Join our Upcoming Free Webinar · Continuous Pentesting in DevSecOps using AI Agents  on July 9 at 8 PM IST / 10:30 AM EST · Seats are LimitedRegister Now
Strobesstrobes
Platform
Solutions
Resources
Customers
Company
Pricing
Book a Demo
Strobesstrobes

Strobes connects every exposure signal to autonomous action, so security teams fix what matters, prove what works, and stop chasing noise.

Book a DemoTalk to an expert
ISO 27001SOC 2CREST
  • Platform
  • Platform Overview
  • Agentic Exposure Management
  • AI Agents
  • Integrations
  • API & Developers
  • Workflows & Automation
  • Analytics & Reporting
  • Solutions
  • Exposure Assessment (EAP)
  • Attack Surface Management
  • Application Security Posture
  • Risk-Based Vulnerability Management
  • Adversarial Exposure Validation (AEV)
  • AI Pentesting
  • Pentesting as a Service
  • CTEM Framework
  • By Industry
  • Financial Institutions
  • Technology
  • Retail
  • Healthcare
  • Manufacturing
  • By Roles
  • CISOs
  • Security Directors
  • Cloud Security Leaders
  • App Sec Leaders
  • Resources
  • Quick Agentic Pentest
  • Blog
  • Customer Stories
  • eBooks
  • Datasheets
  • Videos & Demos
  • Exposure Management Academy
  • Pentesting ROI Calculator
  • Pentest Health Check
  • Security Tool ROI Calculator
  • Company
  • About Strobes
  • Meet the Team
  • Trust & Security
  • Contact Us
  • Careers
  • Become a Partner
  • Technology Partner
  • Partner Deal Registration
  • Press Release

Weekly insight for security leaders

CTEM research, agentic AI trends, and what's actually moving the needle.

© 2026 Strobes Security Inc. All rights reserved.

Privacy PolicyTerms of ServiceCookie PolicyAccessibilitySitemap
Back to Blog
How agentic pentesting separates test failures from real security findings
Penetration TestingOffensive Security

How Agentic Pentesting Separates Test Failures From Real Security Findings

Shubham JhaJuly 8, 202618 min read

Table of Contents

  • Why do unstable applications produce misleading test results?
  • What are the six failure states an agent must distinguish?
  • How do agents restore sessions and application state?
  • When are retries safe and when should they stop?
  • How does a failed test become a false negative?
  • Where do agents still fail and need humans?
  • What must a reliable pentest report disclose?
  • How should you evaluate agentic pentesting reliability before buying?
  • Frequently asked questions
    • How does agentic pentesting handle application changes mid-test?
    • Do AI pentest agents recover from crashes?
    • How is agentic pentesting different from scanners on dynamic apps?
    • What is AI pentest agent reliability measured by?
    • Do agentic pentests report false positives in flaky environments?
    • What does "inconclusive" mean in an agentic pentest report?
  • Sources

Authors

S
Shubham Jha

Share

Table of Contents

  • Why do unstable applications produce misleading test results?
  • What are the six failure states an agent must distinguish?
  • How do agents restore sessions and application state?
  • When are retries safe and when should they stop?
  • How does a failed test become a false negative?
  • Where do agents still fail and need humans?
  • What must a reliable pentest report disclose?
  • How should you evaluate agentic pentesting reliability before buying?
  • Frequently asked questions
    • How does agentic pentesting handle application changes mid-test?
    • Do AI pentest agents recover from crashes?
    • How is agentic pentesting different from scanners on dynamic apps?
    • What is AI pentest agent reliability measured by?
    • Do agentic pentests report false positives in flaky environments?
    • What does "inconclusive" mean in an agentic pentest report?
  • Sources

Authors

S
Shubham Jha

Share

When an agentic pentest fails, the first question isn't whether the application is secure. It's why the test failed. An expired session, a rate limiter, a crashed dependency, and a working authorization control can all surface as "request failed" in a log. They require four different conclusions. Agentic pentesting reliability is the ability to tell them apart, restore state, and retry where it's safe, escalate where it isn't, and mark a path inconclusive instead of marking it clean.

You already know what agentic pentesting is. The question is whether agentic pentesting on unstable applications holds up when the app ships daily, drops sessions mid-flow, and falls over under load.

TL;DR
  • ✓Unstable target behavior can interrupt tests without proving anything about security. A timeout from a flaky pod and a timeout from a WAF deserve different conclusions.
  • ✓A reliable agent distinguishes six failure states: environment failure, authentication failure, tool failure, agent failure, security-control block, and inconclusive.
  • ✓Retries are safe for transient, non-destructive actions and unsafe for anything that mutates state. The retry policy matters as much as the recovery itself.
  • ✓"Not vulnerable" should only mean the test completed and the unauthorized impact did not occur. Anything less is an untested path, and the report should say so.

Why do unstable applications produce misleading test results?

Modern apps don't sit still during a pentest. Deployments happen mid-engagement, sessions expire without warning, services restart under load, and WAF rules update on their own schedule. By the time a two-hour test finishes, the application it started on may be three hotfixes removed from the one it ended on. Most testing tools don't account for any of this. They start with a session, a set of endpoints, and a plan, then execute it linearly regardless of what changes underneath.

When something breaks mid-run, there are two outcomes. The tool either throws an error and stops, leaving an obvious gap, or it keeps going with whatever partial context it has left. The second case is the one that burns you. A session token rotates mid-test, the tool gets a 401, loses the session, and keeps crawling as an unauthenticated user without flagging it. It logs the authenticated paths as tested. Your end-of-day report says the payments flow is clean, but those tests ran without a valid session, which means the access controls you actually care about were never touched. Nothing in the report tells you this happened. No asterisk, no coverage gap, just "tested" next to paths that weren't tested under the conditions that matter.

That's the real problem with pentesting unstable apps. You don't get bad findings you can argue about. You get a clean report with a false foundation and no way to know until something else breaks.

Key takeaway: The danger of unstable apps isn't noisy findings. It's confident reports built on tests that silently didn't run.

What are the six failure states an agent must distinguish?

The six failure states an agentic pentest must distinguish: environment failure, authentication failure, tool failure, agent failure, security-control block, and inconclusive
The six failure states and the correct response to each.

Every action an agentic pentest takes resolves into one of six states. Reliability is the ability to classify each one correctly rather than collapsing them all into "test failed" or worse, "test passed."

1. Environment failure. The application, network, or dependency prevented execution. The payments pod is restarting. Baseline requests fail the same way the payload does. The result says nothing about security, only that the target was unavailable.

2. Authentication failure. The expected identity or session could not be maintained. The session token rotated mid-test, and the agent kept probing as nobody. Results from this state are void and should be marked as such until identity is restored and the test reruns.

3. Tool failure. A browser, proxy, or execution component failed independently of the target. A headless Chrome session crashed. A proxy dropped a request before it reached the server. The target was never exercised.

4. Agent failure. The agent selected, interpreted, or sequenced actions incorrectly. It hallucinated an API parameter that doesn't exist, or lost enough context mid-run to build an invalid plan. The system itself is the failure source.

5. Security-control block. The request consistently reached the target, and a control stopped it. Reproducible 403s across sessions and roles. A WAF response signature. A lockout after repeated attempts. This is a signal, and often a positive one. The caveat: a reproducible WAF response confirms the tested request was blocked. It doesn't, by itself, prove the underlying weakness is unreachable through another variation or workflow.

6. Inconclusive. Not enough evidence to declare the path vulnerable or secure. Many scripted tools give limited visibility here, surfacing only an error, a skipped test, or an incomplete scan status. A reliable agent treats inconclusive as a first-class result: escalated or disclosed in the report, never silently marked clean.

The classification matters because each state demands a different response. State 1 waits and retries. State 2 re-authenticates before proceeding. State 3 restarts the tool. State 4 escalates to a human. State 5 gets logged as a control observation. State 6 goes into the report as an untested path.

A tool without this taxonomy can only tell you "the test ran." It can't tell you what the test actually established.

Key takeaway: "The test failed" is the start of analysis. Which of the six states it failed into determines whether you retry, escalate, report a control, or disclose a gap.

How do agents restore sessions and application state?

An agent is mid-way through testing an authenticated API flow, probing for IDOR on /api/v2/orders/{id}. The app redeploys. The session token is invalidated. The agent gets a 401.

A scripted tool either errors out or keeps probing unauthenticated. A reliable agent classifies this as state 2, authentication failure, pulls fresh credentials, re-runs the auth flow, confirms the restored role matches what the hypothesis requires (not just "logged in" but "logged in as the correct test user with the right entitlements"), and resumes the IDOR probe from where it stopped.

That last confirmation step matters more than it sounds. Re-authenticating into an admin account instead of a regular user account would silently invalidate every access-control test that follows. Identity verification is part of recovery, not an afterthought.

Beyond sessions, a good checkpoint stores enough to make crash recovery in pentesting meaningful: authenticated identity and current role, the endpoints discovered and their observed behavior so far, the workflow stage, prior requests and responses, any target-side state the test created, and the open hypotheses still being worked. When a run crashes outright, task decomposition limits the damage. A crash costs one step, not the engagement. What the agent already learned about the target persists so the restart doesn't cover the same ground.

Key takeaway: Recovery quality is checkpoint quality. An agent that restores a session without verifying the restored identity has recovered execution while quietly breaking the test.

When are retries safe and when should they stop?

Retry transient, non-destructive actions with backoff and a hard cap. Stop the moment the action mutates state, the same error repeats, or the failure classification is uncertain.

A GET against a restarting pod is safe to retry. A payment submission is not. Neither is a password change, a record deletion, or anything that triggers an account lockout. The cost of the duplicate side effect exceeds the value of the retry. For those actions, controlled state verification replaces repetition: check whether the first attempt's intended effect occurred, rather than firing it again to find out.

The stop conditions need as much design attention as the retries themselves. The PentestAgent research (arXiv:2411.05185) formalizes this with hard limits on execution attempts and prompt-level rules that stop execution when the same error repeats, specifically to prevent agents from looping on actions that will never succeed. SHIELDA (arXiv:2508.07935), an exception-handling framework for LLM agent workflows, structures the full chain: classify the exception, attempt bounded local recovery, escalate to a human when local handling fails. Multi-level escalation rather than a crash loop, and rather than silent abandonment.

Retry behavior should vary by action type and target behavior, not run off a fixed timer. Read-only requests against a service with a known recovery window can take bounded retries with backoff. State-changing actions should usually stop after the first uncertain outcome and move to state verification. The endpoint type, the action's risk, and how the service has been behaving all feed the decision. What stays constant is the cap: the agent doesn't try a third time hoping something changed.

Key takeaway: an agent that retries everything is dangerous. An agent that retries nothing is brittle. The policy lives in the classification.

How does a failed test become a false negative?

When a tool can't complete a test and reports the path as clean anyway. This is the costliest failure mode, because nobody knows to go looking. The entire value of classifying agentic pentesting test failures is to prevent this outcome.

The standard that prevents it is strict. A path is "not vulnerable" only when the security hypothesis executed end to end, and the expected unauthorized impact did not occur. Everything else gets labeled as what it is.

The classification logic in practice:

ObservationClassification
Payload fails, baseline succeeds repeatedlyPossible security control
Baseline and payload both failEnvironment failure
Session expires during the testAuthentication failure
Tool returns malformed outputTool failure
Agent cannot establish target stateInconclusive
Unauthorized impact is confirmedVulnerability

And what a single classified action looks like once it resolves:

Baseline request:      succeeded
Modified request:      timed out
Application state:     unchanged
Session:               valid
Retry:                 one controlled retry
Retry result:          403
Control verification:  repeated with second user, 403
Final status:          blocked by authorization control
Confidence:            high

That's not a finding. That's a confirmed control observation. Both outcomes have value. The vulnerability tells you what to fix. The confirmed control block tells you the defense is working. The worst outcome in the table is the one that looks like neither, baseline and payload both fail, because that's where a bad tool marks the path clean and moves on.

Validated findings flow into risk-based prioritization with EPSS, CISA KEV, and asset context. But the validation step has to happen first. Evidence proportionate to the risk of the test, reproducible exploitation where re-running is safe, controlled state verification where it isn't.

Key takeaway: False positives waste hours. False negatives from silently failed tests leave exploitable paths unassessed. The "not vulnerable" bar is where reliability earns its name.

Where do agents still fail and need humans?

Failures concentrate in reconnaissance and exploitation. The published research is specific.

The PentestAgent failure analysis (arXiv:2411.05185) found recon struggling to fingerprint embedded components. The agent identifies the Nginx in front and misses the PHPMailer or Ghostscript running behind it. Those aren't standalone services that Nmap enumerates cleanly. They're components embedded in a web stack. If recon can't see them, nothing downstream tests them, and you have a blind spot that looks like coverage.

Exploitation failures clustered around two things: exploits requiring knowledge the agent didn't have, like credentials it was never given or specialist payload tooling it hadn't encountered, and LLM hallucinations producing commands or parameters that don't exist in the target environment. The agent confidently executes a well-formed request against an endpoint that isn't there.

Novel applications are the other hard case. An agent trained on common stacks meets an unusual auth scheme or a half-broken SPA router and hits states its planning never anticipated. HackerOne's production data, from running agents against 100+ real-world web targets, showed crash rates on novel apps falling roughly 20% as field failures fed back into the product. That figure matters because of what it implies: the improvement came from running against production apps, not from synthetic benchmarks. Novel environments are genuinely where agents break, and exposure is the only way to improve.

A published benchmark makes the human case concretely. AutoPenBench (arXiv:2410.03225), which evaluates agents across 33 penetration-testing tasks from simple exercises to real-world CVEs, found a fully autonomous agent reaching a 21% success rate against 64% for a semi-autonomous setup with a human in the loop. The gap was widest on real-world tasks, where the human-assisted agent mitigated context drift the autonomous one couldn't. That result doesn't prove every human-in-the-loop system beats every autonomous one. It supports human escalation specifically where the agent lacks context, access, or specialist knowledge, which is exactly the failure territory above.

A well-designed HITL system does three things. It lets you switch between full human oversight and autonomous execution depending on target sensitivity. It surfaces enough context at each gate, the exact action, the reasoning, the risk level, so the human makes an informed decision rather than clicking through. And when a human rejects an action, the agent re-plans around the decision instead of retrying the same thing.

Key takeaway: the honest position is that agents fail in known, studied places. The design question is whether those failures escalate cleanly or get buried.

What must a reliable pentest report disclose?

Coverage, confidence, and gaps, alongside the findings.

A report from a stable environment is already hard to trust completely. A report from an environment that was redeploying, rate-limiting, and intermittently failing during the test is only trustworthy if it says so explicitly. That means: what was tested and to what depth, which paths ended inconclusive and why, which actions a security control blocked, where environment failures prevented testing entirely, and what evidence sits behind each finding.

A finding list with none of that context is a scanner export in a report template. It looks complete because it doesn't show you what it missed.

What that looks like in practice, one row per status:

StatusWhat the report should show
Tested and secureHypothesis completed, expected impact absent
VulnerableConfirmed impact and supporting evidence
Control blockedThe exact request blocked and how the block was validated
Environment failureCause, affected path, retry status
Authentication failureIdentity lost, and whether it was restored
Tool or agent failureComponent affected and recovery outcome
InconclusiveRemaining uncertainty and the next action

Once a fix ships, the agent re-runs the specific attack path and confirms the result in minutes. Scheduled recurring runs diff each execution against the last, so new, fixed, and still-open findings surface cleanly instead of forcing a full re-triage on every cycle. That's what makes continuous pentesting on dynamic apps workable: the diff ties the security program to the release cadence instead of running behind it.

How should you evaluate agentic pentesting reliability before buying?

Six tests separate agents that survive your environment from agents that demo well.

  • Ask for the failure taxonomy. If the vendor can't explain how their agent distinguishes an environment failure from a control block from an inconclusive result, it doesn't. Ask what happens in each state, not just the happy path.
  • Point the agent at your flakiest app. The one with the broken staging environment and the undocumented auth flow. Watch whether it classifies, escalates, or reports the flakiness as Critical findings.
  • Kill a session mid-test. Re-authentication without human intervention, with the restored role verified, is table stakes for apps that deploy mid-run. Watch what role it comes back as.
  • Ask what gets marked "not vulnerable." The right answer involves completed hypotheses with inconclusive paths disclosed separately. The wrong answer is silence about untested paths.
  • Probe the retry policy. Ask what the agent does when a state-mutating action fails. "Retry it" is the wrong answer. Ask specifically about payment flows or anything with side effects.
  • Check the escalation model. You want to be able to switch between full human oversight and autonomous execution depending on the target. When the agent hits a hard gate, it should surface the exact action, its reasoning, and the risk level so you decide one step and hand control back. And rejecting an action should trigger re-planning, not a retry. A silent timeout with no disclosure means the gap lands in your report unlabeled.

Run that list against any vendor, Strobes included. If you want to test against your own targets, grab free pentest AI credits and point the agent at the application that's hardest for your current testing process to assess. The unstable one is the best reliability test you have.

Frequently asked questions

How does agentic pentesting handle application changes mid-test?

The agent detects changed application state, classifies the failure, restores identity and context from its checkpoint, and re-plans against the current state instead of executing stale steps. Redeploys, schema changes, and invalidated sessions trigger classified recovery rather than silent test loss.

Do AI pentest agents recover from crashes?

Well-designed agents recover from many crashes through checkpointing, task decomposition, and state restoration, but recovery depends on what state was preserved and whether the failed action changed the target. A crash mid-way through a read-only probe is easy to resume. A crash during a state-changing action needs verification before the agent continues. Production data from HackerOne showed crash rates on novel applications falling roughly 20% as field failures fed back into the product.

How is agentic pentesting different from scanners on dynamic apps?

Agentic systems can add state classification, session restoration, bounded retries, and escalation when the application changes mid-test. Traditional scanners vary widely, but many provide less context about why a path wasn't completed, which on an unstable app can leave untested paths looking covered.

What is AI pentest agent reliability measured by?

Four separate things: execution reliability (whether runs complete), coverage reliability (whether what was claimed tested was actually tested), finding accuracy (whether reported issues are real), and evidence quality (whether each conclusion carries proof proportionate to its risk). A platform strong on the first and weak on the last three is a liability.

Do agentic pentests report false positives in flaky environments?

A well-designed agentic system reduces false positives by requiring validation before reporting, with reproducible exploitation where re-running is safe and controlled state verification where it isn't. Intermittent failures that occur regardless of input get classified as environment noise, not findings.

What does "inconclusive" mean in an agentic pentest report?

It means the agent gathered evidence but couldn't establish enough to declare the path vulnerable or secure. Common causes are environment instability preventing consistent execution, rate limiting interrupting the test sequence, or an auth flow the agent couldn't fully reconstruct. Inconclusive paths should be disclosed in the report with the reason, so a human can decide whether to investigate further or accept the coverage gap.

Sources

  1. Shen et al., PentestAgent: Incorporating LLM Agents to Automated Penetration Testing, arXiv:2411.05185
  2. Gioacchini et al., AutoPenBench: Benchmarking Generative Agents for Penetration Testing, arXiv:2410.03225
  3. SHIELDA: Structured Handling of Exceptions in LLM-Driven Agentic Workflows, arXiv:2508.07935
  4. HackerOne, Agentic Pentesting Learns Faster With Real-World Testing
Tags
agentic pentestingagentic pentesting reliabilityAI pentestingpenetration testingfalse negativesCTEM

Stop chasing vulnerabilities Start reducing exposure

See how Strobes AI agents validate and fix your most critical exposures automatically.

Book a Demo
Continue Reading

Related Posts

Top 10 open source agentic pentesting tools, ranked by what they actually do
Penetration TestingOffensive Security

10 Best Open Source Agentic Pentesting Tools in 2026

Compare the 10 best open source agentic pentesting tools for self-hosted workflows, from PentAGI and PentestGPT to CAI, Strix, and VulnBot.

Jul 8, 202625 min
Vulnerability chaining: how agentic pentesting proves attack paths
Penetration TestingOffensive Security

Vulnerability Chaining: How Agentic Pentesting Proves Attack Paths

Three low-severity findings can chain into one critical breach. See why CVSS misses chained risk and how agentic pentesting proves or rejects each attack path.

Jul 8, 202618 min
What counts as valid proof in an agentic pentest — evidence standard
Penetration TestingOffensive Security

What Counts as Valid Proof in an Agentic Pentest?

Valid proof in an agentic pentest is reproducible, in-scope, and attributable evidence of exploitability. What counts, what doesn't, and how to prove it.

Jul 8, 202618 min