Can Agentic AI Really Find Zero-Days? Ask the Hacker Who Won Pwn2Own Berlin 2026
Chompie: So, it was able to-I kind of just let it go and autonomously verify itself and I said, "Only show me the bugs that you were able to prove are real bugs." And it came back with, with a few and that was my like holy sh [beep] moment. [ Music ]
Johnny Hand: Welcome to "AI Security Brief," where we're unpacking emerging AI threats, vulnerability research, and the strategic decisions security leaders are making right now. I'm Johnny Hand.
Dustin Childs: And I'm Dustin Childs. I was recently at Pwn2Own Berlin where we awarded nearly 1.3 million dollars for 47 unique zero-days, and it was great to see all of the researchers there and who was using AI and who wasn't. So, I was able to record this podcast with one of the researchers who did use AI to win a couple of the entries and I had found it just a fascinating conversation.
Johnny Hand: Yeah. Pwn2Own sounded like a blast and I was certainly following all of the social media posts especially from the winners. So, you got to sit down with Chompie, who is a vulnerability researcher and exploit developer who walked away from this competition with two successful entries and over 70,000 dollars, is that right? So, what did you talk about?
Dustin Childs: Yeah, that's correct. So, everyone's arguing whether or not Agentic AI is about to unleash a Vulnpocalypse on us. So, I went straight to someone who's actually using Agentic AI to at Pwn2Own. Chompie used Claude Code to help land a NVIDIA Container Toolkit exploit on day one. And this wasn't a, you know, a prompt to me a zero-day and she walked away. She goes through how she had to train the AI based on her own skills and experience and how it needed to learn what success actually looked like.
Johnny Hand: Wow. That's incredible. I can't wait to hear how she pulled it off. [ Music ]
Dustin Childs: But you've been at this for a while. I know you career goes back a little bit. When did you first get started in vulnerability research?
Chompie: So, I've been doing like security research I would call it, I guess since-well, I started like learning it in 2017.
Dustin Childs: Okay.
Chompie: And then I shifted to like VR, exploit development like officially around in 2020 during COVID lockdown actually, nothing to do except stay home and learn how to hack.
Dustin Childs: That's awesome. So, obviously we're here at Pwn2Own Berlin 2026 record. As we record this, you've had two successful entries winning 70,000 dollars. So, congratulations for that. I want to start by talking about your entry in the NV Container Toolkit, because that was-first of all it was day one, so it was great to see and it was the first one that we saw, but then you Tweeted later that you had a subscription for a month of Claude Code Max and that was a pretty good investment. Talk to me about how you used Agentic AI to help you find this bug or what you did with Claude Code Max, how did it help?
Chompie: Yeah. Yeah. That Tweet got some people up in arms, but it wasn't just that I had like typed into Claude like find, like "Claude find me 0-day, make no mistake."
Dustin Childs: Right.
Chompie: But it also wasn't that complex either. So, I had-I had been playing around with AI for a little bit, but not Claude Code in particular and not like Opus 4.6 that came out I think at the end of February, kind of marked a big shift in at least public frontier model capability.
Dustin Childs: Right.
Chompie: And so, I was kind of curious about that. And as kind of an experiment, I decided to point it to a code base that I knew pretty well, I mean not-it's a huge code base.
Dustin Childs: Right.
Chompie: There's a lot of attack surface there.
Dustin Childs: Yeah.
Chompie: I had looked at it before and I knew that it certainly had some problems, so I kind of had that Spidey sense about it. And I had seen like some of my peers and have some success with Claude Code, so I said "Why not?" Actually, I started out with testing its exploitation skills.
Dustin Childs: Okay.
Chompie: Because there was a lot of discourse on, you know, whether AI could, you know, autonomously generate exploits.
Dustin Childs: Right.
Chompie: So, I put it to the test. I tried to have it write an exploit for a bug that I had an exploit for, but not, not anything public. And it was kind of a tough, tough bug to exploit, a race condition, your favorite.
Dustin Childs: Yes, my favorite race conditions.
Chompie: Yeah. And I thought, like well if we're really cooked then it will be able to do that.
Dustin Childs: Okay.
Chompie: So, I kind of just unleashed it on that, and it failed pretty miserably. It didn't-it didn't do well. Like, I think that if I had-I decided to not have like help it at all, just to see what it could do on its own. And I was pretty impressed on how far it got by itself, but it didn't-it didn't make it. And the next thing I decided to do was have it, you know, have it do some VR against a codebase venue probably had vulnerabilities. And so, what I did was kind of what I had seen other people say they did, which is, you know, generate skills that kind of mirror my own process and vulnerability research, so I kind of had like distinct skills for different bug classes and I said, "This is how you should look for this type of bug class and these are the patterns that you should look for," and pointed out the codebase, and just looked at what it brought back. And I had-that had kind of had mixed results, but once I started setting it up with some way to some oracle and some way for it to check itself, that's when I really saw a big.
Dustin Childs: Thing.
Chompie: A big return. So, it was able to-I kind of just let it go and autonomously verify itself. And I said, "Only show me the-the bugs that you were able to prove are real bugs." And it came back with-with a few. And that was my like holy sh*t [beep] moment.
Dustin Childs: So, there's been a lot of talk publically about Agentic AI finding vulnerabilities in the Vulnpocalypse. You clearly used Agentic AI to assist in finding a vulnerability, but do you think we are on the edge of a Vulnpocalypse?
Chompie: I don't know. I mean, what would you classify as Vulnpocalypse? Certainly, I think it's outpacing the ability for vendors to patch.
Dustin Childs: Okay.
Chompie: I think that we'll probably see some issues with patch-gapping, so.
Dustin Childs: Yeah.
Chompie: That's kind of an area where I like to thrive, you know, our team supports our adversary Simulation Team.
Dustin Childs: Okay.
Chompie: And so, some times what we like to do is patch gap and data exploits. So, using the taking advantage of the time when a vulnerability is like known or publically disclosed and a company will patch their-actually apply those patches. And so, I would expect that time to get a little larger.
Dustin Childs: Yes.
Chompie: Because of that backlog. That can be bad if your security posture is.
Dustin Childs: Right.
Chompie: Not good. So, yes, I would expect to see some-some companies get burnt. But I mean, just because, like that's not going to generate new vulnerabilities.
Dustin Childs: Right.
Chompie: In itself.
Dustin Childs: Okay. Well, let's get back to Pwn2Own for a minute because you had a second success in Red Hat using a privilege escalation and again I'm going to go to your Twitter, because you said "Claude tried to gaslight you," so he was unexploitable. So, walk us through that.
Chompie: Yes, Claude did tell me that it was not exploitable. Or, sorry the term was "not exploitable in practice."
Dustin Childs: Umm-hmm.
Chompie: And you know what, Claude did kind of have a point. It was-it was a tricky one to exploit. I'm going to defend myself here, because I did take-I did-a need the second attempt, but in my defense, so the reason why Claude said that was because it was a very, very small race window.
Dustin Childs: Okay.
Chompie: So, about like 13 instructions [multiple speakers] between, yeah. And so, in within those 13 instructions, you have to like it's a use-after-free. So, you have to reallocate the vulnerable objects and also do a spray, and the spray also had to be cross-cache. So, that needs more than 13-instructions worth of CPU time to-to do. But Claude didn't really know all of the tricks for race window widening. I think that's why Claude said that, but it did seem pretty tricky and I kind of set that bug aside for a little bit and tried to find a better one that was like probably the smart thing to do. But there was something that just kept nagging me and I was like, you know what, "I bet I can pull this off." And, and I did!
Dustin Childs: Yes, you did. So, back to the question on research.
Chompie: Yeah.
Dustin Childs: Is how do you approach something and is it different if you're using Agentic AI versus not?
Chompie: Yeah no, I think the-the process is still like for-I at least my process is still similar. Like, I've always liked to look at multiple targets, multiple attack surfaces. I guess like there's people that specialize in one type of target and they know, and it's a really complex target and they know that target really well. I like to kind of jump around and look at different types of things. And when I'm deciding on what to research, I kind of have, I use what I call like "Spidey sense" in attack surface selection. So, types of things that I'll look for is like complexity.
Dustin Childs: Umm-hmm.
Chompie: And a codebase. It might also be, you know, I'll look at previous vulnerabilities that have been reported in that codebase to try to get a sense of like what could go wrong here?
Dustin Childs: Umm-hmm.
Chompie: And then maybe look for similar attack surfaces that might have those properties, or look for variance of those same things, or look for like variants in of that type of bug class, but in maybe a separate like analogous attack surface or like a different class or something. But usually like they'll have, you know, those properties of like, you know, complex-yeah, like a lot of like assessable attack surface.
Dustin Childs: So, I've heard a lot of people say that there is a big difference between someone like you who's obviously a skilled experienced researcher using Agentic AI versus a complete newbie who just says, "Find me 0-day."
Chompie: Umm-hmm.
Dustin Childs: Is that something you agree with? Is that something you've witnessed?
Chompie: Not yet.
Dustin Childs: Okay.
Chompie: But I do think that it is lowering the bar.
Dustin Childs: Umm-humm.
Chompie: For sure. For sure.
Dustin Childs: Yeah, I think we've seen that as well and I think our first podcast talked about that with Bob McArdle and vibe crime. I still consider this to be the beginning of the AI security time period and I go back and my experience, is a little bit longer than yours, which just means I'm older, but I've looked back at certain things and kind of laugh at how we were in that time period. Do you see anything right now that we're going to look back years from now and kind of laugh at that we thought it was important or that we totally missed that? In other words, what are missing in AI security right now or where do you think that we might kind of laugh at ourselves in the future?
Chompie: Yeah, I think-I think the worry about Agentic AI in terms of security, I think the way that people talk about it is almost if-as if like AI is going to generate like 0-days that don't exist. I do think that there is like, you know, the amount of vulnerabilities that are uncovered with AI is asymptotic. So, like-I of course it depends on the target. There's also, you know, a lot of focus now on harnessing.
Dustin Childs: Umm-hmm.
Chompie: And there is a debate on whether harnessing is going to matter once an AI is powerful enough. And then I think that, you know, some startups and some people have gotten burned by investing so much in like harnessing only to kind of get obsoleted by, you know, Anthropic's new product.
Dustin Childs: Right.
Chompie: I don't know. I mean, I think it's hard to distinguish like what is hype in marketing and what's reality. I do definitely think that we are in like at the precipice of a totally new era.
Dustin Childs: Okay.
Chompie: It's going to be different. I mean like, I realize this during that, you know, first month of Claude Code Max where I was like, you know, it would have taken me much longer from start to finish.
Dustin Childs: Okay.
Chompie: You know, had I not had it. And so, I do think that is going to have a lot of implications. Somebody like made a joke to me today about like, if I had-if I would consider a career in like AI-AI goal coach or something.
Dustin Childs: Yeah.
Chompie: And I laughed at that, but also I think like my job is becoming more and more kind of that, right?
Dustin Childs: Okay.
Chompie: I think that most people will, you know, will have to use some sort of like AI assistance to keep up. And I think that's like right now, it's a really kind of a sweet spot.
Dustin Childs: Okay.
Chompie: Where if you have security research experience your productivity can, you know, multiply itself many times.
Dustin Childs: Right.
Chompie: And I've been having a lot of fun. Like it's almost like, like when I first started hacking.
Dustin Childs: Yes.
Chompie: And I hope that it continues feeling that way. But I know everybody is a little bit nervous.
Dustin Childs: Yes.
Chompie: I think we're all a little on edge, because nobody knows what the capabilities are going to be 2 or 3 years from now. I think I got quoted on the record when I spoke at Ekoparty last year in October 2025. And Federico who runs Ekoparty asked me also on a podcast, if you know on like "AGI exploitation, was it on the horizon?" And I said, "Not for at least 5 years."
Dustin Childs: Okay.
Chompie: And then obviously since then a lot has changed and he kind of joked and he said like, "Do you still think we have 5 years?" I said, "Well, we're still not there yet, but maybe I don't know, maybe it's like 2." I don't think anybody really knows, but certainly the capabil-like the progression of the models definitely has outpaced way more than anyone.
Dustin Childs: Okay.
Chompie: Expected.
Dustin Childs: Right. So, one final question, because we're kind of pushing on time here and I want to be conscious of your time too, but this one is a really open-ended one and really big picture. So, you're in charge of the world and you can get one commitment from every developer, so every AI developer industry-wide, what would that commitment be?
Chompie: Oh, gosh that's a-that's a hard question. What's your answer? Do you have one?
Dustin Childs: Do no evil. I go back to that.
Chompie: Yeah.
Dustin Childs: It's kind of, you know, that would be my answer is, make sure you're using this for the good of mankind, because I can't them to commit on anything else.
Chompie: On that note, yeah. I mean, I-I'll maybe just copy your answer and edit it a little bit. And say, like yeah, I mean you know focus the progress on improving humanity and life for humans, yeah, like overall. Like I think when people react or people's negative reaction about AI, I think, is rooted in fear.
Dustin Childs: Umm-hmm.
Chompie: Fear that it's going to eventually just make life worse for them.
Dustin Childs: Right.
Chompie: And I think that we could all evolve as a human race if we collectively decide that, you know, this huge like innovation in technology we can use it to improve all of our lives.
Dustin Childs: Right. Well, Chompie thank you so much for your time. It was great seeing you again. You always bring great research of Pwn2Own and I wish you the best of luck in the future.
Chompie: Thank you. Thanks for having me. [ Music ]
Johnny Hand: Wow. That was a phenomenal interview and I love that a skilled researcher plus Agentic AI can be an actual force multiplier, and there was nuance to the way that she showed AI failed badly when it was asked to autonomously exploit a hard race condition on its own, but then it excelled once it had the right skills to check itself. Yeah, and that's the thing. Agentic AI isn't conjuring vulnerabilities out of thin air, and Chompie really showed that you take a skilled researcher with this and it really lowers the bar and it multiplies productivity. Researchers who already know what they're doing, but if you're an unskilled researcher, we used to call you a "script kiddie." These days we just call you a Claude cadet [assumed spelling].
Dustin Childs: I love that. We're going to have to coin the Claude cadet for all of our listeners. One of the key takeaways I want for our security leaders to think about is, you know, often times most of our negative reactions to AI are actually rooted in fear of AI replacing humans. And as Chompie showed, the model didn't replace her, it multiplied her output. It allowed her to move faster. It allowed her to train the skills needed so that it wouldn't take as long to find the exploits, and that was something that really helped her win those two conditions.
Johnny Hand: Yeah, and thanks to Chompie for sharing her research with us and her honest takes from the disclosure room. So, you can see our show notes on links of how to connect to Chompie. You can also find the links to Pwn2Own results and other resources to help you navigate the vulnerability exposure in the AI era.
Dustin Childs: And that does it for another episode of "AI Security Brief." We want to thank you for joining us. Our goal is to host conversations that get you thinking differently about security. And if it does, please consider subscribing so you don't miss what's next.
Johnny Hand: "AI Security Brief" is mixed and produced by Elliott Peltzman with original music by Amneajynx. Our executive producer is Jennifer Eiben with content strategy by Ma'ayan Plaut and Melanie Galant. Additional production help by Liz Stokes. Video editing by Sarelle Joppy and Bridgitte Criqui Wild.
Dustin Childs: Thanks so much for listening and we'll see you next time on the "AI Security Brief." [ Music ]
