Advanced large language models can autonomously develop working exploits for zero-day vulnerabilities, marking a significant shift in the offensive cybersecurity landscape.
The research demonstrates that artificial intelligence systems can now perform complex exploit development tasks that previously required specialized human expertise.
The agents were challenged to develop exploits under realistic constraints, including modern security mitigations, unknown heap states, and prohibitions against hardcoded memory offsets.
Across six different scenarios with varying objectives such as spawning shells, writing files, and establishing command-and-control connections, the agents produced over 40 distinct working exploits. GPT-5.2 successfully solved every scenario presented, while Opus 4.5 solved all but two challenges.
Security researcher Sean Heelan conducted controlled experiments pitting AI agents built on Anthropic’s Opus 4.5 and OpenAI’s GPT-5.2 against a previously unknown vulnerability in the QuickJS JavaScript interpreter.
The agents demonstrated sophisticated capabilities by transforming the raw vulnerability into a functional application programming interface for reading and arbitrarily modifying the target process memory space.
This achievement required the AI systems to analyze source code, perform debugging operations, and iterate through trial-and-error processes without human intervention.
Most challenges were solved in under one hour at relatively modest costs, with a typical successful agent run consuming approximately 30 million tokens at a price around $30 USD for Opus 4.5.
Modern Security Protections
The most challenging scenario tested GPT-5.2 ability to write a specified string to disk while multiple enterprise-grade protections were active, including address space layout randomization, non-executable memory regions, full RELRO linking protections, fine-grained control-flow integrity, hardware-enforced shadow stacks, and a seccomp sandbox preventing shell execution.
The AI agent devised a novel solution that chained seven function calls through glibc’s exit handler mechanism to bypass these defenses. This exploit required 50 million tokens over three hours to develop, costing approximately $50 for that individual agent run.
The researcher emphasized two important limitations of the experiments. First, while QuickJS is a legitimate JavaScript interpreter, it contains significantly less code and complexity than production browser engines like Chromes V8 or Firefox SpiderMonkey.
Second, the exploits did not demonstrate fundamentally new bypasses for security mitigations but rather leveraged known gaps and implementation flaws that human exploit developers also exploit in real-world scenarios.
However, the overall exploit chains were novel constructions built against a genuinely unknown vulnerability.
Implications
The research suggests the cybersecurity industry should prepare for the “industrialization” of offensive operations, where an organization’s hacking capabilities become limited by computational token throughput rather than skilled personnel availability.
Heelan argues that exploit development represents an ideal use case for AI automation because it provides clear verification methods, well-defined tooling, and discrete solution spaces that agents can systematically search.
The complete experimental code, detailed technical writeups, and raw agent outputs are publicly available on GitHub for independent verification and reproduction.
The researcher encourages the security community to conduct similar evaluations against real targets using zero-day vulnerabilities rather than relying solely on capture-the-flag competitions or synthetic datasets to assess AI capabilities in offensive security contexts.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.