Sweet launches AI red-team agent to test attack paths

Sweet Security has launched Sweet Attack, an AI red-team agent that is now generally available to customers.

The launch comes as security teams face growing pressure to measure their exposure to AI-assisted attacks, following the emergence of the Mythos benchmark that Sweet cited in explaining the release.

Sweet Attack is designed to test attack paths inside live production environments, rather than relying on external probing or synthetic test conditions. It uses runtime data already indexed by Sweet, including application behaviour, identity paths, exposed interfaces and deployed source code, to identify combinations of weaknesses that can be exploited in practice.

Sweet describes the product as an AI red-team agent that validates attack chains step by step. If a possible route cannot be exercised, it is dropped. If a route works, the system continues and records the conditions that allowed the chain to succeed.

The approach reflects a wider shift in cyber security from broad vulnerability scanning toward verifying real exploitability. Many large organisations have long used a mix of Dynamic Application Security Testing tools and human red teams, but both can leave gaps, particularly when defenders struggle to determine which findings present a credible route to breach.

According to Sweet, the product continuously enumerates and executes attack chains in a controlled way. It logs each validated chain with evidence, exploitation steps and suggested remediation paths.

Two customers cited by Sweet said the product helped them narrow their focus from large volumes of theoretical weaknesses to a smaller set of attack paths that could actually be used.

"Cast & Crew has engaged tier-one offensive security firms for years. Sweet Attack surfaced exploitable attack paths in three days that prior engagements had not identified, and paired the findings with a concrete, prioritized remediation plan we were able to action immediately. The combination of depth and operational usability is what set the engagement apart," said Tal Hornstein, chief information security officer at Cast & Crew Entertainment Services.

The second customer account focused on prioritisation.

"While we always had visibility into our vulnerabilities, we lacked the necessary context for consistent and effective prioritization. Our teams often struggled to balance endless remediations with product deadlines because validating every attack path was impossible. Sweet Attack changed this by quickly surfacing verified, exploitable paths. This shifted our focus from simply 'remediating vulnerabilities' to 'preventing breaches'. In a world where AI accelerates the threat landscape, discovering and remediating these attack paths before attackers exploit them matters most," said Birat Niraula, CISO at Auctane.

How it works

According to Sweet, the product starts with data already gathered from customer environments rather than guesswork at the perimeter. This includes runtime topology, unencrypted Layer 7 exposure, deployed source code, identity paths and live application behaviour.

From there, Sweet Attack looks for openings across vulnerabilities, exposed APIs, unauthenticated endpoints, permissive access scopes and identity relationships. It then tests combinations of those conditions to determine whether they form a workable attack chain.

The emphasis on Layer 7 data is notable because it pushes the analysis closer to how modern applications behave in production, especially in environments where cloud services, APIs and AI-driven workloads create a shifting set of interactions. By replaying API calls, prompts, identities and responses, the system is intended to show security teams not just where a weakness exists, but how it may be traversed in sequence.

That could appeal to chief information security officers under pressure to present clearer risk metrics to boards. Security leaders are increasingly being asked not only for counts of vulnerabilities, but also for evidence of whether those weaknesses can be joined into a realistic path to compromise.

Market pressure

Sweet framed the launch around that pressure, arguing that AI is increasing the speed at which attackers can find and exploit weaknesses. Its position is that defenders need systems that can test live environments with the same pace and logic while remaining controlled and non-destructive.

Dror Kashti, Chief Executive Officer and Co-founder of Sweet Security, made that case in the company's announcement.

"For two years the industry has been bracing for an attacker class moving at AI speed - with nation-state tooling and live knowledge of every exploitable seam. Mythos forced everyone to put a number on the gap. We can. Sweet Attack doesn't model the threat - it safely executes it against the customer's actual production environment and reports back what worked. The myth is that defenders can't keep up with attack speed. Sweet Attack debunks it," said Kashti.

Sweet Security positions itself around cloud and AI security, with a focus on observing live behaviour in dynamic environments. Sweet Attack is available to all existing customers, extending that model from detection and exposure analysis into active validation of exploit paths.

The central claim behind the launch is that security teams need fewer theoretical findings and more proof of which attack routes work in practice.