Posted by Catherine Jones on 15 May 2026

CREST Research: How AI is Changing Penetration Testing

AI has become an established part of cybersecurity service delivery. As understanding has grown and tools matured, providers have become more confident using AI in daily practice. This has created both opportunity and risk in an industry built around assurance. The question for cybersecurity providers is how to harness AI to improve capability while preserving trust – particularly in high-assurance services such as penetration testing.

CREST has been exploring this governance challenge through a global initiative on responsible AI adoption in cybersecurity, involving independent research and dialogue with key stakeholders. We want to help the sector understand what’s happening now, define what responsible implementation looks like, and develop assurance models that support the market’s needs.

How AI is used in penetration testing today

Our recent CREST report, "Inside penetration testing: How AI is reshaping practice", provides significant insights into how AI is being used in penetration testing. Based on original research with 62 cybersecurity providers across 19 countries, the findings show that AI use has become standard practice for the majority of respondents – 69% are using AI in penetration testing workflows, and 76% have increased their use over the past year.

Currently, most respondents use AI for the parts of testing that involve high volumes of information, such as report drafting, summarising and data analysis. Practitioners can generate and control the output of this work using general-purpose LLMs such as ChatGPT and Gemini. Specialist AI-enabled penetration testing platforms have been less widely adopted, which may reflect the higher levels of precision and evidence required for core testing activity.

As tools improve and practice matures, most surveyed providers plan to increase AI use. This is likely to bring greater scrutiny into how testing is checked, evidenced, and validated. Governance frameworks will be needed to help providers meet these expectations – giving clients assurance and supporting the professionals accountable for the work.

What practitioners say about AI in cybersecurity services

In February 2026 we explored our research findings with an industry roundtable in Abu Dhabi. Senior experts from member companies and the CREST team shared their experiences of using AI in operations and services. Their responses support what the research shows: AI is already part of cybersecurity service delivery, but practitioners are applying it selectively.

Roundtable attendees provided real-world insights into the practical applications of AI. In penetration testing, they use it for early-stage tasks like reconnaissance, enumeration and configuration review, as well as reporting and quality assurance. Some organisations use it to reduce preparatory and reporting phases – in some cases from weeks to days. In SOC environments, AI is helping their teams suppress duplicate events, reduce false positives, add context to alerts and route cases to senior analysts faster.

Most AI efficiency gains come from tasks where practitioners can review and evidence the output. Practitioners expressed greater caution about AI use in core testing activity, production environments and high-assurance reporting. The roundtable discussion characterised this as "mature realism" – an acknowledgement that AI brings clear benefits, alongside areas of risk that need careful management.

“The AI guard rail is me.”
Participant view, Abu Dhabi roundtable, February 2026

This emphasis on human oversight highlights the importance of governance as AI use increases. Concerns about assurance currently present a barrier to further adoption, so for now, the usage model remains human-led and AI-supported.

AI efficiency is only part of the business case

Lower costs are often cited as a benefit of AI. However, while it can reduce manual effort, our research suggests this doesn’t directly translate into savings. In practice, AI delivers the strongest results when it sits inside controlled processes, with clear data handling, defined review steps and accountable sign-off. This requires investment in AI architects, developers, data scientists, validation testing and strong review systems, which can increase costs in the short term.

For many providers, efficiency gains are being used to improve the quality of delivery rather than reduce the price of services. By reducing time spent on routine tasks, AI can give practitioners more capacity for deeper investigation, broader coverage and faster turnaround. This suggests the commercial value of AI lies in better capability and more consistent delivery, not necessarily cheaper testing.

AI-supported work also needs to stand up to scrutiny. Survey respondents and roundtable participants reported persistent constraints around variable output quality, limited explainability, false confidence and the validation work needed to check, reproduce and evidence outputs. AI hallucinations create commercial and reputational risk, particularly in regulated sectors.

This is why skilled practitioners remain central to service delivery. AI has the potential to help businesses scale, but only if quality keeps pace with capacity, and testing tools become more reliable.

Trust in AI-enabled testing depends on governance

Governance is a commercial issue as well as a technical one. As AI is brought into more areas of penetration testing, clients will want clearer evidence of how providers manage its use and the associated risks. Survey respondents already anticipate this scrutiny, with 85% expecting clients to ask about AI use in testing.

The roundtable discussion highlighted the key areas of risk: inadequate documentation, lightweight wrappers around third-party models, weak audit trails and unclear liability. Attendees explained how risk increases when AI tools are poorly documented, built without disciplined software engineering, connected to external models, or allowed to orchestrate activity without clear controls. Each of these makes it harder to evidence how outputs were produced and to assign responsibility for them.

Clear governance gives providers a practical way to address client concerns, with documented processes that show how AI use fits into delivery, how review steps work, how data is controlled and how final decisions are signed off. As AI grows, the ability to demonstrate governance will become central to successful practice.

What comes next for AI in penetration testing

For penetration testing providers, client trust will require transparency. There will be an expectation to demonstrate exactly what AI is used for, how humans check it, and how the final findings stand up to scrutiny.

Our AI in penetration testing research revealed significant sector demand for governance support. To meet this need, we are working to capture emerging good practice as a basis for standards. As a starting point, the Abu Dhabi roundtable proposed 9 principles for responsible AI-enabled cybersecurity, including accountability, transparency, validation, data control and secure development. If adopted widely as a charter, these principles could help standardise AI practices, and help the sector develop strong governance as adoption grows.

CREST will continue to support the cybersecurity industry through research, practical guidance, and assurance models that help providers evidence responsible AI-enabled delivery.

Download the CREST AI in penetration testing report to explore the full research findings.

Further reading:

CREST has published new research exploring how artificial intelligence is being used in professional penetration testing services across the global cybersecurity industry.