vuln·telToolsField notesGet a key

The bottleneck for AI security agents isn't reasoning

Every week there's another demo of an AI agent "autonomously finding critical vulnerabilities." Having spent real time pointing agents at real bug-bounty targets, I want to offer a less exciting but more useful picture of what actually happens. The leverage is not where the hype points.

Start with the honest ceiling, because it reframes everything. Point a capable agent at a mature target and it does something genuinely impressive: it reasons by analogy, transfers a known attack mechanism, and aims at a precise, non-obvious seam faster than most people would. And then, on a live target, it hands off. The paying vulnerabilities (account takeover, payment logic, broken access control) live behind an authenticated session, a real phone, a WAF, a browser the sandbox doesn't have. The agent sharpens the strike to one concrete action; a human still pulls the trigger. Anyone claiming their agent autonomously lands criticals on hardened production is either hitting soft targets or not looking closely at the last mile.

That ceiling is not a model-quality problem. Bigger models don't cross it; it's an environment boundary. Which is the first clue that "make the model smarter" aims at the wrong thing.

When we watched where agents actually lose, two failures showed up repeatedly, and neither is reasoning.

First, they have no memory of their own hunt. A fresh session re-walks dead ends the last one already cleared, re-tries the vector already proven impossible, loses the one thread that mattered under a pile of things that didn't. Every session starts from zero, so the work never compounds.

Second, they drift, and they overclaim. Left alone, an agent wanders off the highest-value thread onto whatever is shiny. Worse, it declares victory on things that aren't real. A generative system rewarded for finding bugs will hallucinate bugs. We caught our own agent writing "CONFIRMED" on a finding the very next verification step refuted.

Neither is fixed by a smarter model. They're fixed by memory and discipline.

So we built a persistent, per-target memory the agent reads before each move. The obvious thing to store is what worked. The valuable thing, it turned out, is what didn't.

No public vulnerability database contains failures. Every disclosed report, every CVE, is a success someone chose to publish. But the most expensive knowledge in a real hunt is the negative space: this vector is dead, here is the exact check that proves it, here is what would reopen it. A wall, recorded with its decisive check, is worth as much as a lead, because it tells you where not to spend a scarce testing budget. Store the walls and a fresh session stops re-walking them. That one change, remembering failure, moved the needle more than any prompt tweak.

The second thing a memory surfaces is the chokepoint. Lay a target's findings out as a graph and a pattern falls out: often every high-value bug depends on one thing, a single credential, a single trust assumption. Draw that dependency explicitly and a pile of "parked, needs more access" leads collapses into one node: crack this, and the whole backlog opens. People find this too, eventually. A memory that draws the dependency graph finds it on purpose.

Memory handles "don't re-walk." Discipline handles "don't hallucinate." The rule we ended up living by: a claim of success is a hypothesis to falsify, not a result. Attach every confident claim to the cheapest check that would kill it if it's wrong, and run that check before the claim counts, ideally with something that has no stake in the answer being yes.

The subtle part is that the phantom judgment relocates. Secure the finding and it moves to "is this bug class even valid here." Secure that and it moves to the decisive gate. Secure that and it hides in your own confidence number. We once scored our own go/no-go metric at 85%, because we had a stake in building the thing; a disinterested rater with a strict rubric scored the same evidence at 60% and flipped the decision. You don't eliminate that bias. You keep attaching the next-cheapest check, one layer deeper, each time.

And you run one unit of work at a time and evaluate it before the next. Not because parallelism is impossible, but because the evaluate-and-verify step is the whole point. A swarm loses the gate that keeps errors from compounding.

We didn't set out to build any of this. We started convinced the edge was a big corpus of attack knowledge, the "brain." It wasn't; the model already reasons fine. The edge turned out to be the two unglamorous things around the reasoning: a memory that remembers your dead ends, and a discipline that refuses to let a clever idea become a fabricated result. The corpus still matters, but as a library you borrow proven techniques from, not as the intelligence.

So here's the framing I think is actually useful: this is a force-multiplier for a disciplined operator, not an autonomous finder. It aims the strike, remembers the ground, and keeps the operator honest. It does not grant the bug, and it hands off at the exploitation boundary, on purpose.

That's a less thrilling story than "the AI hacks by itself." It's also the true one, and the one that compounds.


The memory-and-discipline loop in this piece is operationalized in the bug-hunting skill and the MCP playbook (both MIT-licensed and public), which drive the vulntel MCP. Related field notes: why you can't turn a pull-based MCP into a push model, the same conclusion from the protocol side; how to catch AI-hallucinated CVEs, the verification discipline as a tool; and eight experiments on whether a corpus can make an LLM a better bug hunter, the corpus-as-brain thesis tested.