Web App Pentesting Problems at scale
Since being tasked to perform the now notorious (in my close circles) ‘quality’ 4-day web app pentest, I’ve had to scale and speed up EVERYTHING. Faster scoping, faster recon, faster exploitation, faster reporting, faster EVERYTHING. It’s been a tall order (then I had to lead others to do it. Also faster). Often (literally always) I’m evaluated against MAJOR pentest firms, say the big 3, HUGE pentest shops (with deep benches), AI-powered software products, other internal teams, overseas teams, and even the entire bug bounty lineup, including the AI there.
BTW, side bar: take a look at curl’s AI slop stuff, it’s great (yw).
That said, these larger, more traditional firms do still get the 2-week or longer testing windows, plus the months of reporting and scoping. IDK what they charge, but it feels traditional and costly.
So how do I compete and WIN as a sole, lonely, red-headed step-pentester?
Well… BLUF (BUZZ word alert!): AI and automation. A LOT of it. Oh, and skill, but that’s out of scope for this :)
So if you think this is going to be an ‘AI does it and wins all the things for the gold’ article… YEY!!!… WRONG!… you may want to stop reading… this ain’t it :)
AI, I have found (even in Q4 2025; BTW, major changes happened then for code in most models. IMO it’s likely why you saw a lot of market movement with software companies around that time), is more the intern (and honestly I’m being VERY gracious) I can’t get at my role. It can’t hack, even after you bypass the guardrails on them. Honestly, it couldn’t even make a good wordlist when I asked it to for a pentest, but had no issue when I asked another way.
Honestly, I often find getting access to a chat bot is its own challenge… and the {REDACTED PRODUCT} in {REDACTED OS CHAT CLIENT} is painful to work with (IMO)…. Now, I don’t have tokens or funds for them, for, let’s say, more targeted models… because of course I don’t, why would I lol, which is not true for my competition, as they love to keep mentioning to me.
So what do I do?
Well, I’ve been doing this hacking thing for many, many years now and I follow the rules.
Mainly “Shut the F*** up”. So I won’t be giving away the secret sauce here either. ;)
But I need cert creds, so here we are.
But as with any input/output machine, web app, or AI: if you ask or produce the right input, you get the (mostly) right output. You still need to know how to code. You still need to know how to hack. You still need to understand tech. You still need to know how to write a report…… wait… scratch that ;)
I will also say this… it’s possible now for a single hacker, in a very short period of time, to be as productive as an entire large-scale pentest shop with a deep bench and years of experience in the space AND produce a similar, if not better, pentest product. I know; I’ve done it… for a couple of years now.
Also, this article (unlike most) was not written with AI… ‘by design’!
Oh, did I mention I also do all the remediations for all my findings while working on these pentests? Yeah, we will get to that next time.
lol, AI had issues rewriting this.