Dvir Lazar
I am an RL researcher at Alkonos, where I work on training models to find logic-based vulnerabilities that no other tool can detect in blackbox APIs.
Session
Logic-based vulnerabilities remain the hardest to detect with automated application security tools, including the new LLM-based ones. We examine how AI agents can be trained to discover such complex vulnerabilities in black-box settings.
In this talk, we'll demonstrate how we train a reinforcement learning agent to navigate applications, model state transitions, and identify logic flaws. These agents observe user roles, session tokens, and application responses to iteratively craft requests that reveal vulnerabilities.
Then, we evaluate this agent using Marvin, our open-source research framework that provides environments with vulnerable REST and GraphQL APIs that accurately mirror real-world application logic. By open-sourcing Marvin, we aim to set the standard for the hacker community to evaluate new hacking agents.
We discuss the capabilities and limitations of these systems and point toward what we need to make AI practically useful for security research.