Anthropic dropped Claude Opus 4.6 this week and the timeline exploded again same cycle as every model release. "Pentesters are done." "Bug bounty is dead." "Agentic AI changes everything." This article breaks down why most of the AI discourse around security is either delusional optimism or performative panic, and why neither is helpful.
AI Is a Tool, Not a Replacement
AI models like Claude are genuinely useful for repetitive tasks writing tools, reviewing code, drafting reports, and handling boilerplate findings. They excel at speed on known patterns: running checklists, identifying textbook vulnerabilities, correlating scan output, and producing professional-sounding reports. But the conversation has shifted from "useful tool" to "full job replacement," and that's where people are getting it wrong.
Real pentesting breakthroughs like chaining a JNDI injection through Jolokia's proxy mode into RCE come from exploring gaps that no checklist covers. AI doesn't explore; it pattern-matches on training data. When faced with something genuinely novel, it either gives up or generates a confident but completely wrong answer.
The Goldfish Problem
LLMs don't think they predict the next token based on training patterns. When Claude writes like a senior pentester, it's faking the tone, not drawing on experience. Worse, the reinforcement training (RLHF) taught it to sound right rather than be right, which is why hallucinations are so dangerous the model never hedges or says "I'm not sure."
Then there's the memory problem. Every conversation starts from scratch. Even within a session, once findings exceed the context window (~200K tokens), earlier context gets silently dropped. In a real engagement where you build a mental model over days connecting a config anomaly on day one to an auth bypass on day three this is a fundamental wall. A pentester's memory is cumulative; the model's memory is a conveyor belt dumping everything off the end.
The Hype Is Doing Real Damage
Junior researchers see claims of "50 bugs in 2 hours" and skip the fundamentals. They point AI at targets and submit whatever comes out hallucinated vulnerabilities, duplicate reports, OWASP Top 10 rewrites with a URL pasted in. The curl project killed its HackerOne bug bounty program in January 2026 because AI-generated slop drove their vulnerability confirmation rate from 15% down below 5%. Programs are raising barriers to entry, and legitimate hunters suffer most as their real findings get buried in AI-generated garbage.
The $70 Trillion Leap
Claims that pentesting "went from impossible to everyone doing it in four months" are built on a false premise. What actually happened is people pointed AI at bug bounty targets and submitted the output 95% of which was junk. That's a spam cannon, not automation. You can't logically chain "AI can run a scanner" to "$70 trillion in displaced wages" without evidence. Producing output that looks like a pentest report is fundamentally different from actually performing a penetration test.
Follow the Money
US ad spending alone hit $422 billion in 2025. The entire global penetration testing market is worth about $2.7 billion a 150x difference. The industry everyone claims AI will "disrupt" was never well-funded to begin with. When AI makes pentesting cheaper, companies won't reinvest in more testing they'll just spend less, because that's what cost centers do.
Why Pentesting?
Of all industries to obsess over automating, pentesting is tiny. Marketing, legal, accounting, content production, and customer support are orders of magnitude bigger and full of repeatable work that AI already handles well. Dukaan replaced a 27-person support team with a chatbot and cut costs by 85%. IBM's HR bot handles 11.5 million interactions a year. That's where the real displacement is happening but "AI replaces customer support" doesn't get the same engagement as "AI replaces hacker."
Anthropic itself did $9B in revenue with 80% from enterprise API customers, and launched Cowork plugins for sales, legal, and finance security isn't even in the top three priorities. The "AI is coming for pentesters" narrative exists because it gets clicks, not because it reflects any company's actual roadmap.
The Bottom Line
Use AI it's a good tool that will keep improving. Get faster at the boring parts so you have more time for the interesting ones. But don't let the hype convince you that understanding systems doesn't matter anymore, and don't skip the fundamentals. The ability to look at something and think "that feels off" isn't going away with Opus 4.6 or 5.0 or whatever ships next. That's still the job, and probably always will be.
Original article by Patrik Grobshäuser on clawd.it