

In the two years since world leaders, tech bros, and Elon Musk met at Bletchley Park for the first-ever global AI summit, many of their unsettling predictions about the weaponisation of AI by cybercriminals have become reality. A recent assessment by the UK’s National Cyber Security Centre concluded that all types of cyber threat actors – state and non-state, skilled and less skilled – are now using AI.
While state-sponsored cyber threat actors were the first to leverage AI’s potential for hacking, the NCSC says AI has also made it easier for “novice cyber criminals, hackers-for-hire and hacktivists to carry out effective access and information gathering operations.”
After ‘ransomware-as-a-service’ was used by the criminals behind several of 2025’s spate of cyberattacks on leading British retailers, the NCSC’s warning of the “commoditisation of AI-enabled hacking capability” is chilling. Yet, despite its obvious potential for misuse, AI can also give a decisive advantage to those of us who are committed to keeping malicious hackers at bay. In fact, AI technology is perfectly suited to one of the central pillars of any organisation’s cyber defence – the ceaseless search for vulnerabilities in its IT infrastructure.
Traditionally, this function has been performed periodically by ethical hackers, skilled cybersecurity professionals who probe and test for weak spots in digital assets, such as webpages and web servers, that are collectively known as the ‘attack surface’. In a process called penetration testing, ethical hackers stage simulated attacks to identify chinks in the organisation’s defences. They then design and implement fixes to close any gaps before a bad actor can exploit them.
While manual ‘pentesting’ remains a vital component of effective cybersecurity, it can now be turbocharged by the addition of AI-powered ethical ‘hackbots’. These are automated systems which run 24/7 to identify and eliminate potential vulnerabilities in the attack surface. But unlike a conventional, algorithmic program, AI hackbots possess two huge advantages: the ability to work autonomously, while also learning from the systems they interact with and adapting their behaviour according to the information they glean.
Underpinned by a Large Language Model, hackbots have an enormous knowledge base and can spot all common vulnerabilities while also detecting odd behaviour and malfunctions. Crucially, they’re also capable of scanning applications constantly, adapting and exploring potential lines of attack in the way a hostile hacker, whether human or AI, would.
Hackbots as heroes
At a basic level, AI hackbots automate many of the repetitive and time-consuming tasks that a skilled ethical hacker would carry out. But their value far exceeds that of a mere timesaver – their adaptive, autonomous research capability enables them to uncover previously unknown security flaws. Deployed correctly, hackbots will integrate seamlessly with the existing tools used by ethical hackers, serving as a powerful force multiplier rather than just a fillip to human productivity.
This, of course, raises the prospect of the perfect partnership between a highly trained ethical hacker, attuned to the traits, morals and motivations of malicious hackers, and an ethical hackbot able to continuously scan vast attack surfaces, learning and locating potential weaknesses.
But with the hackbot serving as a formidable research assistant, the flesh-and-blood cybersecurity professional will be able to focus more attention on the challenges that demand creativity, morality and human problem-solving skills. Over time, this partnership may evolve into a symbiosis in which the human supervises, validates and guides the operations of hackbots, as well as managing the important ethical implications of autonomous testing. Fighting fire with fire it may be. But responsibility will always rest with the human firefighter.
Andre Baptista is the co-founder of the ethical hacking platform Ethiack and a visiting professor at the University of Porto.