How LLMs are changing Bug Bounty: An interview with Rhynorater

June 30, 2026

How are LLMs reshaping Bug Bounty hunting? We spoke to Rhynorater, a hunter and co-host of Critical Thinking, a popular Bug Bounty podcast. The podcast has become a go-to resource for the bug-hunting community, breaking down the latest hacking techniques, tooling and industry shifts – with AI inevitably to the fore in recent weeks and months.

In this interview, Rhynorater shares how one LLM in particular has transformed his workflow, accelerated vulnerability discovery and removed friction from exploitation.

AI toolkit for Bug Bounty

Which AI coding agents or CLI tools are part of your bug bounty workflow, and how do you connect them to recon, code review, PoC building or report writing?

I make heavy, heavy use of Claude Code. I have a command line alias set up for four panes of tmux'ed Claude Code, which accompany me while I’m doing manual hacking. I also have an autonomous automation environment where Claude Code is constantly trying to attack targets that I've predefined for it. I also use Gemini for quick questions and Cursor as my IDE of choice for its AI integration.

Custom AI skills, agents and workflows

Do you use custom AI skills, prompts, slash commands, agents, or reusable workflows for bug bounty hunting? Which one gives you the biggest advantage?

I use --rc a lot in Claude Code. I have custom skills for hacking, caido-mode, JS analysis, infrastructure as code, that sort of thing. I also have implemented a validator agent, which reduces false positives.

Best LLM for Bug Bounty

Which LLM do you trust most for bug bounty work today, and what does it do better than the others?

Claude by a long shot. It is just way better than everything else. I have heard positive things about Codex models recently.

Best LLM-assisted bug find

What is the most interesting vulnerability or valid lead an LLM helped you find, and how did you go from AI suggestion to confirmed impact?

Using Claude Code, I was able to get XSS on www.redacted.com (one of the most well-known domains). It's one of the crowning jewels of my career, and I was so hype when I found it. In this scenario, AI really helped me with the nuts and bolts of exploiting a pretty complex protobuf binary format.

AI impact on Bug Bounty performance

How has AI changed your bug bounty results: speed, signal quality, duplicates, report quality, and accepted findings?

Having a strong conceptual knowledge of Bug Bounty really helps at this point because AI can just remove all friction to implementing attack vectors. For me, it's really increased my speed. The volume of reports has gone up, and I haven't seen a large effect on quality or duplicates.

What we can learn from Rhynorater's approach to using AI for Bug Bounty hunting

Rhynorater has built a highly personalised AI workflow around his own hunting methodology. This comprises four Claude Code panes supporting his manual hacking, autonomous attacks running in the background, custom skills and a validator agent to keep false positives in check.

The result is a setup that reflects his methodology, not a generic AI stack. The XSS find on one of the most recognised domains on the web illustrates the point: unique techniques and methodologies are what expose hidden vulnerabilities. LLMs allow Rhynorater to work faster and at greater volume, but his expertise ensures there is no apparent drop in quality or increase in duplicates.

This balance between automation and human judgement only works because he understands Bug Bounty at a deep level, drawing on years of experience as a hunter. If you’re looking to bring LLMs into your own workflow, Rhynorater's approach is a good model: use AI to remove friction, and your own expertise to decide where to point it.