AI has changed offensive security; that part is obvious. LLMs are getting better at writing code, finding bugs, testing systems, and accelerating real security work. Anyone pretending otherwise is not paying attention. That is exactly why Bugcrowd’s mission matters more now, not less. 

What has not changed is that businesses need operational context and judgment. They want to know how a vulnerability report translates into a real business risk assessment. AI helps researchers find more and submit more often. The challenge is, and always has been, separating the signal from the data. A VDP without operations is not a program. It is an inbox. And in an AI world, that inbox gets noisy fast.

Security leaders need to know what is likely to be exploited, what similar organizations are seeing, and what could disrupt the business. Bugcrowd exists to make that system work. For customers, that system shows up in two critical ways: responsible disclosure that operates at scale, and independent testing that challenges assumptions. 

That is the part I want to make sure people do not miss.

Security has never been only about finding vulnerabilities. It is a real system comprising technology, people, and process. When the technology takes a leap forward, the people and process side has to evolve too.

Bugcrowd makes the system work by performing triage, researcher communication, duplicate handling, severity calibration, fair rejection, escalation, payments, taxes, legal coordination, and all the operational work that makes responsible disclosure function in the real world.

For customers running pentests and red teams, the need is different but just as important: independent assessment. AI-enabled testing can find real issues, but it can also reinforce assumptions an organization already had. Security teams do not need a rubber stamp. 

Security requires a credible outside view: experts who can test assumptions, prove impact, and explain what actually matters. Independence matters more now, not less. That is where Bugcrowd has a durable role as AI reshapes offensive security. We are not just producing more reports. We are building the trusted layer where human expertise, AI acceleration, researcher activity, pentesting, red teaming, VDP, bug bounty, and customer workflow come together.

Where Mythos fits in

Mythos, and for that matter the latest models from OpenAI, Google, Anthropic, and others, are not AI as theater. They are part of a much larger shift toward making offensive security more intelligent, repeatable, accessible, and connected to real-world evidence. We are already seeing real security improvements across the Bugcrowd researcher community, where 82% of researchers report using AI to move faster.

The mistake I see the market making is treating AI-discovered vulnerabilities as the whole story. Yes, Mythos has found significant new vulnerabilities, and that matters. Anthropic reports that 271 security vulnerabilities were responsibly disclosed in Firefox 150, and we are all safer because of that. But discovery is only one part of the system customers need. Industry veterans know how quickly today’s breakthrough becomes tomorrow’s baseline. Soon enough, we will all be asking what today’s models still missed.

What leaders actually need is context that stands up to scrutiny. Was the test scoped correctly? How did we determine whether meaningful attack paths were missed? Will an accountable expert stand behind the result when an auditor, insurer, board member, or customer asks hard questions?

Humans and AI: Working together as offensive security evolves

Bugcrowd’s role has always been to turn security findings into validated, prioritized action. Our goal is to help customers move from reactive security to preemptive security. 

This starts by helping customers manage the growing volume of security signals. When so many organizations are shutting down their offensive testing programs due to “AI slop” submissions (cURL is a great example of this), we’re making strategic, actionable changes to our processes to continue to make bug bounty programs a key part of a resilient security strategy.

Customers need a way to sort through that volume without overwhelming their teams or damaging trust with the researcher community. We’ve implemented changes including bans of accounts engaging in submission farming, mandatory identity verification, and submission throttling. These reinforce accountability in submissions, protect triage capacity, and maintain trust and a high-signal Platform for customers. 

Customers also need independent validation through pentests and red teams. Generated reports are not enough. Businesses need a credible outside view that can stand up to scrutiny from executives, boards, customers, regulators, and their own engineering teams. Bugcrowd offers these in flexible, scalable models to meet customers where they are in their offensive security testing journey.

AI can accelerate repeatable work. Humans bring creativity and context. Trust comes from combining both. That is the future Bugcrowd is building.