Dvir Lazar
I am an RL researcher at Alkonos, where I work on training models to find logic-based vulnerabilities that no other tool can detect in blackbox APIs.
Session
Logic-based vulnerabilities remain the hardest to detect with automated application security tools. Our work examines how AI-based hackbots can be trained to discover such complex vulnerabilities. In this talk, we'll discuss our approach to training and evaluating these systems.
We demonstrate how we train a reinforcement learning agent to navigate applications, model state transitions, and identify logic flaws. These agents observe user roles, session tokens, and application responses to iteratively craft requests that reveal vulnerabilities.
We then evaluate this agent using Marvin, our open-source research framework, which provides environments with vulnerable REST and GraphQL APIs that accurately mirror real-world application logic. By open-sourcing Marvin, we aim to set the standard by which the hacker community evaluates new hackbots.
We discuss the capabilities and limitations of these systems and point toward what we need to make AI practically useful for security research.