AI won’t replace human pentesters and security teams. It will be a force multiplier

LLMs are changing the role of security researchers and engineers, but companies laying off human cyber experts just as AI coding generates more vulnerable code are in for a world of hurt.
Hector Leano
May 26, 2026

The first question we get from CISOs when we demonstrate Xint is, “does this replace humans?”

The truth is there has always been a shortage of qualified security engineers, and now AI is generating more vulnerability-prone code just as AI is scaling attacker capabilities. 

From The Verge:

‘[Katie Moussouris, founder and CEO of Luta Security] says that many people in cybersecurity roles have been laid off because of AI’s efficiencies, even though those efficiencies are exactly why more humans need to remain in the mix. Companies will need human threat hunters, threat intelligence officers, and incident responders to deal with the onslaught of new exploits. And they’ll need people to decide which patches to prioritize and implement.

“We don’t have the AI defensive equivalent to automate all of those tasks, and I think we’re going to need to staff up and hire a lot of people,” she said. And organizations will need to build out secure software and secure architecture for networks to avoid ending up in an endless cycle of patching. “You have to build more secure software in the first place. We can’t incident respond our way to resilience.”’

But the role is changing away from bug discovery, which LLMs excel at, and more towards validation, patching and remediation where human understanding of systems still outperforms even the most advanced LLMs.

There has always been a gap between the number of security experts needed and the number available. AI will actually increase that need.

The human role in product security is changing, but humans are still essential

Autonomous pentesters like Xint (also known as Cyber Reasoning Systems) make the judgment calls a senior researcher would make, without being prompted for each one, such as:

  • File selection

  • Reachability reasoning

  • Exploit chaining

  • Reproduction

  • Patch suggestion.

But human oversight remains critical for: 

  • Engagement scoping

  • Report reviews

  • Assessing the applicability of a finding to the organization’s specific architecture (e.g., does a vuln only apply for certain settings that are not applicable to the organization)

  • Remediation prioritization

  • Evaluating how a patch will impact the entire system 

We are not trying to automate the human out of the loop. Rather, we are automating the parts of pen testing that do not scale (the hours of reading code and chasing data flows) so that human time lands on the parts that do (deciding what matters, accepting findings, shipping fixes).

The end-state is not a robot pen tester. It is a security team that gets pen test depth on the cadence of CI.

Xint is AI-native, but we’re hiring

One of the paradoxes of this period is that the most successful companies in AI are increasing headcount. 

  • NVIDIA: +1.8x since 2022

  • OpenAI: +6.5x since 2022

  • Anthropic: +25x since 2022 

At Xint we are hiring because our goal wasn’t to replace humans but rather to figure out how to solve the talent shortage in cyber just as the volume of insecure code is exploding. Pointing even the most state-of-the-art LLM at a codebase or application will probably unearth a real vulnerability, but it will just as likely drown teams in false positives. Without a system, the raw output of models is just not practical in the real world for securing codebases and applications.

Xint itself is built on using the expertise of the world’s best hackers. Attackers are continuously changing tactics, which means we always need new people thinking like an attacker in order to harness the most impactful outputs from LLMs. 

Xint is not a replacement, but rather a force multiplier for security teams having a difficult time finding talent.

