From Controlled to the Wild: Evaluation of Pentesting Agents for the Real-World
Abstract
AI pentesting agents are increasingly credible as offensive security systems, but current benchmarks still provide limited guidance on which will perform best in real-world targets. Existing evaluation protocols assess and optimize for predefined goals such as capture-the-flag, remote code execution, exploit reproduction, or trajectory similarity, in simplified or narrow settings. These tools are valuable for measuring bounded capabilities, yet they do not adequately capture the complexity, open-ended exploration, and strategic decision-making required in realistic pentesting. In this paper, we present a practical evaluation protocol that shifts assessment from task completion to validated vulnerability discovery, allowing evaluation in sufficiently complex targets spanning multiple attack surfaces and vulnerability classes. The protocol combines structured ground-truth with LLM-based semantic matching to identify vulnerabilities, bipartite resolution to score findings under realistic ambiguity, continuous ground-truth maintenance, repeated and cumulative evaluation of stochastic agents, efficiency metrics, and reduced-suite selection for sustainable experimentation. This protocol extends the state of the art by enabling a more realistic, operationally informative comparison of AI pentesting agents. To enable reproducibility, we also release expert-annotated ground truth and code for the proposed evaluation protocol: https://github.com/ethiack/ethibench.
Community
Current AI pentesting benchmarks emphasize task completion in constrained settings rather than realistic vulnerability discovery. We present an evaluation protocol that measures validated vulnerabilities across complex targets using expert-annotated ground-truth, LLM-assisted matching, ambiguity-aware scoring, repeated evaluation of stochastic agents, and efficiency metrics. The protocol enables more realistic and operationally informative comparisons of AI pentesting agents, and we release ground-truth annotations and the evaluation protocol code for reproducibility.
What isn't stated nearly enough is how these models will be used to exploit the human vulnerabilities in these systems. Yeah agents can search and execute these exploits, you could've always written a script to do that, and sometimes they may be able to find things you couldn't sometimes the reverse. I don't really know where I'm going with this. Basically I think automated agents taking typical pentesting approaches won't be nearly as effective as using a false consensus to convince the human elements to become the attack vectors themselves. Just a guess.
This is an automated message from the Librarian Bot. I found the following papers similar to this paper.
The following papers were recommended by the Semantic Scholar API
- AgentCyberRange: Benchmarking Frontier AI Systems in Realistic Cyber Ranges (2026)
- STAGE-Claw: Automated State-based Agent Benchmarking for Realistic Scenarios (2026)
- RIFT-Bench: Dynamic Red-teaming For Agentic AI Systems (2026)
- A Survey of LLM-Driven Penetration Testing: Taxonomy, Co-Evolution, and Open Challenges (2026)
- Human-on-the-Bridge: Scalable Evaluation for AI Agents (2026)
- SeClaw: Spec-Driven Security Task Synthesis for Evaluating Autonomous Agents (2026)
- ProofAgent Harness: Open Infrastructure for Adversarial Evaluation of AI Agents (2026)
Please give a thumbs up to this comment if you found it helpful!
If you want recommendations for any Paper on Hugging Face checkout this Space
You can directly ask Librarian Bot for paper recommendations by tagging it in a comment: @librarian-bot recommend
Get this paper in your agent:
hf papers read 2605.10834 Don't have the latest CLI?
curl -LsSf https://hf.co/cli/install.sh | bash Models citing this paper 0
No model linking this paper
Datasets citing this paper 0
No dataset linking this paper
Spaces citing this paper 0
No Space linking this paper
Collections including this paper 0
No Collection including this paper