AI and the Future of Pentest Reporting and Vulnerability Management

Empower your workflows with AI

Cybersecurity leader Jason Haddix from Arcanum Security and AI expert Michael Bell from PlexTrac joined forces for an educational session on the transformative impact of artificial intelligence on offensive security processes and workflows. Specifically they covered how AI can:

• Enhance the speed, accuracy, and comprehensiveness of pentest reporting
• Empower visibility and prioritization in vulnerability management 

Jason Haddix is the CEO and “Hacker in Charge” at Arcanum Information Security. Jason has had a distinguished 20-year career in cybersecurity previously serving as CISO of Buddobot, CISO of Ubisoft, head of Trust/Security/Operations at Bugcrowd, director of penetration testing at HP, and lead penetration tester at Redspin. Jason is a hacker and bug hunter, currently specializing in recon, web application analysis, and emerging technologies. 

As the head of AI at PlexTrac, Michael leads AI innovation, collaborating closely with the engineering team and the CTO to advance cybersecurity solutions. Michael supports the integration of large language models and helps develop cutting-edge solutions that align with PlexTrac’s mission to deliver unparalleled cybersecurity services.

Together these AI experts discussed technical and practical ways you can support both your offensive security reporting and vulnerability management. 

Watch the full webinar or read on for the highlights. 

How AI Impacts the Future of Pentest Reporting and Vulnerability Management

Enhance pentest reporting

Generative AI presents a huge opportunity to streamline pentest reporting, both for the creators and recipients of the reports. Jason and Mike began the webinar with a discussion of the areas they see as most ripe for automating with AI. 

First, AI can help with quickly adding expert insights to reports. For Jason that new content was information for defenders that isn’t typically included in pentest reports. He said, “That was the first place where I really use AI in pentest reporting was to basically add a whole bunch of defensive information that I think my clients had never got. And when my clients received these reports, they were like, ‘This is amazing. We have never seen a pentest company go this deep in remediation. And can you do more of this?’ Our red team reports end up looking like purple team reports sometimes, which is really interesting.”

AI is also extremely useful for differentiating report content for different audiences or adapting the technicality of the language. Jason explained, “One of the things I found in the research was that technical testers are usually the first drafters of pentest reports. And so the first thing that was really apparent is that they spoke to, in their findings descriptions, other testers. They spoke a lot of techie, which is great. I speak techie and I love techie, but there is a different audience in the executive section, and there’s a different audience actually in the findings too — developer tie-ins and stuff like that. And speaking to a developer rather than a security person has to be something you do.”

A third area they discussed as low hanging fruit for automating with AI was adding content that provides business value. “And then the other place I found was just business impact, right? Like not a lot of people were really tying their vulnerabilities into business impact,” said Jason. 

Jason and Mike agreed the most immediate value of AI in reporting is using generative AI to efficiently improve report quality with deeper insights for specific readers.

“The AI was, was great at both of those things. So taking a very technical topic and helping me realize when I was being too technical and breaking it down for another audience, and then also giving me developer-focused communication, which was things like you don’t think of every day,” said Jason.

Empower vulnerability managment

They went on to cover how AI can help scale vulnerability identification and management. Mike said, “But I think that we can always develop — hackers and attackers and threat actors are always developing as well — to find new vulnerabilities and to find those things that us as humans on a small scale don’t take into account. And so leveraging AI and different language models to identify those things and pick out those things on a large scale is kind of where I see the industry going.”

Jason explained how he suggests leveraging AI to power vulnerability management: “What you can do is you can take your vulnerability management, all of your vulnerabilities that you have in your vulnerability management program. You can ask the AI based on subsections of that data to help you discover things like regressions or other places where those vulns might exist on your networks, both internal and external and also similar vulnerabilities. Now is AI the best tool for that always? Sometimes AI is the best tool for that. Sometimes a hybrid solution of AI and actual programming and or scripting is a solution to that.”

Leverage Plex AI to steamline pentest reporting

PlexTrac’s new Plex AI is the industry’s first and only AI pentest report authoring assistant. This capability exponentially speeds report writing by auto-generating findings writeup and recommendations and analyzing data sets to create narrative sections based on your findings.

Jason said, “If you’ve ever written reports before, you know how much of a pain it could be, right? It’s like a lot of times custom vulnerabilities that aren’t in a database already you’re completely writing those from scratch. You can make typos, you can describe something too technically like we talked about. And the button [in PlexTrac], you just push it and magic happens and out comes a description, technical remediation advice and yes you have to review it like everything, but the model is really really good. And honestly it’s been a lifesaver in writing reports for our stuff.”

Find out more about PlexTrac’s AI capabilities.

Explore resources from the webinar

Interested in further learning on AI for pentesting and vulnerability management? Here are links to resources mentioned in the webinar: 

• https://www.arcanum-sec.com/training-overview
• https://gandalf.lakera.ai/ 
• https://jhaddix.gumroad.com/l/vsperu
• https://learnprompting.org/courses 

PlexTrac Author At PlexTrac, we bring together insights from a diverse range of voices. Our blog features contributions from industry experts, ethical hackers, CTOs, influencers, and PlexTrac team members—all sharing valuable perspectives on cybersecurity, pentesting, and risk management.