Cyber Security. 28.05.26

Why automated penetration testing falls short against AI-enabled attacks

Automated penetration testing can show what’s exposed, but not what an attacker could actually do with it. The Missing Link provides human-led penetration testing services for Australian organisations to validate real-world exploitability across identity, cloud, SaaS, and human processes 

If your security program relies heavily on automated penetration testing, you’re likely getting good visibility but incomplete assurance.

Why this gap matters in an AI-driven threat landscape

Global cybercrime is estimated to cost around $10.5 trillion annually, with the average cost of a data breach reaching $4.45 million. In this environment, identifying vulnerabilities is no longer enough. Organisations need to understand how those vulnerabilities could be exploited and what an attacker could achieve once inside their environment.

This gap is most relevant in identity, cloud, and SaaS environments where automated testing is already in place but does not reflect real-world risk.

AI has changed how attacks unfold. Attackers adapt their approach, combine weaknesses, and move across identity systems, cloud environments, SaaS platforms, and human processes. This reflects a change in how attacks are structured, where reconnaissance, exploitation, and lateral movement can be scaled across environments.

Deepfake voice attacks show how this plays out. AI-generated voice impersonation can be used to bypass MFA through helpdesk processes without triggering traditional controls. These scenarios show how technical weaknesses and process gaps combine to create access.

Many organisations only identify these gaps after an incident, rather than during testing.

What are the limitations of automated penetration testing? 

Automated penetration testing identifies known vulnerabilities but does not reflect how attackers behave or how those weaknesses are combined into real attack paths. 

Penetration testing is a controlled security assessment that simulates real-world attacks to identify and exploit vulnerabilities. Unlike automated vulnerability scanning, which identifies potential risks, penetration testing attempts to exploit those weaknesses to show how an attacker could gain access, move through systems, and impact the organisation.

Automated penetration testing

Where automated penetration testing falls short

Automated tools assess systems in isolation and lack the context to model attacker intent or prioritise attack paths across identity, cloud, and SaaS environments.

Modern attacks do not follow system boundaries. Attackers move between platforms, combine low-risk weaknesses, and adapt their approach based on opportunity. Automated testing does not capture this behaviour.

    • It identifies vulnerabilities, but doesn't validate exploitability

    • It scans systems but doesn't simulate attacker behaviour

    • It reports findings, but doesn't show how access could be achieved

In human-led penetration testing conducted by The Missing Link, identity or SaaS misconfigurations that appear low risk in isolation can become critical once combined into a broader attack path.

This is where organisations move from identifying vulnerabilities to understanding how they can be exploited.

How AI-enabled attackers exploit these gaps

AI changes both the speed and the structure of attacks. Attackers can analyse exposed assets, identity relationships, and permissions at scale. What appear as isolated signals become a structured view of the environment. 

Low-risk issues such as over-permissioned accounts, legacy access rules, or inconsistent SaaS controls can be combined into higher-impact attack paths. These paths are rarely identified by automated testing alone but are uncovered when testing reflects attacker behaviour.

These attacks often resemble legitimate activity. They use valid credentials, authorised tools, and expected workflows, which makes detection and validation more difficult.

Passing automated tests does not mean an attacker would fail. It means the attack path has not been tested.

Human led penetration testing v2-1

Why human-led penetration testing provides a more complete view of risk

Human-led, AI-supported penetration testing addresses the gap between exposure and exploitability by simulating how attacks develop across an environment.

Automated testing identifies exposure, while human-led penetration testing validates how that exposure could be exploited.

This approach focuses on how access is gained, how it expands, and where impact occurs. It connects weaknesses across identity, cloud, and SaaS systems and evaluates how those weaknesses align with business processes.

Rather than producing long lists of vulnerabilities, human-led penetration testing provides clear attack paths, defined impact, and prioritised remediation actions. This allows organisations to understand what is at risk and where to focus.

The Missing Link delivers human-led penetration testing services for Australian organisations that need to understand how attackers would gain access and what impact that access could have across complex environments.

With over 28 years of experience in cyber security, The Missing Link has helped organisations across Australia uncover vulnerabilities, validate real-world attack paths, and strengthen long-term resilience. As one of Australia’s CVE Numbering Authorities, The Missing Link contributes to the identification and disclosure of new vulnerabilities and insight into how emerging threats develop.

FAQs

What is an attack path?
An attack path is the sequence of steps an attacker could take to move from initial access to a meaningful outcome, such as accessing sensitive data or gaining control of systems. This often involves chaining together low-risk issues, misconfigurations, and process gaps across different parts of an environment.

 

When is automated penetration testing not enough?

Automated testing may be insufficient when environments:

  • Rely heavily on identity and access management
  • Span cloud, SaaS, and on-premise systems
  • Include complex user workflows or approval processes
  • Require validation of business impact, not just technical risk

In these cases, risk often depends on how multiple conditions combine, which automated tools are not designed to assess.

Can security gaps exist outside of technical systems?
Yes. Access processes such as helpdesk verification, approval workflows, and exception handling can introduce risk if they are not consistently enforced. These gaps are often not tested by automated tools but can be used to gain or expand access.
How should organisations prioritise remediation?
Remediation should be prioritised based on how vulnerabilities behave in context, including whether they can be exploited, what access they enable, and how they contribute to broader attack paths. This allows organisations to focus on issues that create real risk rather than relying on severity rankings alone.

 

Understand real-world attack paths in the full whitepaper

These challenges are explored in more detail in Human-led penetration testing in an AI-driven threat landscape.

Understand how real-world attack paths develop across identity, cloud, and SaaS environments, and how to test them before they are exploited. 

Download the whitepaper

Latest Insights

 

Author

Matt Dobinson

As Head of Security Consulting at The Missing Link, I lead offensive security engagements focused on red teaming, penetration testing, and adversary simulation. With a background in software development and systems engineering, I help organisations uncover real-world vulnerabilities and strengthen their defences. Outside of work, I’m usually experimenting with firmware or pulling apart how systems behave under pressure. If it runs code, I’m interested in how it works and how it can be broken.