This talk starts from a failure. As a long time blue team practitioner with no vulnerability research background, I tried to use OpenAI Codex to find a real-world RCE that had just dropped—and got absolutely nowhere. What followed was confusion, false positives, and confidently wrong model output. But once I stopped treating Codex like a one-shot bug oracle and started using it as a deeply opinionated debugging assistant, things began to click.

The session walks through how I used “vibes” to find vulnerabilities: from being the annoying kid in the back seat asking “why?” a hundred times, to forcing the model to reason more deeply about code paths, assumptions, and edge cases until something real fell out. I'll walk through the pain and the pleasure of using LLMs for vulnerability discovery, including how this approach led to real findings across projects like React, Node, Ollama, Tethers Password manager, wordpress, supabase, etc.

We'll talk candidly about where models get stuck, how to work around refusals, why the dumbest ideas sometimes work best, and just how creative—and unhinged—you can get when you stop trusting the model and start interrogating it. I'll also show how this fundamentally changes offensive capability and why it feels like red teams are about to get a serious advantage.

The talk closes with a sober look at the current limitations, the risks, and the broader impact on the security community. The goal isn't to teach exploit development, but to show that with basic debugging skills and the right guardrails, AI can meaningfully assist in finding real vulnerabilities—and dramatically lower the barrier to entry for vulnerability research.