A few weeks ago I wrote about how AI is going to impact bug bounty. That post was mostly predictions. This one is about what’s actually happening right now.
First off, that prediction is already coming true. Since that post, there’s been an explosion of people posting on X about the bugs they’ve found with Claude Code.
I’ve been using AI coding agents (specifically Claude Code) as my primary hacking companion for a couple months. Not as a side-thing, but as my main way to hack. And the results have been stupid good. I’ll post a Q1 update soon that details it all. I personally think that the biggest reason it’s now possible is that Anthropic’s 4.6 models made a huge leap in their understanding of hacking.
One Big Component
Most people building AI hackbots (including me, initially) have their agents making raw curl requests or writing custom scripts. It works, but it’s messy. Reproducing what the agent did is painful. Validating findings means asking the agent or grepping through logs instead of being able to look at the request and response side by side.
I wrote a guest post on the Caido blog about a new skill I helped build that connects AI agents directly to Caido’s SDK. The TLDR: your agent can now programmatically create replay sessions, manage findings, pull auth tokens, search request history, and do everything you’d normally do by clicking around in the proxy UI. And it all happens through the same Caido instance you already use.
The real win is human-in-the-loop without any extra effort. Your agent runs, finds stuff, and creates replay sessions with descriptive names. You open Caido and it’s all right there, in the same interface you already know. You can verify the finding, edit the replay tabs, dig deeper, etc. There’s no extra context switching between your agent’s output and the tool you’re used to.
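To make the workflow concrete, here is a small Python sketch I am adding as an illustration. It is not the Caido skill’s code and does not call Caido’s SDK; the `Workspace`, `ReplaySession` and `Finding` names are my own. It models the point of the post: the agent records every candidate finding as a named replay session holding the exact request and response, and the human reviews them side by side, keeping the agent’s claimed severity separate from the verified one. The sample traffic inside `demo()` is constructed, not captured from any real target.

```python
"""Hypothetical agent-findings workspace (added example, not Caido's code)."""
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional
import json

SEVERITIES = ("Low", "Medium", "High", "Critical")


@dataclass
class ReplaySession:
    """One request/response pair stored verbatim so a human can replay it."""
    name: str
    request: str
    response: str


@dataclass
class Finding:
    """What the agent claimed, kept apart from what the human verified."""
    title: str
    agent_severity: str
    session_name: str
    human_verdict: str = "unreviewed"      # unreviewed | confirmed | dismissed
    verified_severity: Optional[str] = None


class Workspace:
    def __init__(self) -> None:
        self.sessions: Dict[str, ReplaySession] = {}
        self.findings: Dict[str, Finding] = {}

    # --- calls the agent makes ------------------------------------------
    def record(self, name: str, request: str, response: str) -> ReplaySession:
        # Descriptive, unique names are what make the session findable later.
        if name in self.sessions:
            raise ValueError(f"duplicate session name: {name}")
        self.sessions[name] = ReplaySession(name, request, response)
        return self.sessions[name]

    def report(self, title: str, agent_severity: str, session_name: str) -> Finding:
        # A finding without a recorded session cannot be reproduced, so refuse it.
        if agent_severity not in SEVERITIES:
            raise ValueError(f"unknown severity: {agent_severity}")
        if session_name not in self.sessions:
            raise ValueError("a finding must point at a recorded session")
        self.findings[title] = Finding(title, agent_severity, session_name)
        return self.findings[title]

    def search_history(self, needle: str) -> List[str]:
        return [s.name for s in self.sessions.values()
                if needle in s.request or needle in s.response]

    # --- calls the human makes ------------------------------------------
    def side_by_side(self, title: str) -> dict:
        f = self.findings[title]
        s = self.sessions[f.session_name]
        return {"finding": f.title, "agent_says": f.agent_severity,
                "request": s.request, "response": s.response}

    def review(self, title: str, verdict: str, severity: Optional[str] = None) -> Finding:
        f = self.findings[title]
        if verdict == "confirmed":
            if severity not in SEVERITIES:
                raise ValueError("confirming requires a verified severity")
            f.verified_severity = severity
        elif verdict == "dismissed":
            f.verified_severity = None
        else:
            raise ValueError(f"unknown verdict: {verdict}")
        f.human_verdict = verdict
        return f

    def summary(self) -> Dict[str, int]:
        out = {"unreviewed": 0, "confirmed": 0, "dismissed": 0}
        for f in self.findings.values():
            out[f.human_verdict] += 1
        return out

    def export_jsonl(self) -> str:
        return "\n".join(json.dumps(asdict(f)) for f in self.findings.values())


def demo() -> Workspace:
    ws = Workspace()
    # Constructed sample traffic; host and data are placeholders.
    ws.record("orders-cross-account-read",
              "GET /api/orders/1337 HTTP/1.1\nHost: example.test\nCookie: session=userA",
              "HTTP/1.1 200 OK\n\n{\"order\":1337,\"owner\":\"userB\"}")
    ws.record("health-debug-header",
              "GET /health HTTP/1.1\nHost: example.test",
              "HTTP/1.1 200 OK\nX-Debug: on\n\nok")
    ws.report("Other user's order readable", "Critical", "orders-cross-account-read")
    ws.report("Debug header present", "Critical", "health-debug-header")
    # Human review: the first claim holds up (rated High), the second "JACKPOT" is noise.
    ws.review("Other user's order readable", "confirmed", "High")
    ws.review("Debug header present", "dismissed")
    return ws


if __name__ == "__main__":
    ws = demo()
    print(ws.summary())
    print(ws.export_jsonl())
```

The design choice worth copying is that `report()` refuses a finding that does not point at a recorded session, and `review()` never overwrites the agent’s severity; the JSONL export therefore shows both what the model claimed and what a person actually verified, which is the number that matters when you write the report.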
As I mentioned in the Caido post, using this setup, I’ve found 15 vulnerabilities in the last 6 weeks. Most of them High or Critical severity.
Two Main Arguments
The two biggest buckets of thought on this topic online are:
- Anyone can do it, even your grandma
- There’s no way AI is coming for pentesters’ and bug hunters’ jobs
So let me address each of those. First, I do think it’s easy to forget all the stored knowledge that top-tier talent has. We’ve seen hundreds or thousands of bugs and not-bugs, so it’s really easy for me to dismiss or triage bugs when Claude says “JACKPOT! THIS IS CRITICAL!”. And it’s often not. For this reason, Grandma can’t do it. Pointing Claude Code at the right target/scope/endpoints for high ROI also requires decent taste. THAT SAID, given how cheap tokens are under Claude Max subscriptions and the value of even Low bugs in bug bounty, I actually do think it’s possible for beginners to make money for the next couple of months by jumping on this train.
The second group of thoughts around pentester/hunter impact is really interesting. I think human-in-the-loop is going to be big for at least a couple years. That’s why the Caido skill is so great. It loads up traffic, requests, and findings right into the tool you’re already using. Also, if you don’t think this will impact your job, please please please just do three things for me:
- Tell Claude Code (Opus) to make some bughunting/pentesting skills to use
- Point it at some scope
- Watch it work
If you’re a skeptic, I think it will surprise you.
What this means
I said it in my last post and I’ll say it again: people using AI agents are going to capture the majority of bug bounty market this year. The low-hanging fruit will get more sparse. The attack surface coverage will be broader. Hunters who adapt will do well. Hunters who don’t will have a rough time.
For pentesters and red teamers, the same logic applies. More ground covered, more thorough testing, and you still maintain the careful human oversight that clients expect.
Get started
If you’re not using coding agents for hacking yet, start now. If you want to try the Caido skill, check it out: it’s open source and it works with models as small as Haiku.
And if you want to hear me and other hunters talk about this stuff every week, we cover it on Critical Thinking Bug Bounty Podcast.
- Joseph
Sign up for my email list to know when I post more content like this. I also post my thoughts on Twitter/X.