Fewer than one in ten cybersecurity pros trust AI testing tools to find vulnerabilities, with over three-quarters saying their AI vulnerability scanning tools missed critical flaws

Cybersecurity professionals are rapidly losing faith in fully automated AI testing tools to find vulnerabilities, with a new report revealing a dramatic drop in trust from 29% in 2025 to just 9% this year. A staggering 78% of these pros report that AI scanning tools have missed critical flaws, forcing a significant industry pivot towards a hybrid model that blends AI's speed with irreplaceable human expertise. This shift marks a crucial recognition that while AI can accelerate initial checks, it often falters when faced with complex, context-dependent threats, leaving organizations exposed to serious risks.

This erosion of confidence comes as the 'AI attack surface' expands, making vulnerability detection more complex and leading to a surge in high-risk findings—nearly triple that of conventional software. The Mean Time To Resolve (MTTR) for AI-related security issues has doubled, highlighting how challenging it is to fix these sophisticated flaws, especially those involving Large Language Models (LLMs), with 62% remaining unresolved. The growing problem of 'false positives' and 'false negatives' from AI tools further strains security teams, underscoring that human intuition and contextual understanding are vital for identifying advanced threats and complex 'business logic risks' that AI often overlooks.

Looking ahead, the cybersecurity landscape will increasingly rely on a 'hybrid model' where AI handles repetitive tasks like reconnaissance, while human experts validate findings, chain complex exploits, and tackle creative attacks. While tools like Anthropic's 'Project Glasswing' show AI's potential to uncover vulnerabilities at scale, the bottleneck is shifting from finding flaws to human verification and rapid patching. Organizations must prioritize integrating AI strategically, focusing on how it amplifies human capabilities rather than replacing them, to effectively counter the escalating threat of 'zero-day exploits' and ensure robust digital defenses.