The Offensive Security Market in Malaysia
Awareness of cybersecurity in Malaysia remains limited: many organisations consider breaches unlikely and engage vendors mainly to satisfy regulators.
This weak demand has produced a low-quality market. We have observed a common pattern across Malaysian vendors:
- Inconsistent or mediocre reports written by unqualified pentesters, often with low-impact findings and inflated severity ratings
- Clients still pay regardless of output quality
- Race-to-the-bottom pricing: there is no cheapest, only cheaper
We think this is wrong. Cybersecurity is a critical function that demands professional, rigorous attention.
Being yet another vendor offering the same thing isn't fun. We challenged ourselves to raise the industry standard by offering higher-quality output with transparent and fair pricing.
Malaysia's First Autonomous Web Application Pentest Solution: G4LAHAD
Everything is "AI-powered" nowadays. We get the fatigue, but skepticism about agentic pentesting ignores clear, demonstrable progress and real-world results.
Numerous solutions (XBOW, Hacktron, Wiz Red Agent, Ethihack, Shannon, etc.) have consistently led HackerOne leaderboards; Pwn2Own hit a hard submission cap for the first time in the competition's 19-year history due to AI-powered vulnerability research; distro-wide Linux privilege escalations are being released every few weeks.
It's surprising that no Malaysian vendor had built an autonomous pentest solution, until now.
After months of development, we're proud to launch Malaysia's first autonomous black-box web application pentest solution, with benchmarked performance comparable to local junior and senior pentesters as well as to global autonomous solutions.
G4LAHAD vs Other Solutions
We benchmark using XBOW labs to provide a standardized comparison across solutions, while respecting that real-world CVEs and bounties matter most. This is how we compare against industry peers.
| | G4LAHAD | PAIStrike | Shannon | Neo | AIKO | KinoSec | PwnKit | Xfenser | SQUR |
|---|---|---|---|---|---|---|---|---|---|
| With Source Code? | No | No | Yes | No | No | No | No | No | No |
| Benchmark Score* | 94% (98/104) | 93% (97/104) | 96% (100/104) | 94% (98/104) | 100% | 99.04% (103/104) | 86% (90/104) | 88% (92/104) | 87% (91/104) |
* Benchmark score is based on XBOW benchmark: https://github.com/xbow-engineering/validation-benchmarks
G4LAHAD may appear like another solution at first glance, but it's actually built MAD from the ground up: Model Agnostic, Autonomous and Deterministic.
Deterministic: G4LAHAD is the only solution that passes a determinism test; a lab is only marked successful if it is solved at least three consecutive times, ensuring repeatable and reliable coverage in real-life security assessments.
Model Agnostic: In addition to Claude/GPT, we use open models (GLM 5.1, Qwen 3.5 27B). Most solutions either use only Claude/GPT or remain a black box.
G4LAHAD vs Junior/Senior Pentesters
Some lab challenges reach junior/senior pentester difficulty; far more exciting than boring reports with HTTP header or cookie-flag findings.
- Writing custom scripts for padding-oracle and AES-CBC bit-flipping attacks
- Crafting a server-side template injection (SSTI) payload targeting a specific library or function to achieve remote code execution
- Autonomously searching for vulnerable components, filtering for the most relevant exploit, then understanding, customizing and executing it
- Finding an initial Local File Inclusion (LFI), then an arbitrary file upload, and chaining them by uploading a webshell and triggering it via the LFI
- Crafting a Python pickle payload to achieve remote code execution
Think of G4LAHAD as a tireless junior/senior pentester that never forgets techniques and scales infinitely for concurrent tests.
Autonomous Pentest With Human Supervision
We believe AI augments, not replaces, humans. No matter how intelligent the new models are, Anthropic and OpenAI continue to hire rather than lay off. As great as Mythos is, Anthropic still has a bug bounty program. While building G4LAHAD we saw humans spot more direct exploit paths when the tool struggled. LLMs excel at crafting complex, hard-to-remember payloads and encodings and at performing repetitive, tedious tests; humans excel at strategy and intuition.
Furthermore, human oversight prevents catastrophic agent mistakes in the most sensitive production environments (e.g., destructive actions or data exfiltration via prompt injection).
We therefore keep strong (and meaningful) talent standards: all consultants must be at least OSCP-certified or have proven CTF, CVE and bug-bounty experience. Yes, CGPA and exam grades do not matter to us.
While claims like "I found 20 bugs with /goal" or "10 CVEs discovered entirely by Claude" sound impressive, we remain skeptical of selling this as a standalone product that runs 100% autonomously without human supervision or verification.
We strongly agree with the following post and stand firm in our hybrid approach.
Malaysia's First Transparent Pricing & Pay-on-Success Guarantee
Our autonomous pentest platform and certified consultants ensure both speed and depth in security assessments, enabling a new pricing model:
- We charge by scope, not by man-days. Pricing is fully transparent on our site. It makes no sense for clients to pay more just because a vendor takes more time. It's comprehensiveness that matters, not duration.
- Full refund if we find no issues of Medium severity or higher
Next Chapter
We'll talk more about the features, architecture and lessons learned while building the solution!