Most security products that say “AI” use a language model as a summariser at the end of a traditional scan. Pentrova uses AI earlier and more narrowly: to decide what is worth testing next, given what the application has revealed so far. It does not decide whether a finding is real.
This post draws the boundary precisely — what the model is allowed to do, what only evidence is allowed to do, and why keeping those two jobs apart is what makes the output trustworthy.
The boundary, stated plainly#
There are two distinct jobs in an automated pentest:
- Prioritisation — choosing which endpoint, parameter, or behaviour to investigate next.
- Adjudication — deciding whether an attempted exploit actually succeeded.
Pentrova lets AI own the first job and forbids it from the second. That separation is deliberate: a model is good at recognising that something is worth a closer look, and it is not a source of truth about whether an exploit worked.
What AI is allowed to do#
AI helps Pentrova adapt. Instead of grinding through a fixed checklist, the adaptive test planner concentrates effort where the attack surface is richest and skips what does not apply. That is what lets a run assemble escalation chains a static scanner would never reach — and every planning decision is logged with its reasoning, so the run stays auditable after the fact.
This mirrors how a human pentester works: form a hypothesis about where the interesting bugs are, then go test it. The model accelerates the hypothesis step. It never gets to declare victory.
What only evidence is allowed to do#
Whether something becomes a finding is settled by evidence, not by a model. Every finding is verified against the live target, and Critical and High findings are reproduced inside a sealed sandbox with a captured request/response and a reproducible command. If the behaviour cannot be substantiated, it never reaches your queue — no matter how plausible it looked to the planner.
This is the same principle as deterministic proof over probabilistic CVSS: a confident-looking guess is still a guess, and a guess is not a finding.
Why the boundary builds trust#
The payoff is that you do not inherit the model’s mistakes. Because AI never writes a finding into the report, a hallucinated vulnerability cannot reach you — the verification step would fail to reproduce it and drop it. You get confirmed impact with the evidence attached, which is the only output an engineering team can act on without re-litigating every line.
Key takeaways#
- An automated pentest has two jobs: prioritisation and adjudication. Pentrova gives AI the first and forbids it the second.
- AI drives the adaptive planner — concentrating effort where the surface is richest — with every decision logged.
- Evidence, not a model, decides what becomes a finding; unverifiable behaviour is dropped.
- Keeping the boundary strict means model mistakes never reach your queue.
FAQ#
Does Pentrova use a language model to write findings? No. The model helps decide what to test next. Findings are written only after the exploit is verified against the live target — and for Critical/High, reproduced in the sandbox. The model has no authority to publish a finding.
Can an AI pentest hallucinate vulnerabilities? Only if you let the model adjudicate. Pentrova does not: an unverifiable behaviour fails the reproduction step and is dropped before it reaches your queue, so a hallucinated finding cannot ship.
Is the AI’s decision-making auditable? Yes. Every planning decision is logged with its reasoning, so you can review why each step was attempted after the run completes.
See how the adaptive planner fits the platform pipeline, or start a free engagement.