Race against the Machine: Can you match AI's pentesting time?
This isn't the latest American rock band but us trying to find an answer to the question everyone is asking: can humans match AI's pentesting speed?
AI pentesting is rapidly exploding everywhere, as you're likely well aware if you're reading this.
But can classic human creativity compete with it? There's only one way to find out.
Think you've got what it takes to beat the algorithm and your fellow pentesters on the leaderboard? Our first Pentester vs AI challenge is live now!
How does the challenge work?
The machine has already played. Now it's up to you to begin the race.
The AI performs a single, recorded solve, and its time becomes the benchmark you're racing to beat. But you're also racing your fellow pentesters to see who comes at the top of the leaderboard.
You have two weeks before the AI's solve is revealed. Will you be one of them?
So far, one challenge is live. Once you've solved it, see where you place on the leaderboard against the machine and your co-competitors.
Points are collected based on challenge difficulty level, with a sweet bonus points for each time you beat the AI.
Challenge 1: Inside the Cube
While in your office, you accidentally bump into a colleague’s desk in your governmental organization. His Rubik’s cube falls to the ground, revealing a hidden SD card inside. Curious, you begin investigating its contents. After performing basic forensic analysis, you uncover fragments of an authorization middleware along with network logs pointing to a website. The logs eventually lead you to a JWT (JSON Web Token).
Your challenge is to exploit the authentication middleware and find the flag in the database.
On July 3rd we'll reveal the AI's solve but until then it's up to you to try and beat its time.
Found this challenge a breeze? Keep an eye out for our more difficult changes which will be released over the course of the year.
Every two weeks?
Why are we running this challenge?
One of the biggest debates in the industry is the role AI (particularly AI pentesting) will play in changing human security inputs. We wanted to make that debate more interesting. And a little more competitive.
We didn't want to publish yet another "human vs AI" whitepaper; we wanted you to test it yourself.
In true Terminator style it's now man versus machine. The machine is waiting for you at the finish line. Want to join it there?
Put your skills to the pentest now!
Frequently Asked Questions
What model are you using for the AI?
Challenge 1 was run using Opus 4.8.
Was the target purpose-built for this challenge, or a live system?
Every challenge exists within a sandbox and the AI model has not been geared for or received any prior information surrounding the challenge for fairness. Competing against the AI is as good as any other competition where both parties begin with the same information.
Can I use AI to help me solve the challenge?
That's up to you. We're trying to question whether fully automating exploitation in a pentest is faster than a human-run or human-assisted attempt at exploitation. Whether you use AI to aid your run depends on whether you want to test your pure pentesting skill against the AI, or if you want to see if an AI-assisted human pentest is faster than a fully automated pentest. If you find anything interesting through using AI assistance during your solution, definitely let us know!
Will the AI be trained on participants' solutions?
Our AI is actually just a small agent with access to some tools and is not going to be enhanced. We have not used any loopbacks to either enhance the agent or adapt prompts so it can't be trained on participants' solutions. The AI's run is an independent solve from our agent that then sets the benchmark time for you to try and beat.
Happy pentesting!