🤖 AI Summary
Traditional security testing tools deployed in CI/CD pipelines lack adaptability and struggle to effectively integrate program structure with dynamic feedback, resulting in low detection efficiency and high false-positive rates. This work presents a systematic survey of adaptive and AI-enhanced security testing approaches, introducing for the first time the notion of “structural-adaptive disconnection” to highlight the systemic misalignment between program structure representations and adaptive mechanisms. It advocates for incorporating human-in-the-loop signals into a closed-loop model refinement process. By synthesizing techniques from static and dynamic analysis, feedback-driven fuzzing, large language models, and code property graphs (CPGs), the study analyzes 55 high-quality research efforts, identifies five key open challenges, and proposes a unified research agenda for semantic-aware, feedback-driven, and multi-language-supported security testing frameworks.
📝 Abstract
Modern software systems are increasingly developed within rapid continuous integration and deployment (CI/CD) pipelines, where ensuring security prior to release presents significant technical and organizational challenges. Traditional static and dynamic analysis tools provide valuable structural and behavioral insights, yet they often operate in non-adaptive workflows and produce large volumes of warnings requiring manual triage. Feedback-driven fuzzing and search-based testing approaches have demonstrated the power of iterative input refinement guided by execution signals, while large language models (LLMs) have shown promise in automated test generation but frequently lack semantic grounding in program structure. This paper presents a systematic survey of adaptive and AI-augmented security testing research across five domains: (1) structural program analysis for vulnerability detection, (2) DevSecOps and continuous security testing, (3) feedback-driven fuzzing and search-based testing, (4) LLM-based automated test generation, and (5) emerging hybrid systems integrating program analysis with adaptive learning. We analyze fifty-five peer-reviewed studies drawn from a systematic search of four major databases yielding 22,088 raw records. Our analysis reveals a persistent disconnect between structural program representations (ASTs, CFGs, and CPGs) and adaptive testing mechanisms. We characterize this as structural-adaptive fragmentation: a systematic separation that neither paradigm individually addresses. No existing system incorporates human triage signals as feedback for refining structural models. We conclude by identifying five open research challenges and outlining a unified agenda for semantically grounded, feedback-driven, polyglot security testing frameworks.