Vulnerability Research Is Cooked

2026-04-03 · Source: Simon Willison's Weblog · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Advanced, quick

Summary

Thomas Ptacek's blog post, "Vulnerability Research Is Cooked," published on April 3, 2026, asserts that advanced frontier models will profoundly and rapidly transform vulnerability research and exploit development within months. He predicts a "step function" change where a significant portion of high-impact vulnerability research, potentially most of it, will involve simply directing an AI agent at source code to discover zero-day exploits. Ptacek attributes agents' efficacy to their inherent knowledge, pattern-matching capabilities, and brute-force search. These models encode vast correlations across source code, understand documented bug classes like stale pointers and type confusion, and excel at the implicit search problems involved in pattern-matching bug classes and constraint-solving for reachability and exploitability. The article was partly inspired by a Security Cryptography Whatever podcast episode featuring Anthropic's Nicholas Carlini.

Key takeaway

For security researchers and CTOs evaluating cybersecurity investments, understand that the economics and practice of vulnerability research are undergoing a rapid, fundamental shift. Your teams should explore integrating frontier AI models into their exploit development workflows now, as these agents can automate significant portions of zero-day discovery, potentially reducing manual effort and accelerating threat identification. Failing to adapt risks falling behind in identifying and mitigating critical vulnerabilities.

Key insights

Frontier AI models will drastically accelerate vulnerability research by automating zero-day exploit discovery.

Principles

• AI agents excel at pattern-matching bug classes.
• Exploit outcomes are testable success/failure trials.

Method

Point an AI agent at source code and instruct it to "find me zero days," leveraging its encoded knowledge of bug classes and correlation across codebases.

In practice

• Use AI agents for automated exploit development.
• Leverage AI for constraint-solving in vulnerability research.

Topics

• Vulnerability Research
• AI Agents
• Exploit Development
• Frontier Models
• Bug Classes

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, AI Scientist, Research Scientist

Related on AIssential

• Frontier AI and the Future of Defense: Your Top Questions Answered — Frontier AI models accelerate vulnerability exploitation and social engineering, demanding machine-speed defense and proactive security measures.
• Claude just BROKE the ENTIRE INDUSTRY... — Frontier AI models now autonomously discover and exploit zero-day vulnerabilities, posing significant cybersecurity risks.
• everyone JUST got HACKED... — AI models are rapidly accelerating vulnerability discovery and enabling autonomous, sophisticated cyberattacks.
• AI skills security, Open AI Deployment Company & zero days — AI's impact spans secure agent development, enterprise integration, and cybersecurity, creating both new challenges and solutions.
• AI Just Solved the Wrong Half of Cybersecurity — AI models now possess emergent, autonomous vulnerability discovery capabilities, outpacing human remediation efforts.
• Everyone's getting hacked — AI is rapidly accelerating both cyber attack capabilities and defensive measures, creating an "AI vs. AI" security paradigm.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Simon Willison's Weblog.