On the Coming Industrialisation of Exploit Generation with LLMs (sean.heelan.io)

A recent experiment utilizing Opus 4.5 and GPT-5.2 demonstrated LLMs' capabilities in generating over 40 distinct exploits for a zero-day vulnerability in QuickJS, a JavaScript interpreter. The agents tackled various security challenges—including modern exploit mitigations—successfully completing most tasks in under an hour, with GPT-5.2 solving all scenarios and Opus 4.5 nearly as successful. This experiment suggests a shift toward the industrialization of offensive cybersecurity, where the generation of exploits will likely be limited by token throughput rather than the number of human hackers employed. The implications of this research are profound for the AI/ML community, indicating that LLMs could automate parts of cybersecurity with significant efficiency. Unlike traditional methods relying predominantly on human intuition and creativity, these models demonstrate the capacity to search solution spaces autonomously and verify results without human intervention. Key findings also highlight that while the exploits generated take advantage of known flaws in security mechanisms, the models' approach to building exploit chains offers a novel perspective on automated offensive tactics. As LLMs improve, the automation of exploit development may redefine security paradigms, urging stakeholders to prepare for a future where token expenditure becomes central to cybersecurity operations.