Study on Artificial Intelligence Agents Applied to Cybersecurity and Penetration Testing in Systems
DOI:
https://doi.org/10.46842/ipn.cien.v30n1a09
Keywords:
cybersecurity, artificial intelligence agents, offensive cybersecurity, penetration testing, large language models, automation
Abstract
This investigation analyzes the technical functioning and implementation of artificial intelligence agents oriented toward specific domains, particularly in the field of cybersecurity from an offensive perspective. These agents enable a certain degree of automation in the execution of penetration tests on computer systems, because this type of test is carried out with tools operated by cybersecurity professionals. The objective of this study is to examine their architecture and operational capabilities. The tests conducted demonstrate their ability to reason and perform actions through the use of large language models. The results suggest that these emerging technologies can support cybersecurity professionals in various operational tasks; it is important to note that these tasks are already being done manually. The methodology employed is structured and developed in stages, integrating information acquisition, contextual analysis, action planning, controlled execution, and continuous feedback.
License
Copyright (c) 2026 Gerardo Cruz Espinosa, Mariana Velasco Trejo (Author)

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.