The test that never ends
Somewhere right now, a Strike agent is knocking on a bank's front door. Not to break in - to prove it could. It maps an API, probes a login flow, chains a misconfiguration into something uglier, and writes it all down. When the finding looks serious, a human named on a roster of vetted hackers picks it up and decides whether it is real. This loop does not stop for weekends. That is the entire pitch.
Strike is a New York-headquartered, remote-first cybersecurity company that sells one stubborn idea: security testing should be continuous, not an annual event you survive and forget. It calls the method continuous hybrid validation - AI for speed and coverage, expert humans for judgment. Roughly 75 people run it. More than 120 enterprises across 20-plus countries pay for it, among them Santander, Mercado Libre and Okta.
Attacker speed at defensive scale. - Strike's tagline, which is also, conveniently, its whole business plan
Attack is cheap. Defense is not.
Here is the asymmetry that keeps security leaders awake. A capable attacker, working from a laptop, can probe a company for next to nothing. The company defending against that attacker spends a fortune - and, historically, only checks its own walls once or twice a year, because a traditional penetration test is expensive, slow, and booked months in advance.
So the math goes sideways. Software ships every week. The attack surface changes every day. And the audit that is supposed to catch the holes arrives, at best, twice a year and arrives as a PDF that is already out of date. The gap between "we were tested" and "we are secure" is where breaches live.
Penetration testing is done at most one or two times a year because it is extremely expensive and time-consuming. - Santiago Rosenblatt, Founder & CEO
Strike's read on the problem is unsentimental: the once-a-year pentest is not a safety net, it is a snapshot. And a snapshot of a moving target is mostly decoration.
A hacker who started at six
Santiago Rosenblatt tells a story that sounds invented and apparently is not. He says he started hacking at six and a half, poking at platforms out of plain curiosity to understand how big systems worked. By 15 he had crossed the fence to defense, helping protect Latin American companies including AstroPay and PedidosYa. Later he led application security at the kind of enterprises that get attacked for a living.
From that chair he watched the asymmetry up close: companies paying enormous sums to defend against people working, cheaply, from home. In 2021 he founded Strike to flip the ratio - to make continuous, expert-grade testing affordable enough to run all the time. He did not build it alone.
The bet was simple and slightly heretical: that you could make elite offensive security a subscription, not a special occasion. - The Strike thesis, paraphrased without the slide deck
Machines do the volume. People do the verdict.
The platform continuously tests an organization's attack surface - web apps, APIs, mobile apps, cloud infrastructure and internal networks. Under the hood sits Strike360, a proprietary engine that automates the full lifecycle: discovery, exploitation, retesting, remediation. The company says its AI agents now surface up to 80% of what expert researchers find. The other 20% - and the judgment about what actually matters - is where the humans earn their keep.
Those humans have a name. Strike calls its vetted network of ethical hackers Strikers, and they provide the contextual oversight that automation alone cannot fake: deciding whether a finding is exploitable, whether it is dangerous, whether it is worth a 2 a.m. page. The unglamorous part - reports, compliance, fixing - gets its own tooling too.
- Strike360: The AI engine that runs discovery through remediation, aiming to automate half the pentesting process and cut detection from months to seconds.
- Strikers Network: An elite roster of red-team specialists and bug hunters who validate findings on the assets that actually matter.
- Compliance Suite: Automated reporting and workflows for SOC 2, ISO 27001, HIPAA and PCI DSS, wired into Jira and Slack.
- Remediation Hub: Guided fix workflows - not just longer reports - credited with a 44% drop in mean time to remediate.
The short, fast history of Strike
The numbers, and who is paying them
Skeptics are right to ask whether "continuous" is marketing or method. Strike answers with a scoreboard: more than $4.5 billion in risk mitigated, over 6,000 critical vulnerabilities reported with validated findings, 97% precision, and a 44% cut in remediation time. A Gartner rating of 4.9 out of 5 does not hurt the pitch either.
Where the precision argument lives
And the customers are not a list of logos nobody recognizes. Banks, fintechs, marketplaces and tech firms across the Americas trust Strike with their attack surface:
If your bank is being tested twice a year, a Striker would like a word. - the uncomfortable subtext of every enterprise sales call
Resilience for an AI-powered world
Strike frames its mission as building cyber resilience for advanced, AI-powered ecosystems - which is a polished way of saying the threats are getting faster, so the testing has to. The company describes itself as operating from an attacker's mindset while defending the people who hire it. The $13.5 million Series A, led by FinTech Collective with Galicia Ventures, Greyhound Capital, FJ Labs and Canary, is fuel for exactly that: more Strike360, more markets, more Strikers.
It helps that the people writing checks know the terrain. Strike says it is backed by security operators including the CISO of Palo Alto Networks and a co-founder of Auth0 - the sort of names that signal this is not a generic SaaS bet dressed in hacker clothes.
Strike is flipping the script on traditional security testing. Our AI-driven platform will accelerate vulnerability detection and remediation at a scale never seen before. - Santiago Rosenblatt, Founder & CEO
The snapshot is dying. Something has to replace it.
Here is the wager about the next few years. As AI writes more code and ships it faster, the gap between "tested" and "secure" gets wider, not narrower. A defense model built around an annual checkup simply cannot keep up with software that changes daily. Strike's argument is that the only honest answer is to test continuously - and that the only way to do that affordably is to let machines handle the volume while humans handle the verdict.
The competition is real - HackerOne, Bugcrowd, Synack, Cobalt and the old-guard consultancies are all chasing some version of this. Strike's distinction is the blend, and the geography: it is exporting deep Latin American hacking talent into the U.S. and Brazil, packaged as a subscription rather than a special occasion.
So return to where we started. Somewhere right now, a Strike agent is knocking on a door. The difference Strike is betting on is not that the knock is louder. It is that the knock never stops - and that when something gives, a human is already on the line to tell you whether it matters. The annual pentest got you a photograph. Strike is selling the live feed.
You cannot secure a moving target with a still photograph. Strike's bet is the live feed. - the closing argument, delivered without a slide
Field Notes
- The founder says he started hacking at six and a half - out of curiosity, not mischief.
- By 15 he was defending major companies, including AstroPay and PedidosYa.
- The human testers have a name: Strikers. The word "scan" is conspicuously absent from the brand.
- Total raised to date is roughly $24.67M across seed and Series A.