18 March 2026 R&D Vladimir

How Patrowl Uses AI to Strengthen Penetration Testing (Without Sacrificing Reliability)

Artificial intelligence is transforming cybersecurity, particularly penetration testing and external attack surface management. At Patrowl, we view AI as a performance lever: it is only integrated where its value is proven, measurable, and aligned with our reliability requirements.

This article outlines how AI is used at Patrowl, including agentic AI, the rationale for in-house hosting, and several ongoing R&D projects.


Why You Don't See AI in the Patrowl Platform (And Why That's Intentional)

At this stage, no artificial intelligence is integrated into the customer-facing portal. This is a deliberate decision based on a rigorous assessment of the maturity of currently available models.

Because existing models are non-deterministic and prone to hallucination, current systems produce unstable results on sensitive tasks such as vulnerability detection or attack surface analysis. Outputs can vary from one run to the next, false positives persist, and decision traceability remains too unclear for production use.

In offensive security, imprecision is not an option. Patrowl refuses to expose its clients to results whose consistency cannot be guaranteed, even if it means waiting until AI is fully reliable before integrating it directly into the product.

This principle is especially critical for automated external penetration testing. In this context, result accuracy has a direct impact on the quality of the recommendations provided to vulnerability management teams. A false negative, that is, a missed vulnerability, means leaving part of the attack surface exposed and creating an opportunity for attackers.

This is why Patrowl currently confines agentic AI to internal, supervised use, and why it continues to invest in R&D around this capability.


How AI Is Already Enhancing Our Penetration Testing (Behind the Scenes)

At Patrowl, AI is already used on a daily basis, but in a controlled and supervised manner:

  • For developers: assisted code generation, basic security reviews, and faster remediation without ever delegating final decision-making.

  • For pentesters: support in vulnerability qualification (PoC rewriting, exploitation scenario suggestions, documentation research) to save time on repetitive tasks.

  • With AI agents: execution of targeted and supervised offensive actions (exploration, mapping, evidence collection) to extend testing scope without replacing the expert.

Agentic AI enhances intrusion and analysis capabilities by expanding the reach of pentesters, rather than replacing them.

In practice, this results in more comprehensive and faster security testing, while keeping human oversight on critical steps.

Patrowl is therefore a balanced combination of automation, agentic AI, and human expertise.

Three Ongoing R&D Initiatives at Patrowl

Patrowl is running several R&D projects to integrate AI into its security testing tools in a targeted and measurable way. Each project follows the same principle: AI is only adopted when it delivers clear value and stable results.

Dating Exposed Web Assets

This project uses AI to estimate the age of a website, a valuable signal for assessing the risk level of an attack surface. Older systems, often less frequently updated, tend to present more exploitable vulnerabilities during external penetration testing. This capability will be integrated directly into the Patrowl platform.

Knowing the age of an asset also helps prioritize security audit efforts. An unmaintained legacy site does not present the same risks as a recent application. AI enables this prioritization to be automated at scale, across hundreds of assets simultaneously.

Source Code Analysis with AI Agents

Patrowl is finalizing a solution based on AI agents capable of autonomously analyzing source code in real time within a defined scope. The goal is not to replace a full code audit, but to:

  • Identify entry points

  • Map potential attack paths

  • Highlight high-risk areas that require in-depth human review

This type of agent reduces the time spent on the exploratory phases of a penetration test while covering a broader scope. Pentesters can then focus on validating and exploiting the identified vulnerabilities.

Agentic AI: Promising but Still Immature

Agentic AI refers to systems capable of chaining complex actions autonomously to achieve a goal. Applied to penetration testing, it could enable real-time, AI-driven pentest campaigns without constant supervision. The potential gains in coverage and responsiveness would be significant.

However, these systems still face concrete limitations:

  • Significant R&D effort is required to achieve stable performance

  • Results remain too variable for production use in critical environments

  • Lack of robustness when facing unforeseen attack scenarios

Patrowl will not integrate this technology into its product until validation tests confirm its reliability. Research is progressing, but rigor takes precedence over speed.

AI Hosted Internally, Without External Dependencies

The AI models used by Patrowl are deployed on internal servers rather than public services such as OpenAI, Anthropic, or similar providers. Processing is fully controlled end-to-end within a secure, isolated, and auditable environment. After all, who would want their vulnerabilities exposed to third parties?

This architectural choice addresses four key requirements for our clients:

  • Confidentiality: No sensitive data is sent to uncontrolled external servers

  • Traceability: Every operation is logged and verifiable internally

  • Compliance: Alignment with corporate security standards, especially in highly regulated industries

  • Independence: Patrowl remains unaffected by pricing changes, usage terms, or embargoes imposed by third-party providers

For organizations in finance, healthcare, defense, or critical infrastructure, the use of AI must be strictly governed.

What AI Concretely Changes in Patrowl's Penetration Testing

The use of AI and agentic AI produces tangible effects that directly improve Patrowl's outcomes:

  • Detection of attack patterns that are difficult to spot manually during external penetration tests

  • Reduction of turnaround times in certain phases of analysis and report production

  • Identification of new risk categories in real time across extended application scopes

  • Concrete measurement of the capabilities and limits of AI applied to offensive security, which directly informs our R&D decisions

AI enhances the capabilities of Patrowl and its pentesters, but it does not replace them. It allows human teams to focus on what truly matters: understanding business risks, proving the exploitability of vulnerabilities, and guiding remediation.

Patrowl: Reliability Above All

At Patrowl, AI is a means, a tool, not an end. We integrate it into our penetration tests according to strict criteria of reliability, stability, and security.

AI already strengthens Patrowl's teams and fuels an ambitious R&D roadmap, all in service of one constant objective: delivering results that are reliable, actionable, and aligned with the requirements of the organizations we protect.
