Episode #320 - Return of @lojikil - LLM Bug Hunting, AI OffSec, Defender Burnout

This week on episode #320 of the Absolute AppSec podcast, host Seth Law (@sethlaw) is joined by frequent guest and security expert Stefan Edwards (@lojikil), who fills in for regular co-host Ken Johnson (@kenjohnson). This episode features an exploration of the acceleration of AI on the offensive side of security, enabling threat actors to automate complex tasks like patch diffing, gadget discovery, and reverse engineering binaries. The conversation highlights a recent milestone where an AI-driven tool, Mythos, successfully identified a vulnerability in curl, signaling a shift from AI slop to more relevant bug reports. However, Stefan is skeptical of LLMs’ ability to produce secure, large scale systems, noting rigid or inconsistent code structures. 

The episode begins by addressing the increasing visibility of sophisticated threat actor groups like ShinyHunters and Team PCP, which are becoming household names even among non-technical audiences. Seth shares a poignant anecdote about his thirteen-year-old son asking about ShinyHunters, highlighting how major security incidents such as the massive Instructure (Canvas) breach has brought cybersecurity into the “normie space”. Stefan notes that groups like Team PCP are successfully targeting prominent platforms like Minecraft and GitHub, making their operations much more impactful to the average Joe. From an economic perspective, Seth says that these groups are now targeting “bigger whales” because the potential for financial gain increases as their actions affect larger, more essential business ecosystems. 

Once again, Absolute AppSec talks all things AI. Today, specifically, it’s on the impact of LLMs on the speed and efficiency of security exploits. Stefan explains that LLMs now act as an artificial intern, capable of automating simple but tedious tasks. This technology has dramatically decreased the timeline between a patch being released and a functional exploit being developed. Seth points out that while the industry has always had fuzzing tools, LLMs provide a new layer of automation that requires significantly less upfront know-how to identify complex vulnerabilities. Both Seth and Stefan agree that the democratization of skill allows lower-skilled actors to accelerate their capabilities while enabling high-skilled actors to automate previously non-trivial, annoying tasks.

The hosts also analyze the recent news surrounding Anthropic's "Mythos" model, which was hyped as a revolutionary tool for vulnerability research. They reference Daniel Stenberg’s (the creator of curl) experience with the model, noting that while it did identify one confirmed low-severity CVE in curl, the initial results were marred by AI slop and hallucinated vulnerabilities. Seth argues that while Mythos is adept at identifying edge cases, high-value bug hunting still requires significant engineering effort and domain expertise to orchestrate the pipeline and validate results. Stefan adds that LLMs excel at “lateral thinking"—connecting disparate pieces of research that humans may have overlooked—but cautions that they require rigorous human oversight to be useful.

While AI is massively useful for identifying vulnerabilities in the long tail of neglected legacy applications, Seth and Stefan are concerned about the implications for defenders. Stefan, in particular, feels like a nihilist regarding the defensive side of the house, arguing that while AI makes breaking things easier, it is not yet effective at large-scale secure building. He warns that organizations are using AI to build faster things even faster without addressing the fundamental security flaws inherent in their existing frameworks. Seth emphasizes that the blast radius of a compromise is now much larger, as automated agents can attack an entire attack surface 24/7. Both of them conclude that the only path forward is through a return to security basics: adhering to the principle of least authority, implementing robust defense-in-depth strategies, and engineering better incident responses rather than just focusing on detection. 

Sprouts are coming up, so now’s the time to display your solidarity along with your support for the Podcast. Check out the selection of green tees in our merch store. (There are other colors as well). Tee-shirts are great gifts for yourself or your friends:

Whether you are an AI optimist or an AI pessimist, there’s a place for you in our Slack. Sit down, relax, and stay a while.

Stay Secure,

Seth & Ken Stefan

Related Episodes

https://www.youtube.com/watch?v=VreqmGPAK7I – Episode #189 - Security Bypasses, AppMap, Dastardly - Seth and Ken discuss the way users work around security constraints when it gets in the way of usability, in the case in the health care industry where screen lockouts can undermine speed of care in serious situations.

https://www.youtube.com/live/jALpBoAKiB8 – Episode #236 - Memory Safe Languages, LLM Supply Chain Security - An early instance of LLM supply-chain risks is discussed in this episode with Hugging Face models repository being used for watering-hole attacks.

https://www.youtube.com/watch?v=hjnSfZLyKM0 – Episode #257 - In-Person vs. Virtual Training, Compliance Violations - The podcast duo discuss the experience of delivering trainings in-person vs virtually (shoutout to everyone who came to DEFCON Singapore for Harnessing LLMs). Also, the compliance violations leading to the government bringing a lawsuit against Georgia Tech brings up similar discussion points regarding what compliance is versus what security is.

Absolute AppSec Happenings

Mythos ‘Discovered’ a CVE Already in Its Training Data - And That’s Still Worrying – Jake Feiglin from Rival Security Research argues that Anthropic’s Mythos model didn’t autonomously discover a new zero-day in FreeBSD; instead, it identified a vulnerability identical to a 2007 Kerberos CVE already in its training data. Despite this, the finding is worrying because it highlights a massive code reuse problem. LLMs make duplicating vulnerable code easier, making it difficult for defenders to track and patch these “hidden” flaws across various software forks. 

What works against Mythos today is what worked against ransomware 5 years ago, and malware 10-15 years ago – Ross Haleliuk argues that despite the disruptive potential of Anthropic’s Mythos, the fundamental principles of defense remain unchanged. Over 90% of breaches still stem from a lack of operational discipline rather than novel attacks. Consequently, the most effective defenses against AI-driven exploitation are the same basics that worked years ago: patching, misconfiguration management, segmentation, and identity oversight. Success depends on consistent, large-scale implementation. 

We get paid to break into buildings for a living. Ask us anything! - Michael Pollan argues that algorithms and AI erode our consciousness by colonizing what he calls “generative boredom,” the first step in genuine creativity. By replacing spontaneous thought and real human connection with digital distraction, a neurological highway away from displeasurable thoughts, our mental muscle weakens. To defend our interiority, we must embrace idle moments and practice "consciousness hygiene" to reclaim our minds.

Upcoming Events

Where in the world are Seth and Ken?

August 1-4, 2026 - AI-Enhanced Secure Code Review: Black Hat Edition - BlackHat USA, Las Vegas - Seth and Ken are bringing a four-day exclusive course to Black Hat. This is an update on the exclusive version of the course offered at Black Hat Europe. Early bird pricing is ongoing, so it’s a great opportunity to get a truly in-depth understanding of Secure-Code Review and how it can be empowered through LLM-tooling. Seth and Ken have innovated industry-leading trainings in both of these topics, so this four-day course promises to provide a lot of valuable insight.

August 10-11, 2026 - Agentic AppSec: Harnessing LLMs - DEF CON Training, Las Vegas - Comprehensive course designed for developers and cybersecurity professionals seeking to harness the power of Agentic AI and Large Language Models (LLMs) to enhance software security and development practices.