Source:
The Register29% of security pros were open to fully autonomous pentesting last year; now only 9% are
Perhaps bots aren't the answer to everything when it comes to finding flaws. Fully automated pentesting has been a letdown for many security teams, according to offensive security firm Cobalt, as support for the approach has fallen sharply over the past year. Cobalt’s recent 2026 State of Pentesting report found, among other things, that security practitioners are rapidly ditching autonomous pentesting tools, in large part because they’re simply failing to detect critical vulnerabilities. Cobalt reported that 78 percent of respondents to its survey for the 2026 report experienced “critical false negatives” from automated scanning tools, with the tools quite bad at detecting the sort of vulnerabilities its AI ilk inflicts on environments in which it’s prevalent. “Automated scanners are brilliant at finding known, signature-based vulnerabilities. But they fail miserably at AI security,” the company said in a release summarizing the report’s findings. “Prompt injection exploits and excessive agency flaws require creative, multi-turn interaction chains [and] adversarial psychology,” Cobalt continued. “These logic flaws are entirely invisible to tools that test using single-shot automated queries.” A year of disappointment with automated scanning tools has led to a considerable decline in the number of organizations considering a purely automated security scanning approach, with just 9 percent of respondents saying that they were open to the idea, compared to 29 percent last year. It’s worth noting that the number of respondents to Cobalt’s survey was small - just 450 folks - but even with so few data points, the numbers are still bad news for automated pentesting vendors, but good news for infosec professionals, says Cobalt. “The drop in reliance on fully automated pentesting is actually a healthy sign,” the company said in its report summary. “It proves that practitioners are seeing through the vendor hype and demanding actual assurance rather than just coverage.” Those practitioners may also be simply overwhelmed by the number of vulnerabilities that non-security AI tools are introducing into their spaces: Per Cobalt, around 12 percent of the vulnerabilities detected in traditional environments are classified as high or critical severity. In AI and
LLMenvironments, that number climbs to 32 percent, and that's not a new number, either. That 32 percent figure has held for the past two years, Cobalt said of its pentesting data, suggesting AI is introducing a lot more vulnerabilities. Combine those increased severity odds with automated pentesting bots that miss the sort of vulnerabilities that AI often introduces and it’s a recipe for disaster. Cobalt says the solution is hybrid security in which most systems are allowed to be automatically scanned by AI, while the most critical systems are left up to humans to protect and manage. The company sells such a solution, naturally, but it’s worth pointing out that its findings on the uptick in vulnerabilities introduced by AI aren't exactly a unique claim. Application security firm Veracode reported earlier this year that AI-assisted software development is creating more vulnerabilities than security teams can keep up with, leaving more vulnerabilities left unresolved for longer periods of time. Per Veracode, some 82 percent of companies are leaving known vulnerabilities unresolved for more than a year, while the number of high-risk vulnerabilities as a share of all discovered is rising as well. That said, not everyone is as skeptical of automated pentesting as Cobalt and its survey respondents. According to Amazon security chief CJ Moses, AI pentesting tools have made Amazon security teams 40 percent more efficient, though Moses’ measure for that figure isn’t clear. Moses still wasn’t keen on handing the entire security project off to AI, however. He told us at the RSA Conference in April that AI pentesting still needs a human in the loop to ensure it doesn’t muck something up. "AI is very good at doing things, especially when you have large amounts of data and need that big view,” Moses said in an April interview. “But from a decision-making capability, it isn't something that we're ready to rely on." ®Get AI news in your inbox
Daily digest of what matters in AI.