1,600 vulnerabilities is the number that turns Chompie’s warning from a personal anxiety into a market signal: Anthropic says Claude Mythos has found that many flaws across hundreds of software programs, according to BBC Tech.
That claim sits beside a very human scene from Pwn2Own Berlin. Valentina Palmiotti, better known as Chompie, was the most successful individual at the annual hacking competition. She won $20,000 for hacking a system linked to Nvidia, then worked from 6pm until 6am before landing another $50,000 by hacking a Linux-based system.
Her warning is not that AI will end ethical hacking tomorrow. It is sharper than that. The work that made elite hackers scarce — testing ideas, probing code paths, drafting exploit logic, and grinding through failure — is becoming software-assisted. MLXIO analysis: if enough of that workflow gets automated, the value of human-only speed gets repriced.
1,600 reported vulnerabilities put human speed under pressure
Chompie told the BBC that AI tools are helping her win bug bounties today. She uses tools like Claude Code to work faster in competitions and in her job as a security researcher for IBM X-Force. That detail matters because the disruption is not theoretical. The top tier is already using AI.
“I competed in Pwn2Own this year because I thought it might be my last chance,” she explained.
She framed the current moment as a “sweet spot” where AI still acts as an aid. But she expects that to change with systems like Claude Mythos and GPT 5.5 Cyber.
“That isn't to say that I think that there's going to be no room for security research or ethical hacking, but I think that a lot of the lower-hanging fruit will start to go away.”
That is the core economic shift. AI does not need to replace an entire hacker to change the market. It only needs to replace enough of the repeatable work to make more people competitive, push routine findings down in value, and force elite researchers toward harder bugs.
This also connects to a broader coding-risk theme we have tracked in “Claude Code Exposes the New Coding Risk: Blind Trust”: AI can accelerate expert work, but it also raises the cost of bad validation.
$1.3m in prizes shows why automation is financially attractive
Pwn2Own is run by the Zero Day Initiative and asks ethical hackers to find vulnerabilities in specific products. This year, hackers collectively discovered 47 brand-new hacking methods across programs, websites, and software. Nearly $1.3m (£970,000) was awarded.
Those numbers explain why AI-assisted vulnerability discovery is not just a lab curiosity. There is direct money attached to speed, novelty, and proof. Chompie’s own competition rhythm shows the pressure: win once, run back to the hotel, work all night, present again.
“As soon as I won the first prize I ran back to my hotel room to keep working on the other one. I worked from 6pm til 6am and didn't sleep,” she said.
She called that state “zombie hacker mode” — hours of research and testing, powered by energy drinks and adrenaline.
“It's not healthy,” she laughed.
MLXIO analysis: AI changes the math inside that exhaustion. If an assistant cuts the time spent on code review, test generation, exploit drafting, or triage, the same researcher can attempt more paths. The same also applies to less experienced researchers, which may increase competition for lower-complexity bugs.
The upside is real. The flaws found at Pwn2Own were reported to companies so they can fix them before criminals find the same holes. Faster discovery can mean faster defense. But the market effect is uneven: common bugs become less scarce, while complex exploit chains become more valuable.
From all-night hacking to AI-assisted exploit chains
Cybersecurity has seen automation before. Static analysis, fuzzing, scanners, and code-review tools already changed what counted as elite work. They did not eliminate top hackers. They pushed them toward deeper systems knowledge, exploit chaining, and the judgment to separate a real vulnerability from noise.
Mythos-style systems appear different because they combine more of the workflow into one interface. The BBC reports that Anthropic views Mythos as potentially dangerous enough that it can only be released to a select few governments and cybersecurity institutions. That is not how ordinary developer tooling is treated.
Chompie’s concern is that “good or great” hackers may not be enough in this next phase. She pointed to Orange Tsai, another major Pwn2Own winner, as the kind of researcher likely to remain at the top. His team won $375,000 (£278,000) in Berlin by finding extremely complex hacking pathways.
Orange Tsai is less pessimistic.
“For me, AI feels more like a really awesome assistant that helps accelerate my research workflow,” he said.
He added:
“During research I usually come up with many interesting ideas, but unfortunately I still need to sleep, so I can't test everything one by one. AI can finally help free my hands.”
That is the split. Chompie sees a market squeeze. Orange Tsai sees a research multiplier. Both can be true.
The winners and losers will not feel Mythos-style AI equally
| Stakeholder | Near-term benefit | Pressure point |
|---|---|---|
| Elite ethical hackers | Faster testing and more research paths | Harder to stand out on easier bugs |
| Software vendors | Earlier discovery of flaws | More reports to validate |
| Security teams | AI-assisted triage and testing | Need rules for code access and proof-of-concept handling |
| Attackers | Potential acceleration if tools leak or are copied | Existing attacks still often rely on simpler methods |
The BBC notes that criminals are already using AI to speed up attacks and, in some cases, create new pathways into systems. But it also reports that the vast majority of cyber-attacks still use long-established methods, including phishing and social engineering.
That distinction matters. Mythos-style AI may raise the ceiling for advanced offensive work, but much cybercrime does not require novel zero-days. The risk is not that every attacker suddenly becomes Orange Tsai. The risk is that more actors can automate parts of a workflow that once required deep training.
Chompie’s own conclusion is more optimistic for defenders than her career warning might suggest.
“I think that the tide is turning against offensive hackers. I think defence stands to gain a lot from this capability,” she said.
Her condition is access. The strongest tools need to reach defenders first so they can find and patch holes before criminals do.
This is also why Anthropic’s handling of Claude matters beyond one model. The company’s broader AI race has drawn scrutiny across research and product lines, including MLXIO’s coverage in “Anthropic Grabs Andrej Karpathy for Claude AI Race”.
Security teams now need policies for AI-generated exploits
For CISOs and security leads, the practical issue is governance. If AI tools can produce vulnerability claims or exploit paths, teams need rules for how those outputs are tested, stored, and disclosed.
Validation becomes central. Organizations cannot blindly accept AI-generated exploit claims. False positives, incomplete proofs, unsafe proof-of-concept code, or mishandled sensitive code can create new operational risk.
Developers may also see secure coding shift from periodic audits toward continuous adversarial testing. That does not mean every AI alert deserves equal urgency. It means teams will need better filters, stronger reproduction standards, and clearer escalation paths.
Aspiring ethical hackers face a harder apprenticeship curve. Basic vulnerability hunting may become less valuable if AI can surface routine flaws quickly. Skills that should hold value include systems thinking, exploit chaining, tool supervision, AI prompt strategy, verification, and responsible disclosure.
MLXIO analysis: the human edge moves from “I can find the bug” to “I can decide which bug matters, prove impact safely, and understand the chain better than the model.”
The next Pwn2Own prize table will test Chompie’s thesis
Chompie’s warning is not really about one champion hacker losing work. It is about offensive capability becoming more abundant while judgment stays scarce.
If AI keeps improving, bug bounty markets and competitions may stratify. Routine findings could become cheaper and faster to generate. Complex chains, unusual systems, and high-impact vulnerabilities may remain premium work for the best researchers.
The evidence to watch is concrete: whether future Pwn2Own contests show more AI-assisted wins, whether prize money concentrates among researchers who can direct AI best, and whether vendors tighten rules around AI-generated submissions.
If humans keep finding the hardest paths that models miss, Orange Tsai’s view gains weight. If lower-hanging bugs disappear faster and more researchers struggle to compete, Chompie’s “last chance” warning will look less dramatic — and more like an early read on where ethical hacking is headed.
Impact Analysis
- AI tools finding 1,600 vulnerabilities signal a major shift in cybersecurity labor markets.
- Elite hackers are already using AI, showing the disruption is happening inside the profession now.
- If AI automates lower-level exploit work, bug bounty economics and security research careers could change quickly.










