Yo, hacker peeps! It’s Ads. I live by my philosophy: Harness code to conjure creative chaos—think evil, do good. I love to exert and exploit the power of large language models (LLMs) within an offensive security context, whether it’s hacking on LLM applications and models (aka red teaming), exploring their unique attack surfaces in creative ways through research, or using them to amplify my own hacking power. You may be here because you read my first blog post “Hacking LLM applications: A meticulous hacker’s two cents.” This time around, we’ll be addressing the other side of the coin and covering some examples of harnessing agents for hacking purposes (ethically, of course). In this first part of an all-new series, I will start easy. I’ll build from the ground up for those who may not have any experience coding or using LLMs. At the same time, I’ll provide some food for thought for savvy vets. Writing code to build agents and evaluating them on the daily get my adrenaline pumping. Personally, my weapon of choice is harnessing the beauty of rigging when code smashing, but I’ll start with some no-code examples for simplicity.

After reading this, I hope you learn to scale inward, maintain your options, and do more with less. Don’t be afraid to leverage your expertise and skill sets, and own your ability to execute. I’m blessed that my daily work includes pushing models to their maximum potential via architecting environments that present offensive security challenges, making model systems go “brrrrr,” deploying tests, and continuously evaluating the test results. This means like most people nowadays, I’m “doing AI agents” (see “Intelligent Agents”)—but for a purpose much cooler than most people’s, I can assure you.

However, this blog isn’t only about teaching you to teach AI to break things. Instead, think of this piece as your first toe dip into the waters of novel techniques that can augment your offensive security game. From autonomous reconnaissance to AI-guided exploit development, I’ll teach you how these digital sidekicks can open doors we never knew existed.

Legal disclaimer: All techniques discussed are for educational purposes only. Unless you have explicit permission, don’t try any of these techniques at home (or anywhere else).

 

No problems, all potential—Under the hood

Hacking is like a high-octane game of hide-and-seek where the target being sought is always vulnerabilities. Pursuing a harmless curiosity in the cybersecurity world can quickly lead to testing out complicated exploits such as remote code execution (RCE). Now you have an unheard-of amount of data to sift through, sprawling applications, and intricate APIs to pull apart. And don’t get me started on the complexities of full-stack applications, with their endless scope criteria and diverse attack surfaces. At this point, you’ve got yourself a digital labyrinth. When you’re first starting as a hacker, this can seem overwhelming, be time-consuming, and feel mind-numbing. It becomes easy to get lost in the weeds of everything you need to do and learn. 

Enter LLMs: the perfect accomplice to help you navigate this data-riddled maze. By automating reconnaissance, prioritizing vulnerabilities, and even suggesting exploit techniques, AI agents can drastically reduce your manual workload. Imagine having an assistant that not only scans endpoints but also correlates findings, contextualizes risks, and drafts payloads—freeing you to focus on the creative aspects of hacking. Therefore, this isn’t a gung-ho approach of “using AI to hack stuff”; it’s a strategic plan to task agents for assistance.

I will focus my content in this series on improving upon hacking techniques using AI. Awesome content such as building effective agents already exists and features lots of great information.

In this section, we’ll explore how AI agents can turn hacking pain points into potential opportunities and unlock new dimensions of offensive security for you. 

 

AI agents 101: From LLMs to digital hackers-in-training

AI agents (who don’t need sleep or have a Red Bull addiction, like me and most hackers) are the dirt-cheap, brainy interns you never knew you needed: eager, efficient, and occasionally chaotic. Equipped with multi-agent orchestrations, tool integrations, and task-oriented behaviors, AI agents can automate offensive security tasks with uncanny precision and are a great return on investment (ROI).

Think of it as having a tireless sidekick that can, at a very basic level, do any of the following and more:

  • Automate reconnaissance—Identify exposed endpoints and juicy misconfigurations.
  • Craft tailored exploits—Generate payloads adapted to application quirks.
  • Mimic human behavior—Simulate social engineering tactics at scale.
  • Identify vulnerabilities—Analyze patterns for potential weak spots.

These AI-powered assistants aren’t magic, but with a bit of guidance and creativity, they can supercharge your hacking arsenal.

 

Setting the stage: Tasking an agent for maximum chaos

Before we unleash our rogue agents into the wild, let’s get one thing straight—these aren’t magic wands that instantly pop shells. AI agents are like hyperactive toddlers; give them bad instructions and leave them without direction and they’ll confidently do the wrong thing at scale. Tasking them properly in the right environment is key. This means experimenting, iterating, and fine-tuning their behavior before sending them on a mission. In the same way prompt engineering isn’t just a buzzword, prompt engineering in relation to AI is the art of turning a confused bot into a hacking accomplice. The goal? Maximize the agent’s reasoning, ensure it adapts to different targets, and avoid it spiraling into hallucination hell. Only after we’ve determined an AI agent’s limits should we set it loose into our workflows—because an AI that actually knows what it’s doing is way more dangerous (and useful) than one throwing spaghetti at the wall (like a toddler).

Tasks should be structured and well-planned, with one clear objective at a time and a logical progression between steps. Start simple. For example, let the agent master reconnaissance before expecting it to craft payloads. Only when it can execute individual tasks reliably should multitasking be introduced, with explicit handoffs between phases. For example, a recon-tasked agent shouldn’t just collect endpoints; it should package its findings in a way that allows the exploit-tasked agent to act immediately, minimizing confusion and wasted cycles. The more watertight the workflow, the more effective the AI becomes. This is because an agent that knows exactly what to do next is infinitely more dangerous than one left to figure things out on its own.

 

Phase 1: Recon with rogue agents—easy money

The first rule of hacking is know thy target, which is a pretty standard first step in the kill chain. Traditional recon methods involve endless scanning, requests, and data parsing. Enter AI agents: the automation wizards with magnifying glasses.

Tooling up: Before reinventing the wheel with your super-fancy agent library, think about existing and commonly used tools already in your Batman utility belt—tools such as ffuf, step in brainstorm, fffAI, or even Nuclei. These familiar tools have received a snazzy new facelift where we can leverage a model’s reasoning capabilities to granularly fingerprint a target, identify potential exposed APIs and tailored paths, and even suggest potential attack vectors like misconfigured CORS policies or public S3 buckets. Using these specific task-related tools and a zero shot approach aren’t  scalable to your entire hacking methodology, but it is an easy way to introduce a simple git clone and plugin into an API key and juice up your current efforts. This is a simple plug-and-play method you can implement before the later stages of giving a model access to a shell of a Kali Linux distro and letting it go nuts.

But why?

No more wordlist.txt: LLMs are trained on vast amounts of text, with common decoder-based models like GPT-3.5 from OpenAI using a transformer architecture that focuses on decoding tasks such as text generation, completion, and understanding. This gives them an edge over humans when it comes to generating wordlists. For example, feeding a model a collection of SDK/API docs for your target program can yield fascinating results beyond your manual, static, non-contextual, and most likely outdated wordlists. Additionally, these results would be specifically tailored to the program target. This custom and contextual result  may expand to commonly used terms trending in the target program  docs or even legacy product names that might mistakenly host live APIs for endpoints thought to be decommissioned. I loved Jonathan Walker’s writeup on how he pretty much did just that and was able to find gold purely by using an LLM to process a ton of publicly available docs and identify some novel vulnerabilities in plain sight.

Obviously, the tools listed above are for a specific task within the unified kill chain (UKC). You might be thinking, This is a single-turn interaction with limited capability, isn’t it? So how do we leverage additional simplicity and cool points? Let me introduce you to a couple of my homies: nerve and robopages. These two tools are an awesome way to introduce yourself to using LLMs, and almost zero coding experience is required. Those two in the same room? Game on.

If you want to simply give a model access to a shell using nerve (I explain below why this may be limited), feel free to skip the following example and instead see the nerve namespaces docs.

nerve is a Rust-based open-source library that allows you to write and task LLM agents without writing code. Here’s an example task in which we hook up nerve with a robopages server that gives a model an instruction, a task, and a suite of super-cool, commonly used cybersecurity tools in short-lived docker containers:

From here, it’s pretty much as easy as serving the robopages server (a local API with access to a suite of cybersecurity-focused docker containers), throwing in an API key for the chosen generator, and using a simple run of the tasklet. The reason we serve robopages is to optimize our results by giving the agent access to a set of tools available as containers in a local API on our host, which originate from the individual robopages (a pre-built container and an instruction manual—robo-pages…get it?). When it’s ready, you’ll see something like this (Note: You’ll only see this on the first time through the serving process. It takes a while to build the containers, so don’t sweat it.):

Here’s our simple tasklet run command:

And voila! The model has given us a shiny Nmap report that it independently chose from the available set of tools (robopages) for this task:

It goes without saying that hacking without authorization  is not cool if you are not authorized to test on the target, bro. The key highlight is this little nugget of output below, which shows how we took an API key, a git clone, and a one-liner and transformed the process into an LLM agent that can summarize its findings derived from the execution it took on our local terminal using its own decision process of choosing and executing said tool (which in this example was nmap):

Note: This example was possible without the need for prompt injection of the model or other methods. This helped to steer the agent away from its guardrails, breaking away from classifier detections or other safeguard mechanisms in the stack.

The task is marked as complete by the agent, and our task of vulnerability assessment is completed:

Fancy continuing down the rabbit hole? Combine this into a nerve workflow, which as a simple pseudo-function would look a little like this:

If you’re like me and love to see your script go “brrrrr” through your Burp Suite proxy history (this is especially useful when factoring log retention, writing reports, and validating requests and responses in a project file on disk), then first, download the burp.pem file and save it to the root of the nerve repository. Next, run the following command to convert the burp.der file into a pem file:

Once the pem file has been converted, run the following command to set the environment variables and go bananas:

An important callout here is that although this seems easy, it’s for demonstration purposes only and not a recommended approach. It’s important to guide the model thoroughly and think through your approach. We haven’t yet reached a desired level of autonomy, but it’s worth highlighting that nerve does include a sweet human-in-the-loop element to its tasks that allows us to validate what we permit the model to execute from our shell.

Prefer to ship traffic from your dedicated red team rig/VPS? I got you, homie:

The robopages-cli run and serve commands support an optional SSH connection string. If provided, commands will be executed over SSH on the given host.

 

Phase 2: Scan the seas

I speak from experience (no spoilers) when I say there’s something to be said about traditional “poor coding habits or tendencies” that serve as a springboard. These are consistently seen in public and open-source code that you can access and download when its commonly transferred into an eligible program’s proprietary application (aka the crown jewels). Let’s consider an example where we have come across a vulnerable component in a WordPress plugin within an eCommerce platform that has both open-source GitHub-published code for applications not in scope and some juicy proprietary apps. This step assumes you have already stored the code on your filesystem. If you’re not comfortable with code review, nerve has your back with a pre-built template:

nerve code auditor example with a judge:

Stop, think: Ensure your workflows provide the model enough context regarding the application to reduce false positives and benign reports. 

From some manual review of the agent’s findings, I was able to validate a highly successful attack surface of the application. From there, I probed the in-scope target to confirm there’s similar functionality, and I verified the vulnerability’s presence in both the open-source WordPress plugin and the proprietary SaaS environment. I then used the proven exploit to pop the vulnerability in the program’s target! Again, while still not a multi-agent, fully autonomous effort, it is nevertheless an easy win that is effective and a worthwhile bounty submission. Most of us hackers are scraping bounty programs for new and existing targets, so this step isn’t too much additional effort in the process of pulling, scraping, scanning, and alerting. The real question is, can the AI agent do the entire flow given a bit of guidance?

Still don’t believe me on the potential of AI? I found a lovely little rabbit hole last week that led me to evaluating if agents are capable of identifying high-level severities across software that powers the internet on the daily. This means a high reward but a high bar—I’m talking openssl, nginx, wordpress, git scm, etc. This specific piece of code facilitates the git credential helper (stores and manages login credentials) and was identified as being vulnerable to leaking git secrets when visiting or interacting with remote repositories. This surfaced in a fantastic writeup earlier this month, and it’s highly probable that it won’t be included in any training data just yet/crawled.

I cloned the open-source repository, checked out an unpatched “vulnerable commit,” and ran a zero-shot single-file nerve code review template. The results from the model (without even having full access to the codebase) delivered pretty impressive results! (Some of it has been removed for rendering.)

 

Phase 3: AI ammo—Payload creation 

Once recon is complete and payloads are ready, the next logical step is execution. LLM agents can orchestrate multi step attack chains, mimicking ethical hacking behaviors. You can also get creative here and introduce different models for different tasks that complement the models strongest capabilities, context lengths, parameters, etc.

AI doesn’t just chat; it can craft, enumerate, and evaluate creative payloads with shocking effectiveness. Purposely redacted for this blog, let’s see what an extremely low-lift, simple, nerve-based multi step workflow from the earlier section may look like here:

Note: LLMs also make awesome janitors. I strongly encourage you to harness their capabilities of tidying up wherever possible, especially when automating the boring stuff. Writeups can be tedious, and it can be hard to convey justification. Go one step further here and add an additional tasklet to the workflow for an agent to compile a Bugcrowd-specific report:

Report writing just got a whole lot easier.

Insert evil cackle here. ( 。 •̀ ᴗ •́ 。)

AI agents aren’t used only for hacking stuff together. I encourage hackers to embrace AI in every possible way to power your productivity, even down to the nitty-gritty tasks we dislike.

 

Put the evil agent on your shoulder and tighten the telescope

I love to build projects that can fix a real-world problem and automate and augment as much of my workflows as possible for maximum power. This ultimately led me down the path of creating burpference. Put simply, burpference is your flexible and customizable open-source bug bounty buddy that aids in inspecting HTTP requests and responses in your proxy. In summary, it has the following capabilities:

 

  • Runs LLM analysis on all in-scope proxy traffic with real-time severity classification (CRITICAL through INFORMATIONAL)
  • Stores full request/response context with findings in JSON format, which persists across Burp sessions
  • Supports OpenAPI spec security scanner analysis for API testing/docs
  • Works with local models via Ollama to avoid API costs/rate limits (e.g., mistral and llama)
  • Native Burp Scanner integration—burpference model findings appear in Scanner tab with severity levels and full context.

Soon, I’m thinking of experimenting with using multiple agents in Burp against requests and response traffic by simply using the previous nerve proxy setup and updating the code to proxy that through burpference. We could have some gnarly multi-agent findings…mind, blown.

In short, bringing the beauty of AI into your existing methodology can yield rad results and provide you the fantastic opportunity to learn something new! Every day is a “school day,” and learning is a privilege.

Burp’s new 2025.2 Montoya API release of Burp Suite Professional now also includes AI functionalities. This is an exciting feature and something I’ve been eagerly waiting for, as I can now build more burp extensions, tools, and functionalities. I have some reservations about the architectural designs and some of the product-led decisions. Regardless, I adore the adoption of AI and the continuous improvement. I’m a big fan of Gareth’s and James’ (GOATs) work. I also have to give a shoutout to Hackvertor of Portswigger for the new improvements following this release.

 

Wrapping up 

AI agents have the potential to rapidly elevate offensive security beyond traditional boundaries. As we’ve learned from the above, they are great at automating tedious tasks, generating creative payloads, and mimicking adversarial behaviors with eerie accuracy. Stay tuned for upcoming juicy content and the follow-up to this series kickoff, which will include more complex, in-depth walkthroughs and some code examples to exploit.

Hackers should start learning about LLMs and machine learning concepts now because understanding these tools unlocks new potential in offensive security. This means you can stay ahead of evolving defenses and maximize your impact. Heck, it’s dope even if you’re just scratching the surface of fine-tuning your LLM models through hacker content and real-world examples of data exploits using The Bug Hunter’s Methodology.

Stay curious, stay ethical, and remember: The future of security isn’t just about human hackers—it’s about AI sidekicks with a penchant for digital mayhem.

Keep up with Ads’ wacky experiments by following him on LinkedIn or GitHub. Ever in Toronto, Canada? Hit me up for coffee and donuts!

Tags: