The cybersecurity industry is rightly captivated by the potential of AI, but we must not be blinded by the hype. The promise of a fully autonomous AI pentester that can replicate the ingenuity of a human expert is, for now, a premature fantasy. In fact, the rush to deploy AI is creating a massive new security blind spot. Our own data shows that a staggering 79% of serious vulnerabilities found in genAI systems go unfixed, making it one of the most significant unaddressed risks for businesses today.
The core challenge is not simply building AI that can run a scanner or fuzz for vulnerabilities; it's understanding what kind of vulnerabilities truly matter. At Cobalt, we believe the future of offensive security isn't a choice between human or machine, it's about harnessing the strengths of both. Our track record in this industry, as the inventors of the pentesting as a service (PTaaS) model, positions us well to reinvent the category we created.
Our vision is clear: we are building the ultimate co-pilot for our pentesters, augmenting their unique expertise with the speed and scale of AI to deliver a higher standard of security testing.
The Human Nature of True Pentesting
Having been involved in defining the foundational methodologies for penetration testing over two decades ago, I can tell you that it has historically been more of an art than a science. It’s about understanding business context, creatively chaining exploits, and uncovering nuanced logic flaws that no off-the-shelf automated scanner today can comprehend. These are the vulnerabilities that pose a genuine risk to a business—the kind that elude simple CVSS metrics.
AI (in its many flavors) and automated tools are becoming proficient at handling the basic hygiene of security, and are poised to make bug bounty programs redundant. However, they are nowhere near mature enough to replicate the instinct and creativity of an experienced pentester. Our pentesters are creative, knowledgeable, experienced researchers, motivated by the challenge more than by a bounty. They are superior in many ways to bug hunters, who consistently miss the most critical issues:
- Complex business logic flaws: Vulnerabilities that exploit the intended functionality of an application in unintended ways.
- Novel chained exploits: Combining multiple, lower-risk vulnerabilities to create a critical-risk attack path.
- Context-specific risks: Flaws that are only apparent when you understand the business purpose of the application.
Pentesting moves us from assumption to evidence. It requires a narrative, a plan, and the kind of lateral thinking that, for the foreseeable future, remains a uniquely human skill.
The Cobalt Approach: The Human-AI Partnership
Our vision at Cobalt is not to replace the pentester, but to build them the ultimate co-pilot. We are strategically focused on a human-led, AI-powered approach where AI handles the cumbersome, repetitive work—reconnaissance, data enrichment, report drafting—freeing our human experts to do what they do best: think like an attacker and uncover the sophisticated flaws that truly put a business at risk.
This isn't just a chatbot or a support tool; it's an integrated assistant built directly into our Cobalt Offensive Security Platform. Our AI helps our pentesters go farther and faster, allowing them to focus their time on what matters most: simulating actual attackers with curiosity and integrity. For our customers, this combination of AI-generated speed and human intuition means deeper, smarter, and faster security testing.
The Engine Behind Our AI: A Decade of Real-World Data
In the age of AI, the quality of your training data is everything. Our models are not trained on synthetic data, capture-the-flag exercises, or the noise of bug bounty submissions. They are tuned on the largest private dataset of its kind: over a decade of real-world pentest findings from more than 5,000 engagements annually.
This gives our AI—and by extension, our pentesters—an unparalleled understanding of the vulnerabilities that matter. It’s the engine behind our network effect: every pentest we conduct makes our AI smarter, delivering an advantage that off-the-shelf and lab-grown tools simply cannot match. Real-world experience matters.
Our Roadmap: From Augmentation to Continuous Validation
We are on a clear journey to reinvent offensive security, with a roadmap that balances practical innovation today with a vision for the future.
- Today: Our pentesters are already leveraging the Cobalt AI Assistant (currently in beta). It helps with AI-powered scoping to launch tests faster, provides AI-driven insights and benchmarking from our data, and assists with drafting client-ready reports, freeing up valuable time for testing and analysis.
- Coming soon: We are enhancing our Cobalt Platform to automate the initial, time-consuming phase of reconnaissance, target validation, and triage. By handling the repetitive work upfront, our experts can immediately focus their energy on high-value activities and investigating complex attack paths.
- On the horizon: We envision a future that offers the best of both worlds. We will continue to advance our core, human-led, AI-powered manual pentesting for the deepest level of assurance. Alongside this, we are building a separate, autonomous, continuous AI pentesting offering designed to provide 24/7 vulnerability coverage augmented by a global pool of elite offensive security specialists.
Elevating the Craft, Reducing the Risk
The concern that AI will replace human pentesters is based on a misunderstanding of what pentesters do. Our work is not about running tools; it’s about instinct, planning, and persistence. AI won't replace the experts—although it will make it harder for junior security testers, and the less-skilled, to find and keep those jobs. This is the trend we're seeing globally across all consulting and knowledge-worker industries.
However, the 450-plus team members of the Cobalt Core are the best of the best. For them, AI will become a creative catalyst that removes boilerplate work and frees up precious time for the most difficult tasks: finding the critical vulnerabilities, and helping our customers' security programs become more effective at fixing them.
At the end of the day, the true adversary is a human, and the human that uses AI better than their counterpart defeats both their adversary and their AI. It means our professional pentesters are still the most essential part of the human-AI relationship.
For organizations, this partnership delivers what matters most: speed, scale, and the amplified expertise needed to truly reduce business risk. At Cobalt, we are committed to this human-led, AI-powered future.