Companies are still experimenting with automated AI systems to find security weaknesses, but fewer are relying on the technology.
June 26, 2026
In 2025, nearly 3 in 10 security professionals thought that fully autonomous AI systems could satisfy their companies' security-testing needs. But after a year of testing and experimentation, that optimism has largely gone away.
Instead, chief information security officers (CISOs) and other security practitioners have more realistic expectations of the AI-based systems, which often have significant blind spots, are prone to false positives, and can blow through AI budgets, according to a June 25 report released by Cobalt, a penetration-testing-as-a-service firm. The number of organizations willing to rely on AI-powered penetration testing for their security needs fell to 9% in 2026, down from 29% a year earlier. The vast majority of companies preferred a hybrid, human-in-the-loop approach or relegating only non-critical tasks to automation.
Security practitioners are experimenting to find the sweet spot of what can be automated reliably and responsibly, says Gunter Ollmann, chief technology officer for Cobalt.