AI Study Group: May 2026 Part 2

AI: Friend or Foe?

By Jennifer Williams

19th May 2026

Jennifer Williams, Managing Director of Secarma, discussed how artificial intelligence is transforming penetration testing (pentesting) and cyber security while arguing that human expertise remains essential. Drawing on her experience as a former penetration tester, she explained that pentesting is a form of authorised ethical hacking in which consultants identify vulnerabilities, demonstrate how they could be exploited, and provide clients with remediation advice.

Williams distinguished pentesting from automated vulnerability scanning. Vulnerability scanners can identify known weaknesses but lack the ability to assess context, determine real-world impact, or combine multiple vulnerabilities into a larger attack path. Pentesters add this human analysis and judgement, helping organisations understand the actual risks they face.

Although AI capabilities have advanced rapidly, cyber security adoption has been slower. Organisations are only now beginning to request security assessments of AI systems and ask whether AI is being used in pentesting engagements. Williams noted that AI is already well established in defensive security, where it helps monitor networks, detect anomalies, and review software code for vulnerabilities. Offensive security is now beginning to benefit from AI as well.

A central question was whether AI will replace pentesters. Williams’ view was that it will not. Instead, AI acts as a force multiplier, increasing efficiency and enabling testers to achieve more within limited engagement times. She suggested that future pentesters will need a broader mix of skills, including consultancy, communication, and risk assessment, rather than relying solely on technical expertise.

To illustrate AI’s value, she described a real-world engagement involving a cross-site scripting (XSS) vulnerability embedded within a PDF file. The application’s PDF renderer executed malicious JavaScript, allowing a targeted user to be redirected to a fake site designed to harvest credentials. AI helped generate and refine the required code, enabling testers to discover and exploit a complex attack path that would have been difficult to identify within a short engagement.

However, Williams emphasised that the same capabilities benefit attackers. AI lowers technical barriers, accelerates vulnerability exploitation, and dramatically shortens the time between discovery and active attacks. As a result, defenders increasingly find themselves competing against AI-enhanced adversaries.

Much of the talk focused on ethics and governance. Williams argued that AI lacks judgement, proportionality, and an understanding of contractual boundaries. Human testers know when to stop, how to minimise impact, and how to remain within authorised scope. AI can also be confidently wrong, producing convincing but inaccurate findings that require careful validation.

Secarma has therefore adopted governance controls based on the ISO/IEC 42001 AI management framework. Williams concluded that AI is neither inherently good nor bad; it amplifies human intent. The future of cyber security lies in combining AI’s speed and efficiency with human judgement, accountability, and ethical decision-making.

 
