For much of my computer science career, I viewed software vulnerability detection as a craft. The best researchers combine technical skill with intuition: the ability to know whether a software bug was a minor bug or a sign of a more serious vulnerability. For decades, machines found bugs and humans decided which ones mattered. Now,
For much of my computer science career, I viewed software vulnerability detection as a craft. The best researchers combine technical skill with intuition: the ability to know whether a software bug was a minor bug or a sign of a more serious vulnerability. For decades, machines found bugs and humans decided which ones mattered. Now, with the advancement of artificial intelligence, that will change dramatically.
My research has primarily focused on creating better fuzzers: automated tools that bombard software with millions of unexpected inputs to discover bugs. Generating crash reports (detailed files recording crashes) was rarely the hard part. The real challenge came later. Someone still had to investigate each bug, determine if it was exploitable, decide if it warranted disclosure, and figure out how to fix it.

The uncritical adoption of AI in science is alarming: we urgently need guardrails
But AI is causing a radical change in the way cybersecurity operates, turning vulnerability research into a scalable process driven by models, training data and computing power.
There are immense challenges as we travel this path. Here, I sketch the contours of the emerging landscape and pose the open challenges.
AI systems can now do much more than generate code. Models that can reason, use tools, and run experiments are increasingly capable of evaluating software failures, identifying root causes, evaluating exploitability, and even proposing solutions.
AI can review code that would otherwise go unexamined and shorten the path from bug discovery to a tested solution. Earlier this year, Mozilla, a technology company based in San Francisco, California, used a cutting-edge artificial intelligence model to discover and patch 271 vulnerabilities in its Firefox browser for the release of a single version, many more than its existing tools and reviewers had found each month for the previous year.

AI is transforming the economy: understanding its impact requires data and imagination
The sheer volume of vulnerability reporting enabled by AI is testing the review capabilities of even experienced developers. The Linux kernel, the core open source software that underpins many computer systems, relies on people to report bugs. But in May 2026, the team that maintains the Linux kernel responded to a wave of AI-assisted duplicate reports by clarifying how those findings should be presented. The lesson is not that software maintainers are failing, but that machine-generated reports can easily overwhelm processes built for a world where vulnerabilities are discovered at human speed.
For more tech updates, stay tuned to our blog.















