Why I'll never hire a junior pentester again
A founder confession: ever since an AI agent started running my recon, the ROI on a junior pentester has been dead. And that's excellent news for the seniors.

I'm going to say out loud what a lot of cybersecurity founders only think to
themselves: the junior pentester, as an entry-level job, is dead. This isn't a
hot take. It's what my numbers proved to me in three months.
What a junior used to do
For years, juniors got the same work: recon. Enumerate 300 subdomains, scan
the ports, fingerprint the stacks, probe the low-hanging fruit, sort the
results, write an interim report. Three to five days of work. Billed at
$600–$1000/day to the client. Decent margin for the firm, formative experience
for the junior, an entry point to become a senior in two or three years.
That model is collapsing.
What Sentinelle does today
An offensive AI agent runs the same recon in forty minutes. Not roughly.
Better: it chains weak signals a human misses through fatigue, and produces a
reproducible report with exact commands. When I lay the two deliverables side
by side, the agent's report wins eight times out of ten.
Cost: a few dollars in tokens. Not a junior's salary, plus benefits, plus
management overhead, plus training time.
The common mistake
The mistake is to assume this replaces seniors. It's the opposite. It frees
seniors from the repetitive grind they hate and gives them time for
offensive creativity: the unconventional exploit chain, the business-logic
abuse, the 0-day. That's where human added value remains total.
So I don't hire juniors anymore. I hire seniors directly, pay them a premium
salary, and give each one ten Sentinelles to drive. ROI per head is 4–5× the
old model.
The objection: "how do we train juniors then?"
Honest answer: differently. Juniors become seniors by spending six to twelve
months operating AI agents: learning to read their reports, challenge
their conclusions, and write the playbooks. It's a different learning path, faster
and more strategic. The junior is no longer a recon subcontractor; they're an
agent operator.
Those who resist this evolution are still selling fixed-scope engagements and
billing $1000/day for recon. They'll disappear quietly, the way developers who
refused version control did in 2008.
For independent pentesters
If you're reading this and you're a freelance pentester, here's the only
advice that matters: use an AI agent starting today, even for free. The
market for "generalist pentester doing manual recon" is going to dry up. The
market for "senior pentester augmented by AI" is going to explode.
Sentinelle has a free plan for that. It's what I'd give my 2024 self if I
could.
The honest test
If you're skeptical: take an authorized target (a public bug bounty program),
run Sentinelle on it, and compare what it finds with what you'd have found in
two days. If you find more than it does, write to me. I want to pay you. If
it's the other way around (and that's what's going to happen), then you know
what to do with your workflow.
Written by
Chris
Tech builder · Agentic AI & offensive security
A tech-obsessed builder, I'm building Sentinelle — an autonomous offensive-security AI agent. I write here about agentic AI, AI-assisted pentesting, and what I learn shipping offensive tooling.


