Episode 320 - Return of @lojikil - LLM Bug Hunting, AI OffSec, Defender Burnout

Ken is away, so Stefan Edwards (lojikil) joins Seth to talk all things AppSec. This episode starts by exploring the acceleration of AI on the offensive side of security, enabling threat actors to automate complex tasks like patch diffing, gadget discovery, and reverse engineering binaries. The conversation highlights a recent milestone where an AI-driven tool, Mythos, successfully identified a vulnerability in curl, signaling a shift from "AI slop" to more relevant bug reports. However, Stefan remains skeptical of LLMs' ability to build secure, large-scale systems, noting their tendency to produce rigid or inconsistent code structures. This imbalance creates a "bad time for defenders," as blue team burnout increases due to the sheer volume of automated agents scanning attack surfaces near-instantaneously. The hosts conclude that while AI provides a "godsend" for testing neglected legacy applications, organizations must return to security basics—such as the principle of least authority and robust disaster recovery—to manage the expanding blast radius of modern breaches. Ultimately, they view AI as a fast, knowledgeable "junior" that requires human expertise to validate and orchestrate effectively.

You can listen to Episode 320 - Return of @lojikil - LLM Bug Hunting, AI OffSec, Defender Burnout online on Radio and Podcast. Open the player on this page to stream the available audio.

Episode 320 - Return of @lojikil - LLM Bug Hunting, AI OffSec, Defender Burnout is an episode from Absolute AppSec by Ken Johnson and Seth Law.

The episode duration depends on the source podcast feed and may not always be available.

This episode was published on May 12, 2026.

Yes. Use the heart button on the episode page to add it to your favorite episodes list.

Yes. This page shows related episodes from Absolute AppSec when more episodes are available from the podcast feed.