Page 138 - Cyber Defense eMagazine September 2025

Development of Test cases

•  Pen testers develop test cases based on the testing target; these are mostly developed by referring to various international standards such as the Penetration Testing Execution Standard (PTES), the Open Web Application Security Project (OWASP), the Open Source Security Testing Methodology Manual (OSSTMM), etc.
•  This can be a cumbersome effort, as multiple sources need to be referred to and test cases need to be created from them.
•  AI can be used here to develop the preliminary test cases by referring to the most critical/accepted industry frameworks (more than 2 or 3, which may be humanly difficult).
•  These test cases can then be finalized for each target by a human, applying contextual application knowledge (business knowledge, architecture, criticality, etc.).



            During Testing:

            Information gathering phase/reconnaissance

•  Before an actual pen test is conducted, different types of open-source and proprietary tools are used to automatically detect and identify vulnerabilities on the target, but the generated reports contain a lot of data and noise.
•  Tools which have AI integrated in them may provide a more refined and intelligent report which the tester can start using immediately, thereby reducing time and effort.
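The noise problem described above is concrete even before any AI is involved: two scanners reporting the same issue under different identifiers and severity spellings, plus informational banner checks, inflate a report several times over. The script below is an added example, not code from the article or from any scanner it mentions; it normalises two constructed sample reports from hypothetical tools ("scanner_a" and "scanner_b", with invented check ids and an invented alias table), drops findings below a severity threshold, merges duplicates across tools, and ranks what is left so the tester starts from a short, corroborated list.

```python
"""
Added example (not from the article): normalise findings from two constructed
scanner reports, collapse duplicates, drop informational noise and rank the rest.
Tool names, check ids, hosts and the alias table are all constructed sample data.
"""
import json

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample output from two hypothetical scanners.
SAMPLE_REPORTS = [
    {"tool": "scanner_a", "findings": [
        {"host": "10.0.0.5", "port": 443, "id": "TLS-WEAK-CIPHER", "severity": "Medium",
         "title": "Weak TLS cipher suites offered"},
        {"host": "10.0.0.5", "port": 443, "id": "TLS-WEAK-CIPHER", "severity": "Medium",
         "title": "Weak TLS cipher suites offered"},          # exact duplicate within one tool
        {"host": "10.0.0.5", "port": 80, "id": "HTTP-BANNER", "severity": "Info",
         "title": "Server banner disclosed"},
    ]},
    {"tool": "scanner_b", "findings": [
        {"host": "10.0.0.5", "port": 443, "id": "ssl-weak-ciphers", "severity": "medium",
         "title": "Weak SSL/TLS ciphers"},                   # same issue, different id
        {"host": "10.0.0.7", "port": 22, "id": "ssh-outdated", "severity": "HIGH",
         "title": "Outdated SSH version"},
        {"host": "10.0.0.7", "port": 22, "id": "ssh-banner", "severity": "info",
         "title": "SSH banner"},
    ]},
]

# Hypothetical cross-tool alias table: maps each scanner's own check id to one
# common category so the same issue reported by two tools is counted once.
ALIASES = {
    "TLS-WEAK-CIPHER": "weak-tls-ciphers",
    "ssl-weak-ciphers": "weak-tls-ciphers",
    "ssh-outdated": "outdated-ssh",
}


def normalise(finding, tool):
    """Bring one raw finding into a common shape: lower-case severity, aliased category."""
    sev = finding["severity"].strip().lower()
    if sev not in SEVERITY_RANK:          # unknown severity label: treat as informational
        sev = "info"
    category = ALIASES.get(finding["id"], finding["id"].lower())
    return {"host": finding["host"], "port": int(finding["port"]), "category": category,
            "severity": sev, "tool": tool, "title": finding["title"]}


def triage(reports, min_severity="low"):
    """Filter, merge and rank findings from several reports.

    Findings below min_severity are dropped; the rest are keyed on
    (host, port, category) so duplicates collapse into one entry that records
    every tool which reported it and the highest severity any tool assigned.
    """
    threshold = SEVERITY_RANK[min_severity]
    merged = {}
    for report in reports:
        for raw in report["findings"]:
            f = normalise(raw, report["tool"])
            if SEVERITY_RANK[f["severity"]] < threshold:
                continue
            key = (f["host"], f["port"], f["category"])
            entry = merged.setdefault(key, {**f, "sources": set()})
            entry["sources"].add(f["tool"])
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = f["severity"]
    results = []
    for e in merged.values():
        e["sources"] = sorted(e["sources"])
        e["corroborated"] = len(e["sources"]) > 1   # seen by more than one tool
        results.append(e)
    # Highest severity first, then most corroborated, then a stable host/port order.
    results.sort(key=lambda e: (-SEVERITY_RANK[e["severity"]], -len(e["sources"]),
                                e["host"], e["port"]))
    return results


if __name__ == "__main__":
    for entry in triage(SAMPLE_REPORTS):
        print(json.dumps(entry))
```

On the sample data six raw findings reduce to two actionable entries, with the weak-cipher finding marked as corroborated by both tools; raising or lowering `min_severity` controls how much informational output survives, which is the knob a tester would tune per engagement.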



            Exploitation Phase

This is the most important and complex phase of the pen testing activity. It may require a lot of maturity in the processes and skills within the function, and in the pen testers themselves, before AI can be leveraged in this phase. Leveraging AI here requires a functional understanding of LLMs or reinforcement-learning-based models (the most popular model types on which AI pen test tools are built), along with hands-on experience with the tool itself. So how do we achieve this?

•  Develop a training plan which includes development of functional knowledge of LLMs and reinforcement-learning-based models.
•  Develop practical use cases and hands-on experience in working with AI-enabled pen testing tools such as PentestGPT, DeepExploit, etc.
•  Based on the experience gathered, develop standard operating processes on how human pen testers can leverage AI in the exploitation phase.
•  Start with a simple use case first.

The benefits of AI-enabled pen tests versus traditional manual pen tests were demonstrated in research published in the "International Journal of Scientific Research in Computer Science, Engineering and Information Technology" on 12th Dec 2024.





            Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.