Typically when you use coding agents like Claude or Codex you manually prompt and guide the agent to the goal, repeatedly (unless the task can be one-shotted). Loops are essentially workflows designed to take the human out of the loop and guide the agent to the goal autonomously without repeated manual prompting. The most primitive loop is the Ralph loop https://t.co/tSK8xoLk4u or /goal.
It looks like the new meta for Security Researchers is to also excel at Agentic AI research, you must do both in parallel to stay relevant. In fact, this applies to most, if not all, white collar jobs currently.
The field is rapidly merging with AI. It’s not as simple as only using codex or claude, you have to find ways to create tools (or use existing ones) that tailor AI to a specific codebase with specialized harnesses, scans, fuzz suites, etc.
If you don’t do this, someone with little knowledge of web3 security but high knowledge of utilizing agentic AI will outcompete you. But you need both to succeed because AI isn’t enough, and it never will be.
And more importantly, if we don’t adapt to this, just remember that black hats have already adapted.
My autonomous AI agent found 1 High and 1 Medium severity finding that could lead to remote crash of Zebra nodes in @zcash. Fixed in 4.5.0 upgrade.
No code was manually read during the discovery process. Code was manually read to validate and verify the finding and report are correct.
https://t.co/7TmhBHK45t
https://t.co/GtUp1WTBwT
Future of web3sec: Arms Race - Defensive AIs vs Offensive AIs, with teams of elite humans continually improving them.
Protocols that aren't monthly scanning their existing code using continually improving Defensive AIs will fall behind the curve & more likely to be exploited.
Thank you for the comment. I will make sure there is no room for misinterpretation next time. And I think everyone agrees that LLM psychosis has become a huge problem in the industry. But also the barrier to finding valid bugs in bug bounties has never been lower. In the end, it all comes down to being responsible with the usage of AI as a tool.
To be crystal clear here: I do not condone flooding programs with AI slop which ruins bug bounty experience for everyone. Here, observing their response to the finding means finding out whether the project ghosts you or underpays you terms and you can calibrate whether you should spend more time / tokens on the project
A good thing about fully autonomous AI audit agents is you can generate submissions (validate them first!) send them to the bug bounties and observe their response to the finding to determine whether you wanna spend more tokens there lol
@adrianhetman => But using BBP as final check for your AI? Not cool bro 😅
Also, nowhere in the original post or my reply to this did I mention this. And I in fact stated in my original post to validate submissions first. So I am not sure how you got to this conclusion.
@adrianhetman => With AI agents researchers only need to send clear cut validated high/critical findings from their agents and observe response, instead of spending weeks digging into the code and getting rugged in the end.