Don’t fall for the trap
It is true that with AI agents and its accessibility, we have equipped the malicious actor with slightly more automating power in its arsenal.
However, like fuzzers, they only increase the speed at which they find vulnerabilities.
AI agents will make it easier to vulnerability scan multiple endpoints very fast. However, human beings still need to think, interpret and correlate data to establish vulnerability chains that lead to exploitation.
At Michaelis Labs, we have tried two tools being marketed and sold as a great end-to-end pentesting solution on Hackthebox Active Directory Windows boxes. (ADScan & Penligent)
AI agents does speed up some part of reconnaisance and vulnerability scanning but they fail at some pivots, they often can’t exploit domain trust and they can’t use a different enumeration technique if one fails via a protocol.
More importantly, Deepseek & ChatGPT still can’t understand documentation and incorrectly provide commands without the correct flags to undertake enumeration.
In conclusion, relying solely on its output is a huge mistake and money thrown in the trash.
There are other ways besides an AI penetration test you can use to secure your internal environment with proven effectiveness and less risk to your data.
Buying a fully autonomous, continuous, AI agent to penetration test your environment is a flashy gadget being marketed everywhere with no real return on investment.
The narrative that we need AI to secure our network, to find and exploit vulnerabilities in our network is being encouraged, using fear, to get companies to fall for a fake piece of insurance.
It’s a dangerous and misleading trend that has now reached the Mauritius market.
Funding is being raised right now in the US and UK to market AI pentesting solutions aggressively.
New entrepreneurs with no background in cybersecurity have hit the Mauritian market selling AI pentesting tools.
Ask yourself what will happen to your network and data when unknown AI agents owned by unknown persons have access to it 24/7?