Tuesday, June 9, 2026

AI Agents Are Moving Inside Cybersecurity Scanners

AI agents are moving deeper into cybersecurity tools, shifting from advisory interfaces into the operational layer of security testing. The change is especially visible in application security, where vendors are using AI not only to summarize findings or prioritize alerts, but to help scanners perform the steps needed to test modern applications.

One of the most practical examples is authenticated dynamic application security testing, or authenticated DAST. DAST tools test running applications from the outside, looking for vulnerabilities in live web applications and APIs. Authenticated DAST goes further by scanning the areas of an application that sit behind login pages, where customer portals, dashboards, billing systems, admin panels, internal tools, and role-specific workflows often live.

That is where DAST has long run into a scaling problem. Authentication is essential for meaningful application coverage, but it is also one of the hardest parts of the scan to configure and maintain. Login flows change. Session handling breaks. Multi-step authentication, single sign-on, redirects, front-end changes, and role-based access can all interfere with a scanner’s ability to reach the parts of the application that matter most. Veracode’s dynamic analysis guidance still refers teams to Selenium scripts for authenticated scans and advises them to manually test those scripts to confirm that login works as expected. OWASP ZAP has also described the challenge of authenticated scanning, noting that authentication may need to work both directly and through a browser-driven path, which creates practical complexity for scanning tools.

The business problem is straightforward: when authentication configuration fails, security coverage shrinks. A scanner may still run, but it may be testing only the public-facing parts of an application. Bright Security puts the issue bluntly in its 2026 guidance on DAST for single-page applications: many real vulnerabilities live behind authentication, and scanners that cannot handle login flows reliably are not scanning the application that matters. Checkmarx makes a similar operational point in its 2026 DAST guidance, advising teams to regularly validate authentication handling because changes to login mechanisms or token formats can silently reduce coverage.
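One way to catch that silent loss of coverage is a post-scan check that compares the scanner's crawl log against pages that only exist behind login. The sketch below is an added example, not code from any vendor or tool named in this article; the record format, the `app.example.test` host, the `/login` path and the expected-path list are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

# Constructed crawl records: URL requested, status, Location header (if any).
HEALTHY_SCAN = [
    {"url": "https://app.example.test/login", "status": 200, "location": None},
    {"url": "https://app.example.test/dashboard", "status": 200, "location": None},
    {"url": "https://app.example.test/billing/invoices", "status": 200, "location": None},
]
BROKEN_SCAN = [
    {"url": "https://app.example.test/login", "status": 200, "location": None},
    {"url": "https://app.example.test/pricing", "status": 200, "location": None},
    {"url": "https://app.example.test/dashboard", "status": 302,
     "location": "/login?next=/dashboard"},
    {"url": "https://app.example.test/billing/invoices", "status": 401, "location": None},
]
# Hypothetical per-role list of pages that only exist behind login.
EXPECTED = {"/dashboard", "/billing/invoices"}


def assess_auth_coverage(records, expected_paths, login_path="/login", min_coverage=1.0):
    """Report which expected authenticated paths the scan actually reached."""
    reached, bounced = set(), set()
    for rec in records:
        path = urlsplit(rec["url"]).path
        if path not in expected_paths:
            continue  # public pages say nothing about the session
        target = urlsplit(rec.get("location") or "").path
        if rec["status"] == 401 or (rec["status"] in REDIRECTS and target == login_path):
            bounced.add(path)  # scanner was treated as logged out
        elif rec["status"] == 200:
            reached.add(path)
    coverage = len(reached) / len(expected_paths) if expected_paths else 0.0
    return {
        "coverage": coverage,
        "missing": sorted(expected_paths - reached),
        "bounced_to_login": sorted(bounced),
        # Any bounce counts as failure: it also catches sessions lost mid-scan.
        "authenticated": coverage >= min_coverage and not bounced,
    }


if __name__ == "__main__":
    for name, scan in (("healthy", HEALTHY_SCAN), ("broken", BROKEN_SCAN)):
        print(name, assess_auth_coverage(scan, EXPECTED))
```

In the broken run the scanner still returns results for `/login` and `/pricing`, which is why a scan that merely "completed" is not evidence of authenticated coverage.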

That is why AI agents inside scanners are becoming a more meaningful category than AI as a dashboard feature. The value is not simply that a security product has an AI label. The value is that AI may be able to reduce a recurring configuration burden that has kept authenticated testing narrow, brittle, or dependent on a small number of specialists.

Outpost24’s Scale DAST product is a useful example of this shift. The company says its new AI-powered authentication capability allows Application Security and DevSecOps teams to describe login steps in plain language. An AI agent then executes those instructions as part of the authenticated scan. The goal is to replace some of the fragile manual setup associated with scripts or browser recordings, making authenticated scanning faster to configure, easier to maintain, and more scalable across large application portfolios.

“AI in security testing has moved from novelty to expectation, but the real test is whether it removes friction or just adds noise,” said Omri Kletter, Chief Product Officer at Outpost24. “Scale’s AI-powered authentication applies AI to one of the most persistent operational challenges in DAST, turning authentication setup into a natural-language workflow that can adapt as applications change. This is the direction we are taking across the platform: practical AI that makes security work faster, easier, and more scalable.”

That is a narrower claim than “AI will secure applications,” and it is stronger because of that. The feature is aimed at a specific operational bottleneck: helping the scanner get through authentication and maintain access to the parts of the application that need to be tested. For AppSec teams, that could mean less time repairing authentication scripts, fewer coverage gaps caused by changing login flows, and more applications scanned in an authenticated state.

The larger pattern is also visible across the application security market. AI is increasingly being inserted into developer and security workflows as an active layer: scanning code, testing applications, prioritizing risk, helping validate exploitability, and generating remediation guidance. Checkmarx describes agentic AI security tools as assisting across the software delivery lifecycle by scanning code, APIs, containers, infrastructure as code, and other development assets. In parallel, security researchers and vendors are increasingly discussing agentic testing systems that go beyond static findings and interact with live environments, though those systems vary widely in maturity and claims.

For enterprises, the practical question is what these agents are allowed to do. A scanner that reads instructions and executes login flows needs access to credentials, test accounts, sessions, and application environments. That raises governance questions around credential handling, permissions, audit logs, test-account boundaries, role separation, and failure detection. The more AI agents become operational actors inside cybersecurity tools, the more organizations will need to treat them as controlled participants in the security workflow rather than passive software features.

Outpost24’s example points to where the category is heading. AI agents are not only being used to explain vulnerabilities after a scan. They are beginning to help the scan happen in the first place.

That is the meaningful shift. In cybersecurity, AI’s next phase may be judged less by how impressive the interface looks and more by whether it removes real operational friction without creating new control problems. In DAST, authenticated coverage has long been one of those points of friction. AI agents are now moving inside the scanner to help solve it.


Jennifer Evans
https://www.b2bnn.com
principal, @patternpulseai and cofounder, techresetcanada. AI policy, research and analysis. #basicincome and anti-poverty activist. Machine learning since 2009.