ITTech Pulse Exclusive Interview with Gal Malachi, Co-Founder and Chief Technology Officer of Terra Security
Gal Malachi, Co-Founder of Terra Security, in an ITTech Pulse interview, shares how autonomous security agents improve vulnerability prioritization by validating real-world exploitability.
Gal, your career spans cybersecurity engineering and startup innovation. Could you share how your journey led to co-founding Terra Security and focusing on autonomous security validation?
My background is deeply rooted in security and engineering. I spent years building and securing complex systems across large organizations and startups, working closely with developers, infrastructure teams, and security teams. Over time, I consistently saw the same gap.
Engineering velocity kept increasing. CI/CD, cloud-native architectures, microservices, and now AI-assisted development dramatically accelerated how fast teams ship code. But security validation did not evolve at the same pace. Penetration testing remained mostly manual, periodic, and expensive, while scanners lacked the context to understand real-world risk.
That mismatch became even more extreme with AI. Today, teams can generate and deploy features in hours or even minutes. The attack surface changes continuously, but validation still happens every few months in many organizations.
Terra was founded to solve exactly that problem. We built an agentic system that brings offensive security into the same operational model as modern engineering. Instead of testing occasionally, we continuously simulate real attackers, validate exploitability, and provide actionable results that align with how software is actually built and shipped today.
With modern software development moving rapidly, how do you see AI transforming traditional penetration testing and helping security teams continuously identify and validate vulnerabilities across complex enterprise application environments?
AI is fundamentally changing both sides of the equation.
On the development side, AI accelerates code generation, integration, and iteration. That increases complexity and expands the attack surface at a pace that was not possible before.
On the security side, AI allows us to move from static testing to adaptive systems. Traditional penetration testing is constrained by human bandwidth. Even highly skilled testers cannot continuously track every change across distributed systems, APIs, and business logic flows.
What we are building instead is a system of specialized agents that can reason about applications, explore attack paths, chain vulnerabilities, and validate exploitability in context. These agents operate continuously and adapt as the application evolves.
The key shift is from finding potential issues to proving real risk. Security teams need to know what can actually be exploited in their environment right now, not just what might be vulnerable in theory.
ITTech Pulse recently covered Terra Security becoming the first AWS partner for Autonomous Security Validation. What inspired this milestone, and how does this recognition reflect the growing importance of AI-driven security testing?
This milestone is a reflection of a broader shift in the industry.
Customers are no longer satisfied with periodic assessments that provide a snapshot in time. Their environments change too quickly, especially with cloud-native architectures and AI-driven development. They need continuous validation of their real exposure.
Working closely with AWS customers, it became clear that this was not a niche problem. It is a structural gap in how security operates today. The recognition as the first AWS partner for Autonomous Security Validation shows that this category is becoming real and necessary.
It also highlights that AI-driven offensive security is moving from experimentation to production. Organizations are starting to rely on these systems to validate risk in environments that are too dynamic for traditional approaches.
Many organizations deploy new code weekly but test security far less frequently, creating a significant exposure gap. How does Terra’s autonomous validation approach help security teams keep pace with modern development cycles?
The core issue is the gap between change and validation.
In many organizations, code changes daily or weekly, but security validation happens quarterly or during specific milestones. That means vulnerabilities can exist in production for long periods without being tested in a realistic way.
Terra closes that gap by making validation continuous and aligned with the live system. Our agents continuously interact with the application, explore new functionality, and test for exploitable paths as they emerge.
We are not just scanning for known issues. We are simulating attacker behavior, including multi-step attack chains, authentication flows, and business logic abuse. That allows security teams to detect and validate issues shortly after they are introduced, rather than months later.
This is what enables security to operate at the same pace as CI/CD instead of lagging behind it.
Terra’s platform uses AI agents to discover, exploit, and validate vulnerabilities continuously. How does this agentic approach improve accuracy, coverage, and real-world exploit validation compared to traditional penetration testing methods?
The agentic approach introduces reasoning and adaptability into the testing process.
Traditional tools rely heavily on predefined signatures and rules. They are effective for known patterns but struggle with context, especially in modern applications where vulnerabilities often depend on specific flows or combinations of behaviors.
Human testers bring that context, but they are limited by time and scope.
Agents allow us to scale that reasoning. They can explore large state spaces, test different hypotheses, and adjust their strategy based on responses from the application. They can chain multiple steps, maintain session context, and validate whether an attack actually succeeds.
This improves coverage because testing is not limited to predefined paths. It improves accuracy because findings are tied to successful exploitation attempts. And it improves prioritization because security teams receive evidence of real impact instead of theoretical risk.
As organizations increasingly adopt cloud-native development and CI/CD pipelines, how important is integrating autonomous security validation directly into development workflows to ensure security keeps pace with rapid application releases?
It is critical.
In a modern environment, security cannot be an external process that runs occasionally. It needs to be part of the system itself. Applications are constantly changing, infrastructure is dynamic, and dependencies are updated continuously.
By integrating autonomous validation into development workflows, organizations can validate security as part of their normal delivery cycle. This means testing new features, APIs, and integrations as they are introduced, not after the fact.
It also changes how teams prioritize work. When developers see validated, reproducible vulnerabilities tied to real exploit scenarios, it becomes much easier to fix issues quickly and effectively.
Looking ahead to 2026, what key trends do you expect to shape AI-driven offensive security, continuous threat exposure management, and automated vulnerability validation as enterprises strengthen their cybersecurity posture?
Several trends are becoming clear.
First, exploitability will become the primary signal. Organizations will move away from large volumes of findings toward validated, high-confidence risks that reflect real attacker behavior.
Second, AI-generated applications will introduce new classes of vulnerabilities. Copilots, autonomous workflows, and AI-driven integrations create complex and often unpredictable attack surfaces.
Third, continuous validation will become a standard requirement, not an advanced capability. Just like monitoring and observability became always-on, security validation will follow the same path.
Fourth, agentic systems will become more specialized and collaborative. Instead of a single model doing everything, we will see systems composed of multiple agents, each focused on specific aspects of offensive security, working together to simulate realistic attacks.
For CISOs and engineering teams adopting AI-driven security platforms, what advice would you offer to help organizations transition from periodic penetration testing toward continuous, autonomous security validation practices?
Start by reframing the goal.
The objective is not to run more tests. It is to continuously understand and reduce real risk.
Focus on integrating validation into your existing workflows rather than treating it as a separate activity. Align it with how your teams build and deploy software.
Prioritize systems that provide exploitability validation and clear evidence. That is what enables teams to make decisions quickly and confidently.
And finally, adopt a gradual approach. You do not need to replace everything at once. Start by augmenting your existing processes with continuous validation and expand from there as teams build trust in the system.
The key is to close the gap between how fast you build and how fast you validate. That is the fundamental challenge AI has introduced, and also the opportunity.
Thank you, Mr. Gal Malachi, for taking the time to share your insights with us.
Gal Malachi is the Co-Founder and Chief Technology Officer of Terra Security, where he is building an AI-native platform for autonomous, continuous penetration testing. He is redefining offensive security with AI and has a track record of turning complex ideas into scalable, real-world systems.
Terra Security provides Agentic AI-Powered continuous penetration testing aligned to code changes and evolving attack surfaces, combining a swarm of trained AI Agents with human supervision for safety and control. The company works with Fortune 500 organizations to ensure every attack surface is covered across the web, AI, internal apps, APIs, mobile, networks, and the cloud. Winner of the 2025 CrowdStrike/AWS/NVIDIA Cybersecurity Accelerator, and backed by SYN Ventures, Felicis, Lama Partners, SVCI, Underscore VC, Dell Technologies Capital, and Capital One Ventures. The company is based in the U.S. and Tel Aviv.