Why the Future of Pentesting Needs Humans and Agentic AI Working Together
Most enterprises test less than a third of their attack surface, and attackers have already moved to AI-speed offense. Agentic AI closes the coverage gap, but only when paired with human expertise: an AI-first, human-validated model that secures critical infrastructure without sacrificing operational safety.
Key Takeaways
- Only 32% of enterprise attack surfaces are tested on average, leaving a 68% blind spot that attackers actively exploit at machine speed.
- Agentic AI pentesting tools can cover far more ground far more often: 87% of adopters report expanded attack surface coverage, and 91% test more frequently.
- Unlike scanners, agentic AI reasons contextually, forming hypotheses and adapting mid-test, which is why it finds novel vulnerabilities that signature-based tools miss.
- Human experts remain indispensable for business logic flaws, IDOR, and complex access control chains: the high-value bugs agentic AI still cannot reliably catch.
- Critical National Infrastructure requires strict network-level containment and human oversight to prevent AI agent drift and ensure zero operational disruption.
- Synack pairs Sara, its agentic AI, with 1,500+ vetted researchers in an AI-first, human-validated model built to close the coverage gap without adding operational risk.
The Attackers Already Moved to Machine Speed
Last September, Anthropic shared a detail that has stuck with me. A state-sponsored group had quietly taken over an AI coding agent and pointed it at around 30 organizations, running what amounted to an autonomous espionage operation. The AI did roughly 80 to 90% of the hands-on work itself, hammering targets at thousands of requests a second. There is no human team on earth that operates at that speed.
When these autonomous operations target Critical National Infrastructure (CNI) such as energy grids, water systems, or transit networks, machine speed stops being just an IT headache. It becomes a matter of public safety and physical security.
Attackers are now building AI into the actual attack, letting it hunt for weaknesses and chain them together at all hours. Once the offense is moving that fast, a once-a-year pentest stops being a security control. It is a photograph of a building that has already been remodelled. Most defenders know they are behind. The reason isn’t effort. It’s that the way we have always done testing was never designed to keep up.
The Coverage Gap Brings More Risk Than Ever
Synack commissioned Omdia to survey 200 security leaders and practitioners at US enterprises with 1,000 or more employees. Pentesting came back as a top or high priority for 95% of them. And yet the average organization is only testing about 32% of its attack surface.
So roughly two-thirds of the environment, 68%, goes untested. That is a blind spot sitting in plain sight, and attackers have become very good at reaching it before anyone else does. For about a third of these companies it’s worse again, with 20% or less of their infrastructure under any kind of regular assessment. Keep in mind who answered this survey: large enterprises, about 63% in the 1,000 to 4,999 range and 38% above 5,000. These are organizations with mature security teams and large budgets.
In high-assurance sectors, a 68% coverage gap isn’t just an unmapped digital asset. It represents a potential single point of failure for an entire public service. Good manual testing takes time and can be costly at scale, so it ends up rationed into a few snapshots a year, while the things you need to test (cloud-native apps, APIs, infrastructure that spins up and disappears) keep piling up between engagements.
What Agentic AI Changes
Agentic AI genuinely moves the needle here, because it lets you cover far more ground far more often. The same Omdia respondents who already use the technology qualify this: 87% said it made testing a bigger slice of their attack surface easier, and 91% said it let them test more often.
It is worth defining what agentic means, because vendors have stretched the word. A scanner follows a script, while an agentic system reasons. It studies the application in front of it, comes up with a theory about how it might break, tries it, looks at what came back, and changes its approach based on that, which is more or less how a human tester thinks. That ability to work from context, rather than from a fixed list of checks, is the whole difference. It is also why these systems find things a signature based tool will never see.
We already have proof in the wild. Anthropic turned its latest model loose on Firefox, a browser that has been fuzzed and audited for decades, and it turned up 22 unknown vulnerabilities in two weeks, 14 of them high severity. Several of these were logic errors the existing fuzzers had simply never caught, illustrating a different kind of bug rather than more of the usual.
This example demonstrates how AI goes faster, wider, and looks at the systems being tested from an angle humans tend not to. For an organization staring at that 68% gap, that is a big deal.
While scaling up agentic capabilities is necessary to match the adversary, high-assurance environments cannot afford the unpredictability that comes with letting an autonomous AI run completely unguided.
Why Humans Are Still Indispensable
Automation and AI Pentesting Still Demand Rigorous Assurance
My first job was in avionics, and this entire AI and human dynamic feels deeply familiar to me because of it. We did model-based systems engineering where we built precise models of how a system was meant to behave, then generated the code straight from those models. Automation already did a great deal of the heavy lifting, much as agentic AI does today.
But producing the code was never the hard part. Enormous amounts of rigorous, structured testing, independent verification, and human review against the intent of the design. The automation could generate something that looked correct, and even passed a first glance, yet proving it behaved as intended across every edge case that mattered was a human responsibility. You do not sign off on a flight system because the tool says it is fine. You sign off on it because people have rigorously demonstrated that it is.
The same mentality exists in security testing and attack surface management. The people who are the most enthusiastic about AI are also the most insistent that it cannot run alone. Only 22% want fully autonomous testing. A clear majority, 64%, want agents doing the work with humans watching over them. They are right to.
AI Still Misses the Business Logic Flaws
Where agentic AI still falls down is exactly where the expensive bugs live, which is business logic. Think about a banking app where the problem isn’t a bad input, but a sequence of legitimate looking steps. You kick off a transfer, cancel it at just the right moment, and ride the timing window to spend the same money twice. Nothing about that trips a signature. To catch it you have to understand what the transaction is for, what the business assumed would happen, and where the code quietly disagrees. That is intuition, and the models aren’t there yet.
IDOR (Insecure Direct Object Reference) is the textbook case. It lives in the application’s idea of who owns what. Finding it means logging in as different users, swapping object IDs around, and thinking carefully about permissions. Automated tools love the happy path and tend to stroll right past it. Same story with multi-step access control abuse, horizontal chaining across disparate systems, and the creative pivots that a seasoned tester does almost by reflex. Academic benchmarks have clocked standalone model precision as low as 23 to 65%, which in practice means a pile of false positives with nobody to sort the real from the noise. And in a head-to-head comparison, Stanford researchers found AI agents beat 9 of 10 human pentesters on a live enterprise network, but the top human still won on creative vulnerability chaining.
CNI Safety: Why Autonomy Needs Guardrails
When you shift the lens to CNI, the limitations of standalone agentic AI harden into strict safety boundaries. High-assurance testing operates under a zero tolerance policy for operational disruption:
- The Threat of Agent Drift: Agents work by observing and adapting. If an agent is instructed to test a staging environment, it may naturally attempt to follow links or cross segmented zones. In CNI, scope enforcement cannot rely on prompts or instructions alone; it requires strict, network level containment to ensure the AI never drifts past Model boundaries into production environments.
- The Five Eyes Mandate: Recent joint guidance from CISA, the NCSC, and their Five Eyes counterparts highlights that autonomous agents introduce massive privilege and behavioural risks. To meet compliance baselines, systems must demonstrate behavioural auditability and feature rigid emergency controls, a kill switch that allows human operators to stop an agent mid task.
There is also the matter of what the AI hands back. Models hallucinate or make stuff up when they don’t know. A purely autonomous run will confidently report bugs that don’t exist. If those findings go straight to your engineering teams, you have just spent their week chasing ghosts. Someone, something, or even better both, has to validate each finding and prove it is actually exploitable before it counts. The strongest setups use the AI itself to do a first pass of triage and deduplication at scale, then put a human on the results that matter.
Furthermore, a model trained on last year’s data cannot reproduce the restless, competitive curiosity of a human research community that collaborates, pivots, and uncovers novel, zero day techniques in real time.
AI Pentesting with Humans in the Loop Brings the Best of Both
So it was never really humans versus AI. The programs that work run both at once. In high assurance architectures, the ideal model is AI first, human validated.
Let agentic AI carry the heavy lifting of continuous discovery, surface enumeration, and regression testing across the entire surface at machine speed. Then, pass those high quality leads to human experts who assume control of the next mile, prosecuting business logic, navigating complex chains, and ensuring strict validation before any exploit touches a critical asset. The people supply the judgement and safety parameters the machine doesn’t have. Sometimes the maths will favour AI only testing on lower stakes enterprise assets, and that’s a perfectly reasonable call, as long as it is made deliberately rather than by default.
Synack didn’t bolt humans and AI together after the fact. We built the platform around both. We pair Sara, our agentic AI, with the Synack Red Team, more than 1,500 vetted researchers, in a setup where humans are in the loop by design. The autonomous side covers ground fast with strict, safe action defaults and network level scope containment. The researchers go deep on the hard, high value problems, ensuring nothing gets reported until it is confirmed to be genuinely exploitable and operationally safe. We have over 13 years, 1,500 elite vetted researchers, and millions of hours of expert testing that got us here.
Attackers already worked out that automation plus human ingenuity beats either one alone. If we want to keep up, close that 68% gap, and secure the infrastructure that underpins society without inflicting operational harm on ourselves, we have to meet them with the exact same combination.
Related reading: Agentic AI Pen Testing: Speed at Scale, Certainty with Humans • Sara AI Pentesting Is Now GA: The Synack Autonomous Red Agent • Attack Surface Discovery and Management: What Security Teams Actually Need to Know
Frequently Asked Questions
Agentic AI pentesting uses AI systems that reason and adapt during testing, rather than following fixed scripts, to autonomously discover, chain, and validate vulnerabilities at machine speed. Unlike traditional scanners, agentic systems study an application, form hypotheses, test them, and adjust based on results, much as a human tester would. The key difference: a scanner executes a checklist; an agentic system thinks.
Agentic AI excels at speed and coverage but still struggles with business logic vulnerabilities, IDOR, and complex multi-step attack chains that require contextual judgment. A model trained on last year’s data also cannot reproduce the restless, competitive curiosity of a human research community that evolves in real time. Human experts validate exploitability, navigate edge cases, and ensure findings are operationally safe to report, especially in critical infrastructure environments where a false move can cause real-world harm.
According to the 2026 State of Agentic AI in Pentesting, a survey of 200 US enterprise security leaders commissioned by Synack and conducted by Omdia, only 32% of the average organization’s attack surface is tested annually. For about a third of enterprises, coverage is worse: less than 20% of infrastructure receives any regular assessment. This gap is not from lack of effort, it’s a structural limitation of traditional, point-in-time testing that agentic AI is built to address.
AI-first, human-validated means AI agents and human experts are working together as one continuous system. AI runs continuous discovery and regression testing across the full attack surface at machine speed, while human experts work alongside it to validate exploitability, chase complex logic flaws, and set safety parameters as findings are surfaced. Humans also confirm operational safety before anything is reported.
Synack combines network-level scope containment with strict safe-action defaults to prevent AI agent drift. All findings are human-validated before reporting, and nothing is confirmed as exploitable until a researcher has reviewed it against the operational context.


