{"id":2768,"date":"2025-07-08T10:00:42","date_gmt":"2025-07-08T01:00:42","guid":{"rendered":"https:\/\/bestpathresearch.com\/?p=2768"},"modified":"2025-07-08T10:31:55","modified_gmt":"2025-07-08T01:31:55","slug":"20250707","status":"publish","type":"post","link":"https:\/\/bestpathresearch.com\/en\/2025\/07\/08\/20250707\/","title":{"rendered":"AI-Assisted Penetration Testing"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"2768\" class=\"elementor elementor-2768\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-69825c2 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"69825c2\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-30fee80\" data-id=\"30fee80\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-afe44be elementor-widget elementor-widget-text-editor\" data-id=\"afe44be\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tAt Best Path Research, we recently completed a black box web application penetration test for a major Japanese company. By combining manual testing with AI-driven tools, we identified critical vulnerabilities more quickly and effectively than we could have done with manual methods alone. 
We were able to successfully mitigate a number of serious potential vulnerabilities before the site was released publicly.\n\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-eed5245 elementor-widget elementor-widget-heading\" data-id=\"eed5245\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Reinforcement Learning in Penetration Testing<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f66597c elementor-widget elementor-widget-text-editor\" data-id=\"f66597c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tBased on modern generative AI (genAI) and machine learning (ML), we\u2019re now applying reinforcement learning\u00a0(RL) techniques to further automate parts of the web application testing process, starting with popular, and potentially high-risk, open-source blogging and website software. 
These RL-based agents learn to autonomously identify and probe common security flaws and misconfigurations in an isolated environment, mimicking the ways in which an experienced, malicious, human hacker might attempt to discover and exploit the same vulnerabilities.\u00a0\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6c4be57 elementor-widget elementor-widget-heading\" data-id=\"6c4be57\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Mitigating LLM Exploits in Public-Facing Systems<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1e30630 elementor-widget elementor-widget-text-editor\" data-id=\"1e30630\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tWe\u2019re also focusing on securing public-facing large language models (LLMs), which can be susceptible to exploits through prompt injection or jailbreak techniques that can leak sensitive information or execute unintended actions. Such exploits are conceptually similar to classic SQL injection vulnerabilities, which were a focus in our recent web application pen-testing work. 
Our future work includes testing frameworks and safeguards to help companies safely deploy LLMs in production.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9102f3f elementor-widget elementor-widget-heading\" data-id=\"9102f3f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Generative AI Threats<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1e41b5e elementor-widget elementor-widget-text-editor\" data-id=\"1e41b5e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe flip side to the many positive uses of genAI is that it is already being used by attackers to craft convincing phishing emails and realistic social engineering attacks. Recent hacks even use audio and video genAI models to trick employees into revealing sensitive information during telephone calls or in video messages. 
With our decades of combined experience in AI and ML, we\u2019re also developing tools to detect and defend against these evolving threats before they reach end users.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ef4ae5b elementor-widget elementor-widget-text-editor\" data-id=\"ef4ae5b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tAt Best Path Research, we\u2019re using AI to strengthen both offensive and defensive security capabilities, helping companies stay safe and secure in a rapidly changing threat landscape.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>At Best P [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_locale":"en_US","_original_post":"https:\/\/bestpathresearch.com\/?p=2764","footnotes":""},"categories":[27],"tags":[],"class_list":["post-2768","post","type-post","status-publish","format-standard","hentry","category-news_en","en-US"],"_links":{"self":[{"href":"https:\/\/bestpathresearch.com\/wp-json\/wp\/v2\/posts\/2768","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bestpathresearch.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bestpathresearch.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bestpathresearch.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/bestpathresearch.com\/wp-json\/wp\/v2\/comments?post=2768"}],"version-history":[{"count":6,"href":"https:\/\/bestpathresearch.com\/wp-json\/wp\/v2\/posts\/2768\/revisions"}],"predecessor-version":[{"id":2775,"href":"https:\/\/bestpathresearch.com\/wp-json\/wp\/v2\/posts\/27
68\/revisions\/2775"}],"wp:attachment":[{"href":"https:\/\/bestpathresearch.com\/wp-json\/wp\/v2\/media?parent=2768"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bestpathresearch.com\/wp-json\/wp\/v2\/categories?post=2768"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bestpathresearch.com\/wp-json\/wp\/v2\/tags?post=2768"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}