We are currently witnessing an explosion of AI powered security tools that offer autonomous offensive capabilities. But as penetration testers looking to integrate these capabilities into our workflows, the question isn't just whether an AI can pop a shell on a sterilized capture the flag box; it is whether it can operate reliably, safely, and transparently at an enterprise scale.

Evaluating a process as complex as penetration testing with a simple black box approach is far too simplistic. As practitioners, we know that pentesting is far more than just finding vulnerabilities. It involves gathering critical information while actively discarding the noise. It requires knowing when to execute an exploit and, more importantly, when to hold back. We must constantly weigh the potential impact our actions might have on a client's live infrastructure. It is about deciding what actually warrants a report, knowing when to ignore a finding, and successfully chaining seemingly minor vulnerabilities into a critical compromise.

Until recently, evaluating autonomous agents relied on this exact black box approach: point the AI at a target and see if it captures the flag. This binary pass or fail metric is insufficient. If an agent fails, did it fail because it missed an open port, or because it could not format the final payload? A black box cannot tell you.

To truly measure the efficacy of these tools, we must abandon the black box approach and adopt a more complex, transparent methodology. This is where PentestEval comes in. At its core, PentestEval is an academic benchmarking framework specifically designed to evaluate the offensive capabilities of Large Language Models and autonomous agents. Rather than just checking if an agent successfully compromised a target, it provides a structured methodology to measure how the AI navigates an environment step by step. It serves as a perfect conceptual model for this shift, demonstrating how we can evaluate an AI's cognitive workflow rather than just its final output.

The foundational stages of PentestEval are directly mapped from the standards, specifically the Penetration Testing Execution Standard (PTES) and NIST Special Publication 800 115. However, traditional human phases like "Vulnerability Analysis" or "Exploitation" rely on fluid intuition and are too broad to pinpoint exactly where an autonomous model's reasoning breaks down.

To solve this, the researchers decomposed these established frameworks into a measurable cognitive workflow. By translating standard PTES phases into six granular logic gates (from Information Collection to Exploit Revision), the framework provides a deterministic way to evaluate an agent's step by step execution. This translation perfectly illustrates the shift from a black box outcome to a transparent evaluation of the attack lifecycle.

Deconstructing the Black Box

To build a reliable evaluation framework, we could look at offensive AI through the lens of test engineer. We cannot treat the AI as a monolith. Drawing on the testing principles, we must decompose the attack lifecycle into testable, deterministic units.

PentestEval provides the blueprint for this complex approach by breaking the workflow into six sequential stage gates:

1. Information Collection (IC)
2. Weakness Gathering (WG)
3. Weakness Filtering (WF)
4. Attack Decision Making (ADM)
5. Exploit Generation (EG)
6. Exploit Revision (ER)

To accurately measure an agent's performance across these six stages, the framework relies on three core evaluation pillars:

1. Expert Annotated "Ground Truth"

The researchers explicitly avoided using another AI to grade the testing agents, a highly flawed but common industry practice known as LLM as a judge. Instead, a team of professional penetration testers manually completed the tasks across realistic, vulnerable environments. The human experts documented the possible expected answer for every single stage of every attack, creating a deterministic, human verified answer key.

2. Stage Isolation Testing

To accurately measure a specific stage, you cannot let a failure in step one ruin the data for step five. The pipeline isolates the measurements. For example, if the framework is evaluating Attack Decision Making, it does not make the AI do the reconnaissance. The pipeline feeds the AI the "perfect recon data" and asks it to make a decision. This isolates the variable and measures strictly the agent's logic, independent of its scanning abilities.

3. Deterministic Gate Scoring

The automated pipeline captures the AI's output at each specific stage gate and strictly compares it against the human ground truth:

• Information Collection and Weakness Gathering: Did the AI's extracted list of endpoints and potential vulnerabilities that match the human expert's list, did it hallucinate CVEs, did the AI find more than human expert's?
• Attack Decision Making: Given the exact same recon data, did the AI logically select the identical optimal attack vector?
• Exploit Generation: Did the AI generate a payload syntax that perfectly matches the functional requirements to execute the exploit?
• Exploit Revision: If the pipeline feeds the AI an intentional error message simulating a failed payload, can the AI successfully debug and output the corrected syntax?

By forcing the AI to prove its logic at every gate, we move away from guessing if the tool works and start measuring exactly how it thinks. This level of transparency is exactly what is required to trust an autonomous agent with enterprise infrastructure.

The Reality Check

To truly stress test these autonomous agents, our evaluation must move beyond the standard OWASP and CVEs that these models were undoubtedly trained on.

If an agent only succeeds on well documented vulnerabilities, it is merely reciting known patterns rather than demonstrating genuine reasoning. To validate genuine adaptive reasoning, we must inject unconventional, modern architectures into the test. Specifically, we need to evaluate how the AI handles the unpredictable routing, undocumented endpoints, and non standard logic of web applications and APIs.

From Automation to Autonomy

As offensive AI tools move fast, our evaluation methods must mature alongside them. We know the complexities of our own jobs, and we must look for evaluation frameworks that reflect that same level of rigor and complexity. By shifting from black box testing to complex cognitive evaluation, we stop asking "Did the AI win?" and start understanding exactly how it thinks, ensuring that when we deploy autonomous agents, they operate with the precision and reliability that modern enterprise security demands.

Conclusion

The academic methodology of PentestEval serves as an excellent guide for moving away from outdated black box testing and embracing a more complex, transparent approach. However, it is a blueprint, not a strict mandate.

My recommendation is that every organization or individual pentester should define their own evaluation stages and test scenarios based on their unique threat landscape and specific operational needs. Furthermore, the scoring criteria for each of these custom stages must not be left to automation alone. I highly recommend that human experts actively oversee the process and provide direct input into the grading rubrics. By combining the structured transparency of a stage gate framework with the nuanced oversight of experienced security professionals, we can build genuinely evaluation pipelines that reflect the realities of modern enterprise security.

References

• Yang, R., Cheng, M., Deng, G., Zhang, T., Wang, J., & Xie, X. (2025). PentestEval: Benchmarking LLM-based Penetration Testing with Modular and Stage-Level Design. arXiv preprint arXiv:2512.14233. Available at: https://arxiv.org/abs/2512.14233