Trust in Automated AI Vulnerability Scanning Collapses to 9%

A large number of false negatives has significantly eroded confidence in automated AI testing for vulnerabilities, a new study has found.

The report found that the percentage of organisations relying entirely on AI automation for testing sank from 29% to 9% over the period, with nearly half (47%) of respondents now preferring a hybrid testing model. Over three-quarters (78%) said fully automated scanning tools missed critical vulnerabilities. More information can be found here.

Commenting on this, Daniel Bechenea, security manager at Pentest-Tools.com, said the following:

“The decline in confidence around fully automated testing doesn’t surprise me. Automated scanners are very good at repeatedly checking for known classes of vulnerabilities, but security isn’t just pattern matching. Many high-impact issues still require understanding application logic, business context, and how multiple weaknesses can be chained together.

The lesson isn’t that AI has failed. It’s that we’ve become more realistic about where it adds value. AI and automation should help security teams cover more ground, reduce repetitive work, and surface issues faster.

Human expertise is still essential for validating exploitability, investigating edge cases, and prioritizing what actually matters across layers of context (often unspoken, undocumented, and highly dependent on relationships and buried dependencies).

The organisations getting the most value from AI aren’t replacing security engineers with it. They’re using it to make experienced security teams more effective.”