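Article

AI penetration testing has achieved end-to-end automated vulnerability discovery, lowering cost and surpassing humans: a shift from tool licensing to continuous AI security subscriptions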

In early 2025 an anonymous document branded "Unpatched AI" published more than 100 previously unknown Microsoft Access and Office 365 vulnerabilities with full technical proofs, stack traces and exploit chains, indicating an autonomous LLM‑steered vulnerability‑research pipeline that combines fuzzing, symbolic execution and generative narration. The security community recognized the findings as genuine and highly automated, prompting the realization that autonomous systems are beginning to compete with, and in some cases outperform, human researchers in offensive security tasks, moving up public bug‑bounty leaderboards and scaling attack‑surface coverage without human guidance.

Traditional penetration testing relies on periodic, human‑driven engagements that cannot keep pace with rapid software change; the 2025 Verizon DBIR notes that more than 67% of breaches involve unpatched flaws more than 90 days old despite recent assessments. A new class of AI‑native pentesting platforms unbundles expert‑labor constraints by coupling LLMs with exploit tooling, real‑time telemetry and proprietary data, offering fully autonomous agents or copilot‑style assistance that execute exploits in safe sandboxes, verify findings, and generate actionable reports.

Early platforms promised automation but suffered from shallow coverage, static detection logic, poor cloud‑native support and alert fatigue ("50 000 criticals, zero real"). Current systems excel at low‑hanging issues (XSS, SSRF, misconfigs) and business‑logic flaws that can be inferred from intent, but still lag in complex chained authorizations, race conditions and environment‑specific contexts requiring deep contextual reasoning. Regulatory frameworks (SOC 2, PCI, ISO 27001) require human‑led assessments, creating auditability and liability gaps for fully autonomous tools. The emerging shift is toward continuous, AI‑augmented testing integrated into CI/CD pipelines, blurring the line between testing, pentesting and red‑teaming.

Source Information

Published: June 13, 2025

Original English title: Next-Gen Pentesting: AI Empowers the Good Guys

Source: View the original a16z article

Key Points
  • A pseudonymously released document in early 2025 (Unpatched AI) disclosed >100 previously unknown Microsoft Access and Office 365 vulnerabilities with complete technical proofs and exploit chains.
  • Analysis of the document indicates an autonomous pipeline that blends modern fuzzing, symbolic execution and generative AI narration, suggesting LLM‑driven vulnerability discovery.
  • Autonomous security systems are already outperforming human researchers on public bug‑bounty leaderboards and scaling attack‑surface coverage without human direction.
  • Traditional penetration testing is constrained by periodic, human‑driven engagements that lag behind rapid software delivery; the 2025 Verizon DBIR reports >67 % of breaches involve unpatched flaws >90 days old.
  • Next‑gen pentesting platforms combine LLMs with exploit tooling, real‑time telemetry and proprietary datasets, offering fully autonomous agents or copilot‑style assistance.
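Key Judgments
  • In early 2025, the anonymous document "Unpatched AI" publicly disclosed more than 100 previously unknown Microsoft Access and Office 365 vulnerabilities, with complete technical proofs, stack traces and exploit chains, indicating the existence of an autonomous, LLM-driven vulnerability-research pipeline.
  • The pipeline blends modern fuzzing, symbolic execution and generative AI narration, showing that AI can now automatically discover and document vulnerabilities and produce vulnerability research at scale.
  • Autonomous security systems have already surpassed human researchers on public bug-bounty leaderboards, achieving large-scale attack-surface coverage without human guidance.
  • Traditional penetration testing relies on periodic, human-driven assessments and struggles to keep pace with rapidly iterating software delivery; the 2025 Verizon DBIR shows that more than 67% of breaches involve vulnerabilities left unpatched for more than 90 days, despite recent security assessments.
  • A new generation of AI-native penetration-testing platforms combines LLMs with exploit tooling, real-time telemetry and proprietary data, offering fully autonomous agents or copilot-style assistance that can execute exploits in safe sandboxes, verify findings and generate actionable reports.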
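Outlook

Judgment: Over the next 3-9 months, agent products will move more quickly from capability demonstrations to execution workflows with explicit approvals, rollback and observability.

Time horizon: the next 3-9 months

Why now: The article's assessment of value no longer rests on the conversational experience; it centers on workflow integration, closed-loop execution and control capabilities.

Key signals: whether products add approval checkpoints, whether case studies shift from demos to production workflows, and whether users place more weight on observability

Confidence: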