Who Watches the Robot Hacker?

Last week OWASP published something unusual. Not a vulnerability list. Not a top-ten. A governance standard for autonomous penetration testing platforms. The name is APTS, and it asks a question that most people in security haven’t thought about yet: what happens when you give an AI the ability to hack things on its own? The answer, it turns out, is complicated — and the standard itself has problems nobody is talking about. ...

April 19, 2026 · 13 min · Napat Boonsaeng

Five OWASP AI Lists, One Practitioner Problem

I was in a meeting recently where someone asked a simple question: “Which OWASP list should we use for our AI security review?” Nobody could answer it. Not because the people in the room were incompetent. The opposite, actually — they’d all read the lists, which is precisely why they couldn’t answer. There are five of them now. Five OWASP AI security lists. Each one a Top 10, except the one that’s a 200-page guide. They overlap, contradict, and occasionally talk past each other. When someone finally pulled up Matt Adams’ OWASP AI Top 10 Comparator — a tool that exists specifically because the proliferation problem is bad enough to need its own website — the room collectively sighed. ...

April 2, 2026 · 14 min · Napat Boonsaeng