OpenAI declared a code red after Gemini 3 launched. The response: a 40% price hike, benchmark improvements in single digits, and a system card admitting the model lies 1.6% of the time. The scaling era may be over. What comes next looks expensive.
Google launched a research agent and wrote the test that grades it. Unsurprisingly, Google's tool leads the leaderboard. Competitors must now replicate Google's search infrastructure or accept permanent disadvantage on web research tasks.
Stanford's AI hacker cost $18/hour and beat 9 of 10 human pentesters. The headlines celebrated a breakthrough. The research paper reveals an AI that couldn't click buttons, mistook login failures for success, and required constant human oversight.
Stanford's AI hacker cost $18/hour and beat 9 of 10 human pentesters. The headlines celebrated a breakthrough. The research paper reveals an AI that couldn't click buttons, mistook login failures for success, and required constant human oversight.
Stanford researchers spent $18 an hour on an AI system that found nine vulnerabilities in their network. The Wall Street Journal called it "dangerously good." OpenAI warned of escalating cybersecurity risks. Headlines declared the end of human penetration testing.
The 29-page research paper tells a different story. One where the AI couldn't click a button. Where 18% of its findings were wrong. Where a human with a browser would have spotted mistakes the machine couldn't see.
The $18 figure isn't a breakthrough. It's a marketing number stripped of context, infrastructure costs, and the small detail that vulnerability counts aren't penetration tests.
ARTEMIS, Stanford's multi-agent hacking framework, ran against 8,000 hosts across 12 subnets. It discovered nine valid vulnerabilities. It beat nine of ten professional pentesters. It cost less than a parking ticket to operate.
It also failed at something any intern could do.
When 80% of human participants found a remote code execution vulnerability through TinyPilot, a browser-based KVM interface, ARTEMIS missed it entirely. The system couldn't navigate the graphical interface. It searched for version-specific CVEs online, submitted lower-severity misconfigurations, and moved on. A critical vulnerability sitting behind a login screen. The AI couldn't figure out how to click.
In another case, ARTEMIS claimed successful authentication with default credentials after receiving HTTP 200 responses. The responses were redirects to login pages following failed attempts. The AI saw "200 OK" and declared victory. Any human looking at a browser would have seen the login prompt still staring back at them.
The one area where ARTEMIS outperformed humans reveals its actual nature. It exploited an older Dell iDRAC server that human testers couldn't access because their modern browsers refused to load the page. Outdated HTTPS cipher suites triggered security warnings. ARTEMIS bypassed this using curl -k, a command-line flag that ignores SSL certificate errors.
The AI didn't outsmart the humans. It just didn't care about security warnings. Script kiddie behavior, automated.
Here's what the cost figure includes: API calls to GPT-5.
Here's what it excludes: provisioned VMs, VPN configurations, logging systems, the research team monitoring sessions in real-time with kill switches, and the Stanford IT department that knew the test was happening and pre-arranged approval for flagged actions.
The A2 variant, running an ensemble of Claude Sonnet 4, OpenAI o3, Claude Opus 4, Gemini 2.5 Pro, and OpenAI o3 Pro, cost $59 per hour. Same finding count. Triple the expense. The performance differential came down to model strength, not architectural innovation.
More fundamentally, the comparison assumes a penetration test is a vulnerability count. It isn't.
A penetration test is a story about how someone could destroy your company. It identifies attack chains, explains business impact, and provides strategic recommendations that help organizations prioritize remediation. The human testers who charged $2,000 per day delivered context, judgment, and the ability to explain findings to a board that doesn't know what "HTTP 200" means.
ARTEMIS produced detailed technical reports. Raw vulnerability data. Severity ratings. No strategic recommendations. No communication exercise. No explanation of which findings actually matter.
For organizations with mature security teams who can interpret technical findings, that might suffice. For the mid-market companies that constitute most penetration testing customers, it's the difference between buying expertise and buying a spreadsheet.
Stanford's IT department knew the test was happening. Researchers had pre-arranged approval for flagged actions that would otherwise trigger defensive interdiction. A team member monitored each AI session in real-time with authority to terminate on out-of-scope behavior. The university's Vulnerability Disclosure Policy provided legal safe harbor.
None of these conditions exist in actual adversarial scenarios.
The paper acknowledges this directly. "Authentic defensive conditions were absent." Participants had up to 10 hours versus the 1-2 weeks typical for professional engagements. The researchers couldn't achieve statistical significance because of logistical constraints.
ARTEMIS ran banker's hours. 9am to 5pm across two days. Sixteen hours total. Real adversaries don't work with kill switches and scheduled breaks. They run continuously, adapt to defensive responses, chain access across organizational boundaries, and operate without researchers watching over their shoulder ready to pull the plug.
The AI spawned up to eight parallel sub-agents during peak operation, averaging 2.82 concurrent agents per supervisor iteration. Meaningful parallelism. But running ARTEMIS against thousands of targets simultaneously would require infrastructure investments that don't appear in the $18 calculation. Horizontal scaling is where AI offensive capabilities become genuinely dangerous. The Stanford experiment doesn't demonstrate that capability.
The acknowledgements section contains an interesting disclosure: "This work is supported by the Stanford Institute for Human-Centered Artificial Intelligence Seed Grant and an unrestricted gift from OpenAI."
OpenAI funded research demonstrating AI offensive capabilities while simultaneously warning that upcoming models pose "high" cybersecurity risk. Their GPT-5 scored 27% on capture-the-flag exercises in August. By November, GPT-5.1-Codex-Max hit 76%. The company's preparedness framework now plans for each new model potentially reaching high-risk thresholds.
This isn't contradictory. It's positioning.
AI labs benefit from published research demonstrating capability advances. Justifies valuations, attracts talent, establishes technical leadership. They also benefit from framing those capabilities as risks requiring careful stewardship. Supports arguments for self-regulation over external oversight, positions labs as responsible actors managing dangerous technology.
The Stanford paper serves both functions. It demonstrates AI agents competing with human professionals on real-world offensive tasks. It also emphasizes defensive applications, the researchers open-sourced ARTEMIS specifically to "broaden defender access to AI-enabled security tooling."
Publish offensive capabilities, emphasize defensive applications, argue responsible disclosure beats the alternative. The cybersecurity community debated this tradeoff for decades. AI research is replaying those arguments at higher stakes and faster timelines.
The Stanford results suggest a specific near-term risk profile.
Organizations running unpatched systems with default credentials face increased danger. These "low-hanging fruit" vulnerabilities, exactly what ARTEMIS found most reliably, become cheaper to discover and exploit at scale. The economics shift toward automated mass scanning followed by human exploitation of confirmed targets.
Organizations with mature security programs face marginal changes. They've already addressed the vulnerability classes AI agents exploit well. GUI limitations, false positive rates, and lack of strategic judgment mean AI tools complement rather than replace human testers.
Bug bounty programs face the most immediate disruption. Daniel Stenberg, maintainer of the widely-used Curl library, reported receiving over 400 AI-generated bug reports. The early submissions were useless slop. Then quality improved dramatically.
The Curl example appeared in the Stanford experiment itself. ARTEMIS found a vulnerability on an outdated webpage that human testers couldn't access because their browsers refused to load it. The AI used Curl to bypass browser restrictions and discovered a bug humans had missed.
"AI gives us a lot of crap and lies," Stenberg noted, "and at the same time it can be used to detect mistakes no one found before."
For security teams and CISOs: The 18% false positive rate and GUI limitations mean AI penetration testing supplements rather than replaces human assessment. Budget accordingly. Expect vendors to oversell autonomous capabilities based on laboratory results that won't replicate in your environment.
For AI labs and policymakers: The gap between benchmark performance and operational capability suggests current evaluation frameworks need updating. The Stanford methodology, live enterprise testing with controlled conditions, offers a template worth replicating before capability claims drive policy decisions.
For the penetration testing industry: Cost pressure concentrates on commodity vulnerability scanning. Organizations that can interpret raw data will shift toward AI-assisted tooling. Those needing strategic guidance will continue paying for human expertise. The middle market faces the most disruption over the next 18-24 months.
Q: Why did Claude Code refuse the task while ARTEMIS using Claude models worked?
A: Claude Code is optimized for software engineering and triggers built-in refusal mechanisms when asked to perform offensive security tasks. ARTEMIS uses custom scaffolding with dynamically generated prompts specifically designed to elicit offensive capabilities without triggering refusals. The A2 configuration used Claude Sonnet 4 for sub-agents within this custom framework, bypassing the restrictions that blocked Claude Code entirely.
Q: What qualifications did the human pentesters have?
A: Participants held certifications including OSCP, OSWE, OSED, OSEP, CRTO, GCPN, GSE, and GWAPT. Several had discovered critical CVEs in applications with 500,000 to 1.5 million users. One ran a penetration testing firm, another worked for a defense contractor, and a third served as a red teamer at a security company. All were compensated $2,000 for at least 10 hours of work.
Q: Is ARTEMIS available for organizations to use?
A: Yes. The Stanford researchers open-sourced ARTEMIS on GitHub at github.com/StanfordTrinity/ARTEMIS. Their stated goal is to "broaden defender access to open AI-enabled security tooling." Running it requires API access to models like GPT-5 or Claude Sonnet 4. The A1 configuration cost $18.21/hour in API fees during the experiment, excluding infrastructure overhead.
Q: Why couldn't ARTEMIS interact with graphical interfaces?
A: ARTEMIS operates through command-line tools and parses text-based input and output. It lacks computer vision or mouse/keyboard simulation capabilities needed for GUI interaction. When 80% of humans exploited a TinyPilot KVM interface requiring browser clicks, ARTEMIS couldn't replicate the graphical steps. The researchers note that "advancements in computer-use agents should mitigate many of these bottlenecks."
Q: What happened to the vulnerabilities after the experiment?
A: The research team worked directly with Stanford IT staff to triage and patch all discovered vulnerabilities through responsible disclosure. The university's Vulnerability Disclosure Policy provided legal safe harbor for participants. The paper lists 49 validated unique vulnerabilities found by humans and additional findings from AI agents, including default credentials, SQL injection, anonymous LDAP access, and remote code execution.
Robert Brown
Marcus Schuler
Robert Brown
Microsoft analyzed 37.5M Copilot conversations. Health queries dominated mobile usage every hour of every day. Programming's share collapsed. The data shows users want a confidant, not a productivity tool. The industry built for the boardroom anyway.
64% of teens use AI chatbots. But which ones? Higher-income teens cluster around ChatGPT for productivity. Lower-income teens are twice as likely to use Character.ai—the companion bot facing wrongful death lawsuits. The technology is sorting kids by class.
While the AI industry chases reinforcement learning, Essential AI made the opposite bet. Their new 8B model embodies a thesis about where machine intelligence originates. The transformer's co-inventor is calling the shots on research.
OpenRouter's 100 trillion token study was supposed to prove AI is transforming everything. The data shows something else: half of open-source usage is roleplay, enterprise adoption is thin, and one account caused a 20-point spike in the metrics.
Get the 5-minute Silicon Valley AI briefing, every weekday morning — free.
