I want AI to replace pentesters. Hold on - this isn’t clickbait. I’ll explain why AI speeding up cybersecurity and pentesting is actually good news for everyone working in the field.

The cybersecurity market is smaller than you think

Over the past two years, the cybersecurity market has been growing 9–14% annually, reaching up to $330 billion in 2025 depending on whose report you trust (IMARC, Grand View, Fortune Business Insights all give different numbers).

For comparison:

  • Marketing technologies: ~$850B in 2025, growing at ~20% CAGR
  • Global software market: $823B in 2025
  • Cybersecurity: $220-330B

That’s a staggering gap. The volume of AI-generated content and hype around cybersecurity is wildly disproportionate to its actual market size - a market that doesn’t ship consumer products, that exists almost entirely as a cost center for buyers, and that vendors monetize largely through fear-based positioning. Even the global software development market is bigger than cybersecurity, and both are dwarfed by martech.

Why companies spend on cybersecurity in the first place

Before the AI surge, the only meaningful growth drivers for cybersecurity were:

  1. Compliance - meeting regulatory standards
  2. Breach prevention - avoiding fines, customer trust loss, reputation damage, and direct financial theft

The numbers from IBM’s Cost of a Data Breach report:

  • Global average breach cost: $4.44M
  • US average breach cost: $10.22M
  • Cost of meeting compliance: ~$5M
  • Cost of non-compliance: ~$14M

Breach probability is hard to pin down, but a 2025 UK survey put the rate at about 43% of companies. If we assume a 30–40% annual probability and $4.4M average impact:

Expected loss = $4.4M x 0.4 = $1.76M per year

That would be a rational baseline security budget. Every CISO reading this just laughed, because getting that number approved is wishful thinking. Reality, according to IANS Research: companies actually spend just 0.69% of revenue on cybersecurity.

Compare that to marketing budgets:

Spend category% of revenueSource
Marketing7.8%Gartner 2026 CMO Spend Survey
Marketing9.4%CMO Survey (Deloitte / Duke / AMA)
Cybersecurity0.69%IANS Research

Companies spend 8-11x more on marketing than on security. This single fact defines the labor market dynamics for everyone reading this.

What actually makes a good pentester or analyst

Cybersecurity is fundamentally about tradeoffs and decision-making under information scarcity. When you have one shot at your end goal - most red team engagements - getting caught ends the project. That’s high-stakes adversarial work.

LLMs are still bad at this. They need repetitive supervised self-correction. They’re inconsistent - the same task produces different outcomes across runs, which makes results hard to predict. In red team work, where you have to be extremely cautious not to trigger SOC alerts, LLMs act too roughly: direct steps, no patience, no contextual restraint.

The detail awareness required to stay below the detection threshold takes years of operational experience to develop. Current LLMs don’t reliably exhibit it.

Where AI can and will eat pentesting

Penetration testing as a service, however, is largely algorithmic. The workflow:

  1. Recon - reverse NS, WHOIS, MX lookups, subdomain enumeration
  2. Target identification - port scanning, tech fingerprinting via Wappalyzer or similar, functionality discovery
  3. Vulnerability scanning - Nessus, nmap NSE scripts, web app analysis, common exploits
  4. Credential stuffing - combing public breach for org credentials (hard to source comprehensively, but doable)

This is well-documented work, taught in courses, written about in books - exactly the kind of knowledge LLMs ingest well. Because pentesting can produce noise and the only hard constraint is keeping the customer’s infra up, you can iterate as many cycles of recon -> scan -> exploit as needed and course-correct along the way.

This is exactly the workflow that LLMs are getting good at right now. And that’s the central point of this post.

Phishing and AI-generated malware

Phishing remains the most effective initial access method - still the top vector threat actors use to drop ransomware. AI changes the field in two concrete ways:

  • Industrial-scale obfuscation - signature and hash-based detection becomes obsolete
  • Malware in obscure languages - few defenders are tooled to reverse code written in less common languages, creating a real gap between attacker capability and defender readiness

This forces defenders into new detection strategies and new tooling - which means more work, more specialization, and more spending.

The paradox: more attacks means more demand for defenders

More successful breaches lead to more security spend. Higher attacker capability leads to more hiring on the defender side. The market grows when attacks work.

This dynamic is reinforced by the AI safety positioning from Anthropic, OpenAI, and others. Their public claims about LLMs and autonomous agents as cybersecurity threats - whatever you think of the accuracy - have directly driven budget owners to fund more robust defensive programs. Whether you call it awareness or fear marketing, the budget effect is the same.

The increased interest in cybersecurity from companies over the past two years is a direct consequence.

What this means for pentesting as a career

Pentesting as a productized service will be heavily automated. Expect a single specialist to run 4 projects in parallel without efficiency loss within a couple of years. The conveyor-belt portion of the work - recon, scanning, common-vuln exploitation, reporting - is exactly what current models handle well.

But the strategic adversarial work - red teaming, custom exploit development, defender architecture, incident response, threat modeling - stays human-led. And the budgets for that work grow as attack capability grows.

If you’re a pentester reading this: AI isn’t your replacement. It’s your force multiplier. The ones who pick these tools up first are the ones who win.