Your annual red team engagement produces a 60-page PDF that reflects your attack surface as it existed three weeks ago, during a two-week window, scoped to the assets you already knew about. By the time remediation starts, your developers have shipped 40 new endpoints, an acquisition brought in three forgotten subdomains, and a set of credentials leaked on a dark web forum nobody checked.
That is not a red team. That is a historical document.
Continuous automated red teaming (CART) exists because adversaries do not wait for your fiscal year to reset. This article breaks down what CART actually does, how it differs from point-in-time red teams and DAST scanners, and what a mature implementation looks like in 2026.
See what your real attack surface looks like before your next red team engagement.
Free AI Pen Test. No asset list required.
What Continuous Automated Red Teaming Actually Means
CART is not a scanner on a schedule. It is not a DAST tool with a cron job. The word “red teaming” carries specific weight. It means an attacker-perspective assessment that chains findings across systems, tests business logic, abuses identity, and follows a kill chain from initial access to lateral movement.
Continuous means the assessment runs weekly, on-demand, or triggers automatically when your attack surface changes. Automated means AI agents execute the testing, not a consultant who flies in twice a year.
The combination matters. Continuous without automation means you are paying for a retainer that rarely fires. Automated without genuine red-team logic means you get a scanner that finds injection points but misses the credential reuse path from your forgotten staging app into your production Active Directory.
A real CART platform does three things in sequence:
1. Discovers the full external attack surface from a zero-knowledge starting point: shadow apps, forgotten subdomains, API endpoints extracted from JavaScript, and leaked credentials from dark web sources.
2. Exploits validated findings with working proof-of-concept code, not a CVSS score and a recommendation.
3. Chains those findings into multi-stage attack paths that follow the MITRE ATT&CK kill chain, pivoting app-to-app and app-to-network.
If a platform stops at step two, it is an automated pentest tool. Step three is what makes it red teaming.
Why Annual Red Teams Fail in 2026
The argument for annual red teams used to be cost. A two-week engagement from a reputable firm runs $2,400 to $10,000 per application depending on scope. At that price, you test your highest-priority apps once a year and accept the gap.
That tradeoff made sense when attack surfaces were stable and exploit development took months. Neither is true anymore.
The Attack Surface Moves Faster Than the Engagement Cycle
A mid-size enterprise on a two-week sprint cycle ships hundreds of changes between annual tests. Each deployment can introduce new endpoints, new authentication flows, and new third-party integrations. An acquisition adds an entirely unknown app estate overnight.
Your annual red team scopes to a predefined asset list you submitted before the engagement started. Shadow apps, newly spun-up staging environments, and subdomains created during M&A activity never make it onto that list.
The Exploit Window Has Collapsed
CVEs are exploited in about 3 days on average today. An annual engagement that finds a critical vulnerability in November does not help you if that same vulnerability was exploited against you in March.
Point-in-Time Results Create False Confidence
A clean red team report does not mean you are secure. It means you were not exploitable during those two weeks, on those assets, by that team. Three weeks later, after a new deployment and a credential leak, the picture is different.
CISOs who rely on annual reports to answer board questions about security posture are answering with stale data. That gap between assumed risk and real risk is where breaches happen. Annual testing typically covers about 20 percent of the attack surface. The other 80 percent sits untested for 365 days.
How CART Works: The Three-Phase Model
A mature CART implementation runs three connected phases continuously.
Phase 1: Discover
The platform maps your real external attack surface starting from your organization name alone. No asset list required. Discovery finds:
Shadow apps and forgotten subdomains not in your CMDB. API endpoints extracted from JavaScript files. Leaked credentials from dark web sources. Exposed admin panels, development environments, and staging apps.
This phase runs continuously. When a new subdomain appears, the platform detects it and queues it for testing automatically. You do not need to tell the platform your attack surface changed.
Phase 2: Pentest
AI agents run authenticated and unauthenticated testing against every discovered asset. Testing aligns to OWASP Top 10 2025 and covers business logic flaws, credential abuse, and authentication bypass, not just injection and misconfiguration.
Every confirmed finding ships with a working Python proof-of-concept exploit, exact steps to reproduce, and full evidence. False positive rates under 2 percent mean your team spends time on real findings, not triage noise. DAST tools typically produce 40 to 70 percent false positives. The difference in analyst time is not marginal.
Phase 3: Chain
This is the red team layer. The platform links individual findings across apps, APIs, and identity systems into multi-stage attack paths. A credential leaked from a forgotten subdomain gets tested for reuse against your primary application. A broken access control finding in one API gets chained with an authentication bypass in another. App-to-network pivots test whether an exploited web app can reach internal infrastructure or Active Directory.
This follows the full MITRE ATT&CK kill chain: initial access, execution, persistence, privilege escalation, lateral movement. The output is not a list of vulnerabilities. It is a demonstrated attack path with working exploits at each step.
CART vs. DAST Scanners: Not the Same Category
DAST scanners test for known vulnerability patterns by sending payloads and observing responses. They are fast, relatively cheap, and decent at finding injection flaws and misconfigurations.
They do not discover shadow assets. They do not test business logic. They do not chain findings. They do not simulate an attacker who has already compromised one app and is pivoting to the next.
The 40 to 70 percent false positive rate from most DAST tools is also a real operational cost. If your team spends three hours a week triaging scanner noise, that is time not spent on validated, exploitable findings.
CART replaces the red team engagement. DAST tools are a different category entirely.
CART vs. Annual Manual Red Teams: A Direct Comparison
| Dimension | Annual Manual Red Team | Continuous Automated Red Teaming |
|---|---|---|
| Frequency | Once per year | Weekly, on-demand, or trigger-based |
| Lead time | 2+ weeks | None |
| Asset coverage | Predefined list | Full external attack surface from org name |
| Shadow app discovery | No | Yes |
| False positive rate | Low (human-validated) | Under 2% |
| Cost per app | $2,400 to $10,000 | $450 to $2,500 |
| PoC exploit delivery | Sometimes | Every finding |
| MITRE ATT&CK chaining | Yes (manual) | Yes (automated) |
| Compliance audit trail | Report PDF | Continuous logs |
| Time to first finding | Days to weeks | Hours |
The cost difference is not marginal. In one Fortune 500 case, per-app testing cost dropped from about $5,000 to under $1,000 by moving to continuous automated testing, an 11x reduction. At that price point, you can test every application in your portfolio on a weekly cadence instead of your top five once a year, scaling coverage from roughly 200 apps to 2,000 or more.
The Governance Question: Can You Actually Run This in Production?
The legitimate concern with autonomous AI red teaming is control. An AI agent running exploits against production systems without guardrails is a liability, not a security tool.
A well-designed CART platform addresses this directly. Scope guardrails define exactly what agents can and cannot touch. Every action logs with full chain-of-thought transparency, so you can audit what ran, when, and why. You choose fully autonomous mode or expert-in-the-loop, where your team reviews and approves before the platform executes.
This matters for compliance. SOC 2, PCI DSS 4.0, and ISO 27001 all require documented evidence of security testing. Continuous testing with full audit logs satisfies that requirement far more completely than an annual PDF from a consulting firm.
What to Look for in a CART Platform
Not every platform claiming continuous automated red teaming actually delivers it. When evaluating options, ask these specific questions.
Does it discover assets you did not provide? If you have to submit an asset list, it is not doing discovery. A real CART platform finds shadow apps and forgotten subdomains from your org name alone.
Does every finding include a working exploit? A finding without a proof-of-concept is a hypothesis. You need working PoC code to prioritize remediation accurately and to demonstrate real risk to stakeholders.
Does it chain findings across systems? Single-app findings are useful. Multi-stage attack paths following the MITRE ATT&CK kill chain are what red teams actually produce. If the platform stops at the application boundary, it is not red teaming.
What are the benchmark results? Any platform making accuracy claims should have public benchmark data. Ask for results on XBEN, Acuart, or DVWA. If they cannot produce numbers, treat their accuracy claims as unverified.
What are the scope guardrails? You need to know exactly what the agents will and will not do before you approve a production run. A vague answer means the platform is not enterprise-ready.
Where FireCompass Fits
FireCompass created the Continuous Automated Red Teaming category and holds a USPTO patent tied to that work. It was one of the first platforms to run Discover, Pentest, and Chain as a connected, continuous sequence rather than three separate tools stitched together.
On benchmarks: 100 percent on XBEN (104/104), 12 out of 12 PoC-validated on Acuart, and DVWA at all difficulty levels, fully autonomous with no manual steering. False positive rates stay under 2 percent, versus 40 to 70 percent for scanners.
FireCompass appears in Gartner‘s Adversarial Exposure Validation (AEV) Market Guide coverage and has been referenced across four consecutive Gartner Hype Cycle reports. FireCompass also holds a GigaOm Leader recognition (2023), among 30+ analyst reports from Gartner, Forrester, IDC, and GigaOm combined. Bruce Schneier advises the company.
Today, FireCompass’s primary focus is AI-native Web App and API pentesting: the same agentic platform that pioneered CART now runs continuous discovery, exploit-validated pentesting, and multi-stage red teaming as one system, whether you need a single application tested this week or your entire external estate tested on a standing weekly cadence. CART is not a side project bolted onto a scanner. It is the same engine, pointed at your whole attack surface instead of one app at a time.
To see what your external attack surface actually looks like before running a full engagement, the Explorer tool at firecompass.com/explorer builds a real attack surface map from your org name at no cost.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
The Compliance Angle
PCI DSS 4.0 tightened penetration testing requirements. Requirement 11.4 now expects more rigorous, documented testing with clear scope and evidence. Annual point-in-time tests satisfy the letter of the requirement but leave a 364-day gap between assessments.
DORA, which applies to financial entities in the EU, expects threat-led penetration testing on a defined cadence. ISO 27001 requires documented evidence of security testing as part of the information security management system.
Continuous automated red teaming with full audit logs satisfies these requirements more completely than annual engagements. Every test run is logged. Every finding is documented with evidence. Every agent action is traceable. That is the audit trail compliance frameworks expect.
Annual Red Teams Are Not Going Away Entirely
To be direct: manual red teams still have a place. A skilled human team will find things an automated platform misses, particularly in complex social engineering scenarios, physical security, and highly customized application logic that requires deep contextual reasoning.
The argument is not that manual red teams are worthless. The argument is that running one per year as your primary offensive security program is no longer sufficient. The attack surface changes too fast. The exploit window is too short. The cost of continuous testing has dropped far enough that the old tradeoff no longer holds.
Use CART as your continuous baseline. Use manual red teams for targeted, high-stakes assessments where human judgment adds irreplaceable value.
Conclusion
Annual red teams made sense when attack surfaces were stable and exploit development took months. Neither condition holds in 2026. Your attack surface changes with every deployment, every acquisition, every developer who spins up a new subdomain. Adversaries chain findings across systems in hours, not months. 22 percent of breaches start with credential abuse, and 20 percent trace back to peripheral-asset access, exactly the blind spots an annual, list-scoped engagement is built to miss.
CART closes that gap. It discovers what you did not know you had, exploits what is actually exploitable, and chains findings into the attack paths a real adversary would follow. At $450 to $2,500 per app versus $2,400 to $10,000 for manual, you can test everything continuously instead of testing some things once a year.
The question is not whether to adopt CART. The question is how long you can afford to wait.
Governance & Safety
Continuous only works if it is safe to run in production.
Scope enforcement, production-safe execution, a forensic audit trail, and kill switches on every engagement.
FAQs
What is continuous automated red teaming (CART)?
Continuous automated red teaming is an approach where AI agents run attacker-perspective security assessments on a recurring or trigger-based cadence rather than as a point-in-time engagement. A full CART implementation discovers assets, exploits validated findings with proof-of-concept code, and chains results into multi-stage attack paths aligned to the MITRE ATT&CK kill chain.
How is CART different from a DAST scanner?
DAST scanners test for known vulnerability patterns on assets you provide. They do not discover shadow apps, test business logic, or chain findings across systems. CART platforms discover your full external attack surface from a zero-knowledge starting point, deliver working exploits for every finding, and simulate multi-stage attack paths. False positive rates also differ significantly: DAST tools typically produce 40 to 70 percent false positives versus under 2 percent for a well-built CART platform.
Can continuous automated red teaming replace annual manual red teams?
For most enterprises, CART should replace annual manual red teams as the primary continuous testing program. Manual red teams still add value for targeted, high-complexity assessments where human creativity and contextual reasoning are essential. The practical case for annual manual red teams as the sole offensive security program has weakened significantly as CART platforms have matured and costs have dropped.
Is it safe to run automated red teaming against production systems?
Yes, with the right platform. Enterprise-grade CART platforms include configurable scope guardrails that define exactly what agents can and cannot test. Every agent action logs with full chain-of-thought transparency. You can run in fully autonomous mode or expert-in-the-loop mode where your team approves actions before execution. Platforms that do not offer these controls are not suitable for production environments.
How does CART support compliance requirements like PCI DSS 4.0 or ISO 27001?
Continuous automated red teaming produces a full audit trail of every test run, every finding, and every agent action. This documentation satisfies the evidence requirements under PCI DSS 4.0 Requirement 11.4, ISO 27001 security testing controls, and SOC 2 security criteria. Continuous testing also addresses the cadence expectations in frameworks like DORA more effectively than annual point-in-time assessments.
How quickly does a CART platform find the first exploitable finding?
A mature CART platform typically produces validated findings within hours of the first run, with no lead time or scoping calls required. Discovery of shadow assets and forgotten subdomains begins immediately from your organization name. Contrast that with manual engagements that require two or more weeks from kickoff to first finding.
What benchmarks should I use to evaluate a CART platform’s accuracy?
Ask vendors for results on public benchmarks including XBEN, Acuart, and DVWA at all difficulty levels. These benchmarks test whether the platform can actually find and exploit known vulnerabilities, not just detect them. Any platform making accuracy claims without public benchmark data is asking you to take their word for it.
Frequently Asked Questions
What is Continuous Automated Red Teaming (CART)?
CART is a category FireCompass created that runs red team functions, attack surface discovery, exploitation, and multi-stage attack chaining, on an ongoing automated cadence instead of as a single annual engagement, so validation keeps pace with a changing environment.
How is CART different from a traditional annual red team engagement?
Traditional red teaming happens once a year and covers roughly 20 percent of the attack surface at that point in time. CART runs continuously, re-testing as assets change, which matters given that CVEs are typically exploited within about 3 days of disclosure.
Does CART replace the need for human red teamers?
CART automates the systematic, repeatable parts: discovery, exploitation, credential testing, and attack chaining. Human red teamers remain valuable for genuinely novel attack paths and social engineering that require creative judgment automation doesn’t replicate.
What does CART actually validate versus just scanning?
CART validates exploitability with working proof-of-concept code and chains individual findings into full attack paths, the way a real adversary would move from initial access to a high-value target, rather than just listing potential vulnerabilities.
Is CART still FireCompass’s primary focus in 2026?
FireCompass’s primary focus has shifted to AI-native web app and API penetration testing. CART remains a maintained capability and the category FireCompass originated, but it is not the current lead offering.
How does CART fit with compliance requirements like PCI DSS 4.0?
PCI DSS 4.0 and similar frameworks are tightening testing frequency expectations. A continuous cadence like CART’s produces an ongoing audit trail of tested and validated findings, which maps more naturally to frequent compliance windows than a single annual report.
