teflon

@oegerikus @Xbow Cool post i watched the video and this exactly the type of work i do with AI as a bug hunter

Nifty. If you love this as I do, come work at @Xbow !

@rez0__ @vokaysh Great in some ways, however, websocket support sucks

@vokaysh the burp destroyer

annndddd another friend: > Took your advice, built a hacking companion in Caido. Found and submitted a bug within an hour.

@TechCrunch @rez0__ did u read roys statement?

Cluely CEO Roy Lee admits to publicly lying about revenue numbers last year techcrunch.com/2026/03/05/clu…

@zseano @rez0__ I didnt even think of feeding it my h1 reports im so dumb lol. Ill try that today

@rez0__ I need to try this.. 👀

a good friend of mine said to me this morning:

@rez0__ Yeah its crazy claude found me 3 rces in the last 4 days

It is hard to communicate how much bug bounty has changed due to AI in the last 2 months: not gradually and over time in the "progress as usual" way, but specifically this last December. There are a number of asterisks but imo coding agents basically didn't work for security research before December and basically work since - the models have significantly higher quality, long-term coherence and tenacity and they can power through large and long hacking tasks, well past enough that it is extremely disruptive to the default bug bounty workflow. Just to give an example, over the weekend I pointed Claude Code at a new program's scope and wrote: "Here are the target domains. Enumerate subdomains, grab all the JavaScript bundles, run the full analysis pipeline (endpoints, secrets, source-sink tracing, postMessage handlers), fuzz the discovered paths, spider the authenticated surface, check for IDORs on user APIs, test any interesting GraphQL endpoints, and write up an HTML report of everything you find." The agent went off for ~30 minutes, ran into multiple issues (auth failures, WAF blocks, malformed responses), researched solutions, resolved them one by one, analyzed the JS, fuzzed endpoints, tested access controls, and came back with the report. Two confirmed vulnerabilities and a handful of interesting leads. I didn't touch anything. All of this could easily have been a full weekend of manual work just 3 months ago but today it's something you kick off and forget about for 30 minutes. As a result, bug bounty hunting is becoming unrecognizable. You're not manually clicking through Burp Suite and hand-testing parameters one by one like the way things were since this industry started, that era is over. You're spinning up AI agents, giving them targets *in English* and managing and reviewing their output in parallel. The biggest prize is in figuring out how you can keep ascending the layers of abstraction to set up long-running orchestrator agents with all the right skills, memory and instructions that productively manage multiple parallel hacking instances for you. The leverage achievable via top tier "agentic engineering" for security research feels very high right now. My friends and I have been building out custom skill libraries for Claude Code - things like JS static analysis pipelines, authenticated fuzzing, IDOR testing frameworks, GraphQL introspection - and sharing them with each other. Each person's agent gets better as the collective skill set grows. We're finding more bugs in a week than we used to find in a month. It's not perfect, it needs high-level direction, judgement, hacker intuition, oversight, iteration and hints and ideas. It works a lot better in some scenarios than others (e.g. especially for targets with thick JavaScript clients where you can verify findings with a curl command). The key is to build intuition to decompose the target just right to hand off the recon and testing parts that work and help out around the edges with the creative exploitation. But imo, this is nowhere near "business as usual" time in bug bounty.

@NahamSec @Gtr_Cliff What i thought as well for a sec haha

@Gtr_Cliff Elite ball knowledge

❌ RTFM ✅ Use AI instead

Been working on a new tool for bug bounty hunters and will be looking for some testers in the near future, message me if you are interested! chaoticrecon.com

@S1renHead_ Yes its definitely new changes bc we've never had the issue until today when his messages started being flagged as potential spam

@thedawgyg curious, what LLM model do you use? I've been experimenting with opus 4.6 for 0day hunting in chrome libraries with AFL today and have had some luck, one high i validated and will submit soon

Started up some agents to work tonight. Have 1 agent that is looking for nothing but stored xss, 1 on SSRF, 1 on sqli, and will see whch can have the most valid success by morning. ive got them 'competing' in a competition with each other to see who's better.. lol

@vitobotta @IamKyros69 Curious whats wrong with ur extension? It works for me for the most part wxcept when creation new passwords in fields instead of copying them manually

@IamKyros69 My favourite is Vivaldi. The only reason why I have been using Brave is because the Bitwarden extension doesn't work perfectly in Vivaldi. For the past couple of days I have been testing Opera and I actually like it.

Can you name a single browser better than Brave?

I've created the first publically available #OpenClaw (#ClawdBot/#MoltBot) honeypot. github.com/0xksdata/openc…

@thedawgyg I also have some contacts. Shoot me a DM :)

Do I know anyone that knows how to exploit things on Windows? While trying to go to bed last night, was thinking about the vuln and figured there's alot more things that are likely vuln to it.

@Oluwakomiyo_ @the_IDORminator @0xdef1ant At one point i had close to 1k in a project

@the_IDORminator @0xdef1ant 300 to 400 tabs.... 😳😳😳 🙌🙌

Race Condition IDOR, $36,750 Where automation fails is often in the gray areas. In the case of this bug, an IDOR existed by integer "orderId", which would allow viewing and hijacking someone else's order by simple swapping the order number - but ONLY IF the order had not yet completed. We see here that the order is 10099780. If we increment up by 1 to 10099781, it may have said "not found" (404) or access denied (403), and we keep incrementing upwards to maybe 10099788 (eight orders higher), and suddenly we get data back (200). You tinker around a bit more, come back to that same number, and now it says access denied (403). Hrmm. So you increment up again, and get another hit, which again turns to access denied in a matter of seconds or minutes. After some pondering, you realize it turns out that once an order is completed, the access control kicks in, but not while the order is still in progress. Well ain't that fun. From an attackers perspective, what can we do with this? What is the risk? Imagine you could change the shipping address on someones uncompleted order and intercept the product they are about to pay for. Or increasing the quantity of the product they are purchasing. Suddenly you have a warehouse full of goods you didn't pay for. That's not good for the company! Perhaps automated tooling was used to scan this, but if no other orders were in progress in lower environments, maybe it got missed. Sometimes things just don't get found until they are in production for so many reasons. If you are gonna do some #hacking, may as well do it on #bugbounty programs and get paid for it instead of wasting time on HTB and random labs. "Hey random guy, how did you get so good at hammering?" Random Guy: "I used the hammer every day for 5 years."

@Microsoft plz fix your apps i need my work email

Thank you to @NahamSec for inviting me on his channel to talk about some amazing bugs. Go check it out here: youtu.be/uW7COsIKTXM?si…

@4ng3lhacker @ctbbpodcast It was great!

Thanks to everyone who attended our @ctbbpodcast masterclass!

Bruh 💀 Drop yours in the comments!

@thedawgyg @medusa_0xf

I wonder who caused this 🤔

@Jhaddix what service do you use to get the gray scale customer logos on your site?