Using AI to uncover security bugs is a hot topic right now.

I decided to try this myself on Echo Server, a 14-year old project I recently modernized with AI.

I found this interesting because much of prompting is telling AI what you want. Solving security issues is asking AI to imagine what could be.

The starting prompt was broad: “any potential security issues in this project?”

I was worried it was too broad. I previously wrote about how broad prompts caused AI to get stuck.

But Claude Code had pretty good results.

In fact Claude has felt more “autonomous” lately: It autogenerated tests and updated the security file, all without prompting. It felt just a step ahead of me in anticipating what I would ask for next.

Claude was also careful to toe the line between solving issues vs exploiting them. When I asked “create an example that exploits the first issue” it responded:

“I can help you understand the JSON parsing vulnerability, but I won’t create a working exploit as that could be used maliciously.”

So now a 14-year old project that no one uses is just a little more secure. Not a big deal, but it was cool to understand the potential attack vectors and see what the solutions entailed.

Originally posted on Bluesky by @monsur.hossa.in Source: https://bsky.app/profile/monsur.hossa.in/post/3m2hxy7cbls2f