HackerOne

5 Insights Attendees Gained from the Security@ World Tour


Over the past 12 months, HackerOne’s flagship conference, Security@, has been on the road! We wanted to meet you where you are and share with you the latest stories from our researcher community, advice and guidance from tenured customers, and a first look at our biggest announcements. 

If you weren’t lucky enough to catch us at a roadshow event, you’ll be delighted to know you can catch us again in 2025 with the next series!

The 2024 Security@ world tour traveled to eight locations, featured 20 hackers and 19 HackerOne customers, and met with 400 attendees. 

Here are the top five things our attendees learned from this year’s series:

1. Whether you think AI is a threat or an opportunity, you are correct. 

In the rush to adopt AI and offer AI capabilities, more than one brand has ended up in an embarrassing situation with a chatbot gone rogue or an LLM creating something offensive or unsafe. Attendees heard stories from the trenches of our AI red teaming operation and told us how ready they felt for it. It was unanimous across the world: our audiences are excited about GenAI and the majority of them are using it in some capacity today, but they have minimal confidence in their own understanding of the risks and no confidence that their organization understands the risks.

2. Researchers are at the forefront of AI experimentation. 

Attendees loved having the opportunity to ask their questions directly to security researchers, and everyone wanted to know how they were using AI. Some are “10xing” their work, saving time on manual tasks, and reducing friction to augment workflows to focus on the more creative aspects of hacking. Hackers are also coming up against AI in a defensive capability, but are fighting fire with fire and using their own AI tools to try and get around the automated defenses. Read more about how hackers are using and hacking AI.

3. AI isn’t replacing researchers. 

We had a question at the London event about Google’s claims that AI had found its first zero-day vulnerability: is AI going to replace hackers? Our researcher panel explained that AI is there to augment, not replace. The Google Project Zero experiment was the result of carefully training their AI model, feeding the AI all their previous research on the vulnerability, and indicating the SQL libraries where the same vulnerabilities had previously been discovered; after a number of test cases, it eventually detected another vulnerability. Rather than AI replacing the human ingenuity of researchers, AI is simply the next technology that researchers will specialize in and learn to break and exploit.

4. Effective bug bounties need trust and breed trust. 

The top question our audiences have for the customer panels is, “These results sound amazing, but how do I get the rest of my organization on board with hackers?” We heard about the importance of fostering internal champions, having a clear owner and escalation process, motivating vulnerability remediation, and speaking the language of the board. Many organizations point to their continuous testing program as evidence that they are open to feedback and follow security best practices. Read more about what our customers said about this in our blog on the topic.

5. Londoners run up the biggest bar tab, New Yorkers ask the most questions. 

The greatest value of these in-person events is the opportunity we get to hear from you, our audience. We want to hear your questions to our expert panelists and chat about your thoughts on the challenges you’re experiencing over a drink. We’ve met security leaders from governments and the world’s leading clothing brands and been able to introduce them to top security researchers. Hearing the exchange of ideas, stories, and advice is our personal highlight.

Be part of our Security@ network and keep an eye out for an event coming to a city near you. 
