AI is changing how vulnerability research gets done, but most of the conversation is still theoretical: what a model might eventually be capable of, rather than what it can actually find today.
We wanted to answer a more practical question: using the models already available to us right now, how far can AI take us in finding real, exploitable vulnerabilities in production software?
This piece details how the team at Intruder is using LLMs to find novel vulnerabilities using code scanning frameworks alongside current, pre-Mythos models.
We walk through a remote, multi-stage SQL injection zero-day we discovered in a WordPress plugin with over 300,000 users — fully automated from discovery through exploitation, with no human in the loop.
The focus problem: why pointing AI at a whole codebase doesn't work
The big problem when pairing AI with a code scanner is focus. LLMs are excellent at taking small segments of code, or a description of a specific problem, and finding an interesting solution. But point one at a large codebase and ask it to find security issues, and it will try to ingest every file in the repo.
That's expensive in tokens, and worse for accuracy: by the time the model is halfway through, its context is full of irrelevant code, and the bug you actually want is buried in noise.
For more complex bugs that require chaining several steps together, you're then relying on the framework to keep the right context in memory, or retrieve it intelligently when needed. In our experience, that produces poor output rather than real and interesting bugs.
Traditional code scanning frameworks already solve this. We use a technique we're calling a program slice, which is similar to when an IDE or LSP tool uses features like "find implementation" or a call graph to find all functions called by the current function. These are mature, well-tested tools, and they sidestep the diluted-context problem entirely.
Pentest with every major release. Security that keeps up with engineering. Intruder's AI pentesting agents deliver the depth of a manual engagement on-demand: no lead time, no scoping calls, a fraction of the cost. Test with every release, close your window of exposure, and get an audit-ready report in hours. Book a Demo
... continue reading