
Over 42,000 CRA Accounts Breached: What to Know
More than 42,000 Canadian taxpayer accounts have been breached since 2020. Learn more about the data breach class-action lawsuit involving CRA accounts.
May 20, 2026 - Blog
Authored By Packetlabs

Artificial Intelligence (AI) is rapidly transforming the cybersecurity industry, and penetration testing is no exception. Once viewed primarily as a human-driven discipline requiring deep technical expertise and critical thinking, penetration testing is increasingly benefiting from AI-powered tools that improve efficiency, streamline workflows, and enhance analytical capabilities.
A recent global research report from CREST, based on responses from 62 cybersecurity providers across 19 countries, reveals that AI has moved beyond experimentation and is becoming a permanent feature of professional penetration testing. The findings offer valuable insight into how security providers are using AI today, where the technology delivers the greatest value, and why human expertise remains essential despite rapid advancements.
For organizations seeking cybersecurity services, understanding the relationship between AI and penetration testing has become critical when evaluating providers and assessing cyber resilience.
Penetration testing has traditionally relied on highly skilled ethical hackers who simulate real-world cyberattacks to identify vulnerabilities before malicious actors can exploit them.
Today, AI is changing how many of these activities are performed.
According to CREST's research, nearly 70% of surveyed penetration testing providers currently use AI-enabled tools as part of their service delivery, while more than three-quarters report that their AI usage has increased significantly over the past year.
This trend reflects a broader shift across cybersecurity, where organizations are exploring how AI can automate repetitive tasks, accelerate data analysis, and improve overall operational efficiency.
However, despite increasing adoption, the report emphasizes that AI is augmenting human expertise rather than replacing it. The most successful penetration testing providers are using AI to enhance practitioner capabilities while maintaining strong governance, validation processes, and expert oversight.
Not every stage of a penetration test benefits equally from AI.
The research found that AI adoption is highest in areas involving large volumes of information processing and relatively low operational risk.
Common use cases include:
Reporting has emerged as the most widely adopted AI use case within penetration testing.
Penetration testers often spend significant time documenting findings, creating executive summaries, and translating technical vulnerabilities into business risk language.
AI-powered tools can assist by:
Drafting reports
Summarizing findings
Improving consistency
Enhancing readability
Accelerating report delivery
Because reporting is highly visible to clients but relatively low risk from a technical perspective, it has become the natural entry point for AI adoption.
Reconnaissance is another area where AI is delivering measurable value.
AI tools can rapidly analyze large volumes of publicly available information, helping testers identify:
Potential attack surfaces
Exposed assets
Employee information
Third-party risks
Digital footprints
This capability allows testers to spend less time manually collecting data and more time analyzing potential attack vectors.
AI is also being used to assist with vulnerability scanning and enumeration activities.
These tasks often generate significant volumes of data that require prioritization and interpretation.
By helping testers identify patterns and contextualize findings, AI can improve efficiency without compromising accuracy.
While AI adoption is growing rapidly, fully autonomous penetration testing remains rare.
Only a small percentage of surveyed organizations reported meaningful use of autonomous or agent-based testing systems.
This is largely because many critical stages of a penetration test require:
Professional judgment
Validation
Reproducibility
Accountability
Risk management
Activities such as exploitation, privilege escalation, post-exploitation, and lateral movement continue to rely heavily on experienced security professionals.
AI may generate suggestions or provide assistance, but practitioners remain responsible for validating findings and ensuring testing activities are accurate, safe, and defensible.
This highlights an important distinction.
The future of penetration testing is not AI versus humans. Instead, it is AI working alongside skilled cybersecurity professionals to improve outcomes.
The report found that general-purpose large language models (LLMs) currently dominate AI usage within penetration testing.
Among the most frequently used tools are:
ChatGPT
Claude
Gemini
Microsoft Copilot
Ollama
These platforms are valued because they are easy to deploy, require minimal integration effort, and can support a wide variety of tasks.
Interestingly, specialized AI-powered penetration testing platforms have seen lower adoption rates than many expected.
Many providers reported concerns regarding:
Reliability
Precision
Reproducibility
Explainability
Auditability
As a result, most organizations currently operate hybrid environments that combine traditional security tools, AI assistants, open-source utilities, and proprietary workflows.
The survey identified several areas where AI is already delivering tangible value.
One of the most significant advantages is time savings.
By automating repetitive tasks such as documentation, data analysis, and information synthesis, AI allows security professionals to focus on higher-value activities.
AI can help standardize reporting formats, improve clarity, and reduce administrative overhead.
This enables testers to spend more time investigating vulnerabilities and less time formatting reports.
AI excels at processing large datasets and identifying patterns that may otherwise be overlooked.
This capability can strengthen threat analysis and improve the overall quality of testing engagements.
As cyber threats continue to increase in volume and sophistication, AI helps organizations scale their security operations without sacrificing quality.
Despite its benefits, AI introduces new risks that organizations must address carefully.
The report highlights several key concerns.
AI-generated content can vary significantly depending on prompts, context, and model behavior.
This inconsistency creates challenges in high-assurance security environments.
One of the biggest risks associated with AI is its ability to generate plausible but incorrect information.
Without proper validation, organizations risk relying on inaccurate findings.
Many AI models operate as black boxes, making it difficult to understand how specific outputs were generated.
This lack of explainability can create challenges for compliance, governance, and regulatory oversight.
Perhaps most importantly, AI outputs still require human review.
Organizations cannot assume that AI-generated findings are automatically accurate or defensible.
Human validation remains essential for maintaining trust and accountability.
As AI adoption accelerates, governance is emerging as a major differentiator among cybersecurity providers.
The report found that clients increasingly want transparency regarding:
How AI is used during testing
What data is shared with AI systems
How outputs are validated
Who is accountable for findings
What safeguards are in place
Organizations evaluating penetration testing providers should look beyond claims of automation and focus on evidence-based assurance processes.
Key evaluation criteria should include:
Validation methodologies
Practitioner certifications
Audit trails
Data protection controls
Human oversight frameworks
Providers that can demonstrate mature governance practices will likely enjoy stronger client trust and competitive differentiation.
The research suggests that the future of penetration testing will be defined by hybrid operating models.
Rather than fully autonomous systems replacing human testers, AI will increasingly support practitioners across a broader range of activities.
Over the next several years, organizations can expect to see:
Increased AI-assisted vulnerability discovery
More advanced security copilots
Greater workflow orchestration
Enhanced threat intelligence analysis
Improved testing efficiency
Stronger integration between AI and traditional security platforms
At the same time, regulatory scrutiny and governance requirements are expected to increase as AI becomes more deeply embedded within cybersecurity services.
Organizations that invest in both technological innovation and professional oversight will be best positioned to capitalize on these advancements.
Artificial Intelligence is no longer an emerging concept within penetration testing—it is becoming a standard component of modern cybersecurity service delivery.
The latest industry research demonstrates that AI is helping penetration testers improve efficiency, enhance reporting quality, and strengthen analytical capabilities. However, the technology has not eliminated the need for human expertise.
The most effective cybersecurity providers are combining AI-enabled tools with experienced practitioners, rigorous validation processes, and strong governance frameworks.
For organizations purchasing penetration testing services, the key question is no longer whether a provider uses AI. Instead, it is how responsibly, transparently, and effectively that AI is integrated into the testing process.
As cyber threats continue to evolve, AI-powered penetration testing will play an increasingly critical role in helping organizations identify vulnerabilities, strengthen defenses, and build long-term cyber resilience.