The Role of AI in Penetration Testing

AI is definitely the buzzword of the past few years, and in 2025 we’ve seen AI tools offering specific implementations that people and organizations can use to work faster and smarter. Meanwhile AI companies are constantly updating offerings as the market grows and changes. Of course, with all of this rapid change, there are opportunities for AI to be used insecurely or even maliciously, so today I’d like to take a look at AI-augmented penetration testing at Raxis and how we use AI with an eye on security.

How AI Enhances Penetration Testing

At Raxis, we are using AI to enhance our penetration testing by augmenting manual expertise, freeing up our experienced penetration testing team to focus on the most challenging aspects of security, such as chained attacks and creative exploit paths. We’ve found that many of our customers are (rightfully) concerned about how we use AI on our penetration tests, and I’d like to take this opportunity to delve into that.

There are numerous AI tools, some with security features and some without. With security ever on our minds, we first split our AI use by whether any specific information is involved. This doesn’t just mean data such as PII and financial information; it also means sensitive data such as who our customers are and what systems they have.

Non-Sensitive AI Uses

There are several ways that AI enhances our pentest process by speeding up tasks that our pentesters would usually perform manually. Because malicious actors can take all the time in the world to attack an organization, while pentesters operate in a time-box and must prioritize activities, AI is a big help in simplifying some steps of the process so that our pentesters can focus more on complex manual exploits.

  • PentestGPT can provide exploit code for specific vulnerabilities and attack paths. Where, in the past, pentesters may have spent hours researching paths for complex attacks, PentestGPT often gives them solid paths quickly. In such attacks, exploits often don’t work the first time or in the same way for every environment, so this one tool can help throughout the process.
  • Various common AI tools allow pentesters to:
    • Ask questions around exploit usage and tools to use in specific scenarios.
    • Generate various lists, for example additional named pipes found on operating systems before Windows 8 to help find an accessible pipe to exploit the Eternal Blue vulnerability.
    • Vibe code scripts to automate tasks that our pentesters would otherwise run manually, writing the output of each command to an output file that our pentesters can then check. Note that AI only writes the scripts that our pentesters review and run; it never sees the data.
    • Act as a glorified search engine to help build commands.

Sensitive AI Uses

Several trusted pentest tools have already integrated AI, aiding pentesters in discovering vulnerabilities to look at more closely.

  • Burp Suite’s AI suite helps evaluate scan outputs and perform basic business logic testing. It’s good at ruling out false positives, allowing our pentesters to confirm results more quickly.
  • Paid professional versions of many AI tools secure sensitive data and segment information to our pentester’s system, in effect segmenting it from LLM learning tools and other outside uses. These tools can aid pentesters in speeding up processes too:
    • Create complex tables of affected resources for a report finding.
    • Create initial drafts of phishing email pretexts and landing pages based on customer websites.
    • Translate webpages.
    • Identify discovered information simply by asking “What is this?” to discover the framework or product that generated it. 

Complex AI Uses

Additional, less common AI uses involve downloading and running large language models (LLMs) locally, unconnected to the cloud. Pentesters ask direct hacking-related questions to uncensored models without extensive prompt engineering bypasses. For example:

  • Many public LLMs commonly block requests that are perceived as “harmful,” such as hacking and offensive security related questions. These require prompt engineering to bypass, but vetted open-source models, which have been fine-tuned to remain “uncensored,” enable specific feedback without fear of data leakage or extensive prompting to bypass.
  • Offline secure processing also allows pentesters to fill the context window of models with client details to search for disparate, but connected, details. This includes “needle-in-a-haystack” searches, such as parsing leaked log files while cross-referencing them with scoping documents and fuzzing results to search for new endpoints, sensitive information, or other key details.

These types of complex AI searches allow pentesters to do more in less time. In the past, searches such as these could take testers away from covering all top priority items, so they would have to limit their research. Now AI allows them to follow that hunch and complete the most comprehensive test possible.
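A lead that a local model surfaces from a full context window still has to be checked against the agreed scope before anyone acts on it. The following is an added example, not Raxis code, that performs the log, scope and fuzzing cross-reference described above deterministically; the host names, log format and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data (not from any real engagement).
SCOPE_HOSTS = {"app.example.test", "api.example.test"}   # from the scoping document
FUZZ_FOUND = {("api.example.test", "/v1/users"), ("app.example.test", "/login")}
LOG_LINES = [
    "2025-01-10T09:00:01Z GET https://api.example.test/v1/users?id=7 200",
    "2025-01-10T09:00:02Z POST https://api.example.test/v1/export/csv 200",
    "2025-01-10T09:00:03Z GET https://API.example.test/v1/export/csv?all=1 403",
    "2025-01-10T09:00:04Z GET https://partner.example.net/sso/callback 302",
    "2025-01-10T09:00:05Z GET https://app.example.test/login 200",
    "malformed line without a url",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def endpoints(lines):
    """Yield a normalised (host, path) pair for every URL in the log lines."""
    for line in lines:
        for raw in URL_RE.findall(line):
            parts = urlsplit(raw)
            if parts.hostname:  # hostname is already lower-cased by urlsplit
                yield parts.hostname, parts.path or "/"

def triage(lines, scope, already_found):
    """Split log endpoints into new in-scope leads and out-of-scope hosts."""
    new_in_scope, out_of_scope = set(), set()
    for host, path in endpoints(lines):
        if host not in scope:
            out_of_scope.add(host)          # recorded for the report, never tested
        elif (host, path) not in already_found:
            new_in_scope.add((host, path))  # not seen by fuzzing: worth a manual look
    return sorted(new_in_scope), sorted(out_of_scope)

if __name__ == "__main__":
    leads, excluded = triage(LOG_LINES, SCOPE_HOSTS, FUZZ_FOUND)
    for host, path in leads:
        print(f"review: {host}{path}")
    for host in excluded:
        print(f"out of scope, do not test: {host}")
```

Running the same check over a model's answer gives a quick way to catch hallucinated endpoints and hosts that fall outside the engagement.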

Empowering Human Experts for Advanced Attacks

With time-consuming tasks handled by AI, our highly-skilled penetration testers can now dedicate more energy to deep-dives and chained attacks, like complex exploit chains that require creative thinking and real-world context. Manual techniques still excel at uncovering subtle business-logic flaws, advanced privilege escalations, and attacker simulations that go beyond routine vulnerabilities. AI, in this scenario, enables penetration testers and red teams to construct, test, and validate sophisticated attack paths more efficiently. On a side note, our team is much happier because complex manual attacks keep their skills honed and keep their jobs interesting.

The Human-AI Partnership

AI is not a replacement for experienced cybersecurity professionals; it is a collaborative partner. At Raxis, human expertise remains at the center of every engagement. AI’s analytical power, speed, and pattern recognition give experts the space to innovate and simulate the threats that matter most, ensuring security assessments are both comprehensive and cutting-edge.

Blending AI with manual penetration testing gives organizations the strongest defense by combining the scale and speed of automation with the ingenuity and precision of the human mind. As threats evolve, we at Raxis believe that this partnership is the future of proactive cybersecurity.

Interested in more ways that Raxis penetration testers are using AI? Take a look at our new AI-Augmented series, where our pentesters highlight real-world use cases.
