November 6, 2025 By Artiphishell Team

What Does Infosec Really Need from AI?

Undoubtedly, AI is a game changer for security — one of, if not the MOST important technologies of the last decade.

But what does infosec really need from AI?

You’ve surely heard of it already: every day new founders, big companies, and hobbyists announce “AI-powered security tools” that promise to find all the bugs in your code… I mean, ALL THE BUGS!

However, beyond the usual frenzy of capital rushing into the field and the founders’ hysteria racing to capture it by being the first to announce a newly discovered bug in some obscure corner of a major project, we believe it’s crucial to take a step back and ask how to best harness this new technology for the collective good.

AI has scaled bug hunting much like (and likely even more than) fuzzing did ten years ago. Vulnerability discovery is becoming more accessible as more people can deploy an agent, prompt it somehow (e.g., “You are the best hacker in the world…”), and get some seemingly valid results. This inevitably increases the number of reported vulnerabilities, but also the number of false positives (which sparked quite a discussion on social media).

Clearly, false positives are not a new problem in security. Every security engineer at any medium or large company has already experienced “false positive fatigue,” even before AI entered the scene.

The issue now is that AI exacerbates this old problem: top-tier engineers spend hours triaging an impossible integer overflow, or an authentication bypass that’s untriggerable.

XKCD comic about false positives

Infosec clearly needs a new way to filter noise and focus on real issues.

After this realization, we wanted to avoid building yet another shiny product that just adds more noise to the problem. Instead, we focused on the root of the issue and asked: can AI help security engineers triage vulnerabilities faster and more effectively?

For the past month, we’ve been testing how far we can push this idea by combining state-of-the-art research (CVE Genie from Saad Ullah) and our AIxCC CRS to shape the vision of fully automated and trustworthy agentic triaging (i.e., we do not simply copy-paste the issues and ask AI “yes/no”).

The results are actually quite interesting. After an initial collaboration with the cURL team, we proved that our system could be used practically to validate issues found by other SAST systems (including AI ones!) and help the team triage them faster, focusing their efforts only on issues that have a high probability of real impact.

We didn’t stop with cURL: we put our system to the test on several other OSS projects such as nginx, libpng, sqlparse, jsoup, rplay, etc., by fetching unstructured open issues on GitHub, many of which lack enough detail to be reproduced immediately by the maintainers. Our system was able to figure out a way to reproduce the issues, validate them, and provide a way to fix them!

This is something we are excited about because it can make a real difference. Thus, we decided to go all-in and see if we can build an actual product that can help the community at large, finally alleviating a problem everybody talks about but nobody really wants to tackle because it is undoubtedly less sexy than finding new 0days (no sarcasm here!).

So, what does infosec really need from AI?
We believe it urgently needs a way to remove the noise.

We think there is a tremendous opportunity here: hundreds, if not thousands, of security issues accumulate every day, waiting to be triaged.

The real question is: Are companies willing to invest in solving this problem? Are they ready to free their developers and security engineers from backlog hell? Or is this an issue that everyone complains about but few are actually willing to pay to fix?

We’ll find out soon ;D

- The Artiphishell Team