What matters most, however, is not the individual model but the broader development behind it. Decision-makers in many organizations are therefore asking one central question: How is AI changing the requirements for technical security analyses?<\/strong><\/p>\n\n\n\n This is exactly what we discussed with Matthias G\u00f6hring, Executive Board Member at usd AG and Head of usd HeroLab.<\/p>\n<\/div>\n\n\n\n We are currently seeing several developments:<\/p>\n\n\n\n One key topic is the role of providers of automated and increasingly autonomous pentests, so-called automated pentests, and how their relationship to traditional pentests is shifting.<\/p>\n\n\n\n At the same time, we are seeing a significant increase in the number of potential vulnerabilities. AI is making attacks more efficient and more scalable. This is putting noticeable pressure on existing vulnerability management processes at many companies.<\/p>\n\n\n\n Simultaneously, AI itself is becoming an object of assessment. Many companies are expanding their applications with AI functionalities - and must therefore evaluate the security and meet governance and risk management requirements, for example under the EU AI Act<\/a>. This has created new fields of work: AI governance and pentesting of AI\/LLM systems<\/a>.<\/p>\n\n\n\n Another point is the quality of security analyses. Especially in regulated environments, it remains crucial that results are traceable, reliable, and audit-ready - regardless of which tools are used.<\/p>\n\n\n\n And last but not least, AI is also changing the way we work ourselves.<\/p>\n\n\n\n Just a few weeks ago, I would have answered that question unequivocally: automated approaches will not replace traditional pentests any time soon. But the pace of change has increased significantly recently. New models and tools are showing progress, particularly in automated code analysis and vulnerability identification.<\/p>\n\n\n\n But at the same time, practice shows us very clearly that we are still a long way from truly autonomous pentests. Even widely discussed solutions reach their fundamental limits in our tests.<\/p>\n\n\n\n From my perspective, one reason for the current perception is that different things are being conflated: the automated search for vulnerabilities with access to source code works significantly better today with AI than it did one or two years ago. That is real progress. But a pentest goes beyond that. It evaluates systems in context, tests application logic dynamically, and combines attack vectors. So far, these steps can only be automated to a very limited extent.<\/p>\n\n\n\n What will change is that automated tests, especially scans, will improve significantly. That is fundamentally a positive development. Regular scans have long been a core pillar of vulnerability management. But for web applications, the quality of results has often been the limiting factor. This is where AI can actually help deliver better results. This enables more frequent testing and raises the security baseline. And that is urgently needed, because attackers are also leveraging the capabilities of AI.<\/p>\n\n\n\n Meanwhile, the market is becoming much less transparent. Many providers advertise \u201cautomated pentests\u201d but without reliable comparisons of results or quality. Each provider develops its own benchmark and then, unsurprisingly, dominates it. Unfortunately, objective measurability and transparency regarding pentest quality still do not really exist.<\/p>\n\n\n\n My evaluation: pentests will not be replaced, but they will become more efficient and more effective through the use of AI. And they have to, because demand is continuously increasing: more IT assets, stronger interconnectivity, growing regulatory requirements \u2013 all while budgets remain limited. Efficiency is therefore not a nice-to-have; it\u2019s an absolute necessity.<\/p>\n\n\n\n The discussion addresses a development we have been observing for quite some time: there are more and more vulnerabilities. AI-based approaches such as Mythos are amplifying this trend. At the same time, we are seeing that the time time-to-exploit is decreasing rapidly. What used to be measured in days is now often only a matter of hours. This creates a major challenge for companies, because they can barely keep up with patching their systems.<\/p>\n\n\n\n From our perspective, however, many of the recommendations outlined in the paper<\/a> are not new. At their core, they reflect familiar best practices: asset inventory, secure software development, threat modeling<\/a>, as well as proper patch and vulnerability management. To address the growing number of vulnerabilities, it is becoming increasingly important to assess and prioritize risks clearly. The challenge lies less in the \u201cwhat\u201d than in the \u201chow.\u201d Especially in complex organizations with many systems and dependencies, consistent implementation in day-to-day operations is demanding. But with an increasing number of findings, these processes are coming under additional pressure.<\/p>\n\n\n\n The specific implementation of these processes depends heavily on the organization in question. The key priority right now, however, is to implement the fundamentals consistently and as quickly as possible, and adapt them to your own IT landscape. We will pick up on exactly what those fundamentals are in a follow-up interview with one of my colleagues very soon.<\/p>\n\n\n\n The paper also recommends using AI to identify vulnerabilities. I would recommend that as well - with the caveat that purely automated testing is not yet sufficient to replace \u201ctraditional\u201d methods such as threat modeling, pentesting, and red teaming.<\/p>\n\n\n\n We are not the only ones who are integrating AI into their processes and tools. For many companies, AI is increasingly becoming an integral part of their applications. As a result, the focus shifts towards the security of the AI integration itself, as it opens up entirely new attack vectors - such as those described in the OWASP Top 10 for LLM Applications<\/a>.<\/p>\n\n\n\n We provide our customers with very concrete support in this area. Our colleagues at the usd Security Consulting work intensively on AI governance and the processes required for the secure integration and operation of AI<\/a> in companies. At usd HeroLab, we have a dedicated team for targeted technical analyses of AI- and LLM-based systems<\/a>. For many customers, we begin well before pentests - with trainings and threat modeling workshops to build a shared understanding of risks, attack vectors, and protective measures.<\/p>\n\n\n\n We have high standards for the quality of our services. And we must, because we carry a great deal of responsibility. Our customers trust us to assess the security of their systems and applications reliably and robustly. For us, it is essential that results are traceable, reproducible, and auditable. This applies to all our customers, but even more so in regulated environments. To put it very clearly: this level of robustness in security assessments cannot currently be achieved through automation alone.<\/p>\n\n\n\n We are convinced that AI will also become increasingly indispensable in pentesting in order to identify vulnerabilities efficiently and systematically. However, a reliable security assessment can only be achieved through context, methodology, and experience. Pentests are therefore far more than just the search for vulnerabilities. Tasks such as scoping, defining realistic attack scenarios, selecting appropriate testing methods, and providing assessment and consultation before and after the test are crucial and continue to grow in importance. These steps require communication with our clients and work best in direct exchange.<\/p>\n\n\n\n To sum it up: we rely on targeted integration of AI into our pentesting methodology and toolchain, combining automation with manual testing. But with our analysts in the driver\u2019s seat at all times.<\/p>\n\n\n\n We continuously evaluate new models and tools - both commercial solutions and open-source approaches. What always matters to us is real-world applicability in pentests. In practice, the results differ significantly from the providers\u2019 benchmarks.<\/p>\n\n\n\n Our goal is to consistently integrate suitable capabilities into our toolchain and methodology. In doing so, we benefit both from advances in foundation models and from our many years of experience and our extensive toolchain. Right now, the focus is on integration, not replacement. I want to emphasize that.<\/p>\n\n\n\n At the same time, we set clear boundaries: client data must remain in Europe and meet our contractual and regulatory requirements - for example with regard to data protection and assurances that data will not be used for AI training. This sometimes slows down the introduction of new models, but we are willing to accept that.<\/p>\n\n\n\n Our ambition remains unchanged: we want to understand technologies early and use them in meaningful ways to better protect our customers. Effective security does not ultimately stem from a single tool, but from a well-functioning interplay of processes, methods, and people - sensibly supported by AI.<\/p>\n\n\n\n![\"\"](\"https:\/\/www.usd.de\/wp-content\/uploads\/Matthias-Goehring_rund-1.png\")
<\/figure>\n<\/div>\n<\/div>\n\n\n\nMatthias, How Is AI Changing the Requirements for Technical Security Analyses?<\/h2>\n\n\n\n
On the Topic of Automated Pentests. A Provocative Question: Will They Eventually Replace Traditional Pentest Providers?<\/h2>\n\n\n\n
In the Context of \u201cMythos,\u201d There Has Been a Lot of Discussion Among CISOs About a So-Called \u201cPost-Mythos\u201d Scenario, Meaning Sharply Rising Numbers of Vulnerabilities. How Do You Assess This, and What Does It Mean for Existing Vulnerability Management Processes?<\/h2>\n\n\n\n
You Said AI Itself Is Increasingly Becoming an Object of Assessment. What Additional Checks Do Companies Need to Perform Now, and How Does This Change Security Assessments?<\/h2>\n\n\n\n
If AI-Supported Tools Take over More Tasks, How Do You Maintain the Quality of Security Assessments - Especially with Regard to Audits, Regulatory Requirements, and Compliance?<\/h2>\n\n\n\n
What Does That Mean Specifically for Your Work at usd Herolab?<\/h2>\n\n\n\n