Hacktron Raises $2.9M Pre-Seed to Bring AI Pentesting Into Every Pull Request

Software development got faster. Security didn’t. That mismatch has quietly become one of the most expensive problems in modern infrastructure, especially as AI-generated code accelerates release cycles across enterprise software, cloud infrastructure, and developer tooling markets.

Hacktron, a San Francisco-based AI-powered cybersecurity startup, just raised $2.9M in pre-seed funding to attack that problem directly. The round was led by Crane Venture Partners with participation from Project Europe, Vercel Ventures, Plug and Play Ventures, and Cambridge Enterprise Ventures. The company was founded by competitive hackers and offensive security researchers Zayne “zeyu1337” Zhang, Co-Founder and CEO, Mohan “s1r1us” Pedhapati, Co-Founder and CTO, and Harsh “rootxharsh” Jaiswal, Co-Founder and Chief Research Officer. Their pitch is brutally simple: if attackers are already using AI to accelerate vulnerability discovery, defenders cannot keep relying on quarterly pentests and compliance theater wrapped in expensive PDFs.

Hacktron says its autonomous offensive security platform continuously tests every code change using attacker-style analysis integrated directly into software development workflows and CI/CD pipelines. That distinction matters. Most security tooling still behaves like airport security in 2004. Shoes off. Laptop out. Everybody inconvenienced. Nobody convinced.

What Happened

Hacktron announced a $2.9M pre-seed round on May 13, 2026. Crane Venture Partners led the financing alongside Project Europe, Vercel Ventures, Plug and Play Ventures, and Cambridge Enterprise Ventures. The company positions itself as an autonomous offensive security platform capable of continuously identifying exploitable vulnerabilities during software development. Instead of periodic penetration testing engagements, Hacktron runs continuous application security testing on every pull request and code change.

The startup says it generated roughly $240K in revenue during its first 9 months of operation. Hacktron also disclosed security testing work involving companies including Perplexity AI and Supabase, alongside vulnerability disclosures tied to ecosystems connected to GitHub, GitLab, OAuth2 Proxy, BeyondTrust Remote Support, Next.js infrastructure, and Cloudflare-related systems. That’s an unusually aggressive traction profile for a pre-seed cybersecurity company. Most early security startups spend their first year refining slide decks and arguing about dashboards. Hacktron came to market talking like operators who already know where the bodies are buried because they helped uncover them.

The funding round also reflects continued investor appetite for AI cybersecurity startups positioned around developer workflows and infrastructure automation. Venture firms increasingly want platforms embedded directly into software production pipelines rather than security tools bolted onto systems after deployment.

Why Hacktron Matters

Cybersecurity is entering an uncomfortable transition period where AI benefits both software builders and attackers simultaneously. Developers now ship code at extraordinary speed using AI coding assistants, autonomous workflows, and compressed deployment cycles. The attack surface expands with every productivity gain. Security teams, meanwhile, are often trapped inside workflows designed for slower release cycles and smaller infrastructure footprints. That gap is becoming operationally dangerous.

Hacktron’s approach reflects a broader shift happening across application security: continuous offensive testing instead of episodic compliance exercises. The company’s founders come from offensive security, bug bounty, and competitive hacking backgrounds, which shapes the product philosophy. Their worldview is not “how do we generate another alert?” It is “how would someone actually break this system?” That sounds subtle until you realize most enterprise security software still measures success by volume of findings instead of exploitability.

Continuous pentesting matters because AI-assisted development environments create vulnerabilities at machine speed. Traditional security review cycles simply cannot keep pace with modern software deployment velocity. Boards are tired of spending millions on security stacks only to discover attackers still found the one exposed credential nobody patched because the Jira ticket died in administrative purgatory.

The Founders Bring Offensive Security Credibility

Hacktron’s founding team is part of the story investors are betting on. Zayne Zhang is described by the company as a Cambridge CS dropout, former TikTok employee, former military operator, DEF CON CTF runner-up, and contributor to 15 CVEs. Mohan Pedhapati previously worked as a Senior Security Researcher at Cure53 and founded a security auditing company that reportedly reached €1.5M in revenue. Harsh Jaiswal previously worked at ProjectDiscovery and built a reputation in bug bounty circles and offensive security research.

This matters because cybersecurity buyers have become deeply skeptical of “AI security” branding. The phrase itself has started to resemble nutritional labeling on cereal boxes. Everybody claims intelligence. Everybody claims automation. Everybody claims accuracy. Meanwhile, enterprise security teams are drowning in alerts while attackers quietly walk through forgotten API keys and misconfigured cloud permissions.

Hacktron’s credibility comes less from marketing language and more from the backgrounds of the people building the system. Competitive hackers tend to think differently about software because they spend their lives studying assumptions. Every exploit begins with somebody noticing a system behaving slightly differently than expected. That mindset does not emerge from quarterly compliance meetings and vendor webinars featuring stock photography of people smiling at dashboards.

The “No Pwn, No Pay” Strategy Is Not Normal

Hacktron is also running a “No Pwn, No Pay” offer for qualifying pentest engagements. If the company does not uncover a validated High or Critical severity issue, Hacktron refunds the engagement. That is either confidence or controlled insanity depending on which side of the procurement process you sit on. But strategically, it makes sense.

Cybersecurity vendors have spent years monetizing fear, uncertainty, and checkbox compliance. Buyers increasingly want measurable outcomes instead of abstract promises wrapped in acronyms. A guarantee tied directly to vulnerability discovery changes the psychology of the sales conversation. It also signals something larger happening across security markets: customers are beginning to expect performance accountability from AI-native infrastructure vendors.

That trend extends beyond cybersecurity. Across enterprise AI infrastructure, developer tooling markets, and infrastructure automation platforms, investors are rewarding companies willing to tie revenue closer to measurable operational outcomes. The era of “trust us, the dashboard looks impressive” is fading fast.

What This Signals About Cybersecurity Markets

Hacktron’s funding round reflects a broader market shift toward autonomous security infrastructure. Traditional pentesting remains valuable, but it struggles to scale against modern deployment velocity. Software teams now deploy continuously. AI-generated code accelerates iteration speed even further. Attackers automate reconnaissance and vulnerability discovery. Static review cycles increasingly resemble trying to inspect highway traffic using a folding chair and binoculars.

That creates an opening for companies building continuous offensive testing systems integrated directly into developer workflows. The investor lineup also matters. Crane Venture Partners has historically focused on developer infrastructure and enterprise tooling. Vercel Ventures participating is strategically notable given Hacktron’s positioning around modern software stacks and developer-centric workflows.

The deeper signal underneath this funding round is philosophical: security is moving closer to software production itself. Instead of operating as a downstream audit function, security tooling increasingly needs to behave like infrastructure embedded inside the development lifecycle. The startups that understand that transition early will likely define the next generation of application security markets. The ones still selling static compliance rituals wrapped in polished enterprise branding may discover the future arrived while they were updating the PowerPoint template.

Frequently Asked Questions

What is Hacktron?

Hacktron is a San Francisco-based AI-powered cybersecurity startup building an autonomous offensive security platform for continuous vulnerability testing during software development.

How much funding did Hacktron raise?

Hacktron raised $2.9M in pre-seed funding led by Crane Venture Partners.

Who invested in Hacktron?

Investors include Crane Venture Partners, Project Europe, Vercel Ventures, Plug and Play Ventures, and Cambridge Enterprise Ventures.

Who founded Hacktron?

Hacktron was founded by Zayne Zhang, Mohan Pedhapati, and Harsh Jaiswal, all of whom come from offensive security and competitive hacking backgrounds.

What does Hacktron’s platform do?

Hacktron continuously analyzes pull requests and code changes using AI-driven attacker-style testing designed to uncover exploitable vulnerabilities in modern software environments.

Why does continuous pentesting matter?

Continuous pentesting helps security teams identify vulnerabilities immediately as software changes, reducing risk created by rapid AI-assisted development cycles and continuous deployment environments.

What is Hacktron’s “No Pwn, No Pay” program?

Hacktron offers a limited-time pentesting guarantee where qualifying customers receive a refund if no validated High or Critical severity vulnerabilities are discovered during the engagement.

Why are investors interested in AI cybersecurity startups like Hacktron?

Investors see growing demand for autonomous security infrastructure as AI accelerates software development, expands attack surfaces, and increases pressure on traditional security review models.