Episode #305

How GenAI is changing the game for career newcomers, and the exploitative nature of Generative AI Engine Optimization.

This week on episode 305 of Absolute AppSec, Ken Johnson (@cktricky) and Seth Law (@sethlaw) are hopping on during the busy Q4 holiday season to share some of their insights on the evolving landscape of security and technology. There is no map for the industry to follow, so instead we have to speculate: How will the rise of generative AI impact career paths for newcomers, especially since LLMs fundamentally rely on the contributions of experts? (Psst— if you’re wondering how to keep up with rapidly changing AI tech, be sure to check training.absoluteappsec.com for a chance to attend Seth and Ken’s ever-evolving “Harnessing LLMs for Application Security” course.) Then, they dive into a discussion of the darker side of SEO, introducing the concept of Generative AI Engine Optimization (GEO), in which marketers exploit AI search results. To watch this episode or explore another, go to https://www.youtube.com/@AbsoluteAppSec/streams, or you can find us wherever you get your podcasts.

“The more that I utilize AI, and the more that I watch some of the newer employees that are coming into the field, […] the way that they can manipulate [AI] is on par with how you and I made our careers doing Google searches. […] This is how technology moves forward, but older generations that aren’t doing Google searches or aren’t dealing with AI on a daily basis get somewhat left behind.”

Seth

Ken and Seth discussed the changes AI is engendering in the security job market, with Ken noting that industry influencers are saying new entrants may not find the same path to success because of AI. Seth, however, feels less pessimistic, highlighting young people who demonstrate an innate ability to manipulate LLMs and comparing their skill to how older generations mastered Google search for career advancement. He believes this proficiency allows them to overcome technical hurdles faster. Seth warned that older professionals who do not adapt to daily LLM use might get left behind, but he sees this new efficiency as promising for the industry. Ken countered that the foundation of success—contributing open-source knowledge and building community—won’t disappear, because LLMs rely on exactly this expert-provided data. Both agreed that while technology and career pathways change, the hacker mindset will remain, giving an advantage to those who manipulate systems and push boundaries, especially as the industry continues to grow.

“It’s money and exploitation-based, and we treat [GEO] as if it’s a completely valid industry… when it really is taking advantage of weaknesses in search engines and now [uses] generative AI systems in order to increase your profile and make more money.”

Seth

The discussion shifted to the exploitation of search algorithms, exemplified by a supply-chain-style incident in which the popularity of an open-source project, gRPCurl, was hijacked to promote a fake domain. The attack’s aim was not a direct malicious compromise but rather gaming Search Engine Optimization (SEO), showing that exploiting search remains a major problem. Ken introduced Generative AI Engine Optimization (GEO) as the next evolution of this exploitation, in which marketers optimize content so that AI-driven search results prioritize it. Tactics include uploading text files containing thousands of keywords to feed AI systems. Seth observed that the AI response at the top of search pages is often “good enough,” leading him to stop clicking the lower links, which validates marketers’ focus on rankings. Both hosts concluded that SEO and GEO are industries fundamentally built on exploiting technological processes—finding flaws in search crawlers or generative AI systems—to increase profile and profit, a trend that is not merit-based but money-based and exploitative.

This episode is sponsored by DryRun Security, who have developed a security sidekick that doesn’t send AppSec teams and developers down blind alleys. Their latest whitepaper contains a lot of sage advice on “Building Secure AI Applications.” Visit the link here to read more: https://www.dryrun.security/resources/owasp-top-10-llm-building-secure-applications

I just saw some snow outside my window, and it made me reach for a beanie. But, alas, it wasn’t an Absolute AppSec branded one. Then I discovered I could wrap my ears in gauze and wear my Absolute AppSec dad hat to cover all my bases in a pinch. You, dear reader, have another option. The Absolute AppSec merch store right now has a beanie for winter that looks super cool!

You’ve made it to beanie season! Get the appropriate weather-wear in the Absolute AppSec store!

If you have thoughts or predictions for how AI will change the security industry, join the discussion on our Slack. Show topics often originate as discussion points with the Slack audience, and the newsletter incorporates that discussion as well. So, join in there to offer ideas for what you’d like the podcast to cover, as well as pick the brains of a number of industry experts.

Stay Secure,

Seth & Ken

https://www.youtube.com/watch?v=fnm3mz01kFQ - Episode #165 - Portswigger 2021 Top 10, Supply Chain Attacks, TLS Certs - This episode involves some good discussion of the types of attacks npm attracted as the number of packages being developed for the massive third-party package repository grew rapidly. The SEO-inspired spam attacks of a couple of years ago presage what we may expect from GEO developments.

https://www.youtube.com/watch?v=l9HcKeLXVjw - Episode #179 - Starting in AppSec, Threat Modeling - Seth and Ken discuss what could help early career AppSec professionals and provide some hopefully evergreen advice for those new to the industry.

https://www.youtube.com/live/IPCdTWXT5uQ - Episode #205 - Decline of AppSec, Death of Code Review - If we roll back a hundred episodes, you’ll find that concerns about developments leading to the end of the AppSec industry, and other nihilistic viewpoints, have a perennial quality. Seth’s advice is to “find the niches in the industry to become an expert in”, or, as Ken says, sometimes just following the things you find interesting can be all it takes to build a career.

Absolute AppSec Happenings

https://allan.reyes.sh/posts/keeping-secrets-out-of-logs/ – “Keeping Secrets Out of Logs” by Allan Reyes – There may be no silver bullets for keeping secrets out of logs, but Allan is sharing 10 lead bullets that can get the job done when fired together.

https://blog.sicuranext.com/68-of-phishing-websites-are-protected-by-cloudfare/ - A report analyzing over 42,000 malicious domains found that 68% of phishing websites use Cloudflare’s services. Threat actors abuse Cloudflare’s free tier and reverse-proxy features to mask the true origin server’s IP address, gain DDoS protection, and appear more legitimate with SSL certificates. This obfuscation severely complicates takedown and detection efforts for cybersecurity defenders.

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components - A critical security vulnerability was found in React Server Components (RSC). The bug, present since the initial RSC release, allows a malicious client to induce arbitrary server file reads. Developers are urged to immediately upgrade to React 19.0.1 or later to patch this vulnerability.

Upcoming Events

Where in the world are Seth and Ken?

March 21-22, 2026 - BSidesSF - Watch this space for the details regarding a panel with Seth and Ken taking place in San Francisco in March.

April 7-8, 2026 - Harnessing LLMs for Application Security - IN PERSON at Kernel Con. Come join Seth and Ken in Omaha for the Harnessing LLMs course!