Pentesters: Is AI Coming for Your Role?


We’ve been hearing the same story for years: AI is coming for your job. In fact, in 2017, McKinsey published a report, Jobs Lost, Jobs Gained: Workforce Transitions in a Time of Automation, predicting that by 2030, 375 million workers would need to find new jobs or risk being displaced by AI and automation. Cue the anxiety.

There have been ongoing whispers about what roles would be impacted, and pentesting has recently come into question. With AI now able to automate tasks such as vulnerability scans and network scans—among other things—and with platforms like PlexTrac adding AI capabilities to cut back on the manual effort, will pentesters be out of a job?

Let’s start with some optimism. This year, McKinsey retracted its former prediction that 375 million workers would be displaced by AI, lowering the prediction to roughly 92 million workers. The article continued to ease concern, stating that although some jobs may become obsolete, it’s more likely that jobs will simply undergo a transition and that an estimated 170 million new roles will emerge from the ashes.

Circling back to pentesting, it’s fair to assume that some aspects of the role will lend themselves more to automation in the coming years, and some pentesting-related roles might have to pivot, but AI is missing an element that sets pentesting apart from other automated scanner tools: the human element. As cited by the Cloud Security Alliance, “Rather than replacing humans, AI serves as a force multiplier for penetration testers.”

One common misconception is that AI will make pentesters a thing of the past. The reality is far more nuanced. Automation has already begun to assist in streamlining some of the more monotonous, repetitive tasks, but human creativity and expertise remain irreplaceable.

AI is changing the barriers to entry for pentesting. With the help of AI-powered tools, folks with less technical experience—often referred to as script kiddies—will be able to perform more sophisticated tests without needing an in-depth understanding of the underlying mechanics. AI lowers the barrier to entry by automating more complex tasks like vulnerability scanning, adversary simulation, and exploitation. Such automation enables these users to identify and exploit weaknesses in systems with greater ease.

While pentesters may have a negative view of script kiddies, the advancements in AI and automation benefit everyone. Removing low-hanging fruit allows testers of all levels to take on more intricate and valuable engagements, raising their skill level and making them more effective and secure in their roles. With AI handling the tedious groundwork, all testers can focus on learning the deeper nuances of pentesting, ultimately becoming more proficient and contributing more to the security landscape.

It’s not just script kiddies that will reap the benefits of AI—pentesters can as well. By leveraging automation, pentesters are freed up to focus on tasks that demand a higher level of expertise or human intervention. For instance, AI can automate the discovery of vulnerabilities, allowing pentesters to focus on crafting unique exploits or conducting advanced red team exercises that require a nuanced understanding of human behavior and business logic.

Specific tasks AI can automate include:

By eliminating these repetitive tasks, AI allows pentesters to spend more time exploring sophisticated exploits, finding hidden flaws, and thinking outside the box—skills that are beyond AI’s reach for the foreseeable future.

AI’s impact on pentesting is also evident in the realm of social engineering. The technology is already advancing phishing simulations and training exercises. AI’s ability to analyze vast amounts of data, understand human behaviors, and craft more believable phishing attacks or social engineering scenarios allows penetration testers to conduct more realistic attacks. This means that businesses can be better prepared for real-world threats, as AI enhances the authenticity of simulated attacks.

Moreover, AI tools can provide feedback and coaching, allowing penetration testers to refine their social engineering techniques and learn from past engagements, improving their craft over time.

AI can dramatically speed up most, if not all, stages of the penetration testing lifecycle. For example:

The future of pentesting will likely involve a synergistic relationship between AI and human expertise. Here’s how AI will support pentesters in the near future:

AI is not here to take over the job of penetration testers; rather, it is here to make their work faster, more efficient, and more effective. The mundane tasks of scanning for vulnerabilities, writing reports, and even executing basic exploits can be automated, but the nuanced tasks that require creativity, critical thinking, and deep technical knowledge will always need a hacker’s touch.

By embracing AI as a tool to enhance their work, penetration testers can spend more time on the exciting and challenging aspects of their job—hacking, problem-solving, and outsmarting adversaries. As AI continues to evolve, it’s clear that pentesters will be empowered, not displaced. In fact, those who embrace AI will likely find themselves more competitive in an ever-changing cybersecurity landscape.
