Key Points
Welcome to issue #8 of The Vulnerabulletin — your one-stop-scroll for security research, industry news and a rundown of what’s new at Intruder.
This month we're asking an uncomfortable question: if the most powerful AI hacking tools have already been pulled from public access, does it actually matter? Our security engineer Sam Pizzey built a 0-day vending machine using pre-Mythos LLMs and immediately found a SQL injection vuln sitting on 300,000+ sites. Meanwhile, the US government has ordered Anthropic to pull Mythos 5 from public access over jailbreak concerns, but as our Head of Security Dan Andrew tells Silicon UK, the capabilities already exist in previous models if you have someone who knows security telling it what to do. And if all that wasn't enough to ruin your Wednesday, our CEO Chris joined Dark Reading to explain why midmarket security teams are chronically underserved. Well, at least we've chucked in some memes and fun headlines to lighten the mood.
We built a 0-day vending machine 🤖
Tokens in, 0-days out. Our security engineer Sam Pizzey built a vending machine that pairs pre-Mythos LLMs with a code-scanning framework and runs end-to-end: find the bug, exploit it, write the proof of concept — no human in the loop.
To put it to the test, he pointed it at the top 200 WordPress plugins. First ice-cold can out of the machine: CVE-2026-3985, a multi-step SQL injection in a plugin running on 300k+ sites, one-shotted by the exploitation agent.
Read this preview of Sam's upcoming B-Sides Vegas talk below.

Mythos got pulled - the threat didn't 👀
The US government ordered Anthropic to pull Fable 5 and Mythos 5 from public access, citing concerns it could be jailbroken for sophisticated hacking. But the capabilities causing panic are already available in models you can access today — and we know, because we've been using them to find 0-days ourselves. Our Head of Security Dan Andrew spoke to Silicon UK about the reality of what's already out there.

The midmarket security gap 📊
Enterprise-focused security tools are built for teams of ten, whilst most midmarket companies have teams of two. CEO Chris Wallis sat down with Terry Sweeney at Dark Reading's News Desk to talk about why midmarket security teams are chronically underserved, and why it's your patch speed, not your CVE count, that actually moves the needle.

The Vulnerabulletin Board 📌
What our security team has been reading (and meme-ing) this month...
💀 Amazon's internal meme roast of AI (404 Media) - Why employees dedicated an entire Slack channel to 'Sloppenheimer' memes mocking the company's AI coding products.
⚽ World Cup goals replaced with Rickrolls (bobdahacker) - The unbelievable story of how one hacker exposed a security flaw that granted them access to live camera streams (with multiple angles!) for every single FIFA World Cup 2026 match.
❌ The future of CTF challenges and cheating (camel4.dev) - The sad reality of how AI is causing rampant cheating and increasing team disqualification in annual CTF challenges.
🏆 Our meme of the month:

What's new in Intruder 💡
🔎 See what's exposed with Attack Surface View - Get a clear picture of everything exposed to the internet: every port, the service behind it and the version it's running, plus screenshot evidence of any exposed web services.
🔐 Broader, faster threat coverage with AI-powered checks - In our first month of building AI-powered checks, 90% of them weren't available from any other major scanner — and because they're AI-built, we can ship far more of them. New flaws become tested checks fast, and our engineers sign off on every one.
Hot off the keypress 🗞️