
Ethical hacker Chompie won $70K at Pwn2Own but warns AI like Claude Mythos may make human hackers obsolete. What it means for IBM, Nvidia, and the bug bounty market.
Valentina Palmiotti – better known as Chompie – walked away from the annual Pwn2Own hacking competition in Berlin with $20,000 for hacking an Nvidia system and $50,000 for a Linux exploit. She was the most successful individual at the event. Her victory carried a warning: AI tools like Claude Mythos could soon make even champion human hackers obsolete.
Chompie told the BBC that she entered this year's competition believing it might be her last chance to compete. The rise of AI-powered vulnerability discovery, she argued, will eliminate the "lower-hanging fruit" that most bug bounty hunters rely on. Only the very best human researchers – those with the creativity and intuition to find extremely complex flaws – will remain relevant.
Chompie's performance at Pwn2Own Berlin illustrates the current state of human-led security research. After winning the first prize, she entered what she called "zombie hacker mode": working from 6 p.m. to 6 a.m. without sleep, fueled by energy drinks and adrenaline. She described the practice as unhealthy but necessary for competition.
Claude Mythos, developed by Anthropic, has already found 1,600 vulnerabilities across hundreds of software programs. Anthropic claims the model is so powerful that it can only be released to a select few governments and cybersecurity institutions. Chompie used AI tools like Claude Code during the competition to accelerate her work. She told the BBC that Mythos is a step change that will shift the balance from human to machine.
Orange Tsai, another big winner in Berlin, offered a more positive view. "For me, AI feels more like a really awesome assistant that helps accelerate my research workflow," he said. "During research I usually come up with many interesting ideas, unfortunately I still need to sleep, so I can't test everything one by one. AI can finally help free my hands." He agreed AI was already forcing the bar higher, though he hoped human creativity and intuition would always find vulnerabilities that AI misses.
Exposure: IBM X-Force and Nvidia at the Center
Chompie works as a security researcher for IBM X-Force, the cybersecurity arm of IBM (NYSE: IBM). Her employer relies on human talent to find vulnerabilities for clients. If AI reduces the need for human researchers, IBM's security services business could face margin pressure or a need to pivot to AI-driven offerings. Nvidia (NASDAQ: NVDA) was the target of one of Chompie's exploits. While Nvidia benefits from having vulnerabilities reported and fixed, the broader implication is that companies relying on human-led bug bounties may need to invest in AI tools to keep pace.
AlphaScala's proprietary model rates NVDA at 72/100 (Moderate) and IBM at 56/100 (Moderate). This reflects the mixed risk-reward for companies exposed to AI-driven security disruption. IBM's lower score partly reflects the potential disruption to its human-dependent security services.
Companies like CrowdStrike, Palo Alto Networks, and Fortinet could see their defensive products become more valuable if AI tools make offensive hacking harder. The same AI tools could also be used by criminals, raising the bar for defense. The net effect depends on who gets access first.
Chompie's warning suggests a timeline of one to three years before AI tools like Claude Mythos become widely available to defenders and attackers. She competed this year because she thought it might be her last chance. Orange Tsai was more optimistic, hoping human creativity would always find vulnerabilities that AI misses. The divergence between these two views highlights the uncertainty.
If Anthropic and other AI developers release powerful vulnerability-finding tools exclusively to security researchers and government agencies, the defensive advantage could outweigh the offensive risk. Chompie argued that "the good guys need to have access to the most powerful tools first" to find and fix holes before criminals do. A controlled rollout would preserve the bug bounty ecosystem while making it more efficient.
Orange Tsai's approach – using AI to test ideas while he sleeps – suggests a hybrid model where humans focus on creative hypothesis generation and AI handles brute-force testing. If this model scales, the best researchers could become more productive, not obsolete.
The source notes that criminals are already using AI to speed up attacks and create new pathways for data breaches and ransomware. If Claude Mythos or similar tools leak or are sold on the dark web, the offensive capability gap could widen dramatically. The vast majority of cyberattacks currently use simple methods like phishing. AI-powered vulnerability discovery could enable more sophisticated, targeted attacks.
If companies rush to replace human researchers with AI tools, they may miss the nuanced, context-dependent vulnerabilities that only human intuition can find. Chompie's warning implies that the "very best" humans will still be needed. A premature shift could leave systems exposed.
The bug bounty market could shrink as AI automates vulnerability discovery. This affects platforms like HackerOne and the security services divisions of IBM and Accenture. Conversely, companies that develop or deploy defensive AI tools – Anthropic (private), CrowdStrike, Palo Alto Networks – could see increased demand.
The cybersecurity sector faces a structural shift. The current reliance on human researchers is a competitive advantage for firms with deep talent pools. That advantage may erode. Monitor Anthropic's release decisions, Pwn2Own results, and bug bounty payout trends as leading indicators.
Risk to watch: The market is pricing defensive AI as a tailwind for cybersecurity stocks. The factor least priced is the potential disruption to human-led bug bounty models, which could compress margins for service-heavy security firms.