Leveraging AI for Smarter Bug Bounties | Bug Bounty Village, DEF CON 32
Author: Bug Bounty DEFCON
Uploaded: 2025-04-21
Views: 4078
🔍 Leveraging AI for Smarter Bug Bounties | Talk by Joel Noguera & Diego Jurado
🛠 DEF CON / Bug Bounty / AI / AppSec / Automation
In this talk from DEF CON’s Bug Bounty Village, Joel Noguera and Diego Jurado from XBOW share their research into how large language models can be used to automate parts of the bug bounty workflow — from recon to exploitation.
Over the past few months, their team built and tested autonomous agents capable of solving real-world challenges with minimal human input. They walk through what worked, what didn’t, and how AI might realistically assist (not replace) security researchers.
🧠 What’s Covered:
AI as a Bug Hunter
→ What does it take to mimic human intuition, creativity, and decision-making?
Real-World Demos
→ Autonomous exploitation of JWT and XSS vulnerabilities
→ Upload bypasses, CSRF handling, and recon logic — all without human guidance
Scaling and Evaluation
→ Benchmarks from PortSwigger, PentesterLab, and custom challenges
→ 85% success rate on previously unseen test sets
Humans vs AI
→ Results from a controlled test with 5 professional pentesters
→ Where AI excels, and where human experience still leads
Human-in-the-Loop
→ Prototype showing how AI can be guided and corrected mid-process
→ Feedback loops and safer, more useful automation
📊 Results at a Glance:
75% success on PortSwigger challenges
72% on PentesterLab
85% on novel validation benchmarks
📁 Vulnerabilities Covered:
XSS, IDOR, JWT, CSRF, SSRF, misconfigurations, and more — with a focus on realistic web bugs seen in live environments.
📌 Want to try it yourself?
The team plans to release their benchmarks and tooling soon. Keep an eye on:
🌐 https://xbow.com/
🐦 https://x.com/Xbow
This talk is a look at where AI fits into the offensive security toolkit — and where it still has a long way to go.
#BugBounty #AI #AppSec #CTF #SecurityResearch #Automation #Pentesting #DEFCON