Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1913+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. We Built a Vulnerability Vending Machine: AI Tokens In, Zero-Days Out
We Built a Vulnerability Vending Machine: AI Tokens In, Zero-Days Out
NEWS

We Built a Vulnerability Vending Machine: AI Tokens In, Zero-Days Out

Security firm Intruder built an AI-powered system that combines code slicing with large language models to automatically discover complex software vulnerabilities — including a previously unknown WordPress plugin zero-day.

Dylan H.

News Desk

July 15, 2026
5 min read

AI Meets Vulnerability Discovery: The Vending Machine That Finds Zero-Days

Security firm Intruder has published a detailed breakdown of how it built what it calls a "vulnerability vending machine" — an AI-powered system that feeds code into large language models (LLMs) and receives zero-day vulnerabilities in return.

The system combines code slicing (breaking code into semantically relevant chunks) with targeted LLM prompting to automatically identify complex security flaws. The approach is notable not just for what it found — a previously unknown WordPress plugin zero-day — but for what it suggests about the future trajectory of automated vulnerability research.


How the Vulnerability Vending Machine Works

The core insight behind Intruder's system is that LLMs are poor at analyzing large, complex codebases holistically but excel at identifying vulnerabilities in focused, well-scoped code segments.

Traditional manual vuln research:
  Researcher reads entire codebase → identifies suspicious patterns → develops PoC
  Time: Days to weeks per target
 
AI-assisted approach:
  1. Code Ingestion — parse target application's source
  2. Code Slicing — extract semantically relevant code sections
     (e.g., input handling, database queries, file operations, auth checks)
  3. LLM Analysis — submit each slice with targeted security prompts
     ("Does this code safely handle user input?" / "Can this path be traversed?")
  4. Candidate Triage — LLM flags suspicious patterns with explanations
  5. Human Validation — researcher confirms and develops PoC for flagged candidates
  6. Exploit Development — confirmed findings weaponized or responsibly disclosed

Code Slicing: The Key Enabler

The breakthrough that makes the approach viable is code slicing — rather than dumping an entire application into an LLM (which exceeds context windows and dilutes focus), the system extracts targeted code paths:

  • Data flow slices — tracing user-controlled input from entry point to sensitive operation
  • Semantic slices — grouping code by functionality (authentication, file handling, SQL queries)
  • Call graph slices — extracting function call chains that interact with security-sensitive APIs

This dramatically improves signal-to-noise ratio, enabling LLMs to focus analysis on the code segments most likely to harbor vulnerabilities.


The WordPress Zero-Day Discovery

Intruder's system identified a previously unknown zero-day vulnerability in a WordPress plugin using this approach. While specific plugin details are subject to coordinated disclosure timelines, the discovery demonstrates the practical efficacy of the automated pipeline.

Discovery AspectDetail
TargetWordPress plugin (undisclosed pending patch)
Vulnerability TypeSecurity flaw identified by LLM code analysis
Discovery MethodAutomated code slicing + LLM analysis
Prior Knowledge RequiredNone — fully automated initial discovery
Additional DiscoveriesMultiple additional findings reported as in progress

The finding represents a shift: zero-day discovery no longer requires years of specialized experience alone — AI can surface candidate vulnerabilities that researchers then validate and weaponize.


Implications for the Security Ecosystem

For Defenders

The democratization of vulnerability research cuts both ways:

  • Faster patch cycles needed — if defenders can find bugs with AI, so can attackers
  • Increased vulnerability surface awareness — AI-assisted scanning can surface long-standing bugs
  • Broader attack surface coverage — LLMs can analyze code in languages and frameworks where human expertise is scarce

For Attackers

The same tooling accessible to security researchers is accessible to threat actors:

Nation-state actors — already applying AI to vulnerability research at scale
Ransomware groups — purchasing AI-discovered zero-days from brokers
Script kiddies — lower barrier to finding exploitable bugs in popular software
Supply chain attackers — AI-assisted analysis of OSS dependencies for hidden flaws

For the Vulnerability Ecosystem

StakeholderImpact
Bug bounty huntersAI-assisted triage dramatically increases throughput
Vulnerability brokersSupply of zero-days may increase, potentially affecting pricing
Patch teamsFaster disclosure cycles require faster patch development
CISOsAI-discovered vulns require AI-assisted patch prioritization

Technical Limitations and Caveats

Intruder's system is not a "fire and forget" zero-day generator — several caveats apply:

  1. False positives — LLMs flag patterns that look suspicious but are not exploitable; human validation is essential
  2. Context gaps — code slices lose surrounding context that may neutralize apparent vulnerabilities
  3. Novel vuln classes — LLMs perform best on known vulnerability patterns; truly novel classes may be missed
  4. Compiled/obfuscated targets — the approach requires source code or decompiled output
  5. Rate limits and cost — large-scale analysis of complex applications consumes significant API tokens

Despite these limitations, the approach represents a genuine leap in the accessibility and scale of automated vulnerability discovery.


What Security Teams Should Do

The vulnerability vending machine concept is a wake-up call for software security practices:

  1. Apply AI to your own code — use LLM-assisted code review in your SDLC before attackers use it against you
  2. Prioritize WordPress and plugin patching — widely deployed CMS plugins are high-value AI-assisted targets
  3. Subscribe to vendor security advisories — AI-discovered disclosures will accelerate as tooling matures
  4. Bug bounty programs — incentivize external researchers to find and responsibly disclose AI-discovered bugs
  5. Threat model AI-assisted attacks — assume motivated attackers are applying similar tooling against your software

References

  • BleepingComputer — We Built a Vulnerability Vending Machine: AI Tokens In, Zero-Days Out
  • Intruder Security Research

Related Reading

  • Researcher Drops New Windows Zero-Day PoC Hours After Microsoft Patch Tuesday
  • AI Agent Uncovers 21 Zero-Days in FFmpeg
#AI Security#Zero-Day#Vulnerability Research#LLM#WordPress#Automated Vulnerability Discovery#Intruder

Related Articles

Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws

Anthropic's new Project Glasswing initiative uses a preview of its frontier model Claude Mythos to autonomously discover thousands of previously unknown...

6 min read

'Ghostcommit' Hides Prompt Injection in Images to Fool AI Agents and Steal Secrets

Security researchers have demonstrated 'Ghostcommit,' a technique that embeds prompt injection payloads inside PNG images to bypass AI code review tools...

4 min read

JadePuffer: The First Fully Autonomous LLM-Driven Ransomware Attack

Security researchers at Sysdig have documented JadePuffer — an agentic threat actor powered entirely by a large language model that independently...

4 min read
Back to all News