Sytten 2 days ago

Yes because all the valuations right now are based on a bet that this will replace a huge chunk of the service/consulting budget toward an AI budget for pentest. This will not happen.

tptacek 2 days ago | parent | next

I have no stake in this market, but: human-in-the-loop AI-mediated pentesting will absolutely slaughter billable hours for offensive security talent. Hell, if Fortify and Burp Scanner were actually good, you wouldn't even need the last few years of LLM advancement to accomplish that; the problem is that current automation is not very good. LLM-augmented automation happens, as a weird quirk of fate, to be almost laser-guided at the weaknesses of that technology.

big_youth 2 days ago | parent | next

That market's been slaughtered for a while. Pretty much every big tech company has built up strong internal security teams and automated as much as possible. Look up what happened to NCC Group post-Matasano acquisitions; I joined within a year of the iSEC/Matasano/Intrepidus acquisitions and saw a slow ride down. After 5 years the rate was still $2500 a day and everyone with real talent left to internal teams for much, much higher pay. NCC Group is now a scan shop operating out of the Philippines; I still have one friend that works there from the iSEC days! The exception being some leet places like Trail of Bits.

tptacek 2 days ago | parent

Late-period NCC doesn't look great. But I've been a buyer of these services for the past 5 years (a seller, of course, for the 15 years leading up to that) and rates have not gone down; I was shocked at how much we ended up spending compared to what we would have billed out on comparable projects at Matasano.

I don't know enough about the low-end market to rebut you there (though: I saw what my muni paid for a bargain-basement assessment and was not OK with it), but the high end of the market definitely has not been slaughtered, and I definitely think that is coming.

Sytten 2 days ago | parent | prev

Yes and no. It will kill the "I ran a Nessus scanner and charged you 8k for it" kind of pentests, but not the core of the service market IMO. Pentesters will be more efficient, so I guess this could be considered a slash in hourly rate if they kept the same pace. LLMs are good at getting signals, but at actual hacking they are still meh.

Juniors will have a hard time, that I agree with. The current level of LLM findings is at their level.

tptacek 2 days ago | parent

I disagree with you about the first paragraph but have to say that, distinctively to the security and the services markets, you can't say "juniors will have a hard time of it" without also saying "this is going to fundamentally disrupt services budgets". The two statements mean the same thing.

6r17 2 days ago | parent | prev

Do you think they could move toward other technologies if they show maturity in that sector that AI cannot provide?