I wouldn't be surprised if we saw a headline in a few years when we find out other actors (e.g. China, Russia) have been buying this data en-masse too.
Did you request a SSL certificate? Those are public, actors use those to scan any newly requested website for known vulnerabilities and other misconfigurations. I suspect you're just looking at standard internet noise :)
Do you run a dedicated "AI SRE" instance for each customer or how do you ensure there is no potential for cross-contamination or data leakage across customers?
Basically how do you make sure your "AI SRE" does not deviate from it's task and cause mayhem in the VM, or worse. Exfiltrates secrets, or other nasty things? :)
I think the underlying point is valid. Agents are a potential tool to add to your arsenal in addition to "throw shit at the wall and see what sticks" tools like WebInspect, Appscan, Qualys, and Acunetix.
Feel free to correct me, but the ML classifier appears to be rather bare. Less than 20 hardcoded payloads with randomized URL encoding as the only augmentation. How does this generalize to novel evasion techniques? Genuinely curious what your eval numbers look like against real traffic.
Author here! Are you referring to the "What’s inside this vendor’s VMware images?" on the about page? That is merely an illustration of what goes on inside my head. This is the first article on my blog.
I'd say I agree with you there for the low-hanging fruit. The deep research (there's an image filter here but we can bypass it by knowing some obscure corner of the SVG spec) is where they still fall over and need hand holding by pointing them at the browser rendering stack, specs, etc
Maybe in the future when labs train more specifically on offensive work, lots of hand holding needed right now.
Even simple stuff like training the models to recognize when they're stuck and should just go clone a repo or pull up the javadocs instead of hallucinating their way through or trying simple internet searches.
I work in this space. The productivity gains from LLMs are real, but not in the "replace humans" direction.
Where they shine is the interpretive grunt work: "help me figure out where the auth logic is in this obfuscated blob", "make sense of this minified JS", "what's this weird binary protocol doing.", "write me a Frida script to hook these methods and dump these keys" Things that used to mean staring at code for hours or writing throwaway tooling now takes a fraction of the time.
They're straight up a playing field leveler.
Folks with the hacker's mindset but without the programming chops can punch above their weight and find more within the limited time of an engagement.
Sure they make mistakes, and will need babysitting a lot. But it's getting better. I expect more firms to adopt them as part of their routine.