LLMs That Actually Pen Test: What Post-Training for Security Means for Your AI Stack

LLMs That Actually Pen Test: What Post-Training for Security Means for Your AI Stack

Security researchers have spent years arguing that LLMs should be more helpful with offensive security tasks. The models kept refusing. Now someone just shipped a post-trained model that does the work instead of lecturing you about responsible disclosure, and it reportedly found thousands of real zero-days. That is not a headline you can ignore if you are building any kind of AI system that touches code, infrastructure, or automated pipelines.

What Actually Happened

Two things landed close together that, read side by side, tell a clear story about where AI security tooling is going.

First, the Argus Red team shipped a CLI-accessible model that they post-trained specifically for penetration testing. The pitch is simple: instead of a general-purpose model that refuses to explain how buffer overflows work, you get one that treats offensive security as the actual task. No jailbreaks, no prompt engineering gymnastics. The model was trained to do the job.