• 2 min read
AI won’t replace penetration testers just yet
Rootshell Security argues AI is speeding up security testing, but human judgment still matters most for exploitability and risk prioritization.

Image: TechRadar
AI is already reshaping offensive security, but it is not about to replace penetration testers, according to a Chartered Cyber Security Professional (ChCSP) and Vice President of Global Threat Services at Rootshell Security writing for TechRadar Pro. The bigger shift, the author argues, is that AI will change how testers work — and could make experienced practitioners more valuable, not less.
In day-to-day security testing, AI is already helping teams:
- identify vulnerabilities faster
- analyze large datasets
- correlate findings across environments
- surface potential attack paths
- generate documentation and reporting
- reduce repetitive manual work
Those gains are real. But the article argues that simply finding vulnerabilities has never been the hardest part of cybersecurity. The tougher problem is understanding risk: which flaws are actually exploitable, which attack paths are realistic, which issues need immediate remediation, and which can wait.
That is where human expertise still matters most. A vulnerability’s real-world impact depends on context, including asset criticality, business impact, compensating controls, user privileges, environmental configuration, attacker motivation, and the way multiple weaknesses interact. Two organizations can have the same vulnerability and face very different levels of risk.

Recommended reading
TfL hackers get 5.5 years as Scattered Spider takes a hit
Why context still beats automation
The author says effective assessments rely on thinking like an attacker rather than following a fixed workflow. Testers weigh questions such as how to gain initial access, what to target next, how weaknesses can be chained together, and what the likely business impact would be.
“Will AI replace penetration testers?” “My answer is equally simple: No.”
That is why the piece pushes back on the idea of fully autonomous security testing. Attackers adapt, improvise, and exploit unexpected opportunities, the author writes, and strong offensive security work requires the same flexibility.
The next bottleneck is prioritization
As AI improves vulnerability discovery and analysis, organizations will end up with more findings, more data, and greater visibility. That may sound like progress, but it can also create more noise.
According to the article, the companies that succeed over the next decade will not be the ones that find the most vulnerabilities. They will be the ones that best distinguish genuine risk from background noise and decide where to focus limited resources.
The author’s conclusion is straightforward: the future of security testing is human-led, AI-assisted, with machines accelerating analysis and visibility while people remain responsible for business context, real-world risk assessment, and remediation priorities.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via TechRadar


