Analysis

AI vs. Human: Who Should Write Your Vulnerability Reports?

Sarah ·

Last quarter, I ran an experiment with my vulnerability management team. We took the same set of 15 vulnerability findings from a recent internal pentest and produced two reports: one written entirely by a senior analyst over about six hours, and one generated by AI (with light human editing) in about 45 minutes. Then I sent both versions to the remediation teams — without telling them which was which — and tracked which report drove faster, more accurate remediation.

The results surprised me. And they've fundamentally changed how my team writes reports.

The Case for AI: Speed, Consistency, and Formatting

Speed

This one is obvious but the magnitude matters. A senior analyst writing a detailed vulnerability report with technical findings, risk ratings, evidence screenshots, and remediation guidance takes 3-6 hours per engagement. AI can produce a solid first draft from structured input data in under 5 minutes. Even with 30-40 minutes of human review and editing, you're looking at under an hour total. That's a 5-6x improvement.

For a team that produces 20 reports a month, that's the difference between "reporting is a full-time job for one person" and "reporting is a task that takes a few hours per week." The freed-up analyst hours go to actual security work instead of wordsmithing.

Consistency

Every analyst writes differently. Some are verbose. Some write in bullet points. Some include detailed reproduction steps; others assume the reader knows how to validate the finding. This inconsistency confuses remediation teams who have to decode a different writing style every time.

AI produces consistent output every time. Same structure, same level of detail, same terminology. Remediation teams told me — unprompted — that the AI-generated report was "easier to action" because they always knew where to find the information they needed.

Formatting and Completeness

AI never forgets to include the CVSS score. It never leaves the remediation section blank because it ran out of time. It never misspells the product name or uses inconsistent severity labels. These aren't glamorous improvements, but they matter when the output is a compliance deliverable.

The Case for Humans: Context, Impact, and Nuance

Business Context

The AI report described a SQL injection finding accurately. It explained the technical risk, provided the CWE reference, and suggested parameterized queries as remediation. Textbook correct.

The human report added one paragraph that changed everything: "This database contains PII for 2.3 million customers and is subject to CCPA. Exploitation of this vulnerability would trigger mandatory breach notification within 72 hours." That context turned a "high" finding into a board-level conversation. AI didn't know that. It couldn't have.

Impact Assessment

AI is good at generic impact statements. "An attacker could gain unauthorized access to sensitive data." Humans write impact statements that resonate with the specific audience. "If exploited during the Q4 payment processing window, this could halt transactions for an estimated 4 hours, impacting approximately $2.1M in revenue." One of those statements gets a finding remediated in a week. The other sits in a backlog.

The Subtle Stuff

Humans catch things AI misses entirely. Chain vulnerabilities — where finding A is medium severity alone but critical when combined with finding B. Environmental factors — "this server is scheduled for decommission in 6 weeks, so remediation should focus on compensating controls rather than patching." Organizational politics — knowing which team lead needs a phone call versus an email, knowing that the last three reports to this business unit were ignored and escalation is needed.

None of this fits into a template. All of it matters.

The Experiment Results

Remember those two reports I sent to remediation teams? Here's what happened:

  • Remediation speed: The AI report drove slightly faster initial response (remediation teams started working 1.2 days sooner on average), likely because the consistent formatting made findings easier to parse and assign.
  • Remediation accuracy: The human report had a 13% higher rate of correct first-fix — meaning fewer findings that were "remediated" but needed rework because the team didn't fully understand the issue.
  • Escalation rate: The human report prompted 3 escalations to management for resource allocation. The AI report prompted zero. Those escalations resulted in two critical findings getting fast-tracked.
  • Stakeholder satisfaction: When I finally revealed which was which, the remediation teams said they preferred reading the AI report but trusted the human report more.

The Pragmatic Answer

Use both. Specifically, use AI for the draft and humans for the judgment layer.

Here's the workflow my team adopted after this experiment:

  • Step 1: Analyst conducts the assessment and documents findings in a structured format (we use a simple JSON template: finding title, technical details, evidence, affected systems, CVSS score).
  • Step 2: Structured findings go through AI to generate a full narrative report with consistent formatting, proper control references, and standard remediation guidance.
  • Step 3: Analyst reviews the AI draft and adds three things that only a human can: business context, chained-risk analysis, and audience-appropriate impact statements.
  • Step 4: Final review for accuracy, then delivery.

Total time: about 90 minutes per engagement, down from 4-5 hours. And the output is better than either pure-AI or pure-human reports because it combines the consistency and completeness of AI with the context and judgment of a human analyst.

What I'd Tell a Team Lead

If report writing eats more than 20% of your analysts' week, AI drafting will pay for itself in the first month. But keep humans on severity calls, business impact, and remediation priority. The AI has never sat in your change advisory board meeting. It doesn't know which system the CFO cares about.

The teams shipping the best reports right now let AI do the first draft and then spend their time on the part a model can't fake: knowing which finding will actually keep the CISO up at night. That division of labor works. Arguing about whether AI or humans write better reports misses the point entirely.