Taha Biyikli
Taha Biyikli is Co-Founder & CEO of Alkonos, developing AI solutions for complex vulnerability detection. Previously, Taha led cybersecurity assessment teams and has been acknowledged by major organizations including Apple and the U.S. Department of Defense for discovering critical vulnerabilities. A member of Carnegie Mellon's Plaid Parliament of Pwning (PPP), Taha won the MITRE Embedded CTF 2025 with his team and specializes in application security and reverse engineering.
Session
Logic-based vulnerabilities remain the hardest to detect with automated application security tools. Our work examines how AI-based hackbots can be trained to discover such complex vulnerabilities. In this talk, we'll discuss our approach to training and evaluating these systems.
We demonstrate how we train a reinforcement learning agent to navigate applications, model state transitions, and identify logic flaws. These agents observe user roles, session tokens, and application responses to iteratively craft requests that reveal vulnerabilities.
Then, we evaluate this agent using Marvin, our open-source research framework that provides environments with vulnerable REST and GraphQL APIs that accurately mirror real-world application logic. By open-sourcing Marvin, we aim to set the standard for the hacker community to evaluate new hackbots.
We discuss the capabilities and limitations of these systems and point toward what we need to make AI practically useful for security research.