Testing The First Real AI Pentesting Platform
Cyber penetration testing is integrating with AI faster than most people are ready to admit.
I spent about a week testing KinoSec, an autonomous penetration testing platform built to run real offensive security work against scoped targets.
I have been doing cyber and physical penetration testing for around 20 years, and my chief concern was this: if you give an AI system a target and offensive capabilities, will it stay where you told it to stay?
And further, how does the AI stack up against a human hacker? Will it only find low-hanging fruit, or will it discover the most out-of-the-box vulnerabilities?
The Platform
KinoSec is exactly what it claims to be: an autonomous offensive security platform. But unlike more outdated vulnerability platforms, which I won’t name, this is a custom AI that effectively has no qualms about pentesting.
Gone are the days of the grandma bypass.
The platform itself works really well. You simply supply it with a scope and how deep of a pentest you are interested in and let it run along and pentest while you go do something else.
This was honestly where I felt compelled to babysit the AI, simply because I was actually pretty concerned that it may go rogue and jump out of scope … but thankfully after an entire week of testing, it never did.
It quickly identified breach data, various vulnerabilities and a number of other issues far faster than any human could do … present company included.
On one occasion, I decided to go head to head with it for an hour and it still surpassed what I, Burp and numerous other tools could come up with in the time frame.
While we both discovered some vulnerabilities within an hour, it so quickly outpaced me that I simply backed off and let it do its thing.
Fundamentally, you get to decide what the scope of the assignment will be and how thorough you want the test to be.
And of course, the favorite part of any pentester … the report writing, is also completely covered and done for you. While I don’t want to share exactly what their report template looks like, I can say having looked at it, it’s really nice and easy to follow.
Going into this, I was honestly expecting something closer to a vulnerability scanner, or perhaps something like ChatGPT without all the guardrails, but this was much faster and more thorough than I expected.
And given that they plan on expanding into things like network, IoT, and other types of testing, it’s going to be difficult to keep up with the AI.
Staying Current
One thing that stood out while I was using KinoSec was how current the platform seemed to be with newer CVEs.
During testing, it identified issues tied to very recent vulnerabilities, including some I had not even heard of yet. That is one of the harder parts of being a human tester. No matter how long you have been doing this, you are always trying to stay current.
New CVEs come out constantly. New proof-of-concept code gets published. New tools show up. New writeups explain new attack paths. Nobody can keep all of that in their head in real time.
AI has a real advantage there.
If it does not already know something, it can look it up. If there is a public exploit, a GitHub repo, a proof of concept, or a writeup tied to a vulnerability, it can potentially pull that into the test far faster than a human can even recognize that there is a new CVE.
A human tester has to stop, research, read, test the tool, understand the exploit path, and then decide whether it applies. KinoSec was doing that kind of work at a pace that is hard for a person to match.
That is one of the places where AI starts to dwarf the human workflow. It is not just faster at clicking through an application. It is faster at staying current, faster at connecting a recent vulnerability to a target, and faster at turning public research into something useful during the test.
That said, part of the platform even allows you to ping and hire a human hacker to work alongside the AI in case you feel that added human touch is necessary on your test. This makes it difficult to argue that KinoSec is lacking something from either the human or AI side of things.
The Human Side vs. The AI Side
There is a real trade-off coming in penetration testing, and I do not think it is as simple as AI replacing humans or humans staying untouched.
A good human tester still brings advantages. They understand scope, client risk, and when to slow down on something that looks strange. They can decide when to go deeper, when to stop, when to ask for clarification, and when a path is technically possible but outside the rules of engagement.
Humans are also better at the weird stuff: business logic, process failures, trust relationships, and the small details that only become serious when someone knows how to chain them together.
The problem is that humans are slow. They need lunch, breaks, sleep, and time away from the keyboard. Even a strong tester gets tired. A finding that is obvious at 9 a.m. can be missed at 5 p.m.
AI does not have that problem.
The AI side brings speed and consistency. A platform like KinoSec can crawl, test, validate, and document without stopping. It may not always think outside the box the way a strong human tester can, but it can be very clever, especially if it is tied into current exploits, tools, proof-of-concept code, GitHub repos, and public research.
That is a major advantage. If you asked most testers what the latest ExploitDB entry is without letting them look it up, they would not know. An AI system can be built around a rolling knowledge base that tracks new exploits and techniques in real time, then applies that knowledge during testing.
The downside is trust.
There are environments where people are not going to be comfortable letting AI run offensive testing on its own, or hopefully even having any amount of control. I think of that as the Skynet problem. The AI may be faster. It may even do a better job. But in an airport, hospital, power plant, military environment, or anything tied to weapons systems, the acceptable failure rate is different.
That is where humans stay in the loop. AI is going to take more of the repeatable testing workload. Humans are still going to matter where judgment, restraint, context, and risk tolerance decide how far the test should actually go.
Of course this is only my opinion and for all I know politicians may vote Skynet to be in control of our ICBM network tomorrow.
Physical Security Implications
KinoSec is not built for what I am about to discuss, and I want to be clear about that. I am not saying KinoSec can be used this way.
The concern that I have about AI in the physical space is what happens when this same kind of AI-driven offensive capability moves into the local network.
Imagine a malicious AI with no guardrails, running from a small device placed somewhere on the internal network. That device could be something the size of a Raspberry Pi, an Android phone, or another implant-style device.
The attacker may not need to get into the server rack or go after the domain admin on day one. They only need a network position, power, and enough connectivity for the system to start learning where it is.
A malicious AI sitting inside a network could potentially map, test, adapt, and keep working without the same fatigue or hesitation a human attacker has, which also includes infinite patience.
Defenders treat physical access as dangerous because physical access can become network access. AI makes that more serious. If offensive automation keeps improving, then a random network jack in a lobby, a shared office, or a vendor area is not just a port anymore. It becomes a possible launch point for something that can think, test, and move faster than a human sitting in a parking lot with a laptop.
If I find myself at the receptionist desk for 3 min alone with my laptop and an open Ethernet port, I have limited options, but an injected AI doesn’t.
It could sit on the network for hours, days or months waiting, learning and slowly pivoting before doing whatever it was tasked with. It would probably also make getting rid of it from the network incredibly difficult as it could likely mutate itself, open various access routes back into the network, back itself up, etc.
Combine a malicious AI inside a target network with direct communication to an outside malicious human and you have a serious problem.
Conclusion
KinoSec feels like one of the early serious steps toward AI-driven penetration testing that is more than scanning and more than a demo.
It was fast. It was easy to use. It produced findings I could validate. Most importantly, in my testing, and to my relief, it respected scope.
I have no idea exactly what the future of cyber pentesting will be, but I can confidently say that AI will be a part of that reality.
Training Resources:
For individuals looking for hands-on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5-day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Physical Audit Training - 2-day course on how to set up and run a physical security audit
Elicitation Toolbox Course - 2-day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Strategic Operations for Lone Operators - Advanced course for those who are interested in learning how to become a one-man infiltration team.
Counter Elicitation - 2-day course on how to recognize and prevent elicitation attempts, and safeguard your secrets.
Cyber Bootcamp for Black Teams - 2-day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.
Private Instruction - Focused learning & training based on your needs.

Thanks for sharing this Brian. I wonder how effective AI will be at tracking down common memory exploits. I have heard on the GNU/Linux project Linus was getting tired of duplicate bugs though.