Automating Your Job? The Future of AI and Exploit Development

Perri Adams

OffensiveCon 2025 · Day 1 · Main

Perri Adams, former DARPA program manager who launched the AI Cyber Challenge, presents a technically grounded assessment of frontier AI models' (GPT-4o, o3, Claude) actual capabilities in exploit engineering, using the regreSSHion double-free in OpenSSH 9.1 as a live case study. The central argument is that the gap between identifying a vulnerability and producing a working exploit — navigated through heap grooming, leak primitive development, and ASLR bypass against modern mitigations — remains far wider than current AI hype acknowledges, and that policy discourse needs to catch up with technical reality.

AI review

Adams makes the right argument — AI cannot yet automate exploit development against mitigated targets — and uses regreSSHion as a technically honest case study to ground it. The heap grooming analysis and custom Paramiko-derived SSH client work are competent. But for OffensiveCon specifically, this is a keynote-as-policy-briefing more than an offensive research talk, and the offensive depth maxes out at heap grooming strategy without delivering a working exploit or a genuine novel technique.
