
AI Sharpens the Question. It Doesn’t Change the Answer.

The cyber security industry has spent decades selling findings instead of answers. AI tools like Mythos make the problem faster and louder. Here's why the only thing that changes your risk posture is a real adversary — applied constantly, across every surface.


For decades, the cyber security industry has sold its customers the wrong product. Cyber penetration tests deliver thick reports full of findings, but lack context, prioritisation, and any narrative about what an attacker would do with them. The result is ‘value as volume’, made worse by the lack of contextualised insight.

The result? A security team paralysed by findings, and a business’ ability to innovate slowed to a crawl. AI doesn’t fix that. Frontier models like Mythos will accelerate it: the same noise, faster, and at greater scale.

Having been failed time and again throughout my career procuring legacy pen testing engagements to protect the enterprises I worked within, I founded CovertSwarm to cut through the noise and confusion they often deliver, to focus instead upon the breach narrative the industry seems unable to provide. Not a list of ‘everything we found’, but a clear account of how an attacker would reach what matters to your business. AI sharpens the question. It doesn’t change the answer.

Pen test paralysis

At our foundation in 2020, the pattern was already clear. The industry had spent decades getting better at finding weaknesses but missed the key client need – signposting those vulnerabilities whose fix would outpace genuine threats. A pen test report would land on a CISO’s desk (as they did on mine!) with five hundred items in it. Most were noise. A few were impactful. Nothing in the report told you one from the other.

The result, predictably, was paralysis and drawn-out negotiations with product engineering and TechOps teams. And a security culture increasingly looked down upon with suspicion and frustration.

The dangerous attacker has never been the one with the better scanner. It’s always been the adversary whose mission is to bring your business to its knees, reputationally, operationally, financially. Someone who takes a weakness, chains it through your people, your premises, and your systems, and turns it into a story that ends with your customer database in their hands and your share price on the floor.

Few organisations fail because of a single vulnerability exploited in isolation. They fail because an adversary chains a handful of them across constantly evolving surfaces that no scanner touches, into a single kill chain. Tools find weaknesses. Humans pursue impact. That gap, between a client’s accidental creation of risk and its subsequent detection pre-exploit, is what we built CovertSwarm to close.

What AI changes, and what it doesn’t

Now AI is here, the conversation around it is missing the point. Frontier models like Mythos are extraordinary at the bottom of the attacker stack. They will ultimately scan, read code, and chain digital exploits faster, surfacing weaknesses no human researcher has the time to look for. They will find more vulnerabilities in your environment in a week than any pen test team could find in a year. Useful for the defenders who use them well. Disastrous for the bug bounty and pen testing firms whose value proposition is finding things and proving value in thick reports…

What these AI tools can’t do is attack the full surface. They live in the digital domain. They don’t pick up the phone and convince your helpdesk to reset an executive’s password. They don’t tailgate through a secured door, or notice that the cleaner has the wrong badge, or drop a network device behind a printer on your office floor. They don’t reason about your reputation, your regulators, your customers, or the specific attack path that would do the most damage to your business.

The adversary you should be afraid of does all those things. AI sharpens that adversary, but it does not replace them. The result is a faster, smarter, more creative human, with machine speed at their back, attacking your business across digital, social, and physical surfaces simultaneously. That’s the threat. That’s what your defences need to be measured against.

Operating the wrong threat model is the brake on your innovation

Here’s what this means for the business you run. Operated poorly and with incorrect threat modelling, cyber security acts as a brake on innovation. When you treat the perimeter as the problem, you over-invest in scanners and under-invest in the people, processes, and detection that catch real attackers. When you treat ‘findings’ as the metric, you measure the wrong thing and reward the wrong work. When you treat AI as the enemy, you mistake the tool for the operator, and you will spend the next decade preparing for the wrong fight.

The companies that outpace the combined human-and-AI threat won’t be the ones with the longest list of remediated vulnerabilities. They’ll be the ones who’ve looked at their business through the eyes of a real adversary, repeatedly, and asked the only question that matters: would the paths that adversary could take to kill us be detected, contained, and stopped? That question should be asked continuously, or you’re not taking security seriously enough – no matter what your public statement will say upon breach.

The model: Constant Cyber Attack

From CovertSwarm’s founding, we built a modern, fit-for-purpose capability called Constant Cyber Attack. The analysts now have a name for the category we have defined: Continuous Offensive Security Testing. We’ve been the model of it since before it had a name. Real adversary emulation, applied continuously, across digital, social, and physical surfaces, and across the identity, third-party trust, code, and infrastructure dependencies a determined attacker exploits. All wrapped in a simple monthly subscription.

Every Attack Plan we deliver each month produces two artefacts:

Firstly, a traditional vulnerability report – comprehensive, the kind of document AI can now generate at industrial scale. Because this does cover your ‘cyber hygiene’.

But secondly, and critically, a THIN breach report – which does the work the cyber industry has failed to deliver, showing you which weaknesses, chained across which surfaces, have let our team into your business TODAY. Not just what was found, but what worked and why. And how you can rapidly close that gap.

This breach document is what a board can act on. The document a CISO can defend a budget with. The insight AI-native tooling cannot produce, because it requires the one thing those tools don’t have: an adversary applying judgment to your specific business.

We’ve used frontier models in our own work for years, and we’ll continue to use whatever sharpens our edge. The attacker who’ll compromise you uses these tools. So do we. That isn’t coincidence. It’s the reason CovertSwarm exists.

Six years on, our mission remains the same – and evolving AI models provide us (and your genuine attackers) with a lethal edge, but in our case used to help you outpace threats that move faster than they did a year ago and will move faster next year. What we built to solve the noise and lack of context delivered by pen testing turns out to be the model that holds in the AI era, too.

Context. Intent. Narrative. Continuity. These aren’t features of a product or service. They’re the work itself.

Three questions for your C-suite

If you sit in the C-suite, here’s what I’d ask you to think about:

  1. Ask whether your business is being tested by an adversary, continuously, across every surface that a genuine attacker could use against you: digital, social, and physical.
  2. Ask whether the cyber reporting that lands on your desk tells you what an ethical attacker did to you this month and what the impact would have been, or whether it just lists what was found.
  3. Ask whether your investment in security is buying you confidence, or volume.

Six years ago, almost no business could answer yes to these three questions.

The good news is that you can answer each of them positively, as a client of CovertSwarm, today.


Anders Reeves is the founder and CEO of CovertSwarm. If the three questions at the end of this piece made you uncomfortable, that’s probably the point.