I think it’s excellent that your team is investing in security and supplementing with AI enabled testing tooling.
The intent of creating a Penetration Testing program was to streamline testing for app specific use cases, we’ve put together a large team of security researchers with Atlassian and marketplace specific testing experience.
We feel it the offers partners a unique proposition to get experienced testers at a competitive price, to provide higher value vulnerability results than utilizing any other third party. That being said, we wanted to allow partners to utilize alternative vendors by providing a large industry recognized pre-approved CREST list minimizing the need to do manual, one-off approvals of vendors.
Usage of AI PenTesting won’t be recognized for this program for a couple reasons as it was a consideration:
- Enterprise customers won’t accept automated tooling as valid independently completed PenTests.
- We see more value from experienced pentesters with Forge platform specific experience.
My opinion as a security professional which you can take with a grain of salt: AI PenTest products are non deterministic, they’re typically built on a collection of agents designed for specific common vulnerability classes, these tend to hook into headless OpenSource and commercial security tools.
They do a great job of detecting common vulnerabilities that existing vulnerability scanners can detect in a deterministic way, they provide a nice addition to your vuln management programs but aren’t going to yield the same results as an experienced tester with domain experience of our platform.
Since these tools are designed around specific vulnerability classes, there are entire categories of vulnerabilities or security misconfigurations that can be built into Forge apps that these tools aren’t designed to look for.