A few weeks Previously, I watched a small group of AI agents spend about 10 minutes trying to get into my brand new Vibe coded website.
AI agents developed by startup Runsybil jointly explored my bad website to identify weaknesses. A orchestration agent called Sybil oversees several more professional agents powered by custom language models and ready-made API combinations.
Although conventional vulnerability scanners detect detectors for specific known problems, Sybil can use artificial intuition to figure out weaknesses. For example, it might be figuring out that the guest user has privileged access (things that a regular scanner might miss) and use it to build the attack.
Ariel Herbert-Voss, CEO and co-founder of Runsybil, said that an increasingly capable AI model could revolutionize offensive and defensive cybersecurity. “I think we’re definitely on the cusp of a technological explosion, in terms of the ability that bad and good actors can take advantage of,” Herbert-Voss told me. “Our mission is to build next-generation offensive safety tests to help everyone keep up.”
The website Sybil targets is a website I recently created using Claude Code to help me categorize through new AI research papers. The website I call arxiv slurper consists of backend servers that visit Arxiv (most AI research), along with a few other resources, combed through paper summary “novel”, “first”, “surprising”, “surprising” and some technical terms that I’m interested in progressive work. But I have limited some issues and some issues that attract some issues, and some issues that bother some issues, even if I have troubled some issues, I can even use some issues. hand.
However, a key problem with a website with this kind of atmosphere is that it is difficult to know what security vulnerabilities you may have introduced. So when I talked to Herbert-Voss about Sybil, I decided to ask if it could test if my new website had weaknesses. Thankfully, Sybil has not found any vulnerabilities just because my website is very basic.
Herbert-Voss says most vulnerabilities tend to be the result of more complex features such as forms, plugins, and encryption capabilities. We watched the same agency try to explore a virtual e-commerce website with known vulnerabilities owned by Herbert-Voss. Sybil builds a map of the application and how it accesses it, detects weaknesses by manipulating parameters and testing edge cases, then links discoveries together, tests hypotheses and upgrades until it breaks something meaningful. In this case, it does determine how a hacker hacks the website. Unlike humans, Herbert-Voss says Sybil runs thousands of such processes in parallel, without missing out on details and not stopping. “The result is to behave like an experienced attacker, but operate with the precision and proportion of the machine,” he said.
“AI-driven pen testing is a promising direction that can bring significant benefits to defense systems,” said Lujo Bauer, a computer scientist at Carnegie Mellon University (CMU). Bauer recently co-authored a study with others at CMU and researchers at AI Company Anthropic to explore the hopes of AI penetration testing. The researchers found that state-of-the-art business models could not perform cyber attacks, but developed a system that sets advanced goals, such as scanning the network or infecting the host, which allowed them to perform penetration testing.
