The Rise—And Risk—Of AI In Offensive Security

Forbes

15-07-2025

Gunter Ollmann is a global cybersecurity innovator with decades of experience, patented tech and leadership across 80+ countries.
Offensive security tools, which are designed to proactively identify threats and vulnerable attack vectors before they occur, have long been exploited by threat actors. AI is, unfortunately, perpetuating the issue and, in particular, is making social engineering easier since it empowers criminals with native language capabilities, supercharging their effectiveness. But AI is also working to the defender's advantage by shaking up the traditional penetration testing sector, which once centered on "breadth," e.g., identifying as many vulnerabilities as possible using scanners and automated tools, so that it has now evolved into full-scale attack and breach simulation.
This capability effectively puts the defenders in the attacker's "shoes" so they replicate the tactics of threat actors to help organizations understand how far an attacker could infiltrate their systems.
How AI Enhances Offensive Security While Introducing New Risks
As with most things AI-related, innovation is a double-edged sword. As tools improve, they benefit not only defenders but also attackers. For defenders, tools that once required manual triage are now equipped with AI that can scan, correlate and validate vulnerabilities. For instance, when different scanners return conflicting information, AI can determine which findings are likely false positives, saving human analysts hours of triage. Now, instead of sifting through lengthy lists of potential issues, testers can focus on what truly matters: issues that are exploitable and impactful.
For attackers who used to rely heavily on manual efforts to gather intelligence on targets, they can now use AI to mine the internet, analyze social networks, access data dumps and even build virtual personas that can infiltrate private online communities. These personas can be tailored to a specific user's interests—we have seen train hobbyists targeted and used to establish trust before delivering a targeted phishing link or malware payload. These AI-generated personas may join relevant forums, interact with the target over time and build credibility in a way that was previously too labor-intensive to execute.
AI also plays a major role in passive reconnaissance. Oftentimes, attackers don't even need to touch a target system and can use AI to collect extensive intelligence about an organization from public and semi-private sources. For example, it can determine which individuals have administrative access, what systems are publicly exposed and what historical vulnerabilities exist. This reduces the need for noisy scans and increases the chances of a successful, undetected breach. But of course, defenders can use these capabilities too, hence an ongoing game of "cat and mouse" between red teamers and threat actors.
Evaluating Offensive Security Vendors
AI without human expertise generates "noise," particularly hallucinations, which throw false positives and negatives into the mix, so it needs highly skilled experts who know how to interpret the findings and use the tools effectively. This pool exists as the discipline has evolved from an "art" into a "science," where a global community of elite testers all perform to the same standardized methodologies and regulatory standards. This has helped streamline the logistics of launching high-quality tests quickly, enabling better remediation, retesting and translation of findings into business-relevant language for developers and executives. With organizations assured of consistency across processes, it's up to vendors to differentiate on their ability to simulate modern threats, collaborate closely with internal teams and provide testing agility. Features such as retesting, contextual reporting and access to global talent pools are also critical.
Humans Versus AI
Pentesting has evolved from a niche security function to a broad organizational priority. Reports no longer go just to security teams; they are reviewed by engineering leaders, product owners and other business stakeholders. Findings are now written in context for the end audience, and AI helps facilitate this translation, ensuring that vulnerabilities are understood and fixed by the right teams. This ensures not only a faster resolution but also that development teams remain focused on delivering secure code from the outset.
The biggest question facing the industry is whether AI will replace pentesters. The answer is "yes" for traditional average pentesting and "no" at the top end. AI can excel at automating routine tasks, but skills like red teaming at the highest level are a human endeavor. Elite testers bring knowledge of the best tools to use and the experience that can't be replicated by algorithms.
We're seeing that currently, the best results come from hybrid teams where AI handles repetitive, data-intensive tasks and human experts focus on strategy, interpretation and innovation. This is a continuation of a long-term trend whereby so-called "tier one" security analysts were automated some ten years ago. It means smaller teams can achieve more with routine tasks such as scanning, correlation and log analysis handled by AI, while expert humans focus on complex and strategic areas.
Cybersecurity Is About People
AI is revolutionizing offensive security, bringing with it both immense promise and considerable peril. The tools of the trade have evolved, and so too must the people and processes that govern them. As the attacker-defender arms race accelerates, the role of AI will only grow. But in the end, cybersecurity is still about people. Penetration testing and Red Teaming are driven by highly skilled individuals who understand how adversaries think, and they leverage AI as a tool to sharpen their edge.
The adversaries are human—and so too must be the defenders. To truly stay ahead, organizations need to blend elite research talent with smart technology and never lose sight of the human element that defines success in security.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?