If you’ve been following Wizer for a while, you know we love a good CTF (Capture The Flag). But during our last public event, something shifted. The logs were moving at "the speed of AI." Almost every participant showed up with an AI agent in tow, trying to crack the code in record time.
But here’s the kicker: No one solved it without a human.
That realization led to our latest webinar. We sat down with Gaby Friedlander (Founder and CEO of Wizer), Ofri Ziv (Co-founder of Tenzai), Itzik Alvas (CTO of Wiser), and Robbie (aka Pin Draconian, Ethical Hacker) to discuss where AI ends and human intuition begins in the world of security testing.
Only two or three years ago, the consensus was that AI lacked "context." It was a glorified word predictor. But as Robbie pointed out, the leap from LLMs to autonomous agents has been jarring.
Ofri’s team at Tenzai realized that the logic used for software engineering isn't that far off from security testing. If an AI can write code, it can analyze the behavior of an application to find where that code breaks.
"It’s a paradise for those looking for vulnerabilities because there is so much more code being shipped, and fewer eyeballs on every line. AI allows you to scale that search." — Ofri Ziv
We’re entering an era Itzik calls "Vibe Coding", where business people or developers describe a feature, and the AI builds it instantly. It’s fast, it’s efficient, and it’s a security nightmare.
Historically, DAST (Dynamic Application Security Testing) was "the boring stuff" that never really worked well because it lacked the creativity to interact with a running app.
The panel agreed that the real "big move" is AI’s ability to perform autonomous DAST. Instead of just looking for patterns in text (SAST), AI agents can now interact with APIs, click buttons, and even manage their own email inboxes to test registration flows. This allows companies to run a "mini pen test" on every single release cycle, rather than once a year for compliance.
Short answer: No. Robbie explained that while AI is great at finding "complex" vulnerabilities quickly, it often struggles with "simple" ones that require connecting two disconnected systems.
The Future Toolbox:
We are in a "vulnerability boom." Attackers have these tools too, and they have infinite time. As Itzik noted, we can't just sing "Kumbaya" and hope the AI secures everything.
The bar is being raised. If you’re a developer, you need to be a "team lead of robots." If you’re a defender, you need to use AI to keep up with the sheer volume of code being produced.
Want to see the future of AI-driven pen testing and security training in action?
Watch the full recorded session here: https://hubs.la/Q04gFBzh0