Can ChatGPT Help Pen Testing?

ChatGPT has generated a ton of buzz since the end of 2022 as the fastest-growing app in history, with over 100 million users already. While ChatGPT has moved the needle on productivity for some, it raises a very important question: can ChatGPT be misused by hackers with malicious intent to perpetrate cybercrime? Conversely, can it help with pen testing in any way?

Seemant Sehgal, Founder & CEO of BreachLock, a leading penetration testing service provider, shares his expert perspective on ChatGPT’s potential impact on cybersecurity while Cybercrime Magazine’s Steve Morgan asks the important questions. Check out the video or read on for the transcript.

Can ChatGPT Perpetrate Cybercrimes? Can It Help With PenTesting?

Steve Morgan

“I’m Steve Morgan, founder of Cybersecurity Ventures and Editor in Chief at Cybercrime Magazine. I’m here today with Seemant Sehgal, Founder & CEO at BreachLock, developers of a world-class, award-winning Pen Testing as a Service (PTaaS) platform. Seemant, welcome! Great to have you with us.”

Seemant Sehgal

“Great to be back with you, Steve.”

Steve Morgan

“So, Seemant, we have to chat about ChatGPT, because this is coming up with just about everybody we’re talking to. It’s all the rage now, Microsoft just invested $10 billion into the company – give us kind of a high-level for anyone who maybe has their head buried in the sand and hasn’t heard about it: What is ChatGPT?”

Seemant Sehgal

“So, I think we need to go a little bit into the background. The hype is not here without reason, right? There are obvious reasons why everybody’s talking about it. Basically, it’s the company behind it. I think that that’s where all the hype starts – it’s OpenAI.

ChatGPT is a product that is built on an AI model called GPT-3, which is an advanced language processing model, as they call it – the differentiation there is that this is a very natural way of interacting for a computer to interact with a human. So, what does that mean? It means that the computer can take the context into account, it can understand a little bit of emotion, which is where the context is coming into play, and it’s got a ton of data that it’s constantly learning from that comes from the users. Also, I was playing with it myself and I think it goes back to September 2021 where the data is dated, so you don’t always get the latest information.

Also, I played around a little bit with the coding capabilities of ChatGPT and it’s actually a mess. Also, recently, it’s interesting to see that OpenAI changed the structure of the company so that they can attract larger investments because they started as a nonprofit and now, they’re looking for larger investments for the impact they want to make.”

Can ChatGPT be Used Maliciously for Cybercrime?

Steve Morgan

“Seemant, can ChatGPT help perpetrate cybercrimes? And if yes, how?”

Seemant Sehgal

“That’s a very interesting question. It’s an interactive system, so there is no way for that computer to know if you are coming in with malicious intent or if you’re a good hacker – it’s going to respond to you. However, I’ve seen for myself that the prompts on ChatGPT, when you ask them for reverse TCP IP-ready shell code, as an example, they are getting better. They would flash their policies and say, “this is an ethical boundary and can be misused, so we cannot give you an example like that,” right? So yes, it can be misused just for the simple reason that it’s an interactive system and good and bad guys can both interact with it.”

Can ChatGPT be Used to Make Pen Testing Easier?

Steve Morgan

“So, the flip side of the coin would be cybersecurity, and in particular, penetration testing where you have deep expertise. Is there any way at all that ChatGPT could aid or improve penetration testing?”

Seemant Sehgal

“Definitely – there’s a ton of information in there, so for a pen tester to be able to get steps to reproduce something, it’s rather easy, right? You essentially have a virtual assistant that you can chat with to see which technique would suit certain kinds of tests. There’s some basic code that you can get out of it as long as you have the ability to modify it to your advantage, specifically for learners that are new to the game of pen testing. There’s a ton of information that they can learn from it – and rather quick and very precise.”

Steve Morgan

“This is an interesting topic and I know we can hear a lot more about it. I’d love to have you come back on and discuss this again in a few months, and I hope it’s not because we’re hacked by ChatGPT.

Seemant, thank you for joining us today – that was great. Hope to talk with you again soon.”

Seemant Sehgal

“It was a pleasure, Steve.”

Steve Morgan

“I’m Steve Morgan, founder of Cybersecurity Ventures and Editor in Chief at Cybercrime Magazine. Joining us today was Seemant Sehgal, Founder & CEO of BreachLock, developers of a world-class, award-winning pen testing as a service (PTaaS) platform.”

Discover Modern Pen Testing with BreachLock

Want to learn how you can accelerate pen testing by 50% and reduce total cost of ownership (TCO) with human-led, AI-enabled penetration testing services? With BreachLock’s award-winning, analyst-recognized Pen Testing as a Service (PTaaS), you can get access to a flexible, easy-to-use, penetration testing platform that enables your DevOps team with DevSecOps testing solutions to meet your compliance and security goals.

Schedule a discovery call to learn how our 800+ clients are meeting compliance requirements (e.g., PCI DSS, SOC 2, HIPAA, GDPR, and ISO 27001), passing vendor assessments for third-party risk management (TPRM), and rapidly improving their security posture with simple, yet effective penetration testing results and remediation guidance.
