How GenAI has impacted the role of the pen tester

Some are using the tools in reporting and for scripts.

After a long week of hunting for misconfigurations in a company’s infrastructure, Aaron Herndon, penetration tester and principal security consultant at Rapid7, frequently spends a Friday writing out the team’s discoveries.

A 40-day assignment may mean a digest of 120 pages, Herndon said; even limited findings require an analyst to show their work.

“Writing is the worst part of this job,” he told IT Brew.

Red-team reports often require mapping the team’s tactics to those in the MITRE ATT&CK framework, so that each finding can be tied to recommended controls. Herndon has used in-house LLMs, trained on detection information and run locally, he said—both for writing tips and for prompts like, “Here's what I did. Show me the relevant Mitre tags.”

“I can give it a bulleted list of high-level information and say, ‘Make this sound business professional,’ or ‘Review it for this style-guide component,’” Herndon said.

He and other pen testers spoke with IT Brew about how AI will impact their jobs (and job security).

Chat’s the way it goes. A log of pen-test activity potentially contains credentials, attack tactics, and other details one wouldn’t want sent to a stranger or public-facing chatbot.

Herndon safeguards client data, he assured us; no customer details can reach a cloud-based LLM or be used to train a model. Rapid7 has dedicated virtual machines for client jobs, and DLP mechanisms detect sensitive-data exfiltration.

“Take GenAI out of it,” he said. “You would never publish that information as a tester. That’s a fireable offense.”

Regex marks the spot. Eric Escobar, principal security consultant at Sophos, also spends whole days writing pen-test assessments—frequently tuned to a job’s unique expectations. One client, for example, may need funding so their team can go to DEF CON. Another may want to make a case for multi-factor authentication.

An AI tool, he said, no matter how good its writing skills, “is not in any way, shape, or form going to replace the custom tooling and writing that we do.”

Escobar has used AI, however, to write regular-expression (“regex”) filters: patterns that pull specific entries out of a data set, such as usernames beginning with a particular letter.
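As an added example (not code from Rapid7, Sophos or IT Brew), the Python below does two regex jobs this article touches on: the filter Escobar describes, pulling usernames that start with a given letter out of a job log, and a scrub pass of the kind the earlier point about client data calls for, replacing passwords and NT/LM hashes with placeholders and refusing to pass the text on while any raw secret still matches. The log lines, addresses, account names and secrets are constructed for the example, and the line layout is an assumption, not any real tool's output format.

```python
# Added example (not code from Rapid7, Sophos or IT Brew): regex filtering and
# redaction over a constructed pen-test job log. Hosts, accounts and secrets
# are made up; the line layout is assumed, not any real tool's output format.
import re

# Constructed job log: "[flag] ip proto [DOMAIN\]user[:secret] ...".
SAMPLE_LOG = """\
[+] 10.0.5.12  smb  CORP\\asmith:Winter2024!  (Pwn3d!)
[+] 10.0.5.12  smb  CORP\\adm_jdoe:Spring2024!  (Pwn3d!)
[*] 10.0.5.40  ldap CORP\\svc_backup  NTLM 8846f7eaee8fb117ad06bdd830b7586c
[+] 10.0.5.40  ssh  root:toor
[*] 10.0.5.77  rdp  CORP\\bjones  aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
"""

LINE_RE = re.compile(
    r"^\[[+*]\]\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<proto>[a-z]+)\s+"
    r"(?:(?P<domain>[A-Za-z0-9]+)\\)?"   # optional DOMAIN\ prefix
    r"(?P<user>[A-Za-z0-9_.-]+)"
    r"(?::(?P<secret>\S+))?"             # optional :password after the user
)


def parse_log(text):
    """Return one dict per line that matches LINE_RE; other lines are skipped."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def users_starting_with(text, letter):
    """The 'regex filter' from the article: usernames beginning with a given letter."""
    prefix = re.compile(r"^" + re.escape(letter), re.IGNORECASE)
    return [rec["user"] for rec in parse_log(text) if prefix.match(rec["user"])]


# Redaction patterns. Order matters: hashes are replaced first so the password
# pattern never sees an LM:NT pair as "user:password".
HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")        # LM/NT hashes: 32 hex chars
PASSWORD_RE = re.compile(r"(?<=[\w.-]:)(?!<)\S+")   # token right after "user:"


def redact(text):
    """Replace hashes and passwords with placeholders, hashes first."""
    text = HASH_RE.sub("<HASH>", text)
    return PASSWORD_RE.sub("<PASSWORD>", text)


def contains_secret(text):
    """DLP-style gate: True while any raw secret still matches. Deliberately
    conservative, so a host:port token would also trip it."""
    return bool(HASH_RE.search(text) or PASSWORD_RE.search(text))


if __name__ == "__main__":
    print(users_starting_with(SAMPLE_LOG, "a"))
    clean = redact(SAMPLE_LOG)
    if contains_secret(clean):
        raise SystemExit("refusing to send: secrets remain after redaction")
    print(clean)
```

The gate runs on the redacted text before anything leaves the testing VM; the usernames and hosts survive redaction so the excerpt is still useful for "show me the relevant tags" style prompts against a local model.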

Pen testers are no strangers to automation. Tools like NetExec automate authentication and enumeration checks across many hosts at once. Nmap, created in 1997, lets analysts discover a network’s hosts and the services they expose.

“There’s no way that I can trust [AI] with entrusted data to us. Instead, it’s, ‘What are the ways that I can add little bits of efficiency to what I’m already doing that I normally wouldn’t have time to do?’” he said.

Jack Danahy, VP of advisory services and corporate strategy at NuHarbor Security, said his company hasn’t used AI to simplify tasks. He’s intrigued, however, about capabilities that tailor messages to C-suite clients of varying technical expertise—“to help us better understand a community that we really want to serve,” he said. A helpful prompt someday, Danahy agreed, could be something like: explain this web application vulnerability as if you were talking to a middle manager who doesn’t understand tech.

Job: security. While AI and “vibes” have made software engineers reflect on their job security, CompTIA sees healthy growth for both coders and cybersecurity analysts. The industry association predicts a 30% growth in cybersecurity analyst roles by 2034 (and 27% growth for software developers and engineers).

Also, more AI tools, even if they take over aspects of the pen-testing job, mean more systems to write about and to compromise.

“I don’t think it’s going to make the jobs go away, because at the end of the day, we still have AI systems to hack too, right?” Herndon said.