Adaptive and AI-Augmented Security Testing: A Systematic Survey of Program Analysis, Feedback-Driven Testing, and Hybrid Learning-Based Approaches

55 studies analyzed from 22k records expose a critical gap in adaptive security testing...

Deep Dive

A new systematic survey by Michael Wienczkowski, published on arXiv, examines the state of adaptive and AI-augmented security testing across five key domains: structural program analysis, DevSecOps, feedback-driven fuzzing, LLM-based test generation, and hybrid learning systems. The study screened 22,088 raw records from four major databases to select 55 peer-reviewed papers for in-depth analysis. The core finding is a persistent disconnect between structural program representations (like abstract syntax trees, control-flow graphs, and code property graphs) and adaptive testing mechanisms such as reinforcement learning or LLM-driven generation. This gap, termed "structural-adaptive fragmentation," means that no existing system incorporates human triage signals — such as developer decisions on warnings — as feedback to refine structural models or guide adaptive testing.

The survey identifies five open research challenges, including the need for semantically grounded feedback loops and polyglot frameworks that work across multiple programming languages. While LLMs have shown promise in automated test generation, they often lack grounding in actual program semantics. Similarly, feedback-driven fuzzing excels at iterative input refinement but doesn't leverage structural code analysis. The paper argues that closing the fragmentation gap could dramatically improve vulnerability detection in CI/CD pipelines, reducing false positives and enabling continuous, human-in-the-loop security testing at scale.

Key Points
  • 55 peer-reviewed studies analyzed from 22,088 records across 4 databases
  • Identified 'structural-adaptive fragmentation': no system integrates human triage feedback with structural analysis or adaptive learning
  • Five open research challenges call for unified, polyglot security testing frameworks that bridge LLMs, fuzzing, and program analysis

Why It Matters

DevSecOps teams need unified AI+structure feedback loops to reduce false positives and scale vulnerability detection.