Pentesters: Is AI Coming for Your Role?

We’ve been hearing the same story for years: AI is coming for your job. In fact, in 2017, McKinsey printed a report, Jobs Lost, Jobs Gained: Workforce Transitions in a Time of Automation, predicting that by 2030, 375 million workers would need to find new jobs or risk being displaced by AI and automation. Queue the anxiety.

There have been ongoing whispers about what roles would be impacted, and pentesting has recently come into question. With AI now able to automate tasks such as vulnerability scans and network scans—among other things—and with platforms like PlexTrac adding AI capabilities to cut back on the manual effort, will pentesters be out of a job?

Let’s start with some optimism. This year, McKinsey retracted its former prediction that 375 million workers would be displaced by AI, lowering the prediction to roughly 92 million workers. The article continued to ease concern stating that although some jobs may become obsolete, it’s more likely that jobs will simply undergo a transition and that an estimated 170 million new roles will emerge from the ashes.

Circling back to pentesting, it’s fair to assume that some aspects of the role will lend itself more to automation in the coming years, and some pentesting-related roles might have to pivot, but AI is missing an element that sets pentesting apart from other automated scanner tools: the human element. As cited by the Cloud Security Alliance, “Rather than replacing humans, AI serves as a force multiplier for penetration testers.”

AI Will Enhance, Not Replace, Pentesting Capabilities

One common misconception is that AI will make pentesters a thing of the past. The reality is far more nuanced. Automation has already begun to assist in streamlining some of the more monotonous, repetitive tasks, but human creativity and expertise remain irreplaceable.

The Script Kiddies Are (Machine) Learning

AI is changing the barriers to entry for pentesting. With the help of AI-powered tools, folks with less technical experience—often referred to as script kiddies—will be able to perform more sophisticated tests without needing an in-depth understanding of the underlying mechanics. AI lowers the barrier to entry by automating more complex tasks like vulnerability scanning, adversary simulation, and exploitation. Such automation enables these users to identify and exploit weaknesses in systems with greater ease.

While pentesters may have a negative view of script kiddies, the advancements in AI and automation benefit everyone. Removing low-hanging fruit allows testers of all levels to take on more intricate and valuable engagements, raising their skill level and making them more effective and secure in their roles. With AI handling the tedious groundwork, all testers can focus on learning the deeper nuances of pentesting, ultimately becoming more proficient and contributing more to the security landscape.

Focusing on Higher-Value Work: Let AI Handle the Monotonous Tasks

It’s not just script kiddies that will reap the benefits of AI—pentesters can as well. By leveraging automation, pentesters are freed up to focus on tasks that demand a higher level of expertise or human intervention. For instance, AI can automate the discovery of vulnerabilities, allowing pentesters to focus on crafting unique exploits or conducting advanced red team exercises that require a nuanced understanding of human behavior and business logic.

Specific tasks AI can automate include:

• Facilitating deeper research and Open Source Intelligence (OSINT) gathering
• Scanning for common vulnerabilities and exposures (CVEs) in target systems
• Conducting basic network scans and identifying potential attack vectors
• Categorizing and prioritizing discovered vulnerabilities based on severity and exploitability
• Crafting exploits based on the technology stack of the current engagement
• Suggesting additional test cases to conduct based on previously identified vulnerabilities

By eliminating these repetitive tasks, AI allows pentesters to spend more time exploring sophisticated exploits, finding hidden flaws, and thinking outside the box—skills that are beyond AI’s reach for the foreseeable future.

Phishing and Social Engineering 2.0: AI’s Hook for Better Simulations

AI’s impact on pentesting is also evident in the realm of social engineering. The technology is already advancing phishing simulations and training exercises. AI’s ability to analyze vast amounts of data, understand human behaviors, and craft more believable phishing attacks or social engineering scenarios allows penetration testers to conduct more realistic attacks. This means that businesses can be better prepared for real-world threats, as AI enhances the authenticity of simulated attacks.

Moreover, AI tools can provide feedback and coaching, allowing penetration testers to refine their social engineering techniques and learn from past engagements, improving their craft over time.

AI Will Accelerate the Pentesting Process: Speed Meets Precision

AI can dramatically speed up most, if not all, stages of the penetration testing lifecycle. For example:

• OSINT and Information Gathering: AI can analyze an organization’s technology stack, identify known vulnerabilities in the tools and platforms in use, and suggest potential attack vectors more quickly than a human could manually research.
• Threat Modeling: Based on the data collected, AI can recommend specific threats to emulate based on previous success rates correlated to the gathered intelligence.
• Anomaly Detection: When sifting through massive datasets, AI excels at detecting patterns and identifying outliers. It can flag anomalous findings that might otherwise be buried in an ocean of data, allowing pentesters to focus on the most critical vulnerabilities.
• Exploit Development: AI tools can assist pentesters in generating exploit code tailored to the specific technology stack or system they are testing.
• Post Exploitation: AI can help cover tracks of exploitation, removing evidence that the testers were even there in a more comprehensive fashion. It can also leave false clues to keep the defenders guessing and lead their investigation down rabbit trails.
• Pentest/Offensive Security Reporting: Just like GPT tools that help you write an email, you can use generative AI to speed pentest reports. PlexTrac, a leading pentest reporting platform, integrates AI to help generate exploit findings, summarize data, and even draft executive summaries for reports. But, of course, you need to make sure the platform you leverage keeps your data safe. PlexTrac’s homegrown AI solution operates in a pre-trained capacity. The system and underlying components do not learn over time or retain user submissions beyond the requirement to process the submission and provide a generative response.

What to Expect From AI in Pentesting: A Hacker’s Best Friend?

The future of pentesting will likely involve a synergistic relationship between AI and human expertise. Here’s how AI will support pentesters in the near future:

1. Collaboration: AI can serve as a sidekick to penetration testers, helping to analyze findings, create reports, and even recommend next steps based on past engagements. It can act as a “red team assistant” facilitating collaboration among team members and providing guidance throughout the engagement.
2. Business Logic and Contextual Awareness: AI will also help penetration testers understand how vulnerabilities impact the business. Instead of just identifying a technical flaw, AI will provide context on how that flaw could lead to business disruptions, data loss, or reputational damage. This understanding can guide pentesters in crafting more impactful recommendations and reports.
3. Agentic Frameworks and Reasoning Models: With advancements in reasoning models, AI can provide insights into why it makes specific decisions, allowing penetration testers to better understand the logic behind its findings and suggestions. This transparency will improve the way humans interact with AI and enhance its effectiveness in pentesting tasks.

Embracing Your New Pentest Partner

AI is not here to take over the job of penetration testers; rather, it is here to make their work faster, more efficient, and more effective. The mundane tasks of scanning for vulnerabilities, writing reports, and even executing basic exploits can be automated, but the nuanced tasks that require creativity, critical thinking, and deep technical knowledge will always need a hacker’s touch.

By embracing AI as a tool to enhance their work, penetration testers can spend more time on the exciting and challenging aspects of their job—hacking, problem-solving, and outsmarting adversaries. As AI continues to evolve, it’s clear that pentesters will be empowered, not displaced. In fact, those who embrace AI will likely find themselves more competitive in an ever-changing cybersecurity landscape.