I've been looking into AI pentesting agents for awhile now. All of the ones finding real vulnerabilities are fuzzing agents that look at the source code.

As far as black-box testing, I haven't seen anything that impressive yet. Most of the open source ones have found mostly simple vulnerabilities. I think of it as a slight step up from a commercial scanner. With the current cost of tokens and the fact that all of these companies are burning through money, it's just not practical for most companies.

Things will change when the token cost gets really cheap and/or it's efficient enough to run at the speed we have now on off-the-shelf hardware.