Instead of asking ourselves, “Will AI replace us?”, the real question is, “How can we use AI to enhance our expertise?” “
Although AI outperforms humans in processing large amounts of data and automation, the insight of pentesters remains irreplaceable when it comes to creativity, interpreting context, and intuition, explains Laurent Deheyer, Chief Delivery Officer at Approach Cyber.
Is AI better than humans at penetration testing? In certain respects, AI clearly seems to have the edge. It’s fast, capable of completing a full penetration test in just a few hours. It’s methodical, because it doesn’t get distracted and never misses a thing. It never stops. It’s scalable, as it can be deployed in parallel across hundreds of targets without incurring additional personnel costs. But of course, it also comes at a price.
All these aspects—both positive and negative—must be thoroughly analyzed, explains Laurent Deheyer. “Some vulnerabilities flagged by the AI still need to be verified by a human. Not all of them are immediately exploitable. After all, the ability to understand the context of an application, communicate with developers, and propose an appropriate solution remains, for the time being, the exclusive domain of humans.”
A co-pilot to prepare the work
AI automates the search for bugs via injection and detects known attack patterns at lightning speed. It excels at executing clearly defined scenarios. And it finds. Documents. Reports. In short, it acts as a co-pilot to prepare the work.
“Today, in the race against the clock that cybersecurity has become, AI has a head start. And we’re taking advantage of that. At Approach Cyber, we use it on a large scale—for the benefit of our clients.”
At first glance, you might think that AI will gradually replace humans. Laurent Deheyer doesn’t believe that. “We, as humans, assess the business context, anticipate real-world consequences, and draw connections between complex vulnerabilities that AI cannot make. In fact, we’re able to improvise when faced with unknown security systems! »
In other words: AI does not replace the intuition, resourcefulness, or big-picture perspective of a good penetration tester.
Not infallible, numerous blind spots
AI heralds a new way of thinking about security: no longer as a series of one-off tests, but as a continuous process integrated into development cycles. It acts as a force multiplier. On the other hand, it is the specialist who controls the tool, interprets the subtle findings, and devises the most advanced, tailor-made attacks.
After all, AI is obviously not infallible. Moreover, it has numerous blind spots. Its intelligence is, rather, relative. “Although it often performs very well in conventional scenarios, it struggles enormously when we venture off the beaten path,” says Laurent Deheyer. “A series of steps involving an unusual sequence of functionalities—what’s called a ‘creative chain attack’—remains difficult for an AI to conceive.”
Similarly, the more experience you have with penetration testing, the better you can think outside the traditional framework of an attack. Following an AI’s recommendations too literally will then be more of a hindrance than a real help. “Our junior staff need to learn to manage without AI,” Laurent Deheyer adds. And thus demonstrate intelligence, subtlety, and creativity, while the AI excels at large-scale tasks such as sorting vulnerabilities or generating reports. The art of the trade lies in looking beyond technical observations to define concrete actions that transform simple technical findings into a clear, relevant, and prioritized security plan. »
Strengthening Expertise
AI has undeniably changed the landscape of penetration testing by boosting detection, triage, and reporting. But it is the combination of the machine’s speed and human ingenuity that delivers the most in-depth analyses, the most creative attack vectors, and the most nuanced advice an organization needs.
Instead of asking, “Will AI replace us?”, the real question is: “How can we leverage AI to enhance our expertise?”
In other words: although AI continues to redefine the pentesting toolkit, it is far more likely to become an indispensable co-pilot than to completely replace the human pilot. That, at any rate, is the course being followed at Approach Cyber, whose 2026 Pentest Annual Report was recently published.
