantlabs.com · github.com/operantlabs/operant-mcp
Nominate Operant.
Every SME shipping software has an attacker probing it.
Most have nothing probing back. We fix that.