Three Buddy Problem

(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals.)

Three Buddy Problem x Ekoparty Miami: Aaron Portnoy (Zero Day Initiative alum, early Pwn2Own organizer, and now at Mindgard) joins us at Ekoparty Miami to reminisce on the early days of the hacking contest, where vulnerabilities actually live (the boundaries between systems, not inside them), why LLMs will take out the trash but can't dream up the next speculative-execution-class bug, and the coming patching apocalypse when discovery 10x's overnight.

Plus, why your SOC is a forensic historian, the promise of hijacking an attacker's reward loop with deception tech, and the legendary story of carrying a Walmart "fat stack" of cash to bootstrap Ekoparty in Buenos Aires.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Aaron Portnoy.

Timestamps:

0:00 — Introductory banter

1:17 — Dropping out, iDefense, and getting good at reversing everything

2:19 — How Pwn2Own got started

4:15 — The most impressive Pwn2Own ever: Nils, VUPEN, and exploit "art"

5:59 — "iPhone hacked in 30 seconds" — and the 18 months behind it

6:41 — Does Pwn2Own still have a place in the AI era?

9:16 — Why LLMs take out the trash but can't invent the next bug class

12:48 — Will LLMs deliver new mitigation classes? Aaron's skeptical

18:34 — The place of the human when the easy bugs run dry

21:08 — Cognitive offloading, Halvar's warning, and skill rot

22:39 — Decompiling 800k functions: Aaron's LLM "holy shit" moment

25:26 — The patching apocalypse and why "assume breach" breaks

28:15 — Compounding asymmetries: why offense just transcended defense

(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals.)

Three Buddy Problem x Ekoparty Miami: Perri Adams of DARPA AIxCC fame joins the show to chat about proof engines, formal methods, and why LLMs just made a once-niche corner of computer science suddenly essential.

We get into why verifiers and proof engines are the key to effective AI, why vulnerability research is so far ahead of threat intel, and the case for baking security checks directly into code generation tools like Claude Code and Codex.

Plus, designing a multi-million dollar challenge that's allowed to fail, the Mythos "too dangerous to release" debate, and musings on every LLM-discovered bug being a public bug by default.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Perri Adams.

Timestamps:

0:00 — Introductory banter

1:09 — Why LLMs just made formal methods relevant again

4:03 — Proof engines, explained

8:43 — Can a layman grab this fire? The calculus problem

11:58 — Vuln researchers are scrappy kids with a trust fund

14:55 — Pitching AIxCC inside DARPA: hard sell or easy sell?

18:00 — Designing a challenge that's allowed to fail

22:06 — Inside Team Atlanta's 150-page winning system

24:00 — Why this is bigger for defense than for offense

31:49 — Mythos, safeguards, and "every LLM bug is a public bug"

(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals.)

Three Buddy Problem x Ekoparty Miami: SentinelLabs researcher Gabriel Bernadett-Shapiro hops on the mic to unpack who gets to define what "security" even means in the age of AI, why venture capital keeps funding the wrong things, and how the frontier labs quietly ate everyone's coding harness.

Plus, how AI actually contributed to cracking the FAST 16 research, overcoming the guardrails, and why your domain expertise is the only thing keeping you out of full-blown rabbit-hole psychosis.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Gabriel Bernadett-Shapiro.

Timestamps:

0:00 Introductory banter

4:55 Gabe returns: how the models got scary-good at code

8:45 Bay Area short-termism and the "10x in 18 months" trap

11:35 VCs as tastemakers, and why that's broken

13:00 The unpaid-labor pipeline into the AI labs

18:00 The real misunderstanding about security's moat

20:18 Bug bounties: a net negative for the industry?

22:20 The great vuln fire sale — find 50,000, fix zero

27:28 Who will maintain vetted open-source libraries?

29:29 FAST 16: how AI actually broke the case open

35:05 The rabbit-holing machine and the path to "AI psychosis"

41:05 Stuxnet, Kim Zetter, and the story we'll never be told

(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals.)

Three Buddy Problem x Ekoparty Miami: Federico Kirschbaum, founder of Ekoparty and now head of Security Lab at XBOW, talks about what happens to offensive security when an autonomous AI hacker can find and exploit real vulnerabilities. Fede walks through XBOW's "Tales from the Trace," the surreal experience of watching a non-human adversary reason its way to an ASLR bypass, and why he believes pen-testing isn't dying but finally becoming accessible to far more than the world's biggest companies.

Plus, where humans still matter in the loop, whether an LLM-discovered bug is public by definition, the looming reckoning over software liability, and Halvar Flake's very honest fear of getting lazy.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Federico Kirschbaum.

Timestamps:

0:00 Fede's move to XBOW

2:20 What's XBOW building? An AI hacker for real vulnerabilities

5:53 Where the human stays in the loop

6:35 The Exim bug: a craftsman races the LLM to an ASLR bypass

10:49 Does bug discovery still need a human asking the right question?

16:24 A short history: Satan, CORE, Metasploit, bug bounties

18:48 An LLM-discovered bug is public by definition

24:12 Halvar Flake's laziness worry & the assembly-to-C parallel

29:47 Rising tides: script kiddies get the full gamut

41:02 The economics: does pentesting get cheap?

43:18 Argentina, Ekoparty, and an untapped talent pipeline

(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals.)

Three Buddy Problem x Ekoparty Miami: Jordan Wiens, co-founder of Vector 35 and creator of Binary Ninja, talks about a decade spent building a decompiler in a market everyone told him not to enter. He walks through why accessibility drove the whole project, how Binja's intermediate-language system stacks up against IDA, Ghidra, and Radare, and why language-specific decompilation for Rust, C++, and Go is the next real frontier.

Plus, thoughts on AI disruption and why "the model can do it" misses the point that the model is just driving the tool, what verifiability really means, whether AI tilts the field toward offense or defense, and questions around subsidized tokens, the collapse of the CTF talent pipeline, and what happens to a craft when the shortcut is always one prompt away.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Jordan Wiens.

Timestamps:

0:00 Introductory banter

1:22 Vector 35 and the origin of Binary Ninja

2:32 From CTFs and SCIFs to building a decompiler

3:27 Before Ghidra: when an IDA license was out of reach

9:47 Language-specific decompilation: Rust, C++, and Go

12:47 Running a 17-person bootstrapped shop with no org chart

13:50 DARPA money, In-Q-Tel, and staying independent

15:23 AI as disruptor: the model drives the tool

18:06 Verifiability and the Fast16 reversing story

25:10 How AI actually gets used inside the company

28:52 Frontier models and guardrails

33:30 Will AI favor offense or defense?

40:51 Shrinking CTF talent pipelines