Anyone exploring agentic pentesting for web apps and APIs yet?

I’ve been spending some time recently testing the alpha version of an agentic pentesting setup we’ve been developing internally, and it’s been an interesting shift from the usual automated scanning approach.

One thing that stood out early is how much effort typically goes into validating false positives from traditional scanners. With an agent-driven model, the system attempts to verify findings before surfacing them, which has noticeably reduced that noise in my testing flow so far.

It’s still early, and I don’t see it replacing manual testing anytime soon, especially for logic gaps that AI is certainly incapable of analyzing. But it does feel like a practical step toward making automated testing more reliable and helpful.

I’m curious if anyone else here has started experimenting with agentic workflows or similar approaches. Are you seeing real value with the current tools in the market?
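The verify-before-surfacing step described in the post above, written out as an added example (this is not code from the original post or from any named product). It uses a constructed in-memory SQLite database with two hypothetical handlers, one that concatenates the `id` parameter into SQL and one that binds it, a naive "does an appended quote change the response" heuristic that flags both, and a boolean-based confirmation probe that only the genuinely injectable handler passes. The function and endpoint names are assumptions made for illustration.

```python
"""Finding-verification gate: re-test a scanner's SQL injection hit with
differential boolean probes before surfacing it. Added example; the
handlers, names and sample data are constructed for illustration."""
import sqlite3
from typing import Callable, Dict


def _make_db() -> sqlite3.Connection:
    # Constructed sample data; a fresh DB per request keeps handlers stateless.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "alpha"), (2, "beta")])
    return conn


def vulnerable_endpoint(item_id: str) -> str:
    # Hypothetical handler that concatenates user input into the query.
    conn = _make_db()
    try:
        rows = conn.execute(f"SELECT name FROM items WHERE id = {item_id}").fetchall()
    except sqlite3.Error:
        return "error"
    return ",".join(r[0] for r in rows)


def safe_endpoint(item_id: str) -> str:
    # Hypothetical handler that binds the parameter; not injectable.
    conn = _make_db()
    try:
        rows = conn.execute("SELECT name FROM items WHERE id = ?", (item_id,)).fetchall()
    except sqlite3.Error:
        return "error"
    return ",".join(r[0] for r in rows)


def naive_scanner_flags(send: Callable[[str], str], baseline_value: str) -> bool:
    """The kind of heuristic that produces false positives: flag whenever an
    appended quote changes the response. A parameterized handler also answers
    differently to "1'" (no row matches), so it gets flagged too."""
    return send(baseline_value + "'") != send(baseline_value)


def confirm_boolean_sqli(send: Callable[[str], str], baseline_value: str, rounds: int = 2) -> bool:
    """Confirmation probe: the injection is real only if a true condition
    reproduces the baseline response, a false condition changes it, and that
    pattern is stable across repeated rounds (guards against noisy responses)."""
    for _ in range(rounds):
        base = send(baseline_value)
        if base == "error":
            return False  # cannot reason about a baseline that already errors
        true_resp = send(f"{baseline_value} AND 1=1")
        false_resp = send(f"{baseline_value} AND 1=2")
        if not (base == true_resp and true_resp != false_resp):
            return False
    return True


def triage(send: Callable[[str], str], baseline_value: str) -> Dict[str, bool]:
    """Only surface a finding that survives confirmation."""
    flagged = naive_scanner_flags(send, baseline_value)
    confirmed = flagged and confirm_boolean_sqli(send, baseline_value)
    return {"flagged": flagged, "confirmed": confirmed}


if __name__ == "__main__":
    print("vulnerable:", triage(vulnerable_endpoint, "1"))
    print("safe:", triage(safe_endpoint, "1"))
```

Both handlers trip the naive heuristic, but only the concatenating one is confirmed, which is the noise reduction the post describes. In a real agent the `send` callable would wrap an HTTP client, and the confirmation logic would need to account for dynamic page content (timestamps, CSRF tokens) before comparing responses.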

We have been building an autonomous testing service called AutoExplore for 2 years now.

We have the same experience with false positives; we also realized it is actually impossible to fully get rid of them. Our latest idea is to enrich the execution context and observed facts with source code information, which should reduce false positives dramatically.

Ref: AutoExplore AI Integration: Exporting Findings for Better Root Cause Analysis

Autonomously testing applications in AI-driven ways most likely won’t replace manual testing or automated test scripts; it’s something else entirely, a way to find new information.
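One concrete form of the "enrich observed facts with source code information" idea from the reply above, as an added example (this is not AutoExplore code, nor from the original thread). It parses a constructed Python source file with the `ast` module, classifies each handler's `execute()` call as building its SQL dynamically (f-string, `%`, `.format()`, concatenation) or passing a constant query with bound parameters, and attaches that verdict to a dynamic finding so a hit against a parameterized handler is downgraded instead of surfaced at full confidence. The handler names, the finding format and the route-to-handler mapping are assumptions for illustration.

```python
"""Enrich a dynamic finding with a static fact about how the handler builds
its SQL. Added example; the sample source and finding are constructed."""
import ast
from typing import Dict

# Constructed sample source: three hypothetical handlers.
SAMPLE_SOURCE = '''
def get_item(conn, item_id):
    return conn.execute(f"SELECT name FROM items WHERE id = {item_id}").fetchall()

def get_user(conn, user_id):
    return conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()

def search(conn, term):
    sql = "SELECT name FROM items WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()
'''


def _is_dynamic_sql(node: ast.AST) -> bool:
    """True when the query expression is assembled at runtime from pieces."""
    if isinstance(node, ast.JoinedStr):  # f-string
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True  # "..." + x  or  "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True  # "...".format(x)
    return False


def query_construction(source: str) -> Dict[str, str]:
    """Map each top-level function to how its execute() query is built:
    'dynamic', 'parameterized_or_constant', or 'no_query'."""
    tree = ast.parse(source)
    verdicts: Dict[str, str] = {}
    for fn in tree.body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        # Pass 1: remember simple `name = <expr>` assignments so a query built
        # into a local variable and executed later is still classified.
        assigned: Dict[str, ast.AST] = {}
        for node in ast.walk(fn):
            if (isinstance(node, ast.Assign) and len(node.targets) == 1
                    and isinstance(node.targets[0], ast.Name)):
                assigned[node.targets[0].id] = node.value
        # Pass 2: classify the first argument of every .execute(...) call.
        verdict = "no_query"
        for node in ast.walk(fn):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute" and node.args):
                arg = node.args[0]
                if isinstance(arg, ast.Name) and arg.id in assigned:
                    arg = assigned[arg.id]
                verdict = "dynamic" if _is_dynamic_sql(arg) else "parameterized_or_constant"
        verdicts[fn.name] = verdict
    return verdicts


def enrich_finding(finding: Dict[str, str], source: str) -> Dict[str, str]:
    """Attach the static verdict for the finding's handler and adjust confidence.
    The 'handler' key is an assumed mapping from the tested route to a function."""
    construction = query_construction(source).get(finding["handler"], "unknown")
    enriched = dict(finding, query_construction=construction)
    if construction == "parameterized_or_constant":
        enriched["confidence"] = "low"   # dynamic hit contradicts the code: likely noise
    elif construction == "dynamic":
        enriched["confidence"] = "high"  # code corroborates the dynamic observation
    else:
        enriched["confidence"] = "unknown"
    return enriched


if __name__ == "__main__":
    # Constructed finding from a dynamic probe against the user lookup.
    print(enrich_finding({"type": "sqli", "param": "user_id", "handler": "get_user"}, SAMPLE_SOURCE))
```

The static side is deliberately narrow: it only sees direct `execute()` calls and single-assignment locals, so a query built through a helper or an ORM would come back as `no_query` or `unknown` and should keep the dynamic verdict rather than override it. That is the practical shape of the idea in the reply: source facts adjust confidence, they do not replace the runtime observation.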