| ▲ | samuelknight 7 hours ago |
| My startup builds agents for penetration testing, and this is the bet we have been making for over a year when models started getting good at coding. There was a huge jump in capability from Sonnet 4 to Sonnet 4.5. We are still internally testing Opus 4.5, which is the first version of Opus priced low enough to use in production. It's very clever and we are re-designing our benchmark systems because it's saturating the test cases. |
|
| ▲ | carsoon 4 hours ago | parent | next [-] |
| Yeah this latest generation of models (Opus 4.5 GPT 5.1 and Gemini Pro 3) are the biggest breakthrough since gpt-4o in my mind. Before it felt like they were good for very specific usecases and common frameworks (Python and nextjs) but still made tons of mistakes constantly. Now they work with novel frameworks and are very good at correcting themselves using linting errors, debugging themselves by reading files and querying databases and these models are affordable enough for many different usecases. |
| |
| ▲ | justanotherunit an hour ago | parent [-] | | Is it the models tho? With every release (mutlimodal etc) its just a well crafted layer of business logic between the user and the LLM. Sometimes I feel like we lose track of what the LLM does, and what the API before it does. |
|
|
| ▲ | vngzs 5 hours ago | parent | prev | next [-] |
| How do you manage to coax public production models into developing exploits or otherwise attacking systems? My experience has been extremely mixed, and I can't imagine it boding well for a pentesting tools startup to have end-users face responses like "I'm sorry, but I can't assist you in developing exploits." |
| |
| ▲ | embedding-shape 4 hours ago | parent | next [-] | | Divide the steps into small enough steps so the LLMs don't actually know the big picture of what you're trying to achieve. Better for high-quality responses anyways. Instead of prompting "Find security holes for me to exploit in this other person's project", do "Given this code snippet, is there any potential security issues?" | | |
| ▲ | paranoidrobot an hour ago | parent [-] | | Their security protections are quite weak. A few months ago I had someone submit a security issue to us with a PoC that was broken but mostly complete and looked like it might actually be valid. Rather than swap out the various encoded bits for ones that would be relevant for my local dev environment - I asked Claude to do it for me. The first response was all "Oh, no, I can't do that" I then said I was evaluating a PoC and I'm an admin - no problems, off it went. |
| |
| ▲ | apimade an hour ago | parent | prev | next [-] | | The same way you write malware without it being detected by EDR/antivirus. Bit by bit. Over the past six weeks, I’ve been using AI to support penetration testing, vulnerability discovery, reverse engineering, and bug bounty research. What began as a collection of small, ad-hoc tools has evolved into a structured framework: a set of pipelines for decompiling, deconstructing, deobfuscating, and analyzing binaries, JavaScript, Java bytecode, and more, alongside utility scripts that automate discovery and validation workflows. I primarily use ChatGPT Pro and Gemini. Claude is effective for software development tasks, but its usage limits make it impractical for day-to-day work. From my perspective, Anthropic subsidizes high-intensity users far less than its competitors, which affects how far one can push its models. Although it's becoming more economical across their models recently, and I'd shift to them completely purely because of the performance of their models and infrastructure. Having said all that, I’ve never had issues with providers regarding this type of work. While my activity is likely monitored for patterns associated with state-aligned actors (similar to recent news reports you may have read), I operate under my real identity and company account. Technically, some of this usage may sit outside standard Terms of Service, but in practice I’m not aware of any penetration testers who have faced repercussions -- and I'd quite happily take the L if I fall afoul of some automated policy, because competitors will quite happily take advantage of that situation. Larger vuln research/pentest firms may deploy private infrastructure for client-side analysis, but most research and development still takes place on commercial AI platforms -- and as far as I'm aware, I've never heard of a single instance of Google, Microsoft, OpenAI or Anthropic shutting down legitimate research use. | |
| ▲ | ceejayoz 5 hours ago | parent | prev | next [-] | | Poetry? https://news.ycombinator.com/item?id=45991738 | | | |
| ▲ | fragmede an hour ago | parent | prev [-] | | A little bit of social engineering (against an AI) will take you a long way. Maybe you have a cat that will die if you don't get this code written, or maybe it's your grandmother's recipe for cocaine you're asking for. Be creative! Think of it as practice for real life. |
|
|
| ▲ | dboreham 6 hours ago | parent | prev | next [-] |
| I've had similar experience using LLMs for static analysis of code looking for security vulnerabilities, but I'm not sure it makes sense for me to found a start up around that "product". Reason being that the technology with the moat isn't mine -- it belongs to Anthropic. Actually it may not even belong to them, probably it belongs to whoever owns the training data they feed their models. Definitely not me though. Curious to hear your thoughts on that. Is the idea to just try for light speed and exit before the market figures this out? |
| |
| ▲ | 5 hours ago | parent | next [-] | | [deleted] | |
| ▲ | apercu 6 hours ago | parent | prev | next [-] | | That’s 100% why I haven’t done this - we’ve seen the movie where people build a business around someone else’s product and then the api gets disabled or the prime uses your product as market research and replaces you. | | |
| ▲ | tharkun__ 6 hours ago | parent [-] | | Does that matter as long as you've made a few millions and just move on to do other fun stuff? | | |
| ▲ | ryanjshaw 3 hours ago | parent | next [-] | | There are armies of people at universities, Code4rena and Sherlock who do this full-time. Oh and apparently Anthropic too. Tough game to beat if you have other commitments. | |
| ▲ | pavel_lishin 5 hours ago | parent | prev [-] | | Assuming you make those few millions. |
|
| |
| ▲ | micromacrofoot 5 hours ago | parent | prev [-] | | wild that so many companies these days consider the exit before they've even entered | | |
| ▲ | NortySpock 4 hours ago | parent | next [-] | | It is considered prudent to write a business plan and do some market research if possible before starting a business. | |
| ▲ | rajamaka 4 hours ago | parent | prev | next [-] | | Every company evaluates potential risks before starting. | | |
| ▲ | davidw 4 hours ago | parent [-] | | Depending on how much of a bubble it is. When things really heat up it's sometimes more like "just send it, bro". |
| |
| ▲ | blitzar 3 hours ago | parent | prev [-] | | the exit is the business |
|
|
|
| ▲ | VladVladikoff 7 hours ago | parent | prev [-] |
| I have a hotel software startup and if you are interested in showing me how good your agents are you can look us up at rook like the chess piece, hotel dot com |
| |
