ESCAPE raises €15 million as AI-generated code fuels a new wave of vulnerabilities

Artificial intelligence is accelerating the production of software. It is also accelerating the emergence of vulnerabilities. As code-generation tools spread across development teams, attack surfaces expand and detection cycles shorten. In this environment, a new generation of cybersecurity tools is attempting to automate penetration testing and vulnerability discovery.

Escape, a startup specializing in automated offensive security, has announced a €15 million Series A funding round to accelerate the development of its platform. The round was led by Balderton Capital, with participation from Uncorrelated Ventures and existing investors IRIS and Y Combinator.

AI is reshaping the timing of cyberattacks

The transformation underway is largely a matter of speed. Software development cycles have accelerated dramatically with the rise of code-generation platforms and AI-assisted programming tools.

In this environment, vulnerabilities appear more quickly and become exploitable sooner. According to figures cited by Escape, organizations now face an average of 1,968 cyberattacks per week, a level that has increased sharply in recent years.

This gap between development speed and the ability to secure systems places increasing pressure on cybersecurity teams. In most technology companies, security teams remain significantly smaller than development teams, limiting their capacity to continuously analyze systems running in production.

This imbalance helps explain the growing interest in automated approaches capable of simulating attacker behavior and identifying vulnerabilities before they are exploited.

The limits of traditional approaches

Until now, application security has relied mainly on two types of tools.

Automated scanners can identify certain known vulnerabilities, but they often remain limited to technical signatures. At the other end of the spectrum, penetration tests conducted by human experts can explore the logic of an application in depth, but their cost and duration make them difficult to deploy at scale.

In an environment where applications are updated continuously, these methods are increasingly difficult to maintain.

Attackers now focus primarily on systems running in production, where the critical elements of an application exist: real configurations, authentication flows, integrations between services and business logic.

This is precisely the layer that new automated offensive security tools aim to analyze.

Agents capable of simulating an attacker

The platform developed by Escape relies on artificial intelligence agents designed to reproduce the strategies of advanced attackers in order to explore application vulnerabilities.

These agents can analyze application logic, detect configuration errors, identify potential data leaks and simulate attacks exploiting weaknesses that appear only in production environments.

The approach aims to automate the entire offensive security lifecycle: mapping the attack surface, performing continuous penetration testing and providing contextual remediation guidance.

The objective is not simply to generate reports, but to maintain a continuous cycle of detection and remediation.

According to the company, this automation can significantly reduce the time required for security testing. Some users report that processes previously taking several days can now be completed in a matter of hours.

The challenge of “vibe coding”

A recent phenomenon is amplifying this issue: the growing number of applications produced using automated code-generation tools, sometimes described as “vibe coding.”

This development model, often faster and accessible to developers with limited security expertise, can introduce vulnerabilities that traditional tools struggle to detect.

Escape reports having identified more than 2,000 serious vulnerabilities across 5,600 public applications created using this type of development, including 175 cases exposing personal data and sensitive secrets.

All of these vulnerabilities were present in production environments and potentially exploitable within hours.

For security teams, the challenge lies in the nature of these weaknesses: they often stem from business logic errors or interactions between services rather than isolated coding mistakes.

Toward continuous security

These changes are part of a broader evolution in cybersecurity practices, marked by the gradual integration of security tools directly into development pipelines.

The objective is to move from periodic audits to continuous security, embedded directly into production workflows.

Tools capable of automating penetration testing and analyzing application behavior could therefore become standard components of DevSecOps architectures.

In an environment where code production continues to accelerate, the ability to continuously simulate attacker behavior may become a fundamental requirement for securing modern applications.

Escape in brief

Escape is a cybersecurity startup focused on application security and automated offensive security. The company develops a platform designed to simulate cyberattacks in order to identify application vulnerabilities and help security teams remediate them.

The company was founded by Tristan Kalos and Antoine Carossio, who bring experience in machine learning and cybersecurity gained in Europe and Canada.

The platform is currently used by more than 2,000 security teams worldwide, including organizations such as BetterHelp, PandaDoc, CyberCube and Arkose Labs. Each month, Escape performs more than 300,000 security assessments across its customer base.

With this €15 million Series A funding round, led by Balderton Capital with participation from Uncorrelated Ventures, IRIS and Y Combinator, the company plans to accelerate engineering and commercial hiring in Europe and the United States while further developing its AI agents designed to perform autonomous penetration testing.