March 17, 2026

How AI Will Change Penetration Testing in the Next Three Years

Penetration Testing is as dynamic and agile as the attackers we are seeking to simulate. The methods we use today are highly advanced and specialised when compared to the sort of tools and methods we used even 5 years ago. The same is certainly true for the methods and tools we will be using in the future, and nothing makes this clearer than the current state and advancement of Artificial Intelligence and Large Language Models.

Large Language Models (LLMs) such as ChatGPT, Claude and Gemini can already digest massive data sets, detect patterns that humans may miss, generate scripts, suggest attack strategies and, increasingly, perform attacks themselves. Over the next 3 years AI is not just going to change the way testing is performed; it is likely to cause a fundamental shift in methodology and tools, potentially shifting penetration testers' value from manual execution to strategic oversight.

Smarter Recon

Reconnaissance has always been an integral part of any penetration test; however, it can also take a large amount of time that would be better spent testing. We can attempt to reduce this impact by requesting scope, documentation and information from customers up front, but there will always be some shadow IT, some domain, something that is missed, that requires penetration testers to commit considerable time to open source information gathering, directory scanning, etc.

LLMs can perform these same tasks, but with far greater speed and accuracy. LLMs can ingest DNS records, certificates, public repos and Reddit posts, scan for domains, subdomains and social media profiles, and correlate all of the information into a ranked list of high-value, high-impact attack targets.

Unlike a lot of the current tools used for these purposes, AI could continue this recon throughout the entire test. If new information is discovered, for example a naming convention for API endpoints, a note from a previous senior engineer or a hardcoded API key, the AI can use that information to further its recon work, potentially discovering new endpoints, finding new Stack Overflow questions from said developer or enumerating the scope of the API key.

Adaptive Exploitation

A lot of exploitation today relies heavily on publicly available exploits and on standard payloads. While every penetration tester will create custom payloads and scripts for each engagement, many of these are based on more widely known exploits. AI, however, may be able to generate unique, customised exploits and payloads.

AI can generate these exploits at a much faster rate than a traditional penetration tester, generating hundreds of payloads a second and, if permitted and configured correctly, testing them just as fast. In the time it may take a penetration tester to research and craft an injection payload, an AI designed for the task could create, test and validate thousands of payloads.

This speed and memory also allow the AI to generate exploits and payloads specifically designed to be chained together, exploiting each service in a sequence, evaluating the response and crafting the next stage in the chain automatically.

Vulnerability Prioritisation and Reporting

Most penetration testers strive to produce a ranked list of findings, using their knowledge of the environment, experience and research skills to give each finding a risk rating. However, with a limited view into the business's priorities and processes, these risk ratings can at times be misaligned with the business's own risk appetite.

AI will be able to take these findings and, by ingesting all data gained during the engagement along with any documentation discovered or provided by the business, align them to the business's specific risk appetite and matrix.

How Testers Can Prepare

While these tools are growing more and more powerful, they are a long way from fully replacing human testers. Our role, however, may change. In the future human penetration testers will move from executors to a more orchestrator-aligned role. While critical thinking and problem solving have always been key skills in penetration testers, they will become even more valuable when interacting with penetration testing AI. Human oversight will be critical to determine if the AI is suggesting incorrect paths, hallucinating or even scope creeping. Especially against sensitive systems and production environments, it will be vital for the human penetration tester to be well versed not only in penetration testing, but also in AI literacy skills such as prompt engineering, model evaluation and integration of AI tools into existing workflows.

Business Impacts

As for businesses, there are a multitude of benefits from this future. The ease of testing with AI tools will lead to faster engagements, reducing the time from commencement to delivery of the report considerably. AI can support testers to perform more continuous testing, taking a majority of the workload off of human testers so tests can be performed more often, and with the added benefit of ingesting all previous results and reports allowing the testers to provide a true indication of progress and growth over time.

However, there are also risks to take into account. As in all industries, there will be companies looking to use these tools as cheaply as possible to generate profit. Such companies will likely skimp on the human aspect of testing, leaving the business open to testing without proper human oversight. That can lead to problems with hallucinations, or even to AI tests that breach the agreed scope or legal and ethical guidelines, because without proper human oversight and training, models could perform unintended testing.

Preparing for AI-Driven Penetration Testing

Teams that adapt now will gain a competitive advantage:

1. Train staff on AI tools, prompt engineering, and AI-assisted workflows.

2. Integrate AI outputs into existing orchestration pipelines.

3. Validate AI-generated test cases as a standard procedure.

4. Update engagement scopes to explicitly include AI-assisted testing.
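
One way to make steps 3 and 4 concrete is a pre-execution gate that checks every AI-proposed test case against the written engagement scope and holds anything unknown for a human. This is an added example, not code from the original post; the scope format, the test-case format and all hosts and ranges are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed engagement scope (hypothetical values, documentation ranges only).
SCOPE = {
    "domains": ["example.com"],          # apex and its subdomains are in scope
    "networks": ["203.0.113.0/24"],
    "excluded": ["payments.example.com", "203.0.113.10"],
}
# Constructed AI-proposed test cases.
PROPOSED = [
    {"id": "tc-1", "target": "https://api.example.com/v1/users"},
    {"id": "tc-2", "target": "https://payments.example.com/login"},
    {"id": "tc-3", "target": "203.0.113.25"},
    {"id": "tc-4", "target": "198.51.100.7"},
    {"id": "tc-5", "target": "https://example.com.cdn-host.test/"},
]

def host_of(target):
    """Return the lowercase host of a URL, hostname or IP string ('' if unparsable)."""
    try:
        parsed = urlsplit(target if "//" in target else "//" + target)
    except ValueError:
        return ""
    return (parsed.hostname or "").rstrip(".").lower()

def check_target(target, scope=SCOPE):
    """Classify one proposed target as 'allow', 'deny' or 'review'."""
    host = host_of(target)
    if not host:
        return "deny"
    if any(host == x or host.endswith("." + x) for x in scope["excluded"]):
        return "deny"                    # exclusions win over everything else
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        in_net = any(ip in ipaddress.ip_network(n) for n in scope["networks"])
        return "allow" if in_net else "deny"
    if any(host == d or host.endswith("." + d) for d in scope["domains"]):
        return "allow"
    return "review"                      # unknown hostname: a human decides first

def gate(proposed, scope=SCOPE):
    """Split proposed test cases into allowed, denied and held-for-review ids."""
    result = {"allow": [], "deny": [], "review": []}
    for case in proposed:
        result[check_target(case["target"], scope)].append(case["id"])
    return result
```

The gate only inspects the name or address the model proposes; a production version would also resolve in-scope hostnames and re-check the resulting addresses, since an in-scope name can point at third-party infrastructure.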

Conclusion

There is no doubt that AI will reshape our industry in the coming years. Testers will spend less time writing and running scripts and more time coaching and orchestrating intelligent attacks, validating the findings and providing strategic insights. Testing will become faster, smarter and more closely aligned with business needs.

Testers who embrace this change early will gain the knowledge, speed and coverage to excel in this growing field.
