AI coding agents will drastically alter both the practice and the economics of exploit development, automating the discovery of zero-day vulnerabilities
For the last two years, technologists have ominously predicted that AI coding agents will be responsible for a deluge of security vulnerabilities.
sockpuppet.org Thomas H. Ptacek
Related Coverage
- Vulnerability research is cooked Hacker News
- Vulnerability Research Is Cooked Lobsters
- “In a post-attention-scarcity world, successful exploit developers won't carefully pick where to aim. They'll just aim at everything. Operating systems. Databases. Routers. Printers. These kinds of targets run everywhere, including in every regional bank and hospital chain in North America. … @remixtures@tldr.nettime.org · Miguel Afonso Caetano
- Securing cloud infrastructure for AI Atlantic Council · Sara Ann Brackett
- 46 Vulnerability Statistics 2026: Key Trends in Discovery, Exploitation, and Risk Security Boulevard · Vinugayathri Chinnasamy
Discussion
- @charlesdardaman (Charles) on x: Great post here mirroring some of my thoughts on the future of exploit development. I think @tqbf is absolutely right here. The vast majority of bugs are pattern matching, and having enough patience to find them while having a broad understanding of the fundamental technologies. …
- @tqbf (Thomas H. Ptacek) on x: From Carlini's talk at Unprompted a few weeks ago — I wish I'd remembered this detail for the post — here he is, demonstrating Claude Code finding a blind SQLI in Ghost, and then writing a fully-functioning exploit for it. https://www.youtube.com/...
- @lukolejnik (Lukasz Olejnik) on x: Cyberattacks and vulnerability research are in for a wild run. “successful exploit developers won't carefully pick where to aim. They'll just aim at everything. Operating systems. Databases. Routers. Printers. These kinds of targets run everywhere” https://sockpuppet.org/...
- @zooko on x: Another veteran computer security researcher — Thomas Ptacek — says we're currently in the middle of the Computer Security AIpocalypse: https://sockpuppet.org/...
- @predraggruevski (Predrag Gruevski) on x: This is (a) extremely true and (b) not just limited to software security. Most of CS is ~10% insight, ~90% jigsaw puzzle. The solver doesn't care about the domain, although it does perform better in the hands of a sophisticated user.
- @patio11 (Patrick McKenzie) on x: Thomas on LLMs vis software security, or, the thing that has been theorized for years is now, in the judgement of local domain experts, actually happening.
- @davidmanheim (David Manheim) on x: @tqbf “Second, we've been shielded from exploits not only by soundly engineered countermeasures but also by a scarcity of elite attention.” Yes, thank you! As I wrote last year: https://www.lesswrong.com/...
- @zulfikar_ramzan (Zulfikar Ramzan) on x: Just finished reading @tqbf's highly insightful post on the future of vulnerability research. For far too long, software was veiled by a form of security-by-obscurity — namely, a dearth of security researchers (and attention cycles) for identifying issues. AI just pierced that
- @sifu.tweety.fish (Tweety Fish) on bluesky: come for the cogent top-line point, stay for the fun '90s hacker history, marvel along the way at the moment where Thomas seems to imply that “doodads” are a kind of internal organ. Also if you don't have direct experience of LLM coding tools as of today, this is the kind of thi…
- @alilleybrinker.com (Andrew Lilley Brinker) on bluesky: Yeah, this is directionally right, even if (as the last section discusses) the details may be messier than the clear-line prediction.
- @hatr (Hakan) on bluesky: “Substantial amounts of high-impact vulnerability research (maybe even most of it) will happen simply by pointing an agent at a source tree and typing ‘find me zero days’.” — I think this outcome is locked in. sockpuppet.org/blog/2026/03...
- @retr0.id (David Buchanan) on bluesky: I think the recent iOS exploit kit leaks are a hint of what's to come. I'm less worried about 0-days (since LLMs benefit attackers and defenders roughly symmetrically) and more worried about ubiquitous exploits for n-days.
- r/netsec on reddit: Vulnerability Research Is Cooked
- @matthewdgreen (Matthew Green) on bluesky: This is a great article on vulnerability research in the (coming) age of AI, by Thomas Ptacek. It mostly focuses on the fact that machines will soon supplant human vulnerability researchers. That's sad! But my question is: do we get safer, or do we get less safe? sockpuppet.or…