Where Is AppSec Going?
AppSec is adrift in the doldrums
Application security penetration testing has stagnated. AppSec hasn't had any developments that compare in breadth and scope to red teaming, the more holistic approach to network pentesting. Yes, we continue to work around the margins of the common vulnerabilities that are inherent to web and mobile applications, and new vulnerabilities will continue to impact server software and middleware. But we have not evolved our testing methodology alongside the development methodologies we have informed. And no, duct-taping generative AI onto our existing tools in the vain hope that a use case or two will fall out doesn't count. At (Re)clarative, we believe it is time to pursue new AppSec testing strategies through the development of new tools.