Continuous Autonomous Pen Testing for a $300M AI Data-Labeling Startup

The Client

A high-growth AI data-labeling company at roughly a $300M valuation, handling sensitive training data for enterprise and frontier-model customers. Their value proposition depends entirely on trust: customers hand over proprietary datasets and expect them to stay locked down. But like most startups scaling at that speed, their security program had been bolted on after product-market fit — pen tests happened once a year, findings aged out before they were fixed, and the attack surface changed faster than any annual audit could track.

We engaged to do two things, in order: find out how exposed they actually were, and then build a security process that keeps pace with how fast they ship.

Discovery: A Full Environment Review

We brought in seasoned security professionals to conduct a comprehensive review of the company’s environment — cloud infrastructure, application surface, identity and access, data-handling pipelines, and the internal tooling the labeling workforce touched every day.

The review surfaced multiple distinct classes of vulnerability, including:

• Misconfigured access controls that granted broader reach into data stores than roles required.
• Exposed and over-permissioned service credentials in the deployment and CI/CD path.
• Application-layer weaknesses in the customer-facing and internal labeling tooling.
• Gaps in network segmentation between the labeling workforce environment and sensitive customer datasets.
• Insufficient monitoring and alerting, meaning a real intrusion could have gone unnoticed for far too long.

Individually, several of these were serious. Together, they painted a clear picture: a point-in-time pen test once a year was structurally incapable of protecting a company changing this fast.

The Core Problem: Cadence

The findings were fixable. The process was the real vulnerability. In the time between annual audits, this team shipped hundreds of changes — new endpoints, new infrastructure, new third-party integrations. Every one of those changes is a chance to reintroduce risk, and none of it would be tested until the next yearly engagement, by which point the report describes an environment that no longer exists.

So the mandate became: move from periodic, manual assurance to continuous, autonomous assurance.

Implementation: A Structured RFP, Then a Production Program

We didn’t pick a tool off a shortlist and hope. We ran a structured RFP across multiple leading providers, evaluating each against the dimensions that actually mattered for this environment:

• Depth and realism of the autonomous testing — does it chain findings the way a real attacker would, or just run a scanner?
• Coverage across cloud, application, identity, and network layers.
• Safety of running offensive testing against production-adjacent systems without disruption.
• Signal quality — actionable, prioritized, low-false-positive findings versus noise.
• Integration with the team’s existing ticketing and remediation workflow.
• Total cost relative to the annual-audit-plus-headcount status quo.

From that evaluation we recommended and stood up an autonomous penetration-testing provider that re-tests the entire environment every two weeks. Rather than a single yearly snapshot, the company now gets a continuous, attacker’s-eye view of its real exposure — with each fortnightly run validating that prior fixes held and catching new weaknesses the moment they’re introduced.

Beyond Pen Testing: A Full Security & Compliance Lift

Continuous testing solved the cadence problem. But the bigger business blocker was trust on paper — the kind enterprise buyers and frontier AI labs demand before they’ll hand over a dataset. So the engagement widened into a full security-and-compliance lift, run shoulder-to-shoulder with their own teams.

SOC 2, end to end

We consulted on their entire SOC 2 implementation — not as a checklist vendor, but hands-on from day one. We helped them kick the program off, select and negotiate with their SOC 2 auditor, and make sense of the controls they actually needed versus the boilerplate. Then we sat with their teams to map each Trust Services Criterion to a real, enforced control in their stack — so the audit described how they genuinely operate.

Hardening the controls auditors actually test

• Change management: we went through their real change-management controls — PR reviews, branch protections, required approvals — and made sure they were correctly configured and genuinely enforced, not just written down in a policy doc.
• Device & access posture: we drove an MDM (mobile device management) implementation so every endpoint touching customer data was managed, encrypted, and policy-compliant — closing one of the most common enterprise-review gaps.
• AI-assisted internal audits: we applied AI to facilitate cleaner internal audits — gathering evidence, flagging control drift, and surfacing gaps before the external auditor ever saw them, which kept the formal audit short and clean.

Turning compliance into revenue

The point was never the certificate — it was the deals it unlocked. We worked directly with their teams on the security and procurement reviews for the five largest tech companies and many of the top AI labs, translating their now-hardened control set into the exact language each vendor-risk team wanted to see. Compliance stopped being a cost center and became the thing that got them through enterprise procurement.

Results

• Multiple classes of exploitable vulnerability identified and remediated in the initial review — before they could be used against customer data.
• A shift from annual to biweekly security validation: 26 attacker-perspective assessments a year instead of one.
• Vendor selected through a rigorous, criteria-driven RFP, not a sales pitch — with the decision documented and defensible.
• Continuous proof, not a stale report — every fix is re-validated automatically, and new risk is caught in the same two-week window it appears.
• A trust posture that matches the business — security assurance that scales as fast as the engineering team ships, which is exactly what enterprise and frontier-model customers demand.
• SOC 2 Type II, implemented end to end — auditor selected and negotiated, controls mapped to how they actually operate, and change-management (PR reviews, approvals) plus an MDM rollout configured and enforced.
• Cleaner, faster internal audits — AI-assisted evidence collection and drift detection caught gaps before the external auditor did.
• Compliance turned into revenue — we walked their team through the security and procurement reviews for the five largest tech companies and many of the top AI labs, turning a hardened control set into closed enterprise deals.

We didn’t just hand over a findings list. We left a program running that re-proves the company’s safety every two weeks — and a SOC 2 control set, hardened change-management, and an MDM posture that turned security from a procurement blocker into the reason the biggest customers in tech said yes.

This engagement is presented with all client-identifying details anonymized.