When a developer leaves your SaaS company, you revoke their Okta access, disable their GitHub account, and rotate API keys. But what happens to the AI agent they built last month, the one that still has standing access to your production customer database?
We've spent the past six months testing AI implementations for European B2B SaaS companies, and we keep seeing a pattern that should concern every technical founder: orphaned AI agents create persistent access paths that traditional security audits miss. This is not theoretical. We found production agents with full database access whose creators had left the company four to six months earlier.
Securing these systems takes a different approach than securing traditional software. AI agents don't just run code. They make autonomous decisions about what data to access and when.
The identity problem: AI agents don't show up in your IAM audit Your identity and access management system knows about human users and service accounts. But does it know about the LangChain agent your backend engineer spun up to automate customer support ticket classification?
Hey PH I'm Beatriz, co-founder of Faultline Security We do penetration testing for startups and SaaS companies. Seed to Series B, mostly B2B, mostly teams that don't have a dedicated security person yet.
The short version: we charge EUR 3,000, turn around reports in under two weeks, and the report is structured so your engineers can fix it and your auditor can sign off on it. Most pentest firms charge EUR 15,000 40,000 and take six weeks. We built for a different kind of company.
Why we started this
A founder we know lost a Series A because when the lead investor asked for a pentest report, he didn't have one. Not a security failure. A paperwork failure. He'd built something real, had paying customers, good metrics. But no report. The round didn't close.