Vulnerability Research Is Cooked
The Coming Zero-Day Flood
Within the next few months, AI coding agents will drastically alter both the practice and economics of exploit development. Frontier model improvement won't be a slow burn, but rather a step function. Substantial amounts of high-impact vulnerability research will happen simply by pointing an agent at a source tree and typing "find me zero days".
Key Insights
The Bitter Lesson Hits Security
The author references Richard Sutton's "Bitter Lesson" — that general-purpose learning methods outperform domain-specific expertise. This is about to hit software security like a brick to the face.
"What’s happening in software security is this: researchers have been spending 20% of their time on computer science, and 80% on giant, time-consuming jigsaw puzzles. And now everybody has a universal jigsaw solver."
AI's Advantage
- Frontier LLMs already encode supernatural amounts of correlation across vast bodies of source code
- They know all documented "bug classes" — stale pointers, integer mishandling, type confusion, allocator grooming
- Vulnerability finding is pattern-matching bug classes and constraint-solving — precisely what LLMs are gifted at
Carlini's Results
Nicolas Carlini from Anthropic's Frontier Red Team used a trivial approach: run the same Claude Code prompt across every source file in a repo asking for exploitable vulnerabilities. Success rate: almost 100%.
He aimed at Ghost (popular CMS) and it spat out a broadly exploitable SQL injection vulnerability — without any security-specific tooling.
Implications
- Chrome, iOS, and Android should plan for an interesting 2026
- Finding high-impact bugs no longer requires elite human attention, exotic bug classes, or chemical accelerants
- A hundred instances of Claude/Codex will stay up all night for anyone who asks
Saved: 2026-03-31 | Source: Lobsters (lobste.rs)