
Shikhil Sharma, Co-Founder & CEO of Astra Security – Interview Series

by admin

Shikhil Sharma is the Founder of Astra Security – a continuous pentesting platform. At the very onset of his career, Shikhil consulted a number of businesses, startups & banks on cyber security. After helping some top businesses secure their websites & apps, Shikhil noted how ineffective traditional pentesting was, and founded Astra Security to help bridge that gap. He deeply cares about building habit-forming products and designing intuitive marketing campaigns.

Astra Security recently raised $2.7 million to revolutionize cybersecurity with AI-Driven pentesting.

Your journey started with consulting businesses and banks on cybersecurity. What gaps did you identify in traditional pentesting that led to the creation of Astra Security?

A traditional pentest is often done as a point-in-time exercise. It’s usually triggered by regulatory requirements or when a vulnerability is suspected, leaving the applications vulnerable to hacks for an extended period between pentests. Traditional pentesting, which is service-driven, often overwhelms customers with 500-page reports filled with jargon but lacking actionable insights.

Communication is typically unstructured, leaving stakeholders, developers, CTOs, CISOs, and even pentesters frustrated by the lack of seamless collaboration and clear remediation guidance. With AI increasing the rate at which new code is being pushed into production, the traditional penetration testing approach fails to keep up. This led us to create Astra Security, a continuous offensive pentesting platform.

Astra Security aims to make cybersecurity “super simple” for SMEs. How does your approach differ from traditional security solutions in the market?

SMEs need simple, effective security that doesn’t slow them down. That’s where Astra Security stands out. Our approach is built around ease of use, automation, actionable insights, and making security continuous at scale. Every few months there’s a new acronym for tools, ranging from CSPM, SSPM, CTEM, and ASPM, which mid-sized businesses find difficult to keep up with. At Astra, we offer features from all of these without naming them anything fancy, to keep the platform user-friendly.

Our platform integrates directly into the CI/CD pipeline, providing real-time alerts and guided remediation so teams without dedicated security experts can stay protected.

What are some of the most innovative AI-driven security features Astra has developed to stay ahead of cybercriminals?

Astra’s AI-powered offensive security engine is designed to detect, correlate, and remediate vulnerabilities at scale. Our platform continuously scans infrastructure by leveraging AI-driven attack simulations via threat modeling, mimicking real-world hacker tactics to uncover even the most sophisticated threats. We offer a friendly bot, “Astranaut,” which has the context of each vulnerability in the customer’s stack, and helps developers fix vulnerabilities quickly.

Astra Security offers “continuous pentesting.” How does this differ from traditional pentesting, and why is this shift necessary?

Astra’s continuous pentesting platform makes security real-time and proactive, unlike traditional one-off tests. Our AI-powered platform continuously scans infrastructure, detects vulnerabilities, and simulates real-world attacks, providing instant alerts, risk prioritization, and AI-driven remediation so developers can fix issues faster. With cyber threats evolving daily, businesses can’t afford to wait months for the next test. Astra combines AI automation with expert validation, ensuring 24/7 protection and reduced risk exposure.

Your platform has identified over 110,000 vulnerabilities per month. Can you share insights on some of the most surprising or critical vulnerabilities you’ve discovered?

The actual number of vulnerabilities we identify every month is 200,000+. We still see injection-based attacks like SQL and scripting attacks that have been around for years remaining among the top findings on our platform. Surprisingly, broken access control is widespread, with many applications vulnerable to it. We were able to see this at scale after we launched a broken access control scanner module in beta internally. Another thing that surprises us is how often secret keys are unintentionally committed to customer-facing code, from Stripe, Slack, to email service provider keys – we’ve seen it all.

What role do human security researchers play in Astra’s AI-powered pentesting platform? How do automation and human expertise complement each other?

At Astra, AI automation and Astra’s security experts work hand in hand to deliver precise, actionable, and real-time security assessments. While AI accelerates vulnerability detection and automates attack simulations, our security researchers bring deep context, validation, and innovative analysis, ensuring no critical flaw goes unnoticed. We believe pentesters now have an even more important role to play: they no longer have to spend time reporting low-hanging vulnerabilities again and again, and can instead focus more on actual critical potential attacks.

With cloud environments growing in complexity, how is Astra Security evolving to protect modern SaaS and cloud-based infrastructures?

Our platform proactively scans cloud workloads, APIs, and identities, detecting misconfigurations, privilege escalation risks, and real-world attack vectors. Astra ensures businesses can scale securely – without compromising agility – with deep cloud integrations, automated compliance checks, and security embedded into CI/CD pipelines.

Your background includes participating in high-profile bug bounty programs. What was your most memorable vulnerability discovery?

One of the most memorable vulnerability discoveries of my bug bounty journey was identifying a critical authentication bypass and injection attack in a major marketplace platform. The flaw allowed attackers to access user accounts without valid credentials, potentially exposing sensitive financial data. What made this discovery stand out was its real-world impact: had it been exploited, it could have led to large-scale financial fraud. Responsible disclosure ensured the vulnerability was patched before any damage occurred.

You’re actively involved in cybersecurity and often speak at industry events. What role does community engagement play in shaping Astra’s mission?

Community engagement is key to Astra’s mission. Interacting with security professionals, developers, and CISOs helps us understand emerging challenges firsthand. These insights directly influence our product innovations, ensuring we build solutions that are not only cutting-edge but also practical, effective, and aligned with industry needs. At Astra, we’ve built The 403 Circle—our exclusive community of 100+ CTOs and CISOs, where security leaders share experiences, exchange insights, and seek guidance from peers on the frontlines of cybersecurity.

Where do you see Astra Security five years from now, and what’s your ultimate vision for its impact on the cybersecurity industry?

Five years from now, Astra will be at the forefront of AI-driven offensive security, making continuous pentesting the industry standard. Our goal is to eliminate the traditional, reactive approach to security by providing businesses with an automated, intelligent security engine that detects, prioritizes, and helps remediate vulnerabilities in real-time. Astra will shape the future of proactive cybersecurity, helping businesses move beyond periodic security testing to always-on, AI-powered protection that scales with them.

Thank you for the great interview. Readers who wish to learn more should visit Astra Security.
