AI Has Ideas. sqlmap Has Receipts.
Date: 2026-05-29 12:00:00. Author: horizon3.ai

LLMs have gotten remarkably good, and the security world has noticed. Over the last year there’s been a wave of open-source projects and commercial products harnessing agents to conduct autonomous pentesting, and the results are genuinely impressive.

But one aspect of security testing is often overlooked in the excitement: signal-to-noise ratio is everything. 

False positives are how security tools lose their users. If a tool becomes too noisy, the operator loses confidence, and just like the boy who cried wolf, they’ll eventually ignore the one critical vulnerability they actually need to fix. The most effective way to reduce false positives is to pair discovery with deterministic validation: tools that give a clear, reproducible indication that a vulnerability is real.

This is why NodeZero® uses sqlmap to confirm SQL injection vulnerabilities, and why Horizon3.ai became the first AI-native proactive security company to officially license it. An LLM can absolutely fuzz a parameter and surface something that looks like SQLi. But sqlmap has been battle-tested for nearly two decades against every database backend, edge case, and weird injection context that exists in the wild. When sqlmap says a vulnerability is real, it’s real.

So how does this work in NodeZero? 

After NodeZero crawls the web application and identifies all possible user inputs, we fuzz those inputs for injection vulnerabilities. If the LLM judges that a given input could plausibly end up in a SQL query, we hand it to sqlmap. If sqlmap surfaces signs of injection, we escalate to a more robust scan to confirm.

A concrete example: we don’t blindly throw SQL injection payloads at every HTTP header on every request. That would be wasteful and noisy. But if the crawler encounters a unique custom header on a specific route — something like X-Customer-ID or X-Tenant — the LLM recognizes that this is exactly the kind of value that might get used in a backend lookup, and we make sure to fuzz it for SQLi. That judgment call is where LLMs earn their keep. The actual confirmation is still sqlmap’s job. 

It’s worth noting that NodeZero doesn’t optimize for speed. If there’s any reasonable chance a user input could reach a SQL query, we fuzz it.
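The discover-then-validate split described above, as an added illustration that is not NodeZero's or sqlmap's own code: a fixed heuristic stands in for the LLM judgement (every query/body field is a candidate, headers only when they are custom), and each candidate is mapped to two sqlmap invocations, a cheap first pass and a deeper one the pipeline would issue only if the first reports signs of injection. The header handling assumes sqlmap's `*` injection-point marker; commands are built, not executed, and the request is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse, parse_qsl

# Headers every browser sends on every request; blindly fuzzing these on every
# route is the "wasteful and noisy" approach the post argues against.
COMMON_HEADERS = {"host", "user-agent", "accept", "accept-encoding", "accept-language",
                  "connection", "content-type", "content-length", "cookie", "referer", "origin"}

@dataclass(frozen=True)
class Candidate:
    url: str        # full URL as crawled, query string included
    kind: str       # "param" (query/body field) or "header" (custom request header)
    name: str
    value: str
    data: str = ""  # urlencoded POST body, empty for GET

def triage(url: str, headers: Dict[str, str], data: str = "") -> List[Candidate]:
    """Heuristic stand-in for the LLM judgement (an assumption, not NodeZero's logic):
    every query/body field is a candidate; a header only when it is custom
    (e.g. X-Customer-ID), i.e. plausibly used in a backend lookup."""
    found = [Candidate(url, "param", k, v, data) for k, v in parse_qsl(urlparse(url).query)]
    found += [Candidate(url, "param", k, v, data) for k, v in parse_qsl(data)]
    for name, value in headers.items():
        if name.lower() not in COMMON_HEADERS:
            found.append(Candidate(url, "header", name, value, data))
    return found

def sqlmap_stages(c: Candidate) -> List[List[str]]:
    """Two-stage confirmation: a cheap first run, then a deeper run (higher
    --level/--risk) issued only if stage one reports signs of injection.
    Custom headers are marked with sqlmap's '*' injection-point marker."""
    base = ["sqlmap", "-u", c.url, "--batch"]
    if c.data:
        base += ["--data", c.data]
    if c.kind == "param":
        base += ["-p", c.name]
    else:
        base += ["-H", f"{c.name}: {c.value}*"]
    return [base + ["--level", "1", "--risk", "1"],
            base + ["--level", "5", "--risk", "3"]]

def plan(url: str, headers: Dict[str, str], data: str = "") -> Dict[str, List[List[str]]]:
    """Map every triaged input to its two sqlmap stages (commands are built, not run)."""
    return {f"{c.kind}:{c.name}": sqlmap_stages(c) for c in triage(url, headers, data)}

if __name__ == "__main__":
    # Constructed request: a route carrying a custom tenant header.
    req_headers = {"Host": "app.example", "User-Agent": "Mozilla/5.0", "X-Tenant": "acme"}
    for key, stages in plan("https://app.example/orders?id=7", req_headers).items():
        print(key, "->", " ".join(stages[0]))
```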

That’s how NodeZero approaches security testing: harnessing the creativity of LLMs for discovery, while leaning on deterministic, hardened tools for validation. High signal, low noise, and findings the operator can trust.


Rob Goyette, Attack Engineering Manager for the Web Application Security Team at Horizon3.ai

Rob Goyette is the Attack Engineering Manager for the WebApp Team at Horizon3.ai, where he leads software engineers and offensive security engineers in building products to help improve the security of customers’ web applications. He brings deep hands-on expertise in penetration testing, red teaming, and offensive security operations, backed by certifications including OSCP, OSWP, and eWPT.


Source: https://horizon3.ai/intelligence/blogs/ai-has-ideas-sqlmap-has-receipts/