
Scene 1 (The Question I Should Have Asked)

The ROI question changed everything.

Instead of trying to prove that business logic vulnerabilities were exploited at scale (a question the data literally couldn’t answer), I could analyze what different vulnerabilities cost to find versus their exploitation probability. Suddenly, the competitive landscape made sense.

LLMs excel at finding high-probability, low-skill vulnerabilities. Unpatched CVEs dominate breach statistics: around 80% of successful attacks exploit known vulnerabilities that organizations simply haven’t patched. SQLi, XSS, XXE, all the OWASP Top 10 classics. These are pattern-matching problems. Automated scanners can run 24/7, cost nickels compared to human labor, and catch the bugs that show up in every DBIR report.

XBOW’s claim that they find 90% of what human pentesters find? It’s probably true. For that 90%.

But that 90% represents the wrong threat model for certain organizations. Business logic vulnerabilities, the other 10%, have different exploitation probabilities depending on who the attacker is.

For external threat actors, business logic exploitation is low probability. They don’t understand your business model, your workflows, your edge cases. They’re scanning the internet for easy wins. But for insiders (employees, contractors, former staff), exploitation probability is HIGH. They know exactly where the money flows, what controls can be bypassed, which validation rules are missing.

These vulnerabilities can’t be found through pattern-matching. They require intimate understanding of what the application is supposed to do, and creative thinking about how to make it do something else. You need to understand not just HOW the application works, but WHY someone would abuse it. That comes from experience, years of finding creative ways to break trust boundaries, chain seemingly-unrelated features, and exploit gaps between intention and implementation.

LLMs can’t do this. Not today. Maybe not ever. They can pattern-match against known vulnerability types. They can’t reason about business context they’ve never seen before.

So, that being said: who actually needs this expensive human pentesting?

“If I had an hour to solve a problem I’d spend 55 minutes determining the proper questions to ask, for once I know the proper question, I can solve the problem in less than five minutes.” – Albert Einstein [1]

Scene 2 (Who Actually Needs a $20K Pentest?)

So who actually needs expensive human pentesting in an age where AI can find 90% of vulnerabilities for a fraction of the cost?

The answer isn’t comfortable: most companies probably don’t.

If your primary threat model is ransomware, data breaches, and external attackers scanning the internet for easy wins, XBOW and similar tools will catch what matters. The OWASP Top 10, unpatched CVEs, misconfigurations: these are the vulnerabilities that dominate breach statistics. Automating their detection makes economic sense.

But there’s a category of organizations where business logic vulnerabilities, that expensive 10%, matter more than the automated 90%. Organizations where the real threat isn’t external attackers, but insiders who understand the system. Where the financial impact isn’t measured in breach notification costs, but in fraud losses that never get classified as security incidents.

Entertainment companies with pre-release content. I once found a vulnerability chain that let anyone download unreleased films before their official premiere. The flaw wasn’t a single catastrophic bug. It was several small issues chained together: an API that didn’t check authentication, missing rate limits, predictable file URLs. Individually, each seemed minor. Together, they meant anyone who understood the workflow could programmatically capture entire movies. Millions in contract damages. Future deals with creators at risk. And because it’s content theft, not a data breach, it never shows up in security statistics. The real threat? Insiders who already know the workflow: contractors, post-production staff.
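To make the three weaknesses in that chain concrete from the defender’s side, here is an added example (my illustration, not code from the post or from any real content platform): a simulated download endpoint that closes each link in the chain. The session table, the asset catalogue, the signing key and the function names are all constructed for this example. It requires a valid, entitled session before anything else, throttles each authenticated user, and replaces guessable file paths with HMAC-signed URLs bound to a user and an expiry, so that knowing the workflow is no longer enough to pull the catalogue.

```python
"""Added example: a download endpoint hardened against the chain described in
the post (no auth check, no rate limit, predictable file URLs). All names,
the signing key, the sessions and the asset catalogue are constructed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed server-side secret; a real deployment loads this from a secret store.
URL_SIGNING_KEY = secrets.token_bytes(32)

# Constructed catalogue. Assets are keyed by an opaque random id rather than a
# sequential number or a title-derived path, so ids cannot be enumerated.
ASSETS = {secrets.token_urlsafe(16): "unreleased_feature_cut_v3.mov"}
ASSET_ID = next(iter(ASSETS))

# Constructed session table: session token -> user and content entitlement.
SESSIONS = {
    "sess-alice": {"user": "alice", "can_download": True},
    "sess-bob": {"user": "bob", "can_download": False},
}


@dataclass
class RateLimiter:
    """Fixed-window counter per caller: at most `limit` requests per `window` seconds."""
    limit: int = 5
    window: int = 60
    _hits: dict = field(default_factory=dict)

    def allow(self, caller: str, now: float) -> bool:
        start, count = self._hits.get(caller, (now, 0))
        if now - start >= self.window:  # window expired, start a fresh one
            start, count = now, 0
        if count >= self.limit:
            return False
        self._hits[caller] = (start, count + 1)
        return True


def sign_url(asset_id: str, user: str, expires_at: int) -> str:
    """Build a download URL whose signature binds asset, user and expiry together,
    so a link cannot be guessed, re-pointed at another asset, or used forever."""
    msg = f"{asset_id}|{user}|{expires_at}".encode()
    sig = hmac.new(URL_SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"/download/{asset_id}?user={user}&exp={expires_at}&sig={sig}"


def parse_url(url: str) -> dict:
    """Split a URL of the shape produced by sign_url into its components."""
    path, _, query = url.partition("?")
    params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    params["asset_id"] = path.rsplit("/", 1)[-1]
    return params


def handle_download(url: str, session_token: Optional[str],
                    limiter: RateLimiter, now: float) -> Tuple[int, str]:
    """Simulated request handler; returns (HTTP status, body or file name)."""
    # 1. Authentication and entitlement: the original chain began with an API
    #    that never asked who was calling.
    session = SESSIONS.get(session_token or "")
    if session is None:
        return 401, "authentication required"
    if not session["can_download"]:
        return 403, "not entitled to this content"
    # 2. Per-user rate limit, so a script cannot walk the catalogue unnoticed.
    if not limiter.allow(session["user"], now):
        return 429, "too many requests"
    # 3. Signed, expiring URL: the path alone no longer fetches a file, and the
    #    link must belong to the same user the session authenticates.
    p = parse_url(url)
    if p.get("user") != session["user"] or int(p.get("exp", 0)) < now:
        return 403, "link not valid for this user or expired"
    expected_sig = parse_url(sign_url(p["asset_id"], p["user"], int(p["exp"])))["sig"]
    if not hmac.compare_digest(expected_sig, p.get("sig", "")):
        return 403, "bad signature"
    name = ASSETS.get(p["asset_id"])
    if name is None:
        return 404, "no such asset"
    return 200, name


if __name__ == "__main__":
    now = time.time()
    link = sign_url(ASSET_ID, "alice", int(now) + 300)
    print(handle_download(link, "sess-alice", RateLimiter(), now))
    print(handle_download(link, None, RateLimiter(), now))
```

The order of checks matters: the handler authenticates and throttles before it touches the URL, so an unauthenticated or over-quota caller never learns whether an asset id or signature was valid. Any one of the three controls on its own would have broken the chain the post describes; together they also give the defender three separate signals (401s, 429s, signature failures) to alert on.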

Fintech companies. Fraud prevention matters more than breach prevention. Business logic bugs enable account takeover, transaction manipulation, promotional code abuse: things that directly impact the bottom line through fraud losses, not breach notification costs.

Gaming companies. Virtual currency manipulation, item duplication bugs, economy-breaking exploits that undermine the entire business model.

HCM and payroll systems. Insider threats around compensation tampering, benefits fraud, timecard manipulation. These get handled as HR violations, not security incidents, so they’re invisible in breach statistics.

The hard truth: Most companies don’t need me. But the ones who do, REALLY do.

Most companies face commodity threats and need commodity solutions. But if your threat model includes insiders, fraud, or IP theft, and business logic vulnerabilities would cost you more than breach notification, then you need humans. Not because AI can’t help, but because the problems require context AI doesn’t have.

That realization left me with a choice: compete with AI on volume, specialize in high-value targets, or find a way to partner with the tools that were disrupting my field.

“The opportunity is to make sure the right people are working in the right places in the right company.” – Simon Sinek [2]


Return to the Pentester’s Guide to AI Disruption: A 6-Part Series

  1. Albert Einstein, quoted in “Are You Solving the Right Problem?”, Harvard Business Review (September 2012), https://hbr.org/2012/09/are-you-solving-the-right-problem
  2. Simon Sinek, Find Your Why: A Practical Guide to Discovering Purpose for You and Your Team