
The Boring AppSec Podcast Ep 37: The Future of Security Testing in an AI-Driven World with Jason Haddix
Mar 11, 2026
Jason Haddix, CEO of Arcanum Information Security and creator of the Bug Hunter’s Methodology, blends pen-testing chops with AI tooling. He talks about AI automating recon and code analysis. He explores embedding personal methodology into agents. He covers prompt-injection defenses, agent orchestration, and why evaluation benchmarks matter.
Episode notes
Human Methodology Beats Generic Recon Automation
- Human expertise still drives the value of AI pen testing beyond basic automation.
- Jason Haddix explains that agents do the 'bare minimum' for recon (subfinder and outdated tools), while his 18-step recon methodology and tweaks such as Chaos and Shodan API keys outperform generic agents.
Use Deep Research Then Encode Findings Into Skills
- Develop deep research skills, because AI won't reliably surface niche, under-documented techniques.
- Haddix used a Claude Code Ralph loop to find forced-array IDORs that generic skills missed, and then encoded that finding into a Claude Code skill.
Publish Experiments Publicly To Build A Security Voice
- Build your personal brand and publish failures and experiments publicly.
- Haddix advises new entrants to write blogs about labs and experiments in their own voice rather than over-relying on AI to craft their narrative.

