Penetration testing: Taxonomies, trade-offs, and adaptive strategies

IF 4.9 3区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

Computers & Electrical Engineering Pub Date : 2025-09-19 DOI:10.1016/j.compeleceng.2025.110686

Sitanshu Kapur, Praneet Saurabh

{"title":"Penetration testing: Taxonomies, trade-offs, and adaptive strategies","authors":"Sitanshu Kapur, Praneet Saurabh","doi":"10.1016/j.compeleceng.2025.110686","DOIUrl":null,"url":null,"abstract":"<div><div>Modern cybersecurity faces increasing complexity due to the growth of cloud-native platforms, legacy systems, and the proliferation of IoT devices. Traditional penetration testing methods, such as manual exploits and signature-based scanners, offer precision, but lack scalability and adaptability. Conversely, AI-based approaches, which employ techniques such as machine learning, reinforcement learning, and large language models to automate specific phases of the penetration testing workflow, introduce adaptability but also face significant challenges, including data dependency, limited interpretability, and high computational cost. This review focuses on three core questions: the comparative strengths and weaknesses of conventional and AI-based penetration testing, the influence of deployment contexts such as cloud and IoT, and how hybrid strategies can balance automation with human oversight. In this review, we focus mainly on the literature from 2010 to 2025, with inclusion criteria based on empirical validation, relevance, and impact. We conclude by proposing a research agenda focused on explainable AI, efficient model deployment, and standardized evaluation benchmarks for next-generation penetration testing systems.</div></div>","PeriodicalId":50630,"journal":{"name":"Computers & Electrical Engineering","volume":"128 ","pages":"Article 110686"},"PeriodicalIF":4.9000,"publicationDate":"2025-09-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Electrical Engineering","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0045790625006299","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

Abstract

Modern cybersecurity faces increasing complexity due to the growth of cloud-native platforms, legacy systems, and the proliferation of IoT devices. Traditional penetration testing methods, such as manual exploits and signature-based scanners, offer precision, but lack scalability and adaptability. Conversely, AI-based approaches, which employ techniques such as machine learning, reinforcement learning, and large language models to automate specific phases of the penetration testing workflow, introduce adaptability but also face significant challenges, including data dependency, limited interpretability, and high computational cost. This review focuses on three core questions: the comparative strengths and weaknesses of conventional and AI-based penetration testing, the influence of deployment contexts such as cloud and IoT, and how hybrid strategies can balance automation with human oversight. In this review, we focus mainly on the literature from 2010 to 2025, with inclusion criteria based on empirical validation, relevance, and impact. We conclude by proposing a research agenda focused on explainable AI, efficient model deployment, and standardized evaluation benchmarks for next-generation penetration testing systems.

查看原文本刊更多论文

渗透测试：分类、权衡和适应性策略

由于云原生平台、遗留系统和物联网设备的激增，现代网络安全面临着越来越复杂的问题。传统的渗透测试方法，如手动漏洞利用和基于签名的扫描器，提供了精度，但缺乏可伸缩性和适应性。相反，基于人工智能的方法，采用诸如机器学习、强化学习和大型语言模型等技术来自动化渗透测试工作流的特定阶段，引入了适应性，但也面临着重大挑战，包括数据依赖性、有限的可解释性和高计算成本。本文主要关注三个核心问题：传统渗透测试和基于人工智能的渗透测试的比较优势和劣势，部署环境（如云和物联网）的影响，以及混合策略如何平衡自动化与人为监督。在这篇综述中，我们主要关注2010年至2025年的文献，纳入标准基于经验验证、相关性和影响。最后，我们提出了一个研究议程，重点关注可解释的人工智能、有效的模型部署，以及下一代渗透测试系统的标准化评估基准。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Electrical Engineering 工程技术-工程：电子与电气

CiteScore

9.20

自引率

7.00%

发文量

661

审稿时长

47 days

期刊介绍： The impact of computers has nowhere been more revolutionary than in electrical engineering. The design, analysis, and operation of electrical and electronic systems are now dominated by computers, a transformation that has been motivated by the natural ease of interface between computers and electrical systems, and the promise of spectacular improvements in speed and efficiency. Published since 1973, Computers & Electrical Engineering provides rapid publication of topical research into the integration of computer technology and computational techniques with electrical and electronic systems. The journal publishes papers featuring novel implementations of computers and computational techniques in areas like signal and image processing, high-performance computing, parallel processing, and communications. Special attention will be paid to papers describing innovative architectures, algorithms, and software tools.