I feel quite apprehensive writing this post. Recently, while browsing the internet and Twitter, I've been seeing numerous discussions about AI agents. I'd like to share my perspective here. I'm uncertain whether my views are accurate or not, but I've been genuinely interested in exploring AI agents and understanding their potential utility for bug bounty programs — specifically in the current context, rather than speculating about future developments.

Initially, I assumed that everyone could run AI agents locally on their own computers or alternatively use company APIs. However, both approaches present significant challenges, particularly for beginners. Running AI agents locally requires substantial computational resources and high-end hardware. Moreover, current models cannot fully automate tasks and require considerable fine-tuning and oversight. On the other hand, utilizing company APIs raises concerns about result reliability and involves substantial costs.

I recently attempted to use Claude Code, only to discover that the model cannot be downloaded for local use. Instead, users must access it through their API, which requires a minimum upfront payment starting at $5.

First I specified a target like this: *.obsidianlabs.cloud. This required some configuration modifications. I did it as shown in this video:

https://youtu.be/CODgq6sMNQ4

You can also download it here: https://code.cloud.com/docs/en/cli-reference


Then he started scanning as shown in the picture. It took about an hour and I fell asleep. I waited so long.


Apparently he used more than 47 tools to scan. I was very happy. I thought I could make $10,000 by spending $5. When I woke up, I saw that the scan was over and all the money was gone.


As the picture shows, it found 7 bugs.


I then requested that he show me the results of the bugs he had discovered, but he responded that I did not have a balance credit and therefore could not access that feature. I spent over 30 minutes searching my computer for the output files, which I eventually located. Subsequently, I sent these files to obsidianlabs.cloud for analysis. Despite working on the proof-of-concept exploits for more than three hours, none of them proved successful.


Then I thought maybe I didn't know enough about bug bounty, so I couldn't reproduce it.


So I came back and added another $6 as a balance. He started scanning again. I asked him to check it 100% and show me the results. I waited for more than an hour and the scan was complete. I had spent $11 by the time it finished.


I worked on the PoCs again for a few hours, but nothing worked and it was all lies. I started using bad words with the AI. I said, "You stole $11 from me. Why doesn't the result work?"


I think the AI was angry and said, "I scanned like this." As shown, it is better to use Burp Suite. HAHAHAHAH

My Assessment of the Overall Process

In my view, security researchers should prioritize developing their own automation strategies and methodologies rather than relying heavily on AI-driven tools. While AI can assist in bug detection and vulnerability assessment, it presents notable limitations: operational costs can be significant at scale, and its findings require careful manual validation due to false positives and contextual inaccuracies.

Organizations, especially large enterprises, would likely achieve greater security maturity by investing in comprehensive source code reviews and structured security testing frameworks. AI can serve as a supportive tool in vulnerability assessment workflows, but it remains insufficient for generating reliable, fully functional proof-of-concept exploits — a critical requirement in bug bounty programs.

Ultimately, AI should augment human expertise, not replace it.

I suggest you try this AI.


Discover Obsidian Labs: A high-performance AI platform tailored for bug bounty and CTF workflows. Featuring fewer restrictions and greater technical freedom, it enables you to:

  • 🚀 Brainstorm creative testing strategies.
  • 💀 Generate sophisticated payload ideas.
  • 🔍 Explore deep concepts in security research.
  • 🤖 Automate complex, repetitive tasks.