AI Bug-Hunting Tools Are Raising the Pressure on Ethical Hackers

Artificial intelligence is starting to change one of cybersecurity’s most specialized jobs: finding software flaws before criminals do.

Valentina Palmiotti, widely known online as Chompie, is one of the world’s leading ethical hackers. She recently became the top individual competitor at the Pwn2Own hacking contest in Berlin, where she won $70,000 for finding two serious software bugs. But even after that success, she believes AI systems such as Claude Mythos could make the future of human bug hunting much harder.

Her warning is not that ethical hackers will vanish overnight. It is that AI is beginning to automate parts of the work that once gave elite researchers their edge.

The Chompie Warning

Chompie’s work is built around vulnerability research. Ethical hackers like her look for weaknesses in software, browsers, devices, operating systems, and online systems so those flaws can be fixed before attackers exploit them.

At events like Pwn2Own, researchers compete to break into major products under controlled conditions. These contests are closely watched because they reveal how quickly skilled hackers can find and exploit serious vulnerabilities.

Chompie’s Berlin win showed that top human researchers are still highly valuable. But she also said AI tools are already helping her work faster. That creates a strange tension. The same technology that can support ethical hackers may also reduce the space in which they can compete.

Her concern is that AI systems will become strong enough to find many of the easier and mid-level flaws before independent researchers do. That would leave fewer opportunities for humans who rely on bug bounties, contests, and vulnerability research as a business.

Why Claude Mythos Is Getting Attention

The tool at the center of the debate is Anthropic’s Mythos Preview, an AI system built for cybersecurity research.

According to Anthropic, Mythos Preview has already identified around 1,600 vulnerabilities across hundreds of software programs. The company has also said the system found thousands of high-severity flaws, including vulnerabilities affecting major operating systems and web browsers.

Mozilla has said Mythos Preview helped identify 271 bugs in Firefox. That alone shows why the technology matters. Browser bugs are valuable, difficult to find, and important to fix because browsers sit at the center of everyday internet use.

Anthropic has not made Mythos widely available. The company is limiting access to selected governments and cybersecurity institutions because a tool that can find serious flaws at scale could be dangerous in the wrong hands.

The Business of Bug Hunting Could Change

Bug hunting has always depended on scarcity. A small number of skilled researchers can find vulnerabilities that companies, automated scanners, and standard security teams miss.

AI challenges that model.

If a system like Mythos can search through large amounts of code and find vulnerabilities quickly, the value of certain types of manual research may fall. Companies may use AI to catch more bugs earlier. Security teams may run automated vulnerability discovery before outside researchers get a chance to report the same issues.

That does not mean human experts become irrelevant. It means the market may change. Lower-hanging vulnerabilities could disappear faster, and researchers may have to focus on more complex problems that require creativity, intuition, and deep technical judgment.

For bug bounty hunters, that shift matters. Many earn money by reporting flaws to companies or competing in hacking contests. If AI finds more of those flaws first, the available reward pool could shrink or move toward harder targets.

Human Skill Still Has a Place

The strongest argument against an AI-only future is that real hacking is not just pattern matching.

Security researchers still need to understand systems, chain weaknesses together, test assumptions, and prove that a flaw can be turned into a working exploit. AI can accelerate the process, but it does not remove the need for expert judgment.

A cybersecurity startup called Calif recently used a preview version of Mythos to help build a working exploit against protections in Apple’s new M5 chip in less than a week. The AI played a major role by identifying vulnerabilities that matched known exploit categories. But the researchers still needed human expertise to bypass newer protection systems.

That example shows the likely near-term future. AI may become an extremely powerful assistant, but advanced exploitation still depends on people who understand what the tool is finding and how to turn that into real security research.

Orange Tsai, another major Pwn2Own winner, has also said AI is pushing the bar higher for hackers. His view is that AI will change the field, but human creativity and instinct will still matter when the target is unfamiliar or technically unusual.

The Access Problem

The biggest question is not only what AI can do, but who gets to use it first.

Chompie’s position is that powerful vulnerability-finding tools should reach defenders and ethical researchers before criminals. If responsible security teams can use these systems early, they can fix weaknesses before attackers exploit them.

That matters because the same capability can cut both ways. In the hands of defenders, AI can help secure browsers, operating systems, cloud software, and enterprise networks. In the hands of attackers, it could speed up the discovery of exploitable flaws.

This is why Anthropic’s limited release strategy matters. By restricting access to selected governments and cybersecurity groups, the company is trying to prevent broad misuse while still allowing trusted defenders to test and improve software security.

A New Standard for Cybersecurity Work

The rise of AI bug-hunting systems points to a broader shift in cybersecurity. The field is moving from manual discovery toward AI-assisted research, where speed and scale become just as important as individual skill.

That could make software safer if companies use these tools responsibly. More bugs could be found before products ship. Security teams could test more code, more often, and with less dependence on small groups of elite researchers.

But the transition will not be painless. Independent researchers may face tougher competition. Bug bounty programs may need to adjust how they reward discoveries. Companies may have to rethink disclosure rules, AI-assisted submissions, and how to verify machine-generated findings.

The Bottom Line

Chompie’s warning is not a simple prediction that AI will replace ethical hackers. It is a signal that the economics of vulnerability research are changing.

AI tools like Claude Mythos can already find serious software flaws at scale. That makes them valuable for defenders, risky in the wrong hands, and disruptive for the people who built careers around finding bugs manually.

For now, the most likely future is not AI instead of human hackers. It is AI beside human hackers. The best researchers will use these systems to move faster, while companies will use them to harden software earlier.

But the old bug-hunting world is unlikely to stay the same. As AI gets better at finding vulnerabilities, human hackers will need to move higher up the difficulty curve, where creativity, context, and judgment still separate the expert from the machine.