AI Agents for Exploiting Auth-by-One Errors
Brendan Dolan-Gavitt, Vincent Olesen
[un]prompted 2026 — AI Security Practitioner Conference · Day 1 · 1
XBOW researchers Brendan Dolan-Gavitt and Vincent Olesen have built an AI-driven offensive security system that finds and validates authentication and authorization bypasses in web applications — without hallucinating results. The key innovation is "auth transmogrification": an agent-generated script that replays high-privilege requests under a low-privilege context, enabling automated discovery of broken access controls at scale.

---
AI review
Auth transmogrification is a novel primitive and the validator-based false-positive elimination is the right architecture for offensive AI agents. Dolan-Gavitt and Olesen built a real offensive system that finds real auth bypasses and authorization flaws with zero hallucinated results. This is how you do it.
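The abstract's core primitive, replaying recorded high-privilege requests under a low-privilege session and only reporting a finding when the privileged response is actually reproduced, as an added authorization regression check against a constructed in-memory app. This is example code written for this page, not XBOW's system; the session table, endpoints and `transmogrify` function are all assumptions made here.

```python
# Added example (not XBOW's code): a minimal "auth transmogrification" check
# run against a constructed in-memory app. Recorded high-privilege requests
# are replayed under a low-privilege session, and a finding is reported only
# when the low-privilege response reproduces the privileged response (the
# validator step), so a bare 200 status alone never counts as a bypass.
from dataclasses import dataclass

# Constructed sample data: session tokens mapped to a user and a role.
SESSIONS = {"admin-token": {"user": "alice", "role": "admin"},
            "user-token": {"user": "bob", "role": "user"}}

@dataclass(frozen=True)
class Request:
    method: str
    path: str

def app(req: Request, token: str):
    """Constructed toy app: one admin endpoint enforces the role, one forgets to."""
    sess = SESSIONS.get(token)
    if sess is None:
        return 401, "unauthenticated"
    if req.path == "/admin/audit-log":            # correct: role is enforced
        if sess["role"] != "admin":
            return 403, "forbidden"
        return 200, "audit: 3 events"
    if req.path == "/admin/export-users":          # broken: missing role check
        return 200, "users: alice,bob"
    if req.path == "/me":                          # per-user data, not a bypass
        return 200, f"profile: {sess['user']}"
    return 404, "not found"

def transmogrify(recorded, high_token, low_token):
    """Replay each recorded high-privilege request with the low-privilege
    token; report only paths whose privileged response is reproduced."""
    findings = []
    for req in recorded:
        hi_status, hi_body = app(req, high_token)
        lo_status, lo_body = app(req, low_token)
        # /me also returns 200 for both roles, but the bodies differ, so the
        # equality check keeps it out of the findings (false-positive filter).
        if hi_status == 200 and lo_status == 200 and lo_body == hi_body:
            findings.append(req.path)
    return findings

# Constructed "recorded" admin session: three requests captured under admin-token.
RECORDED = [Request("GET", "/admin/audit-log"),
            Request("GET", "/admin/export-users"),
            Request("GET", "/me")]

if __name__ == "__main__":
    print(transmogrify(RECORDED, "admin-token", "user-token"))  # ['/admin/export-users']
```

Against a real application the `app` call would be an HTTP replay with the session cookie or bearer token swapped, and the body comparison would typically normalise volatile fields (timestamps, CSRF tokens) before comparing.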