AI to replace auditors?
We’re kicking things off with something that’s been making waves across the AI and cybersecurity world this week: the story behind how an AI system topped the leaderboard by detecting vulnerabilities in codebases.
This isn’t the threat people think it is
It’s tempting to look at this and say: “Wow, the machines are coming for auditor jobs.” But here’s the thing: what the AI is doing is really an offensive-security task. It’s built to scan many codebases fast and surface issues quickly. That makes it a broad-spectrum vulnerability scanner on steroids, not a precise, deep-dive reviewer.
And nowhere do they mention coverage, i.e. how much of a codebase was actually examined. That’s the key metric in a real-world defensive setting, where the goal is to secure one repository as tightly as possible rather than to find the easiest bugs across many.
Bug bounty ≠ security
This also highlights a significant limitation of bug bounty contests and similar setups. They’re a bit of a lottery. If you get lucky and attract a few skilled hackers who go deep, great, you’ll get high-quality coverage. But more often, you get a rush of junior researchers speed-running the codebase looking for common issues.
That’s where AI shines. It can outperform humans on the basics, and it’s a lot faster. But the nuanced, complex edge cases? You still need senior eyes on those, and the platforms don’t make it easy to incentivize those people.
It’s like saying the best lawyers should duke it out in public competitions. Doesn't make sense, right? The best work often happens behind closed doors.
What it really means
So no, AI isn’t replacing auditors. But it is making it easier to exploit insecure codebases at scale. That’s the real concern.
Just because someone built an electronic lockpick that can open 1,000 doors in two hours doesn’t mean we get rid of locks. But it does mean we need better locks.
We’ll talk more about this at our upcoming Web3 Summit Berlin talk, where we will dive into the role of AI in audits and how the ecosystem can adapt.
Until then, lock your code, not your curiosity.
Follow us on Twitter, book a slot, or request an audit on our website.