Today, we are announcing what we believe to be the most ambitious effort in offensive security: to build something that has never existed before - the first AI-based novel vulnerability class researcher, designed to discover new vulnerability classes and novel attack vectors.
December 1998. Phrack. Rain Forest Puppy publishes the first paper describing SQL Injection. That single post gave the world one of the most impactful vulnerability classes ever, still in the OWASP Top 10 more than two decades later. That is novel security research. Not applying a checklist, actually inventing the checklist.Before we explain what we're building and why it matters, let me be very precise about one thing, because the distinction is everything:
Novel attack vector research is not about finding a new zero-day vulnerability, and it is not what most mean when they say “security research.” Novel attack vector research is the work of discovering undocumented behaviors, strange exploit-building quirks, and attack-enabling properties that others have not seen or written down, and figuring out how to weaponize them. Novel attack vectors are rare to come by. We probably only get a handful annually. But because they are new attacks, even though they are only a handful, they can cause worldwide waves when they drop, such as when James Kettle published HTTP Request Smuggling and HTTP Desync attacks, when Paulos Yibelo published novel CSP bypass techniques or DoubleClickjacking, when Gareth Heyes published Blind CSS Exfiltration and Splitting the Email Atom, or when Orange Tsai published Apache attack vector research to name a few.As an industry, we have always understood how hard such a task is, and how much depth and breadth of knowledge across different layers of technology as well as time it takes to develop one. That is why, as an industry, we adore and respect every single person who has created and shared a novel attack vector with the community. Up until this point, only a handful of humans, perhaps less than 0.001% of security researchers, have successfully discovered a novel attack vector.
At Pwn, we believe we have encountered a significant breakthrough in Pwn Research’s architecture, a different in-house platform from Pwn Pentest, that will allow, for the first time ever, a machine to discover new and novel attack vectors that have not been previously documented. It is important to emphasize here that we are not talking about zero-day vulnerabilities, but zero-day novel attack vectors, which can later lead to a rain of zero-days in the setups where those vectors become available.
This is a task our community has believed for the longest time could only be performed by humans of peak technical depth. So much so that we have dedicated platforms to acknowledge and award anyone who publishes novel security research through PortSwigger Top Web Hacking Techniques of the Year or places like Phrack. The peak human performance, creativity, and rarity of such researchers has led the community to believe only humans can perform such a task. We believed that for a long time as well, until recent signs from our efforts suggested there may finally be light at the end of the tunnel.
There are already AI pentesters and AI attack engines, like pwn.ai’s pentesting tools, that are incredible. Their scaffolding is already finding vulnerabilities base models miss, and in some cases, what most pentesters miss through complex architecture, and they’re improving rapidly. But novel security research is not pentesting. True novel security research is the art of finding what has not yet been documented, of bending machines in ways no one predicted. It requires a completely different architecture and mindset.
We Have Barely Scratched the Surface (of What is Exploitable)
Because for decades, the known attack surface has kept us busy enough.
There has been no shortage of SQL injection, XSS, SSRF, deserialization bugs, broken access control, auth flaws, business logic failures, parser bugs, cache bugs, and every other class of issue the industry already knows how to describe. The map of known attack vectors has been large enough, painful enough, and profitable enough that it has consumed most of the field’s undivided attention.
That is exactly why pentest engines are exciting. They will help us find, scale, and eventually close more of those known holes faster than ever before. But that is not the frontier of what could get us hacked after patching known classes. Pentest engines will force a vulnerability evolution that pushes us to the frontier, which becomes what we have not yet documented. The days of most applications being battle-hardened for common techniques are near. This doesn't mean we will find every novel attack vector, quite the contrary: we believe the search space is wide and deep enough, and we have strong conviction there may be infinite attack vectors we do not know about. And the reason we think that is because all computers do is compute:
They compute to show you this text, to move it across the network, to render it in your browser. Every byte along that path, from your TCP layer to your browser, to the proxy, to the ISP, to the node, to a server, passes through transformations, assumptions, insane layers of abstraction, parsers, caches, trust boundaries, software some one guy maintains, and large states. Every one of those layers is a place where behavior can slip from intent. That hinge is where exploits are born. It is wide enough that we have noticed it is nearly impossible for two vulnerability class researchers to duplicate publications. The surface is wide, and exciting, because it's like we are kids again, we get to play, feed our curiosity, instead of just doing it for a job. It gets to be hard and fun again.
At Pwn, we love NSO’s ForceEntry exploit because it helps paint a clear picture: ordinary image pixels were carefully ordered through XOR instructions and made into a running computer inside your phone, bypassing all known mitigations by building their own Turing machine. No ASLR bypass, no crazy chain. Just an image decoder flipping bits until it owned enough memory. That’s the lesson of hacking, the beauty of it, and the horrifying truth inside it: give an attacker any sliver of compute and a machine can be assembled from it. NSO's novel technique was not published in a blog post; it was being exploited by nation-state actors against unsuspecting people, and looking for known attack vectors or relying on mitigation systems expecting known classes did not help. Unfortunately, this is the reality of most novel attack vectors: they are not publicly disclosed for clout, but deployed privately. Researchers sell novel techniques to brokers because the market places enormous value on original offensive knowledge long before the rest of the industry is ready to understand it.
By now we should have learned there is no such thing as “unhackable.” There are only cages around computation. It is always just a matter of grit, time, depth and creativity. Nudge a bar, timing here, cache there, a parser state or a power blip, and eventually you get enough parts to build a weird machine inside the trust boundary. Now you have a computer inside their computer.
As long as computers compute, there will be always be new attack vectors. More strange interactions. More underexplored behaviors. More paths where one layer says “safe” and another layer quietly disagrees. If you made it this far, we hope to have convinced you that the known attack surface is not the whole attack surface. It is just the part we have managed to map so far, and it might be less than 1% of what we might come to find out in few years. The cat and mouse game truly never ends. The most exciting times are upon us!