The short answer is: not yet.
We are making real progress in AI-assisted offensive security, but most of that progress is uneven across the pentest workflow. Teams often talk about "autonomous pentesting" as one capability when it is really three different capability classes:
- scanning
- exploitation
- reasoning
Treating these as one thing leads to inflated expectations and weak risk decisions.
Why this is trending now
Two forces are converging.
First, AI-cybersecurity work is accelerating fast in both industry and research. OWASP published the first version of its AI Testing Guide in November 2025 and explicitly frames AI testing as a trustworthiness and safety problem, not only a vulnerability checklist (OWASP AI Testing Guide).
Second, autonomous and semi-autonomous pentest frameworks are multiplying, and benchmark papers are becoming much more explicit about where they fail. That gives us better signal than hype.
Scanning is the most automatable layer
Scanning has always been the most tool-friendly phase.
NIST SP 800-115 describes vulnerability scanning as a way to identify hosts, software versions, missing patches, and misconfigurations, and to generate targets for deeper testing (NIST SP 800-115).
That same guidance also points out the limit: scanners struggle with aggregate risk from vulnerability combinations. In practice, this is where pure scanning workflows produce false confidence.
OWASP makes a similar point from the web app side: automated tools are useful, but on their own their effectiveness is poor for bespoke applications, so they should not be treated as a complete test strategy (OWASP WSTG v4.1).
So yes, scanning is close to autonomous in many environments. But scanning is not equivalent to penetration testing.
Exploitation is where constraints become real
Exploitation is not just "run the next command."
It depends on assumptions that frequently break in real engagements:
- target-specific context and custom business logic
- authorization scope and rules of engagement
- safe handling of production impact and rollback paths
NIST is direct that intrusive testing requires clear authorization boundaries and explicit rules for what is allowed and prohibited during assessments (NIST SP 800-115 PDF).
That governance burden does not disappear because an agent can execute tooling. If anything, it increases.
Reasoning is the current bottleneck
Reasoning is where most "autonomous pentest" claims still collapse.
Recent benchmark work is useful here:
- The USENIX Security 2024 PentestGPT paper reports LLMs can perform specific sub-tasks, but struggle to maintain full scenario context through an entire engagement (USENIX PentestGPT).
- A 2024 follow-up benchmark paper found leading models still fall short on end-to-end pentesting, even with minimal human assistance, with recurring issues across enumeration, exploitation, and privilege escalation (arXiv 2410.17141).
- PentestEval (Dec 2025) decomposes six pentest stages and reports weak stage-level performance overall, with end-to-end pipelines around 31% success and autonomous agents failing almost entirely (arXiv 2512.14233).
That pattern is consistent: tool use is improving faster than long-horizon reasoning quality.
A practical model for 2026
The current reality is best described as supervised autonomy.
| Layer | Current AI maturity | Human role |
|---|---|---|
| Scanning and enumeration | High in structured environments | Define scope, tune coverage, validate noise |
| Exploit path execution | Medium in constrained labs and CTF-like targets | Gate actions, validate safety, enforce ROE |
| Multi-step reasoning across full engagement | Low to medium | Maintain strategy, verify assumptions, resolve ambiguity |
That means AI can already remove a lot of repetitive effort. It cannot yet replace expert judgment across the full workflow.
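The "gate actions, enforce ROE" role from the table above, sketched as an added example; it is not code from any framework or paper cited here. The scope range, excluded host, test window, and layer names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed rules of engagement; every value is a sample, not a real engagement.
ROE = {
    "in_scope": [ip_network("10.20.0.0/24")],
    "excluded": [ip_address("10.20.0.10")],  # e.g. a fragile production host
    "window": (datetime(2026, 3, 2, 22, 0, tzinfo=timezone.utc),
               datetime(2026, 3, 3, 4, 0, tzinfo=timezone.utc)),
    # Layer -> whether a human must approve each action (mirrors the table).
    "needs_approval": {"scan": False, "exploit": True},
}

@dataclass(frozen=True)
class ProposedAction:
    layer: str    # "scan" or "exploit" (hypothetical layer names)
    target: str   # IP address the agent wants to touch
    summary: str  # the agent's own description, kept for the audit trail

def gate(action, now, approved_by=None, roe=ROE):
    """Return (decision, reason); decision is 'allow', 'hold' or 'deny'."""
    try:
        addr = ip_address(action.target)
    except ValueError:
        # Hostnames are refused: resolution could move the target out of scope.
        return "deny", "target is not a literal IP address"
    if addr in roe["excluded"]:
        return "deny", "target is explicitly excluded"
    if not any(addr in net for net in roe["in_scope"]):
        return "deny", "target is outside authorized scope"
    start, end = roe["window"]
    if not (start <= now < end):
        return "deny", "outside the agreed test window"
    if action.layer not in roe["needs_approval"]:
        return "deny", "unknown action layer"  # fail closed
    if roe["needs_approval"][action.layer] and not approved_by:
        return "hold", "waiting for human approval"
    return "allow", "within ROE"
```

Scope, exclusion, and window checks run before the approval check, so a human sign-off cannot override the authorization boundary.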
So, are we close?
Close to autonomous scanning and semi-autonomous pentest orchestration? Yes.
Close to reliable, minimally supervised, end-to-end autonomous pentesting in real production environments? No.
The gap is not only model capability. It is the combination of reasoning reliability, context continuity, and operational safety constraints.
Final note
The strongest teams are not waiting for full autonomy. They are redesigning pentest operations around human-led reasoning with AI-accelerated execution. That is where the practical value is today, and where the risk is most manageable.