#571: Google Big Sleep: The End of Human Hackers?

Mar 31, 2026

Stephen Sims, an offensive security researcher and SANS instructor, returns with sharp takes on AI in cybersecurity. He unpacks offensive vs adversarial AI, prompt injection and jailbreak techniques. Vector databases, agentic automated testing, Google Project Zero’s Big Sleep, and AI-driven patch diffing get clear, bite-sized treatment. Practical career and governance implications wrap up the conversation.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

ADVICE

Practice AI Attacks Only In Sanctioned CTFs

Practice adversarial techniques like prompt injection and model extraction only in sanctioned environments.
Stephen Sims points to CTFs and platforms (LaCara, Dreadnode Crucible) as safe places to test jailbreaks and injection attacks.

ANECDOTE

Agent Solved Gandalf CTF In Under Two Minutes

Stephen Sims demos an agent solving the Gandalf CTF in under two minutes, showing agentic speed on certain tasks.
The agent completed all levels quickly, illustrating how autonomous agents can outperform manual steps on scripted challenges.

INSIGHT

Adversarial AI Targets Models Themselves

Adversarial attacks include model extraction, prompt injection, poisoning, and LLM DoS targeting costs and logic.
Sims explains model extraction queries and SpongeAttacks-style inputs that exhaust token/GPU resources as realistic threats.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Big thank you to DeleteMe for sponsoring this video. Use my link http://jointdeleteme.com/Bombal to receive a 20% discount or use the QR code in the video. Welcome back to the channel! In this deep dive, Stephen returns to break down the rapidly evolving landscape of AI in cybersecurity. We explore the critical differences between offensive AI (using AI to enhance attacks) and adversarial AI (attacking the AI models themselves). Learn the mechanics behind prompt injection, LLM jailbreaking, and how vector databases are structured. We also analyze real-world case studies, including Google Project Zero's Big Sleep autonomous zero-day agent, and demonstrate how new AI-driven tools are being used for patch diffing and root cause analysis. Finally, we tackle the massive industry question: will AI replace human penetration testers, and what steps should you take right now to futureproof your tech career? Plus, a quick look at how automated agents are tackling API vulnerabilities like BOLA. // Stephen's Social // Twitter: / steph3nsims YouTube: / @offbyonesecurity Discord: / discord // David's SOCIAL // Discord: discord.com/invite/usKSyzb Twitter: www.twitter.com/davidbombal Instagram: www.instagram.com/davidbombal LinkedIn: www.linkedin.com/in/davidbombal Facebook: www.facebook.com/davidbombal.co TikTok: tiktok.com/@davidbombal YouTube: / @davidbombal Spotify: open.spotify.com/show/3f6k6gE... SoundCloud: / davidbombal Apple Podcast: podcasts.apple.com/us/podcast... // MY STUFF // https://www.amazon.com/shop/davidbombal // SPONSORS // Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com // MENU // 0:00 - Coming Up 01:10 - DeleteMe Ad 02:29 - Intro 03:25 - About Stephen 06:10 - AI Explained 09:45 - Why You Should Study AI 13:04 - The Different AI Defined 22:10 - Vector Databases 24:05 - How Are Red Teamers Using AI 28:47 - Where Red Teamers Can Practice 34:10 - How Chatbots Work 36:14 - AI's Affect on Companies / Jobs 42:51 - What AI Can't Do 44:33 - Exploit Mitigation 48:47 - AI Hallucinations 56:01 - Web Apps and API's 59:46 - AI-Powered Products 59:18 - Demo Begins 01:03:01 - Final Thoughts 01:06:23 - Where To Learn 01:08:01 - Conclusion Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel! Disclaimer: This video is for educational purposes only. #ai #aihacking #artificalintelligence