The next evolution of the penetration test must include agentic AI
Date:
Wed, 03 Jun 2026 10:08:52 +0000
Description:
The only way defenders can win is by fighting AI with AI.
FULL STORY ======================================================================
When a CISO tells the board "we tested that system last quarter," it sounds reassuring. But in today's threat landscape, it's a measurement that no longer maps to reality.
Recent industry research shows that while 95% of organizations prioritize penetration testing, only 32% of their attack surface is actually tested.
The problem isn't that penetration testing is broken. It's that the word "tested" no longer means what organizations think it does.

Jay Kaplan, CEO and Co-Founder, Synack.

Penetration testing used to involve a small team of humans spending a limited amount of time in a system - mapping what they could reach, identifying vulnerabilities within that window, and compiling results into a static report.
That model was already under pressure from the pace of change. Then AI broke it.
"Tested" simply isn't pulling its weight anymore.

Agentic AI is rewriting the rules

For more than a decade, automation was the attacker's advantage. Mass scanners and automated reconnaissance ran constantly, but they were noisy and required security teams to sift through the output. Defense was slower, but more precise where it mattered.
Humans could chain findings, understand business context, and stay one step ahead of attackers. The economics weren't always favorable, but they were workable.
That trade has now broken down. Agentic AI is compressing reconnaissance from days to hours. These frontier models reason about endpoints that aren't visible in the UI and they can chain low-impact findings into business-logic exploits. The time between a CVE's public disclosure and the first observed threat-actor exploitation has collapsed to a matter of hours.
That isn't a faster scanner. It's a creative attacker that never sleeps, never gets bored, and runs at the cost of compute.
Now consider what an annual pentest actually buys you against that threat.
It's a snapshot of an attack surface that's changing by the hour, against an adversary that doesn't wait for the next audit. Your board doesn't know that. Your auditors don't know that. And it is increasingly the structural reason why organizations get breached between audits.

What "tested" needs to mean now

The only way defenders can win is by fighting AI with AI. The next evolution of the penetration test must include agentic AI on the defense side. Here's what that looks like.
"Tested" stops being a calendar event and becomes a posture - continuous validation against the latest exploit techniques, on the assets that actually matter, with humans focused on the findings only humans can produce.
The test needs to report what was exploited and confirmed, not just what was flagged. A scanner can tell you a vulnerability might exist; agentic AI can tell you whether it actually fires in your environment.
That distinction, at scale, is the difference between a six-figure ticket queue your team will never burn down and a short list of things that will kill you next Tuesday. We have found that roughly 40% of the vulnerabilities we find are critical or high. The signal is there. Most teams just can't get to it fast enough.
And it stops being a humans-or-machines argument. It is both, and they're deployed differently. AI handles the breadth, the speed, and the chained reasoning attackers are already running against you.
Humans handle the creativity, the business logic, the things an algorithm has yet to model. Customers running this combined model cut average remediation time on critical vulnerabilities from 63 days to 38 in a single year, a 47% reduction across severity levels.
That doesn't happen because they bought more tooling. It happens because their definition of "tested" became continuous.

The talent question, reframed

The cybersecurity skills gap is real, but the issue isn't a shortage of practitioners. It's a lack of senior judgment, applied where it matters. Much of the work consuming our industry's most experienced researchers is reconnaissance, triage, retesting, and sifting scanner output. That is the exact work agentic AI is now good enough to take on.
Redefining "tested" frees that talent. It puts senior researchers back on the problems machines can't solve: novel attack paths and business-logic abuse - the chains that a creative human spots and a model can't reason its way to. While the UK government has set out a vision for defensive AI that operates at machine speed, the talent piece of that vision only works if we stop asking humans to do machine-speed work.

What I'd ask a CISO today

Pick the system in your environment that, if compromised, would put you on the front page. Now answer this: when was it last exploited under controlled conditions - not scanned, not reviewed - but actually attacked and confirmed?
If the answer is "in our last annual pentest," the word "tested" in your security program has stopped meaning what you need it to mean. Fix the word, and the rest of the program has a chance to follow.

This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here:
https://www.techradar.com/pro/perspectives-how-to-submit
======================================================================
Link to news story:
https://www.techradar.com/pro/the-next-evolution-of-the-penetration-test-must-include-agentic-ai
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)