In August 2023 I spent my holidays in my summer house on Öland in Sweden as usual. I spent three late evenings after the kids were in bed thinking about the future of AI in offensive security. It resulted in a short story about Key Knox and his adventures in pentesting, taking place some time in the future. When I wrote it, it felt like a distant future and very innovative.
Today, over a year later, this does not feel distant at all. The speed of light is constant, but the pace of AI development certainly is not…
Enjoy the reading!
Chapter 1: The Zero-Day Discovery
Key Knox, a seasoned pentester, sat in the dim light of his home office, his eyes glued to the screen. The AI Offensive Security Platform had just unearthed a vulnerability, but not just any vulnerability. It was a zero-day exploit in the TLS library, a flaw that had remained hidden in the depths of the code until now.
The AI had meticulously dissected the open-source library, applying its vast knowledge about the cloud virtualized environment it was running on. The steps to reproduce the vulnerability were laid out on the screen, a complex dance of code and commands that would have been impossible for any human to discover in such a short time.
Key Knox scratched his head, his mind racing to comprehend the magnitude of the discovery. He launched the regression test Nuclei template to validate the finding. The AI had a history of hallucinating in its early days, but those instances were rare now. As the test ran, he held his breath, waiting for the results.
The confirmation came back positive. The AI had indeed discovered a zero-day exploit. It wasn’t the first time, but this finding was different. This vulnerability was in a library used in almost every web application running on Google Cloud Platform. The implications were staggering. It would trigger a worldwide race against time to patch the library before malicious actors could exploit it.
For a fleeting moment, Key Knox considered keeping the finding to himself. With this knowledge, he could don a black hat, hack into a bank or two, and secure his own future. But the thought was quickly dismissed. He knew very well that the Titanium platform’s security mechanisms had already alerted the company’s management about the discovery.
He leaned back in his chair, his mind drifting back to two years ago when he was still using Burp Suite and other standard tools. Back then, finding such a vulnerability would have taken months, if it was even possible. Now, the AI had done it in a matter of hours.
Key Knox couldn’t help but marvel at how far penetration testing had come. The era of AI had truly arrived, and it was changing the game in ways he could never have imagined. He and the entire community of pentesters around the world had gone through a lot, and this journey had tested his skills and determination like never before.
Chapter 2: The Making of a Pentester
Key Knox’s journey into the world of cybersecurity started as a full-stack developer, but his penchant for solving riddles led him down a different path. He would spend his free time playing with HackTheBox and other vulnerable applications, his curiosity piqued by the challenge they presented.
In 2015, he got the opportunity to move into the application security team at his company. Despite his colleagues’ proficiency with standard tools, Key’s intuition and developer background gave him an edge. He had a knack for identifying potential vulnerabilities, often outperforming his peers who knew all the nmap flags by heart but lacked his intuitive understanding of software.
Back then, a penetration test was a laborious process. It began with reconnaissance, using tools like nmap for network scanning, Burp Suite for mapping and analyzing applications, and Wireshark for packet analysis. After identifying potential vulnerabilities, they would use tools like Metasploit or manual methods to exploit them.
Key considered switching to a consulting firm, but the inefficiencies of the traditional penetration testing process deterred him. The long wait times, lack of client communication during the test, and the delivery of a PDF report after completion seemed outdated and inefficient.
In 2019, he discovered Titanium, the inventor of Pentesting as a Service, which utilized a large community of testers and a software platform that streamlined the administrative process. Titanium’s approach resonated with Key. It was a way for him to deliver high value with low overhead.
Over the years, he saw the platform mature. He could focus on what mattered most – actual penetration testing. The community was a source of learning and inspiration, and he honed his skills further. While some of his colleagues were content with reporting findings directly from the output of the tools, Key dug deeper, using his intuition to uncover more vulnerabilities. These were joyful times.
Key had always been interested in AI, but he never imagined it would play a significant role in his work. In 2022, he started seeing AI applications that could assist with simple tasks. By 2023, tools began to emerge that could automate reconnaissance tasks. But the real game-changer came in 2024 when Titanium launched an AI pentester.
Initially, Key was skeptical. Titanium’s platform already had a DAST scanner, but it was more suited for customers wanting basic security testing between pentests. The AI pentester, however, was different. It promised to revolutionize the way he worked, and it would even exceed his expectations.
Chapter 3: The Birth of the AI Pentester
Key Knox was already a well-respected Titanium Community freelance pentester when he first heard of their AI initiatives. Intrigued by the potential of AI in penetration testing, he offered his expertise to help with the development of the AI pentester. His initial involvement was modest, analyzing false positives and providing expert knowledge around pentester tooling. But as he proved his commitment and built stronger trust, he was given more responsibilities.
When Titanium offered him a full-time job to test the AI pentester in its early stages, Key didn’t hesitate. He saw it as the opportunity of a lifetime, a chance to be at the forefront of a revolution in his field. He worked closely with the Data team, running the AI pentester in parallel with human pentesters to evaluate the quality of both and train the AI models through the pentester findings.
The progress was astonishing. Within a couple of months, the AI pentester was on par with the majority of the human pentesters. After half a year, it was competing with the top five percent. Key grappled with the implications. The AI pentester could potentially replace his colleagues and even himself. But he also knew that he had a choice: to lead the change or be left behind.
However, the journey wasn’t without its challenges. The AI pentester sometimes hallucinated, leading the team down the wrong path. These instances were a stark reminder of the importance of having a human in the loop. Key’s expertise and intuition proved invaluable in these situations, helping to correct the AI’s course and prevent it from wasting time and resources on false leads.
In a few cases, the AI pentester ran amok, performing actions that made no sense and sent the team back to the drawing board. These setbacks were frustrating, but they also provided valuable lessons. They forced the team to reassess their approach, fine-tune the AI’s algorithms, and implement safeguards to prevent similar incidents in the future. The team’s focus on delivering small, iterative improvements and frequent updates helped them learn faster.
Despite the hurdles, Key and the team remained committed to their goal. They knew that the path to creating a successful AI pentester would be fraught with challenges, but they also believed in the potential of their work.
The initial releases were designed to assist pentesters with additional information and automation, keeping the core functionality under wraps. As the AI pentester matured, it began to take on more of the work, outperforming all but the top pentesters. It mastered most of the relevant tools and was initially trained to chain them based on the technologies in use and the tools’ responses; later, more and more functionality was built natively into the AI itself. The landscape of penetration testing was changing, and Key Knox was at the heart of it. Little did he know, the biggest challenges and triumphs were yet to come.
Chapter 4: The AI Revolution
As Key Knox navigated the evolving landscape of penetration testing, he couldn’t help but reflect on the broader impacts of AI in software development and security. The transition from writing code to writing prompts for AI coding assistant tools had been swift and transformative. It had led to a software explosion, with startups churning out new applications in weeks instead of years.
Key likened this transition to the shift from Assembler programming to high-level languages four decades earlier, but this change was a hundred times faster. Early adopters reaped the benefits, while latecomers struggled to keep up. Many mature businesses were swept away by the tide of change, replaced by new unicorns that offered better products at a fraction of the production cost.
The role of software developer had turned into that of Software Builder, who worked closely with, or even replaced, Product Managers and Product Designers. They were able to create secure software without knowledge of the OWASP Top 10, as their tools took care of that. However, this shift also marked the beginning of knowledge worker unemployment. While many were able to make lateral moves to other professions, others were simply replaced by AI.
The security market was a bit slower to adapt, primarily due to businesses’ reluctance to trust AI and the prevalence of legacy software built using traditional methods. But as more AI-driven security tools entered the market, the nature of offensive security changed. The tools saved time, but they also raised the bar for pentesters, who were now expected to find vulnerabilities that the AI couldn’t.
The pressure on pentesters increased, leading to burnout and a shift in professions for many. Penetration testing evolved from a profession that many could perform into a field where only the top pentesters could add value beyond what the AI could do. The lines between offensive and defensive security blurred, with pentesters providing not just vulnerability detection but also mitigation.
Even compliance standards like SOC-2 and ISO-27001, known for their slow pace of change, had been updated to require AI-backed tooling. The entire security business was in transition, mirroring the upheaval in the software-backed world. Key Knox found himself at the heart of this transition, grappling with the challenges and opportunities it presented.
While the AI revolution had significantly improved global security posture, it had also opened up new avenues for hackers. In particular, large, traditional corporations like banks, car manufacturers, and insurance companies found themselves in the crosshairs. These institutions, with their legacy software and slower adaptation to AI, became prime targets for hackers who were presumably leveraging AI to launch even more potent attacks.
The financial institutions were hit the hardest. Forced to rewrite large portions of their legacy software, they had to make massive investments since they were not well versed in modern technologies. The strain was too much for some, leading to a wave of bankruptcies that triggered the largest economic crisis in human history. The world’s financial stability teetered on the brink.
Yet, amidst the turmoil, there were glimmers of hope. Some institutions managed to successfully navigate the transition, rewriting their software and adapting to the new AI-driven landscape. New businesses emerged, agile and innovative, ready to replace the old corporate mammoths that had fallen.
Ironically, many of the most sophisticated hacks were not the work of seasoned cybercriminals but of script kiddies. Armed with powerful tools that leveraged AI, these amateur hackers were able to launch attacks that would have been beyond their capabilities just a few years ago. It was a stark reminder that while AI had the potential to greatly enhance security, it could also be used to tear it down. The battle lines in the world of cybersecurity were being redrawn, and Key Knox found himself on the front lines.
Chapter 5: The Future of Pentesting
The battle against AI-backed hackers was a race, and the only way to win was to stay one step ahead. Key Knox had helped Titanium build an AI pentester that could do just that. The Titanium Offensive Security Platform was a marvel of AI technology, capable of gathering information from a vast array of sources and trained to compete against itself in finding and mitigating vulnerabilities.
The AI pentester was run on all open-source libraries in GitHub, capable of finding vulnerabilities deep within the dependency tree of a customer’s software. No other AI pentester in the world could match the capabilities of Titanium’s platform. The only limitation was that Titanium could only help its own customers, while the entire software industry needed their assistance.
Titanium’s platform had several integrations with Git repositories and Web Application Firewalls to identify and mitigate vulnerabilities. While zero-day patches were still manually organized through the Titanium Management team, they were working on automating this step as well. As the AI pentester became more sophisticated, the definition of mitigation had to expand. Beta functionality for updating security policies and processes based on the type of findings was already in place, and the AI was adept at redefining zero-trust architecture from the customer’s infrastructure and source code.
The main challenge remained: how to automate mitigation for traditional software that still lacked automated dependency updates. To address this, Titanium was building a global information system to automate updates for all software vendors worldwide, while delaying hacker awareness as long as possible.
What had started as a small Data team at Titanium had grown into a large AI Security department, housing the majority of Titanium’s Data Scientists, Security Experts, and Software Builders. Key now oversaw the Offensive Security community, validating the AI pentester’s findings and organizing the mitigation and communication of zero-day vulnerabilities.
Joining Titanium had been the right decision for Key. He had played a crucial role in making the world a bit more secure through AI, and he knew this was the only way forward in an increasingly automated security industry. It had also given him back something precious: time. Time to spend with his wife and two daughters, time that he had previously sacrificed to complete his pentests. Now, he could achieve better results in a fraction of the time, leaving him free to play with his kids every day. He felt a deep sense of satisfaction, knowing he had made a significant contribution to a more secure society.
As the sun set, casting a warm glow over the city, Key Knox looked towards the future. He was ready for whatever came next. He was ready to continue his journey, to explore the uncharted territories of AI pentesting, and to make the digital world a safer place for everyone.
And with that, Key Knox turned back to his computer, ready to face a new day in the world of AI pentesting.