[{"content":"I want AI to replace pentesters. Hold on - this isn\u0026rsquo;t clickbait. I\u0026rsquo;ll explain why AI speeding up cybersecurity and pentesting is actually good news for everyone working in the field.\nThe cybersecurity market is smaller than you think Over the past two years, the cybersecurity market has been growing 9–14% annually, reaching up to $330 billion in 2025 depending on whose report you trust (IMARC, Grand View, Fortune Business Insights all give different numbers).\nFor comparison:\nMarketing technologies: ~$850B in 2025, growing at ~20% CAGR Global software market: $823B in 2025 Cybersecurity: $220-330B That\u0026rsquo;s a staggering gap. The volume of AI-generated content and hype around cybersecurity is wildly disproportionate to its actual market size - a market that doesn\u0026rsquo;t ship consumer products, that exists almost entirely as a cost center for buyers, and that vendors monetize largely through fear-based positioning. Even the global software development market is bigger than cybersecurity, and both are dwarfed by martech.\nWhy companies spend on cybersecurity in the first place Before the AI surge, the only meaningful growth drivers for cybersecurity were:\nCompliance - meeting regulatory standards Breach prevention - avoiding fines, customer trust loss, reputation damage, and direct financial theft The numbers from IBM\u0026rsquo;s Cost of a Data Breach report:\nGlobal average breach cost: $4.44M US average breach cost: $10.22M Cost of meeting compliance: ~$5M Cost of non-compliance: ~$14M Breach probability is hard to pin down, but a 2025 UK survey put the rate at about 43% of companies. If we assume a 30–40% annual probability and $4.4M average impact:\nExpected loss = $4.4M x 0.4 = $1.76M per year\nThat would be a rational baseline security budget. Every CISO reading this just laughed, because getting that number approved is wishful thinking. Reality, according to IANS Research: companies actually spend just 0.69% of revenue on cybersecurity.\nCompare that to marketing budgets:\nSpend category % of revenue Source Marketing 7.8% Gartner 2026 CMO Spend Survey Marketing 9.4% CMO Survey (Deloitte / Duke / AMA) Cybersecurity 0.69% IANS Research Companies spend 8-11x more on marketing than on security. This single fact defines the labor market dynamics for everyone reading this.\nWhat actually makes a good pentester or analyst Cybersecurity is fundamentally about tradeoffs and decision-making under information scarcity. When you have one shot at your end goal - most red team engagements - getting caught ends the project. That\u0026rsquo;s high-stakes adversarial work.\nLLMs are still bad at this. They need repetitive supervised self-correction. They\u0026rsquo;re inconsistent - the same task produces different outcomes across runs, which makes results hard to predict. In red team work, where you have to be extremely cautious not to trigger SOC alerts, LLMs act too roughly: direct steps, no patience, no contextual restraint.\nThe detail awareness required to stay below the detection threshold takes years of operational experience to develop. Current LLMs don\u0026rsquo;t reliably exhibit it.\nWhere AI can and will eat pentesting Penetration testing as a service, however, is largely algorithmic. The workflow:\nRecon - reverse NS, WHOIS, MX lookups, subdomain enumeration Target identification - port scanning, tech fingerprinting via Wappalyzer or similar, functionality discovery Vulnerability scanning - Nessus, nmap NSE scripts, web app analysis, common exploits Credential stuffing - combing public breach for org credentials (hard to source comprehensively, but doable) This is well-documented work, taught in courses, written about in books - exactly the kind of knowledge LLMs ingest well. Because pentesting can produce noise and the only hard constraint is keeping the customer\u0026rsquo;s infra up, you can iterate as many cycles of recon -\u0026gt; scan -\u0026gt; exploit as needed and course-correct along the way.\nThis is exactly the workflow that LLMs are getting good at right now. And that\u0026rsquo;s the central point of this post.\nPhishing and AI-generated malware Phishing remains the most effective initial access method - still the top vector threat actors use to drop ransomware. AI changes the field in two concrete ways:\nIndustrial-scale obfuscation - signature and hash-based detection becomes obsolete Malware in obscure languages - few defenders are tooled to reverse code written in less common languages, creating a real gap between attacker capability and defender readiness This forces defenders into new detection strategies and new tooling - which means more work, more specialization, and more spending.\nThe paradox: more attacks means more demand for defenders More successful breaches lead to more security spend. Higher attacker capability leads to more hiring on the defender side. The market grows when attacks work.\nThis dynamic is reinforced by the AI safety positioning from Anthropic, OpenAI, and others. Their public claims about LLMs and autonomous agents as cybersecurity threats - whatever you think of the accuracy - have directly driven budget owners to fund more robust defensive programs. Whether you call it awareness or fear marketing, the budget effect is the same.\nThe increased interest in cybersecurity from companies over the past two years is a direct consequence.\nWhat this means for pentesting as a career Pentesting as a productized service will be heavily automated. Expect a single specialist to run 4 projects in parallel without efficiency loss within a couple of years. The conveyor-belt portion of the work - recon, scanning, common-vuln exploitation, reporting - is exactly what current models handle well.\nBut the strategic adversarial work - red teaming, custom exploit development, defender architecture, incident response, threat modeling - stays human-led. And the budgets for that work grow as attack capability grows.\nIf you\u0026rsquo;re a pentester reading this: AI isn\u0026rsquo;t your replacement. It\u0026rsquo;s your force multiplier. The ones who pick these tools up first are the ones who win.\n","permalink":"https://ankerit.io/blog/posts/ai-replaces.pentesters/","summary":"AI accelerating cybersecurity automation is actually good news for security pros. Market data, breach economics, and a realistic look at what pentesting really involves.","title":"I Want AI to Replace Pentesters - and Why That's Bullish for Cybersecurity"}]