The Advancement of Penetration Testing and AI – Is Security Getting Better?

I was watching Harry Potter today – not unusual to have movies on in the background as I work – and it made me think a bit. Pentesters were often treated like wizards – magically being able to unlock a company’s secret. Immortalized in movies like The Matrix and Hackers, having their own language and rules – or lack of them. A subculture that was elusive, dark and, to me at least, cool. It was about what you can do. Your kung fu as it were. But over the last maybe 8 years things have changed.

Companies, not all of them I have to say, have matured, security has gotten better– pentesting evolved. We saw the rise of red teaming, a kind of advanced pentest – whereas traditional pentests try to find and show the impact of multiple attack paths, perhaps tripping defenses (although in the early days there really wasn’t anyone “watching” everything was post facto analysis). Red teaming was designed to be a by any means necessary but don’t get caught (a basic definition and I understand the complexities here so don’t hold the definition against me fellow red teamers 😊 )

Still the basic premise holds true – a company hires you for a period of time to test the defenses and show the impact of risk. RedSpy365 changed that – being able to incorporate threat intelligence, institutional knowledge in a continuous “movie like” experience, using best of breed tools within its own unique ecosystem and crypto fabric – mapping content creators to content consumers. It even sounds impressive to me and I designed it. Albeit with some of the smartest and most dedicated team I have ever known. – I am not “that” good 😊 I just surround myself with incredibly talented people. Then we come to the rise of AI.

It made natural sense to start to incorporate AI into RedSpy365. The bad actors are already using AI to create advanced malware and tooling, so it was too much of a leap for us to be able to use it- we just have to do it smarter and more security. I incorporated AI to solve a couple of problems. Ask questions and get informed responses against documents uploaded into Azure’s ChatGPT via Cognitive Search for informed response and specific pentest reporting. It also had to be able to start “talking” and executing functions/bots and scenarios to RedSpy365 itself.

It appears after all, humans do not like answering lots of compliance questions (go figure) and if we can help that, by having AI look through documents and answer the compliance questions automatically against those documents, then that can help the client save time and money. It can also help me understand control object failures to the technical risks I see on a clients’ network. So, it’s a win-win as far as I can see.

The first part is complete – since we integrated RedSpy365 into SIG (Standard Information Gathering) from Shared Assessments it made sense to be able to upload policy documents and ask sign questions against them and auto fill out the SIG via the AI answer – it is very clever, still in its early stages, but very promising. We released AI into version 14.4.4 to solve the above problem and it does.

The second part is where it gets remarkably interesting. Being able to have an AI talk to and respond and then create content or execute a function, is how we start to move the AI from performing informed response to actually “doing” something. Again, early days, but the feature is starting to come along nicely. We also air gap the AI – after all we are responsible and want the analyst to control the AI not the other way around. Integrating Langchain agents into RedSpy365 is probably the best direction, for us at least. It will allow the AI to interact with the RedSpy365 API.

We also look to our Likely Attack Path Scenario (LAPS) to be able to map potential attack paths. Now couple that with our market place (A place where security researchers can sell their content, respond to challenges, where RedSpy365 clients can purchase said content and create/respond to challenges as well – all in a gamified ethical crypto fabric – which we will tell you more about this later in the year) we can start to map the content inside of the market place. We can map the threat surface of the client (i.e., the risks) to the marketplace so when a content creator adds a new tool, tactic, technique, scenario, bot, template the client and the RedSpy365 can be made aware of the content.

Think of it like an advanced Apple App Store meets – as content creators add new “apps” you get notified of those apps that apply to you specifically. So as content creators add new content the AI can map the clients risks to the content – now RedSpy365’s market place not only enhances the DNA (i.e. no long is RedSpy365 an army of a small team of analysts) but with the DNA of all the content creators it becomes an army of all the DNA inside of it, but it can alert upon new content risks, threat intel risks and tooling risks.

So, what does this mean for a client? Well, it means behind the scenes the AI is working for them and their analyst. It means that as new content flows into the ecosystem, their threat risk is auto mapped to this new content (remember new content can be a new exploit, tactic, tool, technique etc.). The AI can serve as what we call the Augmented Virtual Pentester. Monitoring thousands of data points both on the client’s threat surface and, via the marketplace, any new content added into the RedSpy365 security ecosystem.

I am still evolving with AI myself. I don’t fully trust it and perhaps for good reason. To me it serves as a tool, a function I can use to help with identifying and testing risk and showing impact of that risk and testing the defensive security posture of the organization being tested – after all, isn’t that the definition of penetration testing?

The bad actors are seizing upon AI – not just to see how to exploit AI itself, but to use it as a tool against organizations. Perhaps the future is the bad actors AI vs the good guy’s AI. Machine vs machine. Human creativity vs machine creativity.

So back to the original title of the article – is security getting better? I think so, but I am also very wary. I think the enemy is regrouping, rearming itself with new technology. As a pentester – we have to do the same and that’s why I created RedSpy365.