
The Future of Penetration Testers in the Face of AI: An Interview with Paul Petefish
The podcast The Secure Disclosure welcomes Paul Petefish, co-founder and president of Evolve Security, a company specializing in penetration testing (pentesting) and cybersecurity training. Paul recounts his 20-year journey in the field, including his time at Solutionary (acquired by NTT in 2013) and the founding of Evolve Security in 2016, which centers on a 20-week bootcamp for training professionals.

The discussion focuses on the future of penetration testers in the face of AI. Paul believes humans will remain essential to oversee the tools, especially in production environments, where the risk of "hallucinations" or unpredictable behavior from AI agents persists. AI excels at level 1 tasks (reconnaissance, discovery) but struggles with logic vulnerabilities and privilege escalation.

Attacks targeting AI systems themselves, such as prompt injection, are evolving: a recent example allowed remote code execution via Gemini integrated into the CI/CD pipelines of Google and other Fortune 500 companies. AI models also hallucinate non-existent packages (up to 50% of the time in some scenarios), a consequence of incorrect relationships in their vector bases. Paul recommends testing these tools in a sandbox, without connecting them to real accounts, because of the risk that the underlying systems place blind trust in them.