Introduction to AI and Bug Bounty
AI has been widely adopted by both cybersecurity attackers and defenders, with models like Anthropic's Claude Mythos promising to be even more disruptive to the existing bug bounty and in-house offensive security industries.
AI has proven to be a force multiplier rather than a replacement for human roles, but Mythos threatens to alter this balance, with the potential to find thousands of zero-day vulnerabilities.
The Evolution of Bug Bounty Programs
Bug bounties and pentesting are in a state of flux: the concept of bug bounties has expanded since the 1990s, and bug-bounty platforms like HackerOne and Bugcrowd arrived in 2012.
The history of bug bounties shows a consistent combination of expansion with an increasing use of automation and artificial intelligence, which brings us to today.
Bug Bounty Today
Cassim Khouani, a top 30 hacker on YesWeHack, wrote about the state of bug bounty in 2026, describing the use of AI to aid discovery, but also the side effects of AI-assisted submissions, including slower triage and payments.
Companies paying bounties are also suffering from poor quality bug reports, and some are stepping back from bug bounty programs, while others are increasing their rewards or changing their policies.
Mythos Discovering Vulnerabilities
Anthropic's Claude Mythos reportedly performs better than any other AI model in finding zero-day bugs, with the potential to identify thousands of vulnerabilities in major operating systems and web browsers.
Anthropic has released Mythos Preview to major software providers, allowing them to find and fix their own vulnerabilities before the model becomes generally available.
The Future of Bug Bounty and Offensive Security
Bug bounty and offensive security are not going away, but both must adapt to a new reality in which AI changes the speed and accuracy of delivery while still requiring human involvement.
Experts counsel that Mythos should be viewed in the historical context of an industry barely 30 years old, and that any advance will seem huge and disruptive while it's happening.
Adaptation, Not Replacement
Chris Payne, VP of forward deployed cyber engineers at Sevii, says that discovery accelerates for everyone, but the real bottleneck has always been investigation and remediation, and that defenders who win will pair agentic AI with strong governance.
Jon David, co-founder and MD at NR Labs, agrees that the power of Mythos and future AI will allow attackers to find and exploit vulnerabilities faster, but will also allow defenders to find and patch them before they're public.
The Need for Adaptation
Evolving AI increases the speed of discovery and decreases the time to exploitation, and Kara Sprague, CEO at HackerOne, points out that the gap between discovery and remediation is the key constraint.
Bounty platforms are already strained by the number of bugs being discovered, and corporations are unable to keep pace with their existing patching workload, so they need the ability to prioritize high-severity bugs over low-value ones.
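As an added illustration of the prioritization problem described above (example code written for this page, not part of the SecurityWeek article and not any platform's actual triage logic), the block below ranks a flood of incoming reports by severity and asset exposure and flags near-duplicate submissions on the same asset, so that repeated or low-value reports do not consume analyst time. The scoring weights, the duplicate threshold and the sample reports are all assumptions constructed for the example.

```python
"""Minimal triage queue for a vulnerability-management team that receives
more reports than it can act on. Added example: weights, threshold and
sample data are assumptions, not values from the article."""
from dataclasses import dataclass
import re

# Assumed weights: severity times exposure gives the base priority.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
EXPOSURE_WEIGHT = {"internet": 3, "partner": 2, "internal": 1}
POC_BONUS = 2  # a reproducible proof of concept saves investigation time


@dataclass
class Report:
    report_id: str
    title: str
    severity: str
    asset: str
    exposure: str
    has_poc: bool


def normalize_title(title):
    """Lowercase, drop punctuation and collapse whitespace for comparison."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", title.lower()).split())


def token_similarity(a, b):
    """Jaccard similarity of the word sets of two titles (0.0 to 1.0)."""
    sa, sb = set(normalize_title(a).split()), set(normalize_title(b).split())
    if not sa or not sb:
        return 0.0
    return len(sa & sb) / len(sa | sb)


def score(report):
    """Higher score means the report should be investigated first."""
    base = (SEVERITY_WEIGHT.get(report.severity.lower(), 0)
            * EXPOSURE_WEIGHT.get(report.exposure.lower(), 0))
    return base + (POC_BONUS if report.has_poc else 0)


def triage(reports, dup_threshold=0.6):
    """Return (accepted, duplicates).

    accepted: reports ordered by descending score.
    duplicates: maps a report id to the id of the higher-ranked report on
    the same asset whose title it closely resembles.
    """
    ranked = sorted(reports, key=score, reverse=True)
    accepted, duplicates = [], {}
    for r in ranked:
        match = next((a for a in accepted
                      if a.asset == r.asset
                      and token_similarity(a.title, r.title) >= dup_threshold),
                     None)
        if match is not None:
            duplicates[r.report_id] = match.report_id
        else:
            accepted.append(r)
    return accepted, duplicates


# Constructed sample inbox: assets and findings are invented for the example.
SAMPLE_REPORTS = [
    Report("R1", "SQL injection in /api/search parameter q",
           "high", "shop-web", "internet", True),
    Report("R2", "SQLi in search api parameter q",
           "high", "shop-web", "internet", False),
    Report("R3", "Missing X-Frame-Options header on login page",
           "low", "shop-web", "internet", False),
    Report("R4", "Stored XSS in admin comment field",
           "critical", "intranet-wiki", "internal", True),
    Report("R5", "Verbose error page exposes stack trace",
           "medium", "partner-portal", "partner", False),
]


def run_sample():
    """Triage the constructed inbox; returns (ordered ids, duplicate map)."""
    accepted, duplicates = triage(SAMPLE_REPORTS)
    return [r.report_id for r in accepted], duplicates


if __name__ == "__main__":
    order, dups = run_sample()
    for rid in order:
        rep = next(r for r in SAMPLE_REPORTS if r.report_id == rid)
        print(f"{rid} score={score(rep):2d} {rep.severity:8s} {rep.title}")
    print("duplicates:", dups)
```

The ordering shows why a flat "count of bugs" view is misleading: an internet-facing high-severity finding with a proof of concept outranks an internal critical without exposure, and the near-duplicate R2 is linked to R1 rather than opened as a second ticket. A real program would replace the token comparison with its own deduplication rules and feed the accepted queue into remediation SLAs.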
The Longer View
Corporate vulnerability management will need to adapt to the new reality of AI-driven bug discovery, with a focus on prioritizing high-severity bugs and incentivizing remediation.
As AI models like Mythos continue to evolve, the bug bounty and in-house offensive security industries will need to adapt to stay relevant, with a focus on human expertise and governance to pair with agentic AI.
Source: SecurityWeek