Bitdefender Recognized in the 2026 Gartner® Europe Context: Magic Quadrant™ for Endpoint Protection
What we built, Fusion AI, runs at about a third the cost of a traditional external pentest, a human tester still signs off on every finding, and it is not here to replace anybody.
We have been hearing that one a lot. So when Melisa from our Business Capture team sat down with Brian Fehrman and me for this episode of AI Security Ops, she started with, “What is this thing you built, and is it the same hype everyone else is selling?”
The post Everyone’s Selling AI That Kills Pentesting. We Built One That Doesn’t. appeared first on Black Hills Information Security, Inc.
Troy West was in Warsaw when his dinner was interrupted by his phone. But he was happy about it.
West, associate director of cybersecurity for autonomous offensive security company XBOW, had just learned that a trial version of the company’s platform had found a vulnerability that led to a full takedown of a development environment used by Moderna, the pharmaceutical company primarily known for its work related to mRNA vaccines.
It was, by most measures, exactly the kind of outcome a security team dreads. But for West and Farzan Karimi, Moderna’s deputy CISO, it was something closer to a proof of concept. XBOW’s product had done in hours what a human penetration tester could not — and it had done so with a level of persistence and creativity that neither of them had fully anticipated.
The episode is one data point in a much larger shift now rippling through the cybersecurity industry: The artificial intelligence models discovering vulnerabilities are moving faster than the teams that have to patch them.
Across recent conversations and presentations, industry experts said the tools are getting sharper, the attack surface is getting larger, and the gap between finding a problem and fixing it is not closing fast enough. For now, most organizations are caught between the speed of discovery and the slowness of remediation, with vendors across the industry rushing to position their products as the way through.
The inflection point came with Claude Mythos. When Anthropic announced the highly guarded model, security executives at major enterprise technology companies took notice in a way they had not with prior frontier releases.
Zscaler was among the early organizations given access to the model, and CEO Jay Chaudhry told CyberScoop that he directed his team to use it to probe the company’s own applications.
“Are we finding some serious stuff? Yes, indeed,” Chaudhry told CyberScoop at Gartner’s Security & Risk Management Summit. He was careful to note that the findings were not necessarily more severe than those produced by other models. The issue, he said, was volume.
“There aren’t enough resources and cycles to fix all those,” he said.
The reason Mythos changed the calculus, according to Tom Gillis, general manager for infrastructure and security products at Cisco, comes down to code complexity. Legacy network infrastructure was built on tens of millions of lines of code developed over decades, and earlier AI models lacked the context window and reasoning capacity to comprehend it in full.
“The models couldn’t understand the entirety of it before,” he told CyberScoop. “Now they can. That’s why they’re finding all these vulnerabilities.”
The problem runs deeper than application code. Firewalls and network switches often run for decades without updates or reboots, and many have never been patched in any meaningful way. The combination of aging infrastructure and newly capable AI models has created what Gillis described as a meaningful and accelerating shift in attacker capability that the industry’s existing operational rhythms were not built to absorb.
Cisco’s answer to the oncoming vulnerability deluge is a technology it calls Live Protect, a compensated control built on eBPF, a Linux feature that lets security software operate at the kernel level to block threats without rewriting system code.
“It’s a pinpoint, laser-fine control that can shield a vulnerability on a production system,” Gillis said. “We’re not touching or modifying the binaries of that production system.”
The intent is to shrink the window between discovering a vulnerability and the next scheduled patch, allowing IT teams to fix issues without taking systems offline.
“This is a finger in the dike that plugs a hole until you get to new change control windows,” he said, acknowledging that some customers may be tempted to treat the shields as a permanent solution.
The product has been shipping since October, but customer urgency shifted noticeably after Mythos. “Customers are like, ‘Oh, good story, Tom. I’ll think about it.’ Now it’s like, ‘Oh my God, turn this thing on right now.’”
He also noted that eBPF is open source, and said he expects the broader industry to follow.
“While I’m very proud of Cisco leading the market with these compensated controls, I know my competitors have to do this.”
But shielding vulnerabilities only works if you know they exist. Karimi, the Moderna deputy CISO, faced a different problem: His vulnerability management system was surfacing hundreds of high-severity findings with no reliable way to know which ones an attacker could actually exploit. His team had skilled red-teamers, but they were finite resources. What he needed was something that could test continuously, everywhere.
“We have some very senior red-teamers and pen-testers in our organization that are pointed in a specific direction,” Karimi said during a presentation at the Gartner summit. “XBOW is covering different attack stories for us.”
West, who leads offensive security for XBOW, describes the platform as a response to a structural problem in how offensive security has traditionally worked. Human testers scope an engagement, run it, write a report, and move on. The window between tests is where risk accumulates.
“Historically you have exploit developers spending time finding the right vulnerabilities, writing the exploits, finding if those exploits are reachable, and then finding a way to chain them all together,” West said. “That takes a long time.”
Given the realities, Karimi decided to put XBOW through a trial, which produced two notable findings.
In the first, XBOW identified a web application firewall bypass on a company application built on the Spring Boot framework. The bypass involved encoding a single character (a capital “A”) as its percent-encoded URL equivalent (%41), which the WAF interpreted as a legitimate request, allowing the bot unfettered access.
The second finding, which was the cause for West’s dinner interruption, was more consequential. West had provided XBOW with access to the source code of an internal application called Orders, used by Moderna’s research partners to procure drug substances, but no login credentials. The platform identified a valid API key embedded in the source code, used it to authenticate, and then began probing the application’s APIs for SQL injection vulnerabilities.
What happened next was not entirely planned. One of those APIs handled a malformed SQL injection attempt in an unexpected way, dumping garbage data into a shared routing application that other services depended on.
“Not only was it able to kick that Orders app I showed you, but it somehow kicked over the entire ecosystem of apps,” West said.
Human pen-testers who reviewed the findings afterward confirmed they were valid, and said they would not have found them on their own. Karimi said despite the outage, his team recognized the value immediately.
“If we’re able to demonstrate where you could have an outage in a safe testing environment, that’s a great signal,” he said.
The broader value, Karimi argued, is in forcing prioritization when bugs are discovered. “If you have exploit proofs, you can provide that plus-one modifier and really point your developers to remediate the top tier of real risk that’s been validated.”
But he does worry about the volume of bugs that will be surfaced by these tools.
“How do we now handle the volume of bugs that have gone up due to AI-driven scale?” he said. “That’s a whole other problem space.”
Across these conversations, a consistent theme was that even as defenders are trying to get their arms around the forthcoming wave of bugs, it’s going to be a tremendously uphill battle. That mirrors what some of the industry’s top leaders have been saying for months.
It also mirrors what the model developers themselves have consistently been warning about. In its announcement about expanding access to Mythos, Anthropic admitted the timeline for a publicly available tool similar to its cybersecurity-focused model is shortening, and there are no guarantees it will be released with safeguards.
“In that world, cyberattacks could occur much more often, and in much more unpredictable forms,” the blog post reads.
Gillis was blunter about what happens to organizations that don’t move.
“Some people will be slow to change,” he said. “But the consequence of not making that change is gonna be front-page news. It’s a massive, massive compromise. You know, like, ‘you gave up every credit card number.’ Bummer.”
The post Inside the race to adapt to an AI-powered security world appeared first on CyberScoop.
ANTISOC uses a mix of techniques from traditional penetration tests like red teams, cloud, web applications, externals, internals, and, of course, social engineering. We combine this mix of techniques with a wide-open scope, with the goal of going beyond what a typical pentest can discover.
The post Bad Habits: An ANTISOC Operation appeared first on Black Hills Information Security, Inc.
To get a valid session token to use with Burp Suite tools, I ended up writing a small Python extension (110 lines of code, but who’s counting?) that obtained a new session token for each request, allowing items like Intruder to work as intended. Cool, I was able to use it during the test, but I would like this to be repeatable. So, this blog is releasing Swapper, a regex pattern-based match/replace Burp Suite extension.
The post Swapper – A Pure Regex Match/Replace Burp Extension appeared first on Black Hills Information Security, Inc.
Advice about getting started in pentesting from the BHIS pentest lead, including a learning path and why you should go all in on offensive security skills.
The post Getting Started In Pentesting – Advice From The BHIS Pentest Lead appeared first on Black Hills Information Security, Inc.
The role and demand for red-teaming capabilities are growing, as more exploitable CVEs make their way into criminal hands. Being proactive can no longer be reserved for annual tests; it has to be a continuous assessment of exposure and a continuous validation of an organization's security posture. With this in mind, we are delighted to announce the long-awaited availability of Metasploit Pro 5.0.0 – which is not just an update, but a fundamentally new approach to red-teaming, designed with the sole intention of staying ahead of ever more capable threat actors.
Amongst the multitude of changes, Metasploit 5.0.0 offers an intuitive testing workflow that removes the ever-evolving complexity of testing, as well as a suite of powerful new modules and critical enhancements. This is the version you can't afford to miss. For all the technical details, the granular release notes can be viewed here.
Say goodbye to complexity, as Metasploit Pro has completely overhauled the testing workflow. Updates are highlighted by an intuitive user interface, ensuring that your focus remains on high-value penetration testing and vulnerability validation, not fighting the interface. These changes are the foundation for the future, preserving the core functionality you rely on while enabling even more powerful features down the road.
Stop guessing and start seeing. The new implementation of Network Topology support provides instant, crystal-clear clarity on hosts that have been compromised, have associated cracked credentials, or captured data. For enterprise environments with vast, complex surfaces, we’ve invested in performance improvements, giving you the power to zoom and pan through hundreds of available hosts with zero lag. This is actionable visualization that transforms data into defense.
Get the necessary assurance before you click 'run.' Metasploit modules can now register crucial vulnerability detection details as part of running. This means that modules capable of running pre-check detection logic give you the full intelligence picture before you attempt exploitation. This new level of transparency and detail empowers you to make smarter, faster decisions, saving you precious time and minimizing the chance of failed module runs and adverse side effects.
Unleash your inner expert with unprecedented control and efficiency. Advanced users of Metasploit Pro will immediately benefit from multiple UX improvements to the single module run page. Tired of manually configuring options? Users now receive intelligent suggestions for applicable values, including network targets, Kerberos credential cache files, and more – streamlining ADCS workflows.
Furthermore, you now have the ability to manually choose and configure individual payloads, giving you the final word on how you exploit targets. Metasploit Pro will continue to default to the most common payload for each exploit.
Plus, new quality-of-life improvements for replaying module runs ensure that verifying remediation and re-exploiting targets is a seamless, one-click process. Gone are the days of reconfiguring an entire module run to change a single option. The old list view has also been updated to include the ability to view the module option details that a module was run with. These capabilities can additionally be leveraged by advanced users who are interacting with Metasploit Pro in a programmatic fashion or through the command line interface to see exactly how Metasploit Pro is running modules.
Finally, boost your team's collaboration with the new session tagging feature. Sessions can now be tagged to facilitate advanced and coordinated post-exploitation workflows. Team members can apply instant, custom tags to track status and flag arbitrary qualities, which significantly improves coordination and organization across multi-person engagements.
Tackle one of the most critical attack vectors in modern networks: Metasploit continues its relentless investment in modern exploitation techniques with the groundbreaking updates to the AD CS Workflows Metamodule. This powerful new feature is a significant advancement, providing security professionals with an automated, comprehensive approach to identifying and leveraging nine common AD CS vulnerabilities.
Now we’ve taken it even further, with new support for the latest and most dangerous ESC flaws: ESC9, ESC10, and ESC16. Take back control of your Active Directory environment and neutralize these threats with surgical precision. For detailed configuration instructions and comprehensive feature documentation, visit our AD CS Workflows MetaModule documentation.
In fast-moving operations, context can disappear quickly as new sessions come online and analysts shift between tasks. Session tagging brings clarity back to your workflow by letting you attach meaningful labels to every open session. Instead of relying on IPs or hostnames alone, you can tag sessions with identifiers that matter to your team - such as priority, environment, or role - making it easy to group related systems and instantly recognize high-value targets.
Metasploit Pro now incorporates SAML Single Sign-On (SSO) authentication, providing your team with a simple, unified login experience. By connecting to your centralized directory, users can access Metasploit Pro with the same credentials they use for all other major applications. Administrators can easily configure their identity provider (IDP) to enable a passwordless workflow and utilize existing Multi-Factor Authentication (MFA) services, making access quick, consistent, and part of your standard corporate flow.
These features are available in Metasploit Pro 5.0.0 onwards. We’re also proud to collaborate with our customers, who are often the source of inspiration for product evolution. Ideas for improvements or enhancements can be shared with our Support team, who will help you refine the idea and then submit it to our Product team on your behalf.
Rapid7 Labs launched a podcast today! Episode 1 of 'Hacktics & Telemetry' is now live on Rapid7's YouTube page. Alongside some expert commentary on emergent threats and an exciting guest spot, the final segment is all about Metasploit Pro 5.0.0. Dive into our official companion blog here, and find the full episode embedded below.
This blog is for anyone who is interested in finding a good penetration testing company.
The post Finding the Right Penetration Testing Company appeared first on Black Hills Information Security, Inc.
Many web application firewalls (WAFs) can be bypassed by simply sending large amounts of extra data in the request body along with your payload. Most WAFs will only process requests up to a certain size limit. How the WAF is configured to handle these large requests determines exploitability, but some common WAFs will allow it by default.
The post Bypassing WAFs Using Oversized Requests appeared first on Black Hills Information Security, Inc.
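Two WAF weaknesses appear on this page: matching signatures against raw, still-percent-encoded input (the Moderna finding above) and passing oversized request bodies through uninspected. The following is an added example, not code from any post or vendor here: a constructed toy inspector showing a fail-open configuration beside a hardened one that canonicalizes input and fails closed; the size limit and the SQL-injection signature are constructed sample values.

```python
"""Toy WAF request-body inspector: fail-open vs. hardened behaviour.

Constructed example. MAX_INSPECT_BYTES and RULES are made-up sample
values, not any real product's defaults.
"""
import re
from urllib.parse import unquote

# Assumed inspection limit: a naive WAF stops looking past this many bytes.
MAX_INSPECT_BYTES = 8192

# Constructed sample signature for a boolean tautology such as "' AND 1=1".
RULES = [re.compile(r"(?i)\bAND\b\s+\d+\s*=\s*\d+")]

# Bound on repeated decoding so double-encoded input is still normalised
# without turning canonicalisation into an unbounded loop.
MAX_DECODE_ROUNDS = 3


def naive_inspect(body: str) -> str:
    """Weak configuration: raw matching, and oversized bodies skip inspection."""
    if len(body) > MAX_INSPECT_BYTES:
        return "allow"  # fail-open: the body is never looked at
    return "block" if any(r.search(body) for r in RULES) else "allow"


def canonicalize(body: str) -> str:
    """Percent-decode repeatedly (bounded) so '%41ND' is seen as 'AND'."""
    current = body
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            break  # nothing left to decode
        current = decoded
    return current


def hardened_inspect(body: str) -> str:
    """Hardened configuration: canonicalize first, and refuse what cannot be inspected."""
    if len(body) > MAX_INSPECT_BYTES:
        return "block"  # fail-closed (or route to a stricter policy), never pass blind
    canonical = canonicalize(body)
    return "block" if any(r.search(canonical) for r in RULES) else "allow"


if __name__ == "__main__":
    encoded = "id=1' %41ND 1=1--"            # 'A' sent as %41, as in the finding above
    oversized = "x" * 9000 + "&id=1' AND 1=1--"
    for label, body in [("encoded", encoded), ("oversized", oversized)]:
        print(f"{label:9} naive={naive_inspect(body)} hardened={hardened_inspect(body)}")
```

The fail-open inspector allows both constructed requests; the hardened one blocks both, and still allows an ordinary body such as `name=alice`.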
One tool that I can't live without when performing a penetration test in an Active Directory environment is called NetExec. Being able to efficiently authenticate against multiple systems in the network is crucial, and NetExec is an incredibly powerful tool that helps automate a lot of this activity.
The post Getting Started with NetExec: Streamlining Network Discovery and Access appeared first on Black Hills Information Security, Inc.
In my journey to explore how I can use artificial intelligence to assist in penetration testing, I experimented with a security-focused chat bot created by Jason Haddix called Arcanum Cyber Security Bot (available on https://chatgpt.com/gpts). Jason engineered this bot to leverage up-to-date technical information related to application security and penetration testing.
The post Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 3: Arcanum Cyber Security Bot appeared first on Black Hills Information Security, Inc.
A common use case for LLMs is rapid software development. One of the first ways I used AI in my penetration testing methodology was for payload generation.
The post Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 2: Copilot appeared first on Black Hills Information Security, Inc.
Burpference is a Burp Suite plugin that takes requests and responses to and from in-scope web applications and sends them off to an LLM for inference. In the context of artificial intelligence, inference is taking a trained model, providing it with new information, and asking it to analyze this new information based on its training.
The post Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 1: Burpference appeared first on Black Hills Information Security, Inc.
This webcast originally aired on February 27, 2025. Join us for a very special free one-hour Black Hills Information Security webcast with Corey Ham & Kelli Tarala on why your […]
The post Why Your Org Needs a Penetration Test Program appeared first on Black Hills Information Security, Inc.