Continuous Red‑Teaming: Novee’s $51.5M Push to Turn AI Hacking into Everyday Enterprise Defense


When the first generation of AI models marched out of research labs and into production, many treated them like new, smarter databases: package the weights, guard the API keys, and hope the old security playbook still applied. That assumption has unraveled. Today’s AI systems are living, adaptive, and porous — they ingest user inputs, learn from telemetry, orchestrate downstream services, and in doing so create broad and novel attack surfaces.

Into that gap steps Novee, an Israeli startup that just raised $51.5 million to scale a platform promising to flip the security paradigm: instead of pen tests that happen once a quarter, or reactive incident response after a breach, the company touts continuous, AI-powered offensive testing that treats enterprise AI systems as perpetually under simulated attack. The result is not a single snapshot of vulnerability, but a constantly refreshed picture of what can go wrong and how to fix it.

Why continuous offensive testing matters for AI

Traditional penetration testing works against stable, well-understood targets: web servers, networks, and monolithic applications. AI systems are different in three fundamental ways.

  • Dynamic behavior: Models evolve — through retraining, new data, and configuration tuning. A configuration that was secure yesterday can leak sensitive information tomorrow.
  • Semantic attack surface: Threats are linguistic and contextual. Prompt injection, data poisoning, model inversion, and chain-of-thought leakage exploit meaning rather than protocol flaws.
  • Compositional complexity: AI systems often orchestrate other services, call APIs, generate content, and take actions in the world. A failure in a model can cascade into broader system compromise.

Continuous offensive testing treats those realities as central, not peripheral. Rather than waiting for a periodic audit, it relentlessly probes models with adversarial inputs, simulates threat actor playbooks, and traces how adversarial successes propagate through pipelines and business logic. That approach recognizes that security needs to be as rapid and iterative as the development cycles that produce modern AI features.

What an AI-powered offensive security platform looks like

At its core, the platform being scaled by Novee sits at the intersection of adversarial machine learning, automation, and enterprise software controls. Its capabilities typically include:

  • Automated adversarial attack generation: Creating both generic and targeted adversarial prompts and inputs that probe for prompt injection, hallucinations that reveal sensitive data, or manipulations that drive unsafe outputs.
  • Model inversion and data-leak tests: Probing whether private training data or sensitive metadata can be reconstructed from model behavior.
  • Supply-chain and integration fuzzing: Stress-testing the interactions between models, APIs, and downstream services to reveal lateral movement or privilege escalation paths.
  • Simulation of threat actors: Running red-team scenarios that mimic insider misuse, external adversaries, or adversarial automation to measure risk across personas.
  • Continuous monitoring and drift detection: Watching for configuration changes, distributional shifts, and model drift that open new vulnerabilities over time.
  • Actionable remediation workflows: Prioritization of findings, integration with CI/CD and MLOps tooling, and guided playbooks for mitigation.

The artful part is not just generating attacks but making the results digestible and operational: triaging which findings are true breaches, mapping the business impact, and weaving tests into developer workflows so fixes don’t languish in a ticket backlog.

Funding as a signal — and a call to action

A $51.5 million round is less about runway and more about a market signal. It reflects growing enterprise recognition that AI systems can be converted into attack vectors at scale, and that protecting them requires more than ad hoc manual review. Organizations deploying conversational agents, decision-support models, or automated agents are now asking not whether they need security, but how to make security continuous and automated.

That funding will likely go toward hiring engineers and building the product integrations and data infrastructure needed to run massively parallel adversarial campaigns across many customers. It will also push the industry to consider how offensive testing can be safely shared: red-team findings are sensitive, and the tooling that powers them has dual-use potential.

Dual-use concerns and the governance problem

There is an uncomfortable truth: the same tools that help a bank or healthcare provider harden its AI systems could be repurposed by malicious actors to discover vulnerabilities at scale. That dual-use dilemma sits at the heart of the conversation about offensive tooling in cyberspace.

Responsible deployment requires thoughtful guardrails: access controls, safe red-team environments, ethical use policies, and, in some cases, oversight or certification. For enterprise buyers, the calculus has to consider not just the technical efficacy of tests, but the legal and compliance implications of running simulated attacks that might touch regulated data or third-party systems.

How continuous offensive testing reshapes roles and processes

Adopting this approach nudges organizations to rethink both technology stacks and human workflows. Security teams need tighter integration with ML engineers and product owners. CI/CD pipelines must accommodate automated red-team runs. Incident response playbooks expand to include model remediation and retraining steps. Compliance teams will want attestations that adversarial testing is part of a demonstrable risk reduction program.

The ultimate benefit is cultural: security moves from being a gatekeeping afterthought to a continuous design constraint embedded in model development and deployment cycles.

The future: standards, marketplaces, and shared hygiene

As continuous offensive testing becomes more common, the next layer of progress will be standardization. Benchmarks for attack types, reproducible validation suites, and normative reporting formats will help organizations compare their posture and choose vendors wisely. There’s also room for community-driven hygiene practices: safe, anonymized repositories of attack signatures and mitigations that accelerate defensive responses across industries.

Market dynamics will shape who provides these capabilities. Platform providers may offer offensive testing as a managed service; security specialists will offer tailored red-team scenarios; and enterprise tooling will need to balance automation with human oversight. The winners will be those who make adversarial insights actionable, auditable, and easily woven into existing engineering rhythms.

A pragmatic, courageous posture

The arrival of substantial funding for continuous AI offensive testing is more than a headline: it is a recognition that the age of periodic security checks is over. AI systems change rapidly and interact with unpredictable inputs; defenders must become equally nimble. Continuous red-teaming does not promise invulnerability. No system can be perfectly safe. But it changes the odds, converting surprise into a recurring analytic problem with measurable, repeatable mitigation paths.

Treating AI security as continuous defense is a pragmatic, courageous posture: accept that vulnerabilities will appear, but refuse to let them persist unexamined.

The wider AI community — from builders to buyers to auditors — will need to adopt new expectations. When AI features ship, they should come with an operational security curve: how quickly can adversarial weaknesses be discovered, triaged, and fixed? The bar set by continuous offensive testing is not merely technical; it is a promise of resilience.

Novee’s $51.5 million raise is part of a broader industry pivot toward that promise. It signals demand for tooling that embraces AI’s unique failure modes, automates the grind of adversarial discovery, and integrates findings directly into the machinery of modern software delivery. The next decade of AI will not be decided in a single audit or a single patch; it will be decided in the relentless cycles of attack, discovery, and repair that define continuous security.

For organizations racing to put AI to work, the lesson is clear: invest in the capacity to be surprised, and then set up systems that ensure surprises become lessons, not disasters.

Sophie Tate
AI Industry Insider - Sophie Tate delivers exclusive stories from the heart of the AI world, offering a unique perspective on the innovators and companies shaping the future. Authoritative, well-informed, connected, delivers exclusive scoops and industry updates. The well-connected journalist with insider knowledge of AI startups, big tech moves, and key players.
