# The Bug Bounty Roadmap I'd Follow If I Started Over (With AI)

## Metadata

- **Channel:** NahamSec
- **YouTube:** https://www.youtube.com/watch?v=kujCmXELWqo
- **Date:** 11.05.2026
- **Duration:** 20:00
- **Views:** 17,275
- **Source:** https://ekstraktznaniy.ru/video/51729

## Description

LIKE and SUBSCRIBE with NOTIFICATIONS ON if you enjoyed the video! 👍

Last week my buddy Douglas pulled $40K from one bug bounty program using Claude. Everyone wanted the AI workflow. Almost nobody wanted to hear *why it actually worked*: he already knew his bug classes cold.

So here's the exact roadmap I'd follow if I had to start bug bounty hunting from scratch today — five pillars, in order, with AI plugged in at every stage as an accelerator, not a crutch.

**What's in this video:**

- 0:00 — Intro
- 3:07 — Pillar 1
- 4:57 — Pillar 2
- 7:17 — Pillar 3
- 11:04 — Pillar 4
- 14:07 — Pillar 5
- 17:44 — The Accelerator vs Crutch test
- 19:09 — Recap & final thoughts

Comment **"Claude hacking"** if you want the next video — me hunting a target end-to-end with Claude Code + Caido, building custom skills out of my own reports.

Resources:

- Web Security Academy (free): https://portswigger.net/web-security
- My Bug Bounty Course: https://hhub.io/aibounty2026
- Bug Bounty Bundle: https://

## Transcript

### Intro [0:00]

Last week I put out a video about my buddy Douglas who pulled $40,000 on a single program using Claude. The comments were split. Half of you said things like, "Okay, I need to learn this." And the other half said, "Great, AI is taking bug bounties, too. I am out." Both groups missed the point. Douglas didn't make 40 grand because of Claude Code. He made $40,000 because he already knew his bug classes, he'd been hunting for them for years, and he used AI to compress weeks of work into days. The AI was a multiplier on a skill he already had. Take that same setup, give it to a beginner with no fundamentals, and it produces zero. I've watched it happen over and over, and it's exactly why triage teams are drowning in AI slop right now. So, today, if I were to start bug bounty hunting from scratch in 2026, knowing what I know now, here is the exact roadmap I'd follow. Five pillars: what to learn, in what order, and where AI plugs in at every stage. That way, you become the person pulling $40,000, and not the person watching from the sidelines. If you want to see exactly how I do this in practice with Claude Code, Caido, and me building skills out of my own bug bounty reports, the same way Douglas did, and you want to see me hunt on a target end-to-end, drop "Claude hacking" in the comments. That's it, just two words. If enough of you do it, that will be our next video, and it's going to be an absolute banger. Cool? All right, let's go. Quick context, because I think the conversation around AI and bug bounties is getting hijacked by two camps who are both wrong. Camp one says, "AI is taking over, you should just learn to vibe hack with Claude Code and skip all the boring stuff." And then you have camp two that says, "AI is useless, learn the fundamentals like the rest of us did, and ignore the hype." Both of them are wrong, and here's what's actually happening. AI doesn't fully replace hunters, at least not just yet.
But AI does replace the gap between you and a hunter: the mentor you didn't have, the write-up you can't find, the code review you need a senior engineer to do for you. The gap is what keeps beginners stuck for years. Now, if you use AI right, you can close that in months. That's what Douglas did in reality. And here's the part of his story I want you to really hear. He didn't just throw Claude Code at a target and hope it finds bugs. He took his own HackerOne reports, bugs he had found with his own methodology in his own words, and he turned them into custom skills that the AI could execute. He weaponized his own experience, in a way. That is the actual unlock. AI isn't valuable because it knows things. AI is valuable because it can run your playbook a thousand times faster than you can. And if you don't have a playbook yet, the fundamentals, the bug classes, the methodology, you've got nothing for AI to amplify. So, the deal for the rest of this video is simple. Five pillars, the roadmap, and the AI workflow. Every single pillar comes with one rule. You learn it, then you let AI accelerate it, not the other way around. Cool? Let's now jump into pillar number one.

### Pillar 1 [3:07]

Pillar one is foundations. This is the part everybody wants to skip and the part you actually cannot skip. If you don't understand how the web works, HTTP requests, cookies, sessions, how a browser talks to a server, what happens when you log in, no LLM in the world is going to save you. You'll ask Claude or ChatGPT a question, it will give you a great answer, and you won't know what any of it actually means. Here's what you actually need to do at this stage. One, how the web works: requests, responses, status codes, headers, cookies, sessions, the basics of how to authenticate and how authentication is handled. Two, the OWASP Top 10. Not memorized, but understood. What is an IDOR? What is XSS? What is SQL injection? And why do they exist? Three, you want to pick Burp Suite or Caido, pick one, and learn to intercept, modify, and replay requests. That's it. You don't need every single extension just yet. And if you still don't know where to learn, there are two paths that you can take. Obviously, we have the free path. You have Web Security Academy by Burp Suite. It is free and honestly, it's a good enough place for you to get started for your first bug if you grind it out. Top to bottom, no skipping. Or if you want to do a paid path, and I'll be straight with you about my own stuff here, if you want my full methodology and the way I hunt and actually look for bugs, our Bug Bounty course has 15 hours or more of content with videos, hundreds of labs, and more. Or if you want to go deeper, I have a bundle for bug bounties, which comes with a broken access control lab, XSS, blind XSS, nuclei, and there is like 3 hours of content in there as well. I'll link them all down below in the description and in the pinned comments if you want to go purchase. Either path works, you don't have to spend your money, but you have both options just in case. But just note, the courses don't matter. Doing the labs is what actually matters.
Now, where does AI come into this whole foundation stage? Well, it comes in as a tutor, not as a substitute, which

### Pillar 2 [4:57]

actually brings us to pillar number two, and that is the learning loop. This is where AI changes everything for beginners, and nobody is really talking about it in the right way, at least in my opinion. Here's what learning bug bounty used to look like 5 years ago. You would read a write-up, you would hit a term you didn't understand, let's just say server-side template injection, for example. Then you would go to Google, you'd look for it. You'd land on some random Stack Overflow post from years ago that assumed you already knew six other things. Then you'd have to go back, and you'd Google those again. 3 hours later, you'd close the tab and feel dumb. That entire loop is dead now. Dead. Here's the new loop that I recommend. You read a write-up, you learn SSTI, you paste the entire write-up into Claude or ChatGPT and say, "Explain this write-up to me like I'm a beginner. I understand HTTP basics, and I understand SS. Walk me through SSTI. Why does this bug actually work? And what was the attacker thinking at every single step?" And it does it for you. Then you ask it follow-up questions. Then you can ask it to quiz you and give you similar challenges to try out for yourself. That is the loop. Read, ask, quiz, apply. This is honestly the single best online for beginners, and the mentor gap is fully gone. You have a tutor that knows every bug class, every CVE, every write-up that's ever been published, which is available to you 24/7, that will not get tired of your dumb questions, even though, by the way, there are no such things as dumb questions. But, and listen to me here, this only works if you have the foundations from pillar number one. If you don't know HTTP, if you don't understand how HTTP requests work, asking Claude to explain SSTI will just generate more confusion for you. You will not learn two words that you don't actually understand. So, foundations first, then the AI tutor loop, always in that order.
And one more thing, AI is an incredible tutor, but it's not a community. You still need humans. Get on Twitter, get on X, or whatever it's called this week. Follow other hunters, watch what they post, join a Discord in the space, or even better, go to a local meetup if there are any near you. Find people who are one step ahead of you, and one step behind you. The friends you make in the space are the people who will pull you up to the next level. AI will not introduce you to a program manager, and

### Pillar 3 [7:17]

AI will for sure not vouch for you. People will. Pillar number three, recon and target selection. This is where AI starts to feel like a superpower instead of a tutor. Real talk, picking a good target, or just something that you want to hack on, is half of the game in bug bounty. Beginners pick a program, or they see Google, or Apple, or some massive company on HackerOne, and then they just go straight into hacking. Six months later, they have found nothing because they're hunting on the most hunted attack surfaces on Earth. You want to be able to pick a program where the scope is wide, the program is newer, and the attack surface is messy. That's where all those good bugs live. So, here is a workflow. For recon, you're going to use the standard stack, and these are just your tools that are non-negotiable. I stick to ProjectDiscovery's tools. These are subfinder, httpx, alterx. I think this is everything you need, and this is your recon backbone. Learn them. Now, let's answer the question, where does AI come in? Well, use case number one, understanding what you're looking at. You run subfinder, you get 400 subdomains back, and half of them look like internal junk. Paste that list into Claude and say, "Categorize these subdomains by likely function: authentication, admin, API, internal tooling, marketing, and so on." And you just turned a wall of text into a prioritized hit list. But then you have your other use case, payload generation. You see a weird custom authentication flow, and you bypass it. The old way was to Google for hours, find a HackTricks page, and hope that it applies. But the new way, you describe that flow to Claude, ask it for 10 payload variations or techniques to try. You will get ones you'd never have thought of in your lifetime. And if that's not enough, use case number three, and this is a big one. Claude Code or Cursor for writing custom recon scripts, or any scripts for that matter. You don't know Python? It doesn't matter anymore.
Tell Claude Code to write me a script that hits every single endpoint I provide using my JWT token, and then checks whether or not those same endpoints are accessible without authentication. It will write it for you right away, and you'll just have to run it. And now, you have a tool that finds broken access control bugs that other hunters have to spend a weekend just building and testing. But now, just one second. Look, I used to tell beginners, "Always read every line of code that AI writes for you." That used to be true two years ago, and it's not really applicable today anymore. Claude can actually debug its own output, but then most beginners can debug it manually, and that's the truth now. So, telling you to become a Python expert before you can use Claude Code is gatekeeping nonsense and I will never do that to you. So, here is what actually matters now. Two things. One, learn to describe what you want precisely. Telling it "write me a script" gets you garbage, but if you actually tell it "write me a Python script that takes a list of URLs from a file called targets.txt, sends a request to each one of them using my JWT token in the Authorization header, then sends the same request without the JWT, and then outputs them to a CSV showing which endpoints return the same response in both cases," that could actually get you a good broken access control scanner. The skill isn't coding anymore. The skill is specification. It is to be able to communicate what it is exactly that you want to build. And two, you want to keep really good documentation. When you build a custom recon tool with Claude Code or whatever other tool that you're using, save the prompt that you have just used. Save what the script does. Save all of the edge cases it handles. Drop it all in a README or even just a comment block at the top of the file.
Or you can just have Claude make all of that for you because in 3 months, when it breaks, and I promise you it will break because all these websites are going to change, you can hand all of that context back to Claude and it will fix it in a few minutes for you. No memory required on your part. That's literally the new way of doing it. Describe it well, document well, and then AI handles all of the

### Pillar 4 [11:04]

syntax. All right, onto our next pillar, pillar number four, and this is where the fun begins. That is the hunt. You've got your foundation. You've got your tutor. You've got your targets that you have picked. Recon is done. It's all handled. Now you're staring at a web app trying to find bugs in it. This is where most beginners freeze because they don't even know where to start. So, here's how the AI-assisted hunting workflow works. Three pieces. Piece one is feature mapping. Before you start clicking around randomly, walk through the app and describe it to your LLM. Tell it this app, for example, has a user dashboard, a billing page, a team management section, and an admin panel that I cannot access. And then, you want to go and ask it, "Based on these features, what classes of bugs would you prioritize testing, and where?" What you'll get back is a hit list. You'll get things like broken access control on the team management section, maybe IDORs that you can check with the IDs on the billing page, maybe some privilege escalation paths from regular users to admin. All this good stuff that you can actually use, and now you know exactly where to look. And your next piece, number two, is request analysis. When you intercept an interesting request in Burp, it does something weird. Maybe there is a base64 blob, maybe there's a JWT, maybe there's a parameter you don't recognize, or maybe you don't understand how it works. You can literally grab that, drop it into the LLM, and say, "Here is a request from an app that I'm testing. Walk me through every parameter, what it likely does, and what I should be tampering with." And you also have one more piece, and this is my favorite thing to do: this is where you can ask it to do code review, especially if the app has some client-side JavaScript and any open-source components, anything that you can read or feed into Claude Code or Cursor.
You can also do something like identify every API call this application makes, document how to call each one, the method, the headers, the parameters, expected payload, and it'll flag any additional domains or API domains or subdomains referenced anywhere in the code. Think about what we just talked about. A complete map of the app's attack surface. You just take that and you make curl commands, or you just throw it at your Caido or Burp Suite, and you just start fuzzing all those endpoints, the parameters that you can tamper with, the subdomains you didn't know existed. These are all part of your scope now. That would take a lot of time back in the day, and you just got it done within a minute or two. And listen, the AI doesn't find the bugs for you. Not really. We're not there yet, at least not with these models that we have access to. It doesn't know business logic. It doesn't have a lot of the context. So, you still have to be the hacker that is making the calls. The AI just makes the boring 80%, 70% of the work disappear, so you can spend your brain on the actual hacking, the part that actually pays. And if you're asking for some bug classes that I'd focus on as a beginner today, I would go for broken access control, IDOR, XSS, especially blind XSS, and that's because they don't require deep technical knowledge. They require attention to detail and creativity, both of which AI amplifies, but does not replace. And I honestly think you'll find your first bounty faster on these than on something like a deserialization bug or something

### Pillar 5 [14:07]

that's more complex. Of course, pillar five is about reporting and growth. So, you found the bug, congrats. Now you have to write it up, and how you write it up is the difference between a $500 bounty and a $3,000 bounty on the same finding. So, here is where I think AI is generally incredible. But, and this is really important, especially in our community, you don't have to paste your full bug into an LLM if you don't want to. A lot of bug bounty hunters, including myself, are very careful about what unreported bug data goes into models that might be used for training, and that is a legitimate concern, and you should respect it. Big shout out to Grant me for actually showing me this a couple of days ago, so I wanted to just make sure we talk about it. The good news, you don't need to share the full bug to get the most value. And here is how I actually use AI for reports. First, describe the bug class and ask it for an impact statement. You don't have to tell Claude what the app was, what the input was, what the payload was. Just say, "I found a broken access control bug where a low privilege user can access another user's billing information. Give me a good impact statement that I can put into my report." Then you will get professional framings of that impact, and you can pick one or pick whatever you get, and put it in there. You can also have it criticize your report. You can write the draft yourself, then sanitize all the sensitive parts you want, like the payload, the endpoints, the URL, and just say, "Critique this bug report. What is unclear? What is missing? What would make a triager take it more seriously?" Or you can actually ask it to triage that for you, and that feedback is actual gold, and it never sees your actual finding. But, there's one more thing you can do, and this is huge, especially if English isn't your first language. A massive chunk of the global bug bounty community gets paid less than they should because their findings are so rough.
Not because they're not finding good bugs, but because their writing is weak, and they can't really communicate to the team why this bug matters. So, drop your draft into Claude and say, "Rewrite this in clear professional English. Keep all the technical content exactly the same. Match my tone as a senior security researcher." And honestly, that's not cheating, especially if your English isn't that good. But, you can also just give it to Claude in your native language, and have it translate it for you, and it's just the best thing that you can do because it does allow you to communicate with the other team better, because your report is your only chance to make the triage team and the program team understand your submission. So, make sure you make it clear, and you include every necessary bit of detail possible. And here is the growth piece. Every bug you find, every single one of them, even if they get marked as informational or duplicate, even the ones that are already known to the security team, unfortunately, you can describe the process to Claude and ask it to give you feedback. Not the bug itself, if you'd rather not. Just say something like, "I tested an endpoint for IDOR by swapping the user ID parameter with a second user account's ID, confirmed access. What did I do well? What would a more experienced hunter have done differently? What should I look for next time on a similar target?" That would be the feedback loop that used to require a senior hunter or a senior hacker or a mentor to help you out with. Now you can run it on every single bug you find and do it for free with Claude. That alone is one of the only habits that will compound your skill faster than anything else that I'm telling you in this video. But again, go to communities, post your wins on Twitter, share your sanitized write-ups. The relationships you build matter more than any individual bounty. So, remember, AI is great.
AI will give you a lot of skills, but humans are what give you the career. Everything I just told you, the

### The Accelerator vs Crutch test [17:44]

tutor loop, the recon assistant, the code review partner, the write-up helper, all of it is incredible, and all of it will quietly turn you into a script kiddie if you let it. Here is a test. Ask yourself after every single AI interaction, do I understand what's happening well enough to direct this, or am I just copy-pasting and praying? If you can describe the bug class, articulate why your payload should work, explain what the script you generated actually does, even if you couldn't write it from scratch, you're using AI as an accelerator. You're going to be fine, actually great. But if you can't, if you got the output and you don't actually know what you're looking at, if you couldn't explain it to another hacker, if you couldn't tell a triager why your finding matters, you are using AI as a crutch, and every hacker doing it that way is also going to plateau. They're going to hit their first hard bug and bounce right off of it. They're going to be the AI slop in someone's triage queue, and they're not going to understand their own finding well enough to defend it when a program owner pushes back and doesn't want to accept it. So, if there's one thing you take away from this video, fundamentals then AI, always in that order. Don't be the person who pays their way into a fake skill set. Be the person who used AI to genuinely compress five years of learning into one. Those are actually very, very different people, and the market knows the difference. All

### Recap & final thoughts [19:09]

right, that's the roadmap. Five pillars, foundations, the learning loop, recon, the hunt, and reporting, and an AI co-pilot the whole way through. All right, if you enjoyed this video, do me a favor, hit that like and subscribe button. I'm releasing content every Monday to show you guys my AI workflows, the bug classes that are still paying, the recon stacks that work, and I don't want you to miss it. Links to Web Security Academy and my courses are always in the pinned comment and the description, and I'm begging you, if you have watched this video this far, foundations first, then everything else gets faster, and you don't want to become a part of the AI slop problem. All right, I'll see you all in next week's video. Peace. Thank you. Dab on them. Ah.
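The broken access control checker the video specifies in Pillar 3 (URLs from targets.txt, one request with the JWT in the Authorization header, one without, and a CSV of which endpoints answered the same both times), written out as an added example; this is not NahamSec's or the video's code, and the token, the stand-in app with its routes, and the target list are constructed so the script runs offline.

```python
"""Added example, not the video's code: Pillar 3's with-vs-without-token endpoint check,
plus a constructed stand-in app, token and target list so it runs offline."""
import csv, io, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN = "demo.jwt.token"  # constructed; stands in for your real session JWT
FIELDS = ["url", "auth_status", "anon_status", "result"]

def fetch(url, token=None):
    """GET url, optionally with a Bearer token; 4xx/5xx are results, not errors."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def classify(auth, anon):
    """Label one endpoint from its (status, body) with and without the token."""
    if auth[0] >= 400:
        return "TOKEN_REJECTED"     # our own token failed; nothing to compare
    if anon[0] in (401, 403):
        return "ENFORCED"           # anonymous request correctly refused
    if anon[1] == auth[1]:
        return "SAME_RESPONSE"      # identical body with no token: review this
    return "DIFFERENT_RESPONSE"     # served anonymously, but not the same content

def check_targets(urls, token, fetcher=fetch):
    """Request each URL twice and return one result row per endpoint."""
    rows = []
    for url in urls:
        auth, anon = fetcher(url, token), fetcher(url)
        rows.append(dict(zip(FIELDS, [url, auth[0], anon[0], classify(auth, anon)])))
    return rows

def to_csv(rows):
    """Render result rows as CSV text (write it to a file in real use)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

class DemoApp(BaseHTTPRequestHandler):
    """Constructed target: /me enforces the token, /admin/export forgets to."""
    def do_GET(self):
        has_token = self.headers.get("Authorization") == f"Bearer {TOKEN}"
        if self.path == "/me":
            status, body = (200, b'{"user":"alice"}') if has_token else (401, b"{}")
        else:
            status, body = 200, b'{"rows":42}'  # same for everyone: the finding
        self.send_response(status)
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *_):  # keep the demo output quiet
        pass

def run_demo():
    """Serve the stand-in app on a free port and scan it; returns result rows."""
    server = HTTPServer(("127.0.0.1", 0), DemoApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:  # in real use, read the URLs from targets.txt, one per line
        return check_targets([f"{base}/me", f"{base}/admin/export"], TOKEN)
    finally:
        server.shutdown()

if __name__ == "__main__":
    print(to_csv(run_demo()))
```

SAME_RESPONSE rows are the ones to verify by hand before reporting, since an identical body can also mean a genuinely public endpoint rather than a missing authorization check.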
