Top ethical hacker Valentina Palmiotti, widely known as Chompie, has voiced concerns that the rapid advancement of artificial intelligence tools could soon make her profession largely redundant. Palmiotti, who achieved recognition as the most successful individual competitor at the recent Pwn2Own hacking competition in Berlin, shared her insights with BBC News.
For the present, Palmiotti acknowledged that AI tools are proving to be invaluable assistants, significantly aiding her in securing "bug bounties." These bounties are monetary rewards offered to hackers who successfully identify vulnerabilities in online systems before malicious actors can exploit them. She explained that these AI assistants help accelerate her research workflow, enabling her to test more potential vulnerabilities than previously possible, especially when balancing her competition efforts with her full-time role as a security researcher for IBM X-Force. She said tools like Claude Code have enabled her to work faster both for competitions and in her day job at IBM X-Force.
However, Palmiotti cautioned that the power of emerging AI systems, such as Anthropic's Mythos, is escalating to a point where even highly skilled, champion-level hackers like herself may soon find it exceedingly difficult to compete. She noted that while she is currently in a "sweet spot" where AI enhances her capabilities, she anticipates a significant shift. Palmiotti predicted that new models like Claude Mythos and GPT 5.5 Cyber will soon change the landscape, potentially making many of the currently accessible vulnerabilities, often referred to as "lower-hanging fruit," much harder to find.
This potential shift led Palmiotti to state that she competed in the 2024 Pwn2Own competition with the thought that "it might be my last chance." She clarified that this does not mean an end to security research or ethical hacking entirely, but rather a significant reduction in the number of human hackers required. Chompie, who became the joint-first woman to compete in the 2024 Pwn2Own, said that good or even great hackers would soon no longer be needed, and that only the very best would still be able to find new bugs and win prizes. In that elite category, she included individuals like Orange Tsai, another prominent winner at the Berlin event.
Anthropic, the developer of the Mythos model, claims its AI has been instrumental in discovering 1,600 vulnerabilities across hundreds of software programs. The company has stated that these flaws have all been reported to the affected companies, which are now fixing them before criminals can find the same holes. Due to its advanced capabilities, Anthropic has indicated that Mythos is being released only to a select group of governments and cybersecurity institutions, highlighting its perceived power and potential risks.
On the first day of the contest, Palmiotti successfully demonstrated how to hack one system linked to Nvidia, winning $20,000. She then described entering what she called "zombie hacker mode" to prepare for the next day. "As soon as I won the first prize I ran back to my hotel room to keep working on the other one. I worked from 6pm til 6am and didn't sleep," she said. Footage from the event shows her looking happy and tired on stage as she successfully hacked into a Linux-based system to win an additional $50,000. Palmiotti described "zombie hacker mode" as being locked into intense research and testing for hours, fueled by energy drinks and adrenaline, often while wearing a black hoodie. "It's not healthy," she laughed, but insisted it was necessary for success in high-stakes competitions. Many champions, including Palmiotti, have been using AI to assist them while in "zombie mode" this year.
Orange Tsai, a hacker from Taiwan who led his team to win $375,000 (£278,000) at Pwn2Own by identifying complex hacking pathways, offered a more optimistic perspective. He described AI as a "really awesome assistant that helps accelerate my research workflow." Tsai elaborated that AI can help him test numerous ideas that arise during his research, overcoming the human limitation of needing sleep. "During research I usually come up with many interesting ideas, but unfortunately I still need to sleep, so I can't test everything one by one. AI can finally help free my hands," he says. Tsai expressed hope that human creativity and intuition would continue to be essential in uncovering vulnerabilities that AI tools might overlook, even as AI forces the bar higher for all hackers.
The implications of AI-driven vulnerability discovery extend to the realm of criminal hackers. While research indicates that cybercriminals are increasingly using AI to expedite attacks and develop new exploitation methods for data breaches and ransomware, the majority of current cyber-attacks still rely on established, simpler techniques like phishing and social engineering. These methods do not necessitate the discovery of novel software vulnerabilities, but rather involve tricking individuals into granting access.
Palmiotti believes that the ultimate impact of advanced AI tools will be a general increase in the difficulty of hacking for all parties, which she views as a positive development for overall internet security. "I think that the tide is turning against offensive hackers. I think defence stands to gain a lot from this capability," she said. However, she stressed that the benefits of AI for cybersecurity defenders can only be fully realized if these powerful AI products are developed and deployed responsibly. Palmiotti argued that it is crucial for ethical hackers, the "good guys," to have early access to the most potent AI tools so they can identify and fix security flaws before malicious actors can exploit them.
The Pwn2Own competition in Berlin, organized by the Zero Day Initiative, awarded nearly $1.3 million (£970,000) to hackers this year for collectively discovering 47 novel hacking methods across various software and systems.
