AI Policy
Last updated: 21 June 2026
AI is a useful tool. For many tasks it shortens the time it takes to get from nothing to something useful, and it gives people with less experience access to capabilities they might not otherwise have. That is genuinely valuable.
Penetration testing is a different context. A pentest is a high-trust engagement that involves accessing a client’s systems, discovering vulnerabilities, and handling sensitive information at every stage: infrastructure details, credentials, internal data, and business logic. The moment that information is passed into a third-party cloud AI system, the client has lost control of it, and the tester has lost the ability to guarantee confidentiality.
AI-assisted testing also carries a quality risk. Automated tools and AI-generated analysis can give the appearance of thorough work without the substance of it. That is similar to what has long been sold as penetration testing when the reality is a vulnerability scan with a report written around it. We do not do that, whether the automation is script-based or AI-generated.
Some clients also operate their own strict no-AI policies, prohibiting the use of third-party models for processing company information. An engagement where the tester is silently feeding client data into cloud models would breach that policy. We consider it our responsibility to be explicit about where we stand.
How we use AI
Our testing work is manual and consultant-led. Findings, reconnaissance output, client data, and testing artefacts are not passed into third-party or cloud-based AI systems at any stage of an engagement.
Where AI tools are used internally, they are limited to tasks that do not involve client data. Any AI-assisted output is reviewed by the consultant before use. Clients work directly with the consultant throughout their engagement, so there is no layer of AI-generated analysis between the work and the delivered report.
This reflects the same commitment stated throughout this site: we do not outsource or subcontract testing, and we do not automate away the work a client is paying for.
How we address the CREST principles for AI-enabled activities
CREST publishes nine principles for AI-enabled activities. The following explains how we approach each one.
Accountability and governance
We have assessed how AI could affect service delivery, client outcomes, and data handling at each stage of a penetration test. Our primary governance control is not to use AI in client-facing delivery. Any limited internal AI use is subject to the same professional standards that apply to all of our work.
Transparency of use
AI is not used in our testing methodology, our findings analysis, or our report-writing. We do not use AI tools that interact with client data at any stage of an engagement. Where that changes, we will update this policy and communicate the change to clients.
Documentation and auditability
Testing methodology, findings, and conclusions are produced and documented by the consultant directly. There is no AI-generated content in our deliverables that could be attributed to a model rather than to a person. Reports reflect the consultant’s direct observations and professional judgement.
Boundaries and control
The consultant retains direct oversight of all testing activity throughout the engagement. There are no autonomous or semi-autonomous AI processes operating in our assessments. Scope is agreed with the client before the engagement begins and is not subject to AI-driven expansion or modification.
Data handling, sovereignty and client control
Client data, including anything discovered during testing, is not transferred to third-party AI providers. It is handled in line with our engagement terms and the client’s own requirements. Clients with specific data handling requirements, including those with no-AI policies, can raise these at the scoping stage, and we will confirm in writing how they are met.
Security and confidentiality
Client data is handled under the terms agreed at the start of the engagement. The absence of third-party AI processing means there is no additional data-sharing exposure introduced by AI tooling. Outputs, findings, and reports are treated as confidential and shared only with the agreed client contacts.
Secure development of AI tooling
We do not develop AI tooling for use in client engagements. If that changes, we will apply appropriate development, testing, and governance practices before deploying any such tooling, and we will update this policy to reflect it.
Supply chain assurance
We do not rely on third-party AI providers in our service delivery. There is no AI-related supply chain dependency that could affect the continuity, confidentiality, or quality of a client engagement.
Resilience and business continuity
Because AI is not used in the delivery of testing services, there is no AI dependency that could affect service availability or data handling if a model or platform becomes unavailable. Our testing capability is not contingent on access to any external AI system.
Questions about our use of AI
If you have questions about our approach to AI, or if you have specific requirements around AI use in your engagement, please contact us before the engagement begins.
Email: contact@exploitr.com
We are happy to confirm our approach in writing as part of the scoping process.
Changes to this policy
We may update this policy from time to time. The version published at the time of your engagement will apply.