Key Takeaways
- Kara Sprague, HackerOne’s CEO, warns providers that attack automation doesn’t discriminate in who it targets.
- AI red teaming is, at the same time, exploding — and exposing new vulnerabilities that companies’ favorite legacy stacks just can’t keep up with.
- Sprague talks about HackerOne’s new agentic tools and how they can help keep up with AI as it becomes part of day-to-day operations on both ends.
The nostalgic image of underground hackers has an undeniable cinematic appeal. Teams huddled in basements, lit by neon monitors, racing against a blinking timer — a sense of urgency and excitement unmatched by any regular old workplace.
Reality today shows it’s a lot less sexy, but just as concerning. HackerOne’s CEO, Kara Sprague, told HostingAdvice that adversaries are not slowing down at all in the way they use AI in their attacks.

AI has effectively automated the attacker, turning what used to be manual effort into something anyone can run at any scale. Everybody’s on the menu, and targets get picked in seconds.
It’s why Sprague urges providers to move away from legacy security stacks and start incorporating AI red teaming. Beginning last year, HackerOne saw 200% growth in AI red teaming, which further suggests how quickly organizations are trying to understand their AI exposure.
HackerOne’s doing the same thing, and prompt injections are among the top methods.
“Prompt injection is by far the most prevalent, but you can also almost think about prompt injection as the AI equivalent of cross-site scripting,” Sprague said. “Some of the more interesting and malicious attacks include model poisoning, where you somehow get the model to incorporate a bunch of data that significantly alters its bias or jailbreaking models.”
This is a prime example of automated tooling. It doesn’t care how valuable a business is; it just crawls, tests, and attacks. Regional operators, boutique providers, resellers — just about everybody — are constantly getting gobsmacked with the same intensity as major companies and brands.
Size Truly Doesn’t Matter
John Chambers, Cisco’s former CEO, once said something that has been quoted hundreds of times since. He said: “There are two types of companies: Those that have been hacked, and those who don’t yet know they have been hacked.”
That’s already obvious in HackerOne’s findings. According to Sprague, the automation available to attackers means organizations should expect “much more continuous probing on systems” than they’ve seen in previous years.
“Even those organizations that felt they were flying under the radar will start to see sophisticated attacks pointed at them,” said Sprague. “The kinds of protections and the kinds of security techniques and tooling that you need to protect your AI systems is very different from the stack that they have been using historically.”
If AT&T can have 109 million accounts exposed and Yahoo can lose nearly 3 billion user records, even “trusted” companies aren’t immune.
| Company | Incident Summary | Scale |
|---|---|---|
| AT&T | Unauthorized download of customer account data | 109 million accounts |
| Yahoo | Historic breach exposing user information | About 3 billion accounts |
| JPMorgan Chase | Large-scale breach of customer data | 83 million households and businesses |
| T-Mobile | Multiple breaches across several years | Tens of millions of users |
“We’re moving into a space now where the automation that is available to cyber criminals means that you’re going to have to have much more continuous probing on systems,” Sprague said. “You’re going to have to have much more continuous probing on systems.”
Continuous probing leads to exactly what you think it does: Instead of occasional spikes in activity, systems see a steady stream of automated checks, tests, and boundary‑pushing attempts.
These patterns aren’t surprising to her. As AI adoption rises across enterprises, the underlying systems are exposed to new classes of behavior that older testing frameworks weren’t designed to evaluate. Sprague said this is one area where many teams — even well-funded ones — are still catching up.

“CISOs are more on their back foot with AI adoption than they have been historically with other technologies,” she said. “The advice we’re giving is to incorporate security of your AI system, make it a part of your overall security program. It’s not a side thing that you should try to drive outside of your existing governance process.”
One distinction Sprague emphasized is understanding AI security versus AI safety:
- AI security: protecting confidentiality, integrity, and availability
- AI safety: ensuring the model’s outputs don’t cause harm to end users
Both need structured testing, she said, and each behaves differently from the vulnerabilities teams are used to assessing.
Sprague also noted that the tools protecting AI systems diverge significantly from the legacy stacks many providers still rely on. The shift toward AI-specific testing makes the role of external researchers more important, not less.
And because of that, “the role of the external security researcher community is definitely elevated” when evaluating AI-driven behavior.
Inside HackerOne’s Evolving Tooling
When Sprague joined HackerOne last year as its new CEO, she came in with a background shaped by Oracle and McKinsey. Thirteen months later, she said one thing has stood out the most: how quickly both the community and the customers are embracing AI and the tooling around it.
“Most of the community are embracing AI — both because it helps them expand their ability to do more things, whether that’s helping with reconnaissance, or some of them are paying for large amounts of infrastructure to drive a bunch of automation to help with their research and vulnerability discovery,” Sprague explained.
“Generally, the community recognizes that AI is going to be necessary to help them force-multiply their own work,” she said.
One example of this new tooling is the Insight Agent, which Sprague described as “the archivist or librarian of all vulnerability reports that have ever come into a specific organization.” While it does surface old reports, it also compares any new issues against years of historical data and patterns, so it can tell analysts what they did last time in a similar situation.
Customers have told her it cuts analysis time by as much as 75%, which is a pretty big deal for hosting teams that barely have enough people to keep up with ticket queues, let alone triage every odd-looking vulnerability.
It’s not dissimilar to HackerOne’s Report Assistant Agent. Specifically built for security analysts/researchers, it solves a problem that any ticketing agent understands: low-quality submissions that take way too much time to clarify.
Sprague said the agent is “meant to shift left a bunch of that back and forth,” meaning reports come in structured, complete, and easier to validate. Basically, when somebody submits a bug that says: “This doesn’t work!1!1!”, the autonomous agent can take that and actually do the work to make sense of it.

All of these tools sit under Hai, HackerOne’s broader agentic platform.
Built as the parent system to these agents, Hai was designed with strict permissioning, so agents inherit the same user permissions as the person calling them, and with explicit guardrails ensuring customer data isn’t used to train or tune models.
“Many of those protections are built in place, and they’re based on the highest architectural standards from the general community,” Sprague explained to us. “We took the best page out of some of the leaders we think in terms of thinking through permissions and access controls for agentic systems.”
Instead of pitching Hai as a neatly wrapped box, HackerOne subjects its own tools to the same scrutiny it encourages customers to try.
“The other thing that we’re careful to do with Hai, of course, is that we drink our own champagne. HackerOne has always had a very active bounty program for our own technology, and we also do pentesting on our own technology,” she said. “And we invite the broader community to be pressure testing these things and participate in our programs to help improve them.”




