Finding Large Bounties with Large Language Models – Nico Waisman – ASW #351
Software has forever had flaws and humans have forever been finding and fixing them. With LLMs generating code, appsec has also been trying to determine how well LLMs can find flaws. Nico Waisman talks about XBOW's LLM-based pentesting, how it climbed a bug bounty leaderboard, how it uses feedback loops for better pentests, and how they handle (and even welcome!) hallucinations.
In the news, using LLMs to find flaws, directory traversal in an MCP, another resource for learning cloud and AI security, spreadsheets and appsec, and more!
Nicolas Waisman is currently the Chief Security Officer at XBOW, leading the development of offensive capabilities to the first autonomous AI autonomous penetration tester product. Before joining XBOW, Nico served as Chief Information Security Officer at Lyft, where he led the information security and privacy programs responsible for the company’s cybersecurity posture and the protection of customers’ personal information.
Nico has more than 20 years in the security industry, previously held security leadership roles at GitHub, Semmle, Cyxtera, and Immunity. Nico is a recognized security expert and has taught governments and commercial sector students from all over the world in both private and public classroom settings, presenting some of his research at conferences such as Black Hat, Pacsec, Syscan, Ekoparty, and many others.
He had been involved in all the different aspects of his past successful business, from recruiting and team building, to product conception, design and engineering along with running and managing a successful consulting team. Nicolas was one of the driving forces involved in the acquisition of Immunity by Cyxtera Technologies in 2018.
Don't miss InfoSec World 2025 — October 27 to 29 at Disney’s Coronado Springs Resort! Cybersecurity pros, workshops before and after, and endless networking. Save 25% with code ISW25-SW at securityweekly.com/ISW2025!
Mike Shema
- Hacking with AI SASTs: An overview of ‘AI Security Engineers’ / ‘LLM Security Scanners’ for Penetration Testers and Security Teams | Joshua.Hu
- A Directory Traversal Vulnerability I found in Mastra AI Frameworks MCP Server
- oss-security – Re: Linux kernel: eBPF vulnerabilities
- How I maintain release notes for curl | daniel.haxx.se
- Introducing zeroday.cloud: Cloud and AI Hacking Event | Wiz Blog
- FUN: The Microsoft Excel superstars throw down in Vegas
There's the famous business observation of, "This meeting could have been an email."
For a SaaS vendor, one of the biggest challenges to making inroads to a company is trying to replace the spreadsheet that solves the same problem you do. The last thing you want is for someone to say, "This vendor could have been a spreadsheet."
And lots of appsec relies on spreadsheets! From asset inventories to checklists to compliance crosswalks and more.
So here's how to find where the truly expert spreadsheet engineers are. There's also a college division. And all of this is building towards the Excel World Championship in December.
