JohnMakin 2 days ago

From WSJ article:

> The AI bot trounced all except one of the 10 professional network penetration testers the Stanford researchers had hired to poke and prod, but not actually break into, their engineering network.

Oh, wow!

> Artemis found bugs at lightning speed and it was cheap: It cost just under $60 an hour to run. Ragan says that human pen testers typically charge between $2,000 and $2,500 a day.

Wow, this is great!

> But Artemis wasn’t perfect. About 18% of its bug reports were false positives. It also completely missed an obvious bug that most of the human testers spotted in a webpage.

Oh, hm, did not trounce the professionals, but ok.

tptacek 2 days ago

False positives on netpens are extremely common, and human netpen people do not generally bill $2k days. Netpen work is relatively low on the totem pole.

(There is enormous variance in what clients actually pay for work; the right thing, I think, to key off of is comp rates for people who actually deliver work.)

iwassayinbourns 2 days ago

As a data point, when I worked in consulting 10+ years ago doing network (internal/external), web app, mobile etc., our day rate was $2k AUD flat for anything we did, and AFAIK we were at or below market cost. I know for sure that the big four charged closer to $3000 for what I understood to be a worse service (I have nothing to back that up apart from occasionally seeing awful reports). We did a not insubstantial amount of netpen at that rate. Granted, AUD isn’t USD, but I wonder what their day rate is now.

raesene9 2 days ago

My experience of UK pentest rates was that they've stagnated or even gone down over the last 20-25 years.

In the early 2000s banks were paying ~£1000-£1200/day for pentesters from boutiques, and when I stopped being in that industry ~5 years ago it was largely the same or even lower for larger companies that could negotiate day rates down. Big-4 tried to charge more, but that's really tricky when you're in direct competition with boutiques who have more testers than you.

By contrast US rates were a lot higher ($2k+/day) and also scopes were larger. A UK test for a web app could be as low as 3 days (even less for unauthenticated) where the US tended to be 1-2 weeks.

One reason they've gone down is outsourcing to lower cost regions, and I'd guess that LLM/AI automation will accelerate that trend...

pedro_caetano 2 days ago

Fair, but if you look at most tools for Static Code Analysis they will have equal or worse performance with regards to false positives and are still seen as added value.

If this is inexpensive (in terms of cost/time) it will likely make business sense even with false positives.

JohnMakin 2 days ago

But that isn’t the claim. The claim is that an agentic pen tester “trounced” human testers. Static analysis tools are already trivial and cheap to automate, so why would you need an agent in the loop?

pedro_caetano 2 days ago

I agree with your point that the claim is exaggerated. My counterpoint is that even if they are subpar, they will still make business sense if they are inexpensive, much in the same way that static code analysis tools aren't great but, because they are inexpensive, they still make sense during development.

oofbey 2 days ago

We cannot consider this report unbiased, considering the authors are selling the product.