What the experts say: Machine learning in offensive security

Publisher
Pentest-Tools.com

In the first post of this series, we introduced the Machine Learning Classifier, a built-in mechanism designed to help slash the number of false positives in fuzzing.

In the second part, we showed how we built and trained the ML Classifier.

Now, in the third and final part, we’re handing over the mic. It’s one thing for us to talk about machine learning in offensive security, but what do experts think?

We asked.

ML has real offensive potential - when it’s focused

Pete Herzog, ISECOM founder and longtime ethical hacker, puts it plainly: ML is useful, but only when it solves specific problems.

“What machine learning does well, even at its simplest, is finding anomalies and patterns. As long as you have enough data, that is.

It delivers tangible value in offensive security, but only when properly implemented for specific challenges. In my experience, mostly investigations, but also in pen tests and incident response, ML creates genuine advantages for processing and analyzing massive datasets for anomalies that can be huge time sucks.

For example, I recently used it to suss out anomalies from internal network traffic to find where the leaks were, especially apps running on desktops that would be good to abuse in phishing.”

What doesn't work? According to Herzog, throwing ML at everything just because you can.

“The real value for attacks comes when ML can find holes, things someone forgot to block, or had misconfigured.

Years ago, long before the AI hype, I built a simpler ML tool that learned from blocked attempts and found new paths through a firewall, similar to how I'd approach it manually. But being automated, it could try things that showed promise and reduced the scope to where the patterns led, greatly reducing the attempts I would need to make to avoid getting blocked. 

Of course, the problem was DNS. It's always DNS.”

Herzog says ML becomes essential when you're dealing with the volume and sophistication of modern threats.

“We had to apply ML a few years ago to analyze months of exchange traffic for a financial client, and found fraud in seemingly normal requests. The pattern was so subtle, no human would spot it without machine help.”

Recon, phishing, evasion - ML works here

Spiros Pitikaris from CENSUS has seen ML shine in live offensive operations.

“Machine learning is increasingly valuable in offensive security, particularly in reconnaissance, initial access, and evasion. For example, as seen in our offensive security operations, ML can rapidly analyze large volumes of open-source intelligence to identify viable targets and weak points.”

Pitikaris says during phishing campaigns, ML can be used to craft context-aware, highly personalized lures that improve success rates.

“During evasion, ML enables malware to adapt based on detection failures, enhancing persistence.

However, ML should not replace human judgment. Tasks requiring context and intuition, like deep social engineering, often fall short when only automated. Moreover, poorly validated models can mislead operators with false signals.

ML is of value when it complements, not replaces, human expertise.”

ML should find patterns - not pick payloads

Argiro Birba, cybersecurity consultant at Accenture, sees ML’s biggest value in pattern recognition.
“In cybersecurity, machine learning provides added value when it helps uncover non-obvious patterns, especially in large, dynamic attack surfaces. 

Using ML to identify anomalous authentication behaviors across enterprise environments or privileged accounts can be quite beneficial for a project team.”

Birba says another instance is phishing simulation:

“ML can cluster user behaviors and identify who is most susceptible to tailored phishing, helping project teams refine their campaigns and improve realism.”

However, Birba warns that ML is not a silver bullet.

“An important ‘don’t’ is relying on ML to autonomously select exploits or payloads. This often leads to inefficient or noisy attacks, and human operators still outperform ML in context-sensitive decision-making.

Likewise, using ML to drive generic port scanning or OS fingerprinting adds complexity with little return.”

ML should make operators better, not replace them

Daniel Card, a long-time offensive security consultant, sees opportunity in ML, but only if it’s used to support human decision-making.

“Organizations should be investing in understanding where this can enhance their capabilities, from research, capability development, and operator assistance.

You can build tools that support operators dynamically. As well as making reusable tools to increase efficiency.”

That’s exactly what we aimed for with the ML Classifier: to help security teams cut the noise, get to signal faster, and stay in control.
What we’ve learned, and how we built for it

All four experts agree on a few key themes:

  • ML excels at finding patterns, clustering behaviors, and analyzing large datasets quickly.

  • It can improve phishing campaigns, reconnaissance, evasion, and anomaly detection.

  • But ML is not a free pass to automate every decision. When used blindly or in the wrong areas, it creates noise, not clarity.

  • The best ML tools are tightly scoped and human guided.
That’s exactly how we approached the ML Classifier. It’s designed to:

  • Spot fuzzy detection patterns in large, noisy datasets

  • Catch “soft 200s” and multilingual 404 errors

  • Reduce false positives by up to 50%

  • Maintain >92% precision

It doesn’t try to find exploits, fingerprint systems, or replace analysts. It does one job, well.
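To make the "soft 200" problem concrete, here is a small added illustration (not the ML Classifier's code, and not from the original post) of the non-ML baseline that such a classifier improves on: a fuzzing hit is compared against the response to a path that cannot exist, and 200 responses that either mirror that baseline or carry a "not found" phrase in one of several languages are dropped. All responses, phrases and the 0.8 threshold are constructed assumptions for the demo.

```python
import difflib
import re
from dataclasses import dataclass

# Constructed sample: the body served (with HTTP 200) for a random path that cannot exist.
BASELINE_NOT_FOUND_BODY = ("<html><title>Oops</title><body>Seite nicht gefunden. "
                           "Page introuvable. Try the homepage.</body></html>")

# Assumed multilingual "not found" markers; a real list would be far longer.
NOT_FOUND_PHRASES = [
    r"not found", r"page introuvable", r"seite nicht gefunden",
    r"página no encontrada", r"pagina non trovata",
]

@dataclass
class Response:
    path: str
    status: int
    body: str

def _normalize(body: str) -> str:
    # Strip tags and collapse whitespace so layout noise does not dominate the comparison.
    text = re.sub(r"<[^>]+>", " ", body)
    return re.sub(r"\s+", " ", text).strip().lower()

def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] between two normalized HTML bodies."""
    return difflib.SequenceMatcher(None, _normalize(a), _normalize(b)).ratio()

def is_soft_404(resp: Response, baseline_body: str, threshold: float = 0.8) -> bool:
    """True when a 200 looks like a disguised 'not found' page."""
    if resp.status != 200:
        return False
    if similarity(resp.body, baseline_body) >= threshold:
        return True  # near-identical to the known not-found page
    text = _normalize(resp.body)
    return any(re.search(p, text) for p in NOT_FOUND_PHRASES)

def filter_hits(responses, baseline_body):
    """Keep only 200 responses that are not soft 404s, i.e. worth a human look."""
    return [r for r in responses if r.status == 200 and not is_soft_404(r, baseline_body)]

# Constructed fuzzing results: one real page, one baseline clone, one Spanish 404, one hard 404.
SAMPLE_RESPONSES = [
    Response("/admin", 200, "<html><title>Admin</title><body>Admin login. Username: Password:</body></html>"),
    Response("/foo", 200, "<html><title>Oops</title><body>Seite nicht gefunden. "
                          "Page introuvable. Try the homepage. Request: /foo</body></html>"),
    Response("/bar", 200, "<html><body>Lo sentimos, página no encontrada.</body></html>"),
    Response("/old", 404, "<html><body>Not Found</body></html>"),
]

def demo():
    return [r.path for r in filter_hits(SAMPLE_RESPONSES, BASELINE_NOT_FOUND_BODY)]
```

Similarity to a baseline plus a phrase list is brittle (templates vary per directory, phrases change), which is the gap a trained classifier is meant to close.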

Want to see how the classifier works in practice?

It’s already live in the Website Vulnerability Scanner and URL Fuzzer.

Use it to save time, reduce noise, and make better decisions faster, just like the experts say.

© 2013-2025 Pentest-Tools.com