Why do you think there are so few mature AI-driven autonomous pentesting solutions on the market, and why does this topic seem to generate more hype than in-depth technical discussion?

Excessive risk.  Penetration testing is a blend of art and science. While automated tools can scan for vulnerabilities and confirm their presence, this merely represents the minimum scope of penetration testing. A skilled penetration tester possesses a deep understanding of specific technologies and vulnerabilities, enabling them to combine multiple vulnerabilities and, if necessary, exploit human nature to successfully compromise a target.
Proficient penetration testers can think multi-dimensionally and several steps ahead, whereas most artificial intelligence tools, including agentic ones, follow a linear process. In many instances, agentic AI can fail when a reply or response to an action falls outside its expected parameters. Unfortunately, AI tool failures are not always straightforward or easily detectable; sometimes, they manifest as repeating a single character multiple times or rapidly performing the same task and response. In penetration testing, however, an AI's failure may be even harder to detect.
An automated AI penetration testing tool can create substantial liability for its creator, its user, or both parties. No computer programs are perfect, and an AI penetration testing tool would require a relatively long leash, meaning it would need to operate somewhat autonomously. If a user maintains a continuous link to the tool for oversight and control, it likely compromises stealth. Multiple network connections to an application intended to run undetected are unfeasible.
AI tools are not inherently creative; "temperature" serves as a proxy for variance or creativity (if the tool is anthropomorphized). A very low temperature will yield more predictable outcomes but very little out-of-the-box thinking. Unconventional or unpredictable approaches are fundamental to penetration testing. Therefore, higher temperatures appear to be a requirement for this use case. While high temperatures can increase variance, unpredictability within a client's network can become ruinously expensive for a penetration tester. If the tool acts unexpectedly, such as actively crashing systems or causing damage, the AI penetration testing tool will be as destructive as an outside hacker. Perhaps an automated AI penetration testing tool would be more destructive because the rules of engagement for penetration testing may anticipate penetration and allow at least an initial foothold into the client's environment. The purpose of a penetration test is to allow the tester to catalog additional dangers or weaknesses, but there is a level of trust and contractual assurance that the penetration tester will not damage the client's systems. The client would need to closely scrutinize all terms and conditions because a lawyer protective of the AI pentest vendor would insert language indicating that AI makes mistakes and that any issues or problems due to the use of the tool would be the responsibility of the client. It would be possible for the pentest vendor’s legal team to indemnify the pen test vendor and make the client responsible for any and all adverse outcomes.
Another potential risk of an automated AI penetration testing tool is that many organizations are interconnected. If the automated pen tester follows an IP address or a connection from the target organization to other organizations, the tool could violate hacking laws in other jurisdictions. An automated penetration testing tool would need to access the client over the internet; therefore, this automated tool, with the freedom to attempt different things, could attack unintended organizations. The AI’s creative hacking could be an attempt to compromise an international corporation or the government systems anywhere in the world. Civil and criminal liability is available for all parties involved in the hacks.

As I stated initially, deploying an automated hacking tool on the internet is a high-risk endeavor.

If another opinion is sought, see the following. https://fortune.com/2025/07/23/ai-coding-tool-replit-wiped-database-called-it-a-catastrophic-failure/

Here is a high level summary:

Barrier                                                                   Why It Matters

Complexity of real-world environments            AI can’t easily generalize
Risk of autonomous actions                               Too dangerous to trust without oversight
Lack of high-quality data                                    Hard to train effective offensive models
Marketing vs. reality                                            Hype outpaces capability
Human creativity                                                 Hard to replicate with current AI