
AI Can Find More Vulnerabilities. Humans Still Decide What Matters.

19 May 2026
Angela Heindl-Schober

Key Takeaways

  • AI is now finding vulnerabilities at machine speed. The hard part is deciding which findings actually map to business risk.
  • AI-assisted discovery is on track to push annual CVE disclosures from roughly 40,000 in 2025 toward 100,000 in 2026.
  • More findings do not produce more security.
  • The model that wins this phase combines machine-scale coverage, vetted human researchers, continuous validation, and business-risk prioritization.
  • Synack delivers this through Sara, Synack’s Autonomous Red Agent, working in concert with the Synack Red Team across some of the most regulated environments in the world.

What AI Pentesting Means for Continuous Security Validation

Every CISO conversation I’ve had this quarter circles back to the same problem: AI produces more vulnerability findings than security teams can read in a week, and the sheer volume obscures which findings are connected to real business risk.

This week’s Wall Street Journal piece on frontier AI models and the bug bounty market gave that conversation a wider audience. The share of high-severity findings is climbing, and Anthropic’s Opus 4.6 disclosed more than 100 bugs in Firefox over a two-week stretch. The headline most people will take away is that AI can now find vulnerabilities faster than any human team. That part is true, and it has been true for a while.

AI has proven it can find vulnerabilities; the hard part now is discerning which of those findings actually deserve a response. That shift is also reshaping how organizations build their security programs. Going forward, testing models must be built around continuous security validation, which pairs AI pentesting with human judgment and creativity.

AI Pentesting Is Producing More Findings Than Teams Can Triage

Roughly 40,000 CVEs were disclosed across the industry in 2025, and the current trend points toward 100,000 in 2026. Synack CTO Mark Kuhr estimates that AI-assisted discovery will eventually push that number toward a million in a single year. That trajectory is good news for adversaries and complicated news for defenders, because more findings do not automatically produce more security.

Most security teams already feel this in practice. The findings pile up faster than anyone can read them, and without a clear sense of which ones touch the systems the business actually runs on, every alert in the queue ends up competing equally for attention that is already stretched thin. The clock has tightened too. CISA is moving toward three-day patch windows for critical vulnerabilities, replacing the multi-week cycles teams had built their workflows around, and most programs were simply not designed to operate at that pace.

Coverage without validation creates a different problem.

Why Continuous Security Validation Beats Volume in Penetration Testing

Security teams do not need another dashboard with 50,000 alerts. They need a defensible answer to a smaller, harder set of questions. Which vulnerabilities are actually exploitable in this environment? Which assets are truly exposed? Which attack paths could let someone reach the systems the business cannot afford to lose, and how quickly can we close them?
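The questions in the paragraph above are what a triage step has to answer, and they can be written down as a scoring rule so that the answer is defensible rather than a gut call. The Python below is an added illustration, not Synack’s code or any tooling the post describes. The weighting multipliers, the SLA tiers (modelled loosely on the three-day window mentioned earlier), the asset names and the findings are all assumptions constructed for the example. It ranks a CVSS 9.5 finding on an unreachable build server below a CVSS 6.5 finding on an internet-facing payments API with a reproduced exploit, which is the post’s point: severity alone is a poor proxy for business risk.

```python
"""Added example: rank findings by validated exploitability and exposure, not raw CVSS.

The multipliers and SLA tiers below are illustrative assumptions, not a published scheme.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    internet_exposed: bool   # reachable from the public internet
    business_critical: bool  # e.g. payments, customer data


@dataclass(frozen=True)
class Finding:
    id: str
    asset: Asset
    cvss: float
    validated_exploit: bool  # a researcher or agent reproduced the exploit in this environment
    reaches_critical: bool   # an attack path from this weakness ends at a business-critical system


def risk_score(f: Finding) -> float:
    """CVSS is only the baseline; evidence of exploitability and exposure scale it.

    Weights are assumptions chosen so that validated, exposed, high-impact
    findings dominate the queue.
    """
    score = f.cvss
    if f.validated_exploit:
        score *= 2.0   # proof beats a scanner's guess
    if f.asset.internet_exposed:
        score *= 1.5   # reachable by an external attacker
    if f.reaches_critical or f.asset.business_critical:
        score *= 1.5   # blast radius includes systems the business runs on
    if not f.validated_exploit and not f.asset.internet_exposed:
        score *= 0.5   # unproven and internal-only: deprioritise, do not drop
    return score


def deadline_days(f: Finding) -> int:
    """Assumed SLA tiers, modelled loosely on a three-day window for critical exposure."""
    critical_exposure = (f.validated_exploit and f.asset.internet_exposed
                         and (f.reaches_critical or f.asset.business_critical))
    if critical_exposure:
        return 3
    if f.validated_exploit or f.cvss >= 9.0:
        return 14
    return 30


def triage(findings: list[Finding], today: date) -> list[tuple[str, float, date]]:
    """Return (finding id, score, remediation deadline) sorted by descending risk."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.id, risk_score(f), today + timedelta(days=deadline_days(f))) for f in ranked]


# Constructed sample data for the example; every asset and finding here is hypothetical.
BUILD_SERVER = Asset("ci-build-01", internet_exposed=False, business_critical=False)
PAYMENTS_API = Asset("payments-api", internet_exposed=True, business_critical=True)
MARKETING_SITE = Asset("www-marketing", internet_exposed=True, business_critical=False)
HR_PORTAL = Asset("hr-portal", internet_exposed=False, business_critical=True)

SAMPLE_FINDINGS = [
    Finding("F-1", BUILD_SERVER, cvss=9.5, validated_exploit=False, reaches_critical=False),
    Finding("F-2", PAYMENTS_API, cvss=6.5, validated_exploit=True, reaches_critical=True),
    Finding("F-3", MARKETING_SITE, cvss=7.5, validated_exploit=True, reaches_critical=False),
    Finding("F-4", HR_PORTAL, cvss=8.0, validated_exploit=False, reaches_critical=True),
]

if __name__ == "__main__":
    for fid, score, due in triage(SAMPLE_FINDINGS, date(2026, 5, 19)):
        print(f"{fid}  score={score:6.2f}  due={due}")
```

Two design choices are worth noting. The unproven, internal-only finding is down-weighted rather than discarded, so it stays in the queue for later validation instead of silently disappearing. And the two inputs that move a finding most, validated_exploit and internet_exposed, are exactly the two that a scanner cannot supply on its own: the first comes from a researcher or agent reproducing the exploit, the second from an asset inventory the organization maintains.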

This is where continuous security validation starts to matter as a category and not as a buzzword. Gartner describes the same work in analyst language as Adversarial Exposure Validation, which slots into the wider Continuous Threat Exposure Management (CTEM) picture. Under either label the underlying idea is the same: ongoing proof that a system can or cannot be exploited, delivered fast enough for remediation to keep pace.

Findings create work. Evidence creates clarity.

AI + Human Pentesting: Where Researcher Judgment Matters Most

In our industry, there’s a lot of talk about whether AI is replacing human researchers. But the data from real engagements shows a consistent pattern: agents are very good at volume, and senior researchers are very good at severity and criticality. The reason is context, and context is still hard to fake.

What agents do well is scale. AI can scan thousands of systems, test common attack patterns against them, and surface a long list of potential vulnerabilities in hours. A senior researcher, on the other hand, knows how an organization’s applications are supposed to be used, what the business is trying to protect, and which weaknesses could let someone get to a customer database or a payments system. 

Taken together, researchers and AI can cover both the wide-scan work of looking for entry points across a company’s systems, and the complex, hard-to-find vulnerabilities that often present real risk.

How AI + Human Pentesting Delivers Continuous Security Validation

The model that holds up under this kind of pressure is not AI-only and it is not human-only. It combines machine-scale coverage with human creativity to deliver continuous validation and business-risk prioritization.

That’s the model Synack has been refining for 13 years. Sara AI Pentesting, Synack’s Autonomous Red Agent, runs continuously across the attack surface and expands coverage at machine speed, powered by agentic AI. The Synack Red Team (SRT), a rigorously vetted community where fewer than 10% of applicants are accepted, validates what is actually exploitable and reports vulnerabilities in language a security leader can take into a board meeting. Together they make continuous security validation a working program across some of the most regulated environments in the world.

That posture is where the market is headed: coverage at scale, validation with judgment, evidence over volume, continuity over snapshots.

What This Means for Penetration Testing Programs in 2026

Vulnerabilities are going to be discovered faster than ever, by more tools, in more places. The organizations that come out of this stretch in better shape will be the ones that can keep proving, on an ongoing basis, which risks actually matter before an attacker gets there first. The penetration testing programs that succeed in this phase will be the ones built around continuous validation, not periodic assurance.

AI finds more. Humans prove what matters.