The Future of Pentesting: Can AI Replace Human Expertise? ⎥ Jyoti Raval
Welcome to the written recaps of the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.
Today I’m joined by Jyoti Raval, a security leader with a diverse background across consulting, product security at Qualys and Harness, and now serving as Director of Cyber Security Engineering at Baker Hughes.
Jyoti is a passionate pentester and international speaker. She’s also the author of Phishing Simulation and MPT: Pentest in Action and has discovered multiple CVEs.
Beyond her technical expertise, Jyoti is committed to empowering women in cyber through InfosecGirls and leads the OWASP Pune chapter.
Together we explore:
- What the future of pentesting will look like
- Whether AI can truly replace human expertise, or whether manual assessments remain essential for understanding context
- The mindset shift needed when transitioning into security leadership
- How to navigate the challenge of becoming a security leader when coming from an individual contributor (IC) role
The Impact of AI on Pentesting
AI is revolutionizing the way pentesting is conducted, transforming traditionally manual processes into automated systems that can handle tasks like reconnaissance, scanning, and fuzzing. However, as Jyoti highlights, automation can only go so far.
"AI is already transforming pentesting. If you look at automated reconnaissance and scanning, finding those low-hanging fruits, or threat intelligence correlation, they do really well," Jyoti explains. "They can even do fuzzing, exploit generation, and documentation—these are a few clicks away now."
Despite these advancements, she believes that human intervention remains essential. While AI can automate routine tasks, it cannot replace the creative and contextual thinking that only a human brings to pentesting. "Manual assessments are going to remain vital," she notes, emphasizing that AI struggles to understand the nuances of business logic vulnerabilities or to perform creative exploitation in real time.
"Number one, we do have contextual understanding when we are pentesting a solution, which AI lacks. We could get creative in exploitation. AI could have a set of rules, but on runtime, you need the human touch to really make those exploitations creative," Jyoti elaborates.
Business Logic Vulnerabilities: Where AI Struggles
When discussing the challenges AI faces in detecting complex business logic vulnerabilities, Jyoti explains her reasoning: "When it comes to human manual pentesting, you know that this functionality goes back and relates to another user login. You understand the potential for privilege escalation or unauthorized functionality," she explains. "These flaws are still going to be human-specific."
AI, Jyoti explains, can identify vulnerabilities based on the design of a system, such as forms or inputs. But it struggles to understand the broader business context.
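To make the distinction concrete, the following is an added example (not code from the podcast or from any tool mentioned on this page). It models the class of flaw Jyoti describes: an endpoint whose inputs are all validated, so a single-account scan sees only well-formed 200 and 404 responses, while a tester holding a second login immediately finds that user B can read user A's record. The application, users, tokens and invoice ids are all constructed for illustration.

```python
"""Added example: why a missing ownership check is invisible to single-account
scanning but obvious to a tester with two logins. All data below is constructed."""

from dataclasses import dataclass, field

# Constructed sample data: two tenants, each owning one invoice.
INVOICES = {
    101: {"owner": "alice", "amount": 1200, "memo": "alice's Q1 invoice"},
    102: {"owner": "bob", "amount": 980, "memo": "bob's Q1 invoice"},
}

# Constructed session tokens mapped to the authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def authenticate(token):
    """Return the user for a session token, or None if not logged in."""
    return SESSIONS.get(token)


def get_invoice_vulnerable(token, invoice_id):
    """Authenticates the caller and validates the id, but never checks who
    owns the record. Every response is well-formed, so input-focused
    scanning has nothing to flag."""
    user = authenticate(token)
    if user is None:
        return Response(401, {"error": "login required"})
    if not isinstance(invoice_id, int) or invoice_id not in INVOICES:
        return Response(404, {"error": "no such invoice"})
    return Response(200, INVOICES[invoice_id])


def get_invoice_fixed(token, invoice_id):
    """Same handler with the ownership check a human tester would expect."""
    user = authenticate(token)
    if user is None:
        return Response(401, {"error": "login required"})
    inv = INVOICES.get(invoice_id) if isinstance(invoice_id, int) else None
    # Return 404 rather than 403 so the endpoint does not confirm that the
    # id exists and belongs to someone else.
    if inv is None or inv["owner"] != user:
        return Response(404, {"error": "no such invoice"})
    return Response(200, inv)


def single_account_scan(handler, token, ids):
    """What a scanner with one login sees: (id, status) pairs. Nothing here
    separates 'my invoice' from 'someone else's invoice'."""
    return [(i, handler(token, i).status) for i in ids]


def two_account_check(handler, token_b, ids_owned_by_a):
    """The manual tester's move: take ids that user A created and replay the
    requests with user B's session. Any 200 is a cross-account read."""
    return [i for i in ids_owned_by_a if handler(token_b, i).status == 200]


if __name__ == "__main__":
    ids = [101, 102, 103]
    print("scanner view as alice:",
          single_account_scan(get_invoice_vulnerable, "tok-alice", ids))
    print("vulnerable handler, bob reading alice's ids:",
          two_account_check(get_invoice_vulnerable, "tok-bob", [101]))
    print("fixed handler, bob reading alice's ids:",
          two_account_check(get_invoice_fixed, "tok-bob", [101]))
```

The scanner's view of the vulnerable handler is a clean list of 200s and a 404; the knowledge that invoice 101 belongs to alice and should not be readable by bob lives outside the HTTP responses, which is exactly the context Jyoti says the tool lacks.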
The key question, however, is how long this limitation will persist. Detection of business logic vulnerabilities has already become more advanced with the introduction of specialized solutions, including Escape's proprietary algorithm, which shows how automated tooling can begin to tackle some of these nuanced issues. As AI continues to evolve, these tools are likely to narrow the gap, even if they do not close it entirely.
Hybrid Approach: Combining AI and Human Expertise
As organizations face growing pressure to reduce security testing costs, Jyoti advocates for a hybrid approach, combining AI-driven tools with manual pentesting expertise. "We would move more towards a hybrid approach where we would do AI-augmented pentesting, but there would be a skill shift," she suggests.
This shift is reflected in the changing role of pentesters. "We are going to transform pentesters into AI operators," she says.
Rather than fully relying on AI or traditional manual testing, security teams will need professionals who can use AI to enhance their efforts and interpret the findings accurately:
"They'll need to really use the capability that AI brings in and then understand how to guide, validate, and interpret those AI-driven assessments."
In-House vs. External Pentesting: Building Internal Security Capabilities
"If I want to put it short and sweet: Internal team handles day-to-day security automation, your secure development lifecycle practices, and external pentesters are brought in periodically for audits, compliance, and, as I mentioned, an unbiased perspective." (Jyoti Raval)
Another key topic in our conversation was the debate between building in-house pentesting teams versus outsourcing the work to external testers. While Jyoti acknowledges the value of third-party audits for compliance, she strongly believes in the power of internal teams who possess intimate knowledge of the organization’s products and systems.
"I am biased towards building internal capabilities in-house. Internal teams handle day-to-day security automation, secure development lifecycle practices, and can leverage contextual knowledge about your products and applications," she explains. "External pentesters are brought in periodically for audits, compliance, and unbiased perspectives."
This in-house approach fosters a deeper understanding of security challenges, allowing teams to proactively address vulnerabilities and integrate security into the development process.
MPT Tool (Pentest in Action): Managing Complex Pentest Workflows
In our conversation, Jyoti shared the inspiration behind MPT, a tool she developed to address the complexities of managing multiple pentests across large organizations. "When dealing with a large organization that has multiple product lines, and multiple pentests running in parallel, you need one source of platform that gives you that single source of truth for how your risk assessment looks," she explains. "I was developing a solution, which ingests a lot of information and gives you that holistic view of your risk posture."
The tool is designed to help security teams better allocate resources, track pentesting progress, and provide a clear overview of security risks. "It also lets your developers know what is coming in their queue and lets your pentester know what is in the queue, transferring that knowledge base and efficiently planning your resources for your team managers." This feature ensures that pentests are assigned to the right resources, avoiding bottlenecks and ensuring that the right expertise is applied to the appropriate tasks.
Jyoti elaborates, "It gives you perspective on how many resources you have, how many pentests you have in queue, how many resources are already engaged in pentest, and what that queue in terms of resource allocation and testing looks like. So you can do that correlation in the dashboard and allocate the pentest to the correct resource."
By providing a centralized platform for tracking pentests, this tool not only boosts efficiency but also ensures that security teams have a clear understanding of their testing capabilities and current workload, all while facilitating better communication across departments.
The Role of Leadership and Mentorship
As Jyoti transitioned from pentesting to a leadership role in product security, she spoke about the critical mindset shift that comes with taking on a more strategic responsibility. "Moving from the technical side to the strategic side involves a lot of skill and influence development," she notes. "While you're improving your skill set, it's also a mindset shift. You need to work on feedback, set goals, and make systematic efforts."
She also discussed the importance of mentorship in her career journey, noting that finding the right mentor is essential for growth. "You always look up to someone who you feel connected with, someone who understands where you're coming from," she explains. "There is no right or wrong leadership style. It's about finding what works for you."
Translating Technical Concepts for Business Leaders
A particularly insightful part of our conversation focused on how security professionals can communicate complex technical issues to business leaders. Many security issues, especially vulnerabilities, are challenging for non-technical stakeholders to understand. Jyoti suggests framing security risks in a way that highlights their business impact.
"For example, if there's a vulnerability like XXE (XML External Entity) injection, you don't need to explain the technical details. You can simply say, 'This functionality was not authorized to be done by user A, but due to a flaw in design, user A can perform this action,'" she explains. By using language that business leaders understand, security professionals can make a compelling case for addressing vulnerabilities in ways that resonate with decision-makers.
Closing Thoughts: "Zero Trust" is often misunderstood
As Jyoti reflects on the evolution of the cybersecurity industry, she notes that organizations must continue adapting to new challenges, particularly with the rise of AI and automation. "Security is evolving quickly, and we must shift our focus towards continuous verification and context-aware access," she says, critiquing the overuse of buzzwords like "Zero Trust," which she feels is often misunderstood.
In her view, Zero Trust is a mindset—a strategy of "never trust, always verify"—rather than a specific tool or product. She advocates for more grounded, actionable approaches like continuous verification, which align with the principles of Zero Trust without falling into buzzword traps.
As we closed the conversation, Jyoti left us with a valuable piece of advice for anyone starting their career in security: "Security Engineering" by Ross Anderson is a great book to gain both a technical and strategic understanding of security.