Finding Zero Days with any model? (www.provos.org)

Recent research challenges the narrative that only advanced AI models like Anthropic's Mythos Preview can uncover novel vulnerabilities, showing that these capabilities also exist in commercial models when harnessed effectively. Using the open-source IronCurtain framework, the researcher developed a specialized workflow that enabled the detection of new zero-day vulnerabilities in foundational software with models such as Opus 4.6 and Z.AI's GLM 5.1. The workflow's orchestration is managed by a central agent, which strategizes vulnerability discovery without directly analyzing source code, relying instead on an execution journal. This allows the framework to maintain context while performing tests and shifting gears between different analysis methods, showcasing a significant leap in automated security research. This innovation is crucial for the AI/ML community as it demonstrates how open-source orchestration can empower defenders to autonomously find vulnerabilities, even in environments previously deemed challenging. By replicating a 27-year-old vulnerability in the OpenBSD TCP SACK implementation, the research highlights the potential of commodity models to perform complex vulnerability assessments at scale. The findings suggest that the economics now favor frequent and broad audits of codebases, and emphasize the importance of generating proof-of-concept exploits to reduce false positives in security assessments. Overall, this work not only enhances automated security research but also calls on the community to contribute to the development of tools that enable effective defenses against malicious actors.