AI already ate the easy bugs. Lorikeet went hunting where AI can’t see.

Hot take: if you’re still buying pentests to catch SQLi in 2026, you’re paying for nostalgia. AI-assisted code review (Claude, Cursor, Copilot, CodeQL, Semgrep) annihilated most low-hanging source-level vulns. The risk that remains is runtime: session edge cases, TLS posture, proxy boundaries, file-system hygiene—stuff LLMs can theorize about but can’t validate without touching the live stack. Lorikeet Security is built for that reality. It’s a penetration testing and offensive security firm with manual web/app/API/mobile/cloud testing, continuous Attack Surface Management (ASM), vCISO, and SOC-as-a-Service—all delivered via a PTaaS portal with live findings, real-time chat, and integrated reporting. Their Flowtriq case study (two Highs found after an AI pass fixed code-level XSS/SQLi/templating/weak crypto) is the pattern I’m seeing in my own workflow, too.

Architecture & Design Principles

Lorikeet’s value shows up at the seams of distributed systems, so the portal and delivery model matter. The PTaaS portal surfaces live findings, which implies an event-driven backend (think job queue + evidence store) and real-time transport (WebSockets or server-sent events) so developers don’t wait for PDF archaeology. Multi-tenant isolation and RBAC are table stakes: engagements, evidence, and credentials must be logically scoped and encrypted at rest with strong KMS-backed key hygiene.

On the testing side, their approach prioritizes runtime validation: active probes for TLS and proxy behavior, controlled session manipulation, and filesystem artifact inspection in deployed environments or ephemeral test accounts. ASM likely runs a continuous recon pipeline—dns/cert transparency/crawl—feeding an asset graph that testers pivot through. Findings are normalized (CVSS + exploitability context) and mapped to compliance controls for SOC 2, HIPAA, PCI-DSS, HITRUST, and FedRAMP. The design philosophy: let AI clear trivial code smells, then dispatch humans to interrogate real behavior at the perimeter and control plane.

Feature Breakdown

Core Capabilities

• Manual Web/App/API/Cloud Pentesting

  • Technical: Stateful testing that exercises auth flows (rotation on privilege change, SameSite/HttpOnly/Secure flags, CSRF token scope), content security (CSP, framing), TLS posture (protocol min, cipher selection, OCSP stapling, HSTS preload), reverse-proxy trust chains (X-Forwarded-For, Host/Origin validation), and filesystem hygiene (world-writable temp dirs, debug artifacts, leaked secrets in build output).
  • Use case: After your AI audit closes XSS/SQLi/template injection, Lorikeet still surfaces session fixation or header-misconfig issues that only appear under specific routing or failover conditions.

• Continuous Attack Surface Management (ASM)

  • Technical: Continuous passive/active discovery across DNS, certificate transparency, cloud perimeters, and HTTP fingerprints, deduplicated into an asset inventory with deltas and alerting. Think “brownfield drift detector” that catches shadow subdomains, forgotten S3 buckets, or TLS regressions between releases.
  • Use case: You ship weekly; ASM flags that a new reverse proxy pool dropped HSTS and reintroduced TLSv1.0 support before a botnet finds it.

• PTaaS Portal with Live Findings and Real-Time Chat

  • Technical: Event-sourced findings feed with evidence attachments, replayable POCs (curl/HTTPie snippets), affected asset linkage, and status transitions (Open → Triaged → Fixed → Verified). Real-time chat collapses the back-and-forth: testers share live traffic captures; engineers post patches; retests are queued and logged.
  • Use case: During an incident rehearsal, your team asks for immediate retest of a hotfix; Lorikeet validates within the portal and ships a compliance-mapped note you can hand to audit.

Integration Ecosystem

A modern PTaaS portal lives or dies by integration. Expect exportable findings in machine-readable formats (JSON/CSV, ideally SARIF) and webhook notifications to bridge into ticketing/alerting. SSO (SAML/OIDC) is essential for enterprise orgs; granular RBAC and SCIM provisioning keep access sane. Real-time chat often displaces Slack/email, but webhook bridges let you mirror critical updates into your on-call channels. For CI/CD, the practical pattern is “merge closes an issue, webhook triggers automated retest,” with human validation captured in the portal.

Security & Compliance

Data handling should minimize blast radius: scoped credentials, time-bounded access, encrypted evidence, and PII scrubbing in artifacts. Lorikeet maps findings to compliance frameworks, which shortens your auditor conversations: each issue ties to a control (e.g., SOC 2 CC6.7, PCI 6.6) and remediation evidence is centralized. For regulated workloads, look for enterprise features like tenant-specific data retention, regional residency, and detailed activity logs.

Performance Considerations

Speed here isn’t TPS; it’s feedback latency. Real-time findings and chat reduce the mean time to remediation by days versus static reports. Manual testing won’t “scale” like scanners, but it scales where it counts—precision. Continuous ASM keeps noise down by enriching discoveries before escalating. Reliability-wise, you want portal uptime SLAs and predictable retest windows; evidence storage should handle large artifacts (pcaps, screenshots) without timing out your team mid-incident.

How It Compares Technically

• Versus AI code review (CodeQL, Semgrep, Snyk Code, Copilot Security): those tools excel at source-level patterns; they can’t assert HSTS deployment, proxy trust boundaries, or session rotation under RBAC transitions. Lorikeet fills the runtime/config gap.
• Versus DAST/SAST/IAST platforms (Burp Suite Enterprise, OWASP ZAP automations, Contrast): automation catches broad classes but struggles with multi-hop auth, environment-specific headers, and emergent behaviors under load balancers/CDNs. Lorikeet’s human-led probes uncover those.
• Versus legacy PTaaS (Cobalt, NetSPI, Bishop Fox portals): similar delivery mechanics, but Lorikeet’s positioning is AI-native—explicitly assuming your code is pre-sanitized and focusing effort on runtime and infrastructure seams. That reallocation of tester time is the practical differentiator.
• Versus bug bounty: great for breadth and creativity, weaker on structured compliance mapping and coordinated retesting timelines. Lorikeet optimizes for enterprise readiness.

Developer Experience

What matters to me: reproducible steps with exact headers, cookies, and curl commands; clear affected asset scoping; and retest automation. Lorikeet’s live portal and chat shorten the “can you repro?” loop, and integrated reporting means fewer PDF diff wars. If they offer SARIF/JSON exports and webhooks, you can pipe results into your backlog and CI. The case study cadence—AI pass first, targeted manual second—is the least-painful DX I’ve seen for fast-moving teams.

Technical Verdict

Strengths: AI-native philosophy, runtime-first methodology, and a modern PTaaS portal that compresses remediation cycles. The Flowtriq results—two Highs post-AI audit in session management, TLS posture, filesystem hygiene, and reverse-proxy headers—mirror what I routinely see. Limitations: manual work is human-time-bound; you still need access orchestration and staging parity to get full value. Ideal for SaaS/AI teams and regulated orgs that already run AI code review and want practitioner-grade validation mapped to SOC 2/HIPAA/PCI/HITRUST/FedRAMP. If your threat model lives at the edges and in the config, this is where you should spend. For the case study details, see lorikeetsecurity.com/blog/flowtriq-case-study-ai-audit-pentest-gap.