
2026 Report on the State of AI Agents in Penetration Testing: The Future of AI-Driven Proactive Security

Information Technology 2026-05-13 Synack & Omdia 惊雷

Insights from 200 security leaders on the future of AI-driven offensive security

AI is rewriting the rules of offensive security.

As AI-enabled adversaries become more prevalent, security teams are adopting their own AI agents to stay ahead. This change marks the beginning of a long-term shift from human-led penetration testing toward a hybrid approach incorporating agentic AI.

The long-term shift has begun.

Still a mission-critical priority for 95% of organizations, pentesting now includes agentic AI as a means to test more assets, more effectively. Here’s what early adopters are telling us about it.

As enterprises face a rapidly expanding attack surface that strains traditional methodologies, agentic AI is emerging as the scalable, continuous solution. But the overall vision of agentic AI in pentesting is still unfolding.

This survey of 200 security leaders outlines initial best practices for agentic AI in pentesting

The dawn of the early adopter

87% of organizations have moved beyond the evaluation phase

Currently, 87% of organizations have moved beyond the evaluation phase and are either actively planning a pilot, currently testing, or have already integrated agentic AI into their pentesting programs. These early adopters are the vanguard of a movement toward agent-led security operations.

A willingness to go all-in

95% of organizations anticipate that agentic AI will replace their traditional pentesting services

The industry’s expectations for this technology are profound—95% of surveyed organizations anticipate that agentic AI will displace traditional pentesting services, though the degree varies: 49% expect complete or significant displacement. Moreover, one in four organizations expect to conduct pentesting exclusively through agentic AI within the next three years—a projected increase of 67% from current adoption levels. Advanced users are particularly bullish. Organizations already utilizing agentic AI are 1.4X more likely to believe these systems will completely replace traditional services compared to those in the pilot phase.

Trust is a primary catalyst

87% of organizations trust agentic AI to test their enterprise environments

This rapid adoption is underpinned by an extraordinary level of confidence in the technology’s efficacy. In fact, 87% of organizations surveyed report a high or complete level of trust in agentic AI to effectively test their enterprise environments. Notably, organizations that have fully deployed these systems are 2.2X more likely to express complete trust compared to those still in the pilot phase.

Humans + AI is the gold standard

64% of organizations identify agent-led, human oversight as their preferred operational model

Keeping humans in the loop allows organizations to implement the scalability of machines with the safety net of human expertise. In fact, 64% of organizations identify agent-led, human oversight as their preferred operational model.

The Pentesting Paradox: A top priority that’s under-executed

When it comes to pentesting, a scalability wall exists: While 95% of organizations rank pentesting as a top or high priority, on average, they are pentesting only 32% of their attack surface. This leaves a coverage gap where 68% of the environment is untested, creating blind spots that adversaries are increasingly adept at exploiting. For roughly one-third of organizations, the situation is even more critical, with 20% or less of their infrastructure receiving regular assessment.

Security leaders cite several friction points that prevent manual testing from scaling

Limited Scale
Manual testing that relies heavily on human talent can be difficult to scale, making it challenging to keep pace with rapid application development cycles and dynamic cloud-native environments.

Ineffective Triage and Communication
Over half (55%) of organizations report that traditional testing struggles to effectively communicate findings to key stakeholders.

High Costs
Because high-quality manual testing services are resource-intensive, they can be expensive and are often relegated to periodic snapshots.

Lack of Accurate Risk Identification
Organizations are grappling with internal inefficiencies where security personnel may not take action due to a lack of context.

Agentic AI for pentesting has concrete advantages

With agentic AI for pentesting, security teams are able to test a wider attack surface and close the coverage gap. In fact, 45% of organizations that are already using agentic AI for pentesting are making it their No. 1 priority. Fueling this transition is the demand for improved security as well as operational efficiencies.

What is the primary driver for agentic AI adopt