Hackers Say Generative AI Unlikely to Replace Human Cybersecurity Skills—Bugcrowd Survey
July 2023 by Bugcrowd
Bugcrowd released its annual Inside the Mind of a Hacker report for 2023, which found that 72% of hackers believe artificial intelligence (AI) will not replace the creativity of humans in security research and vulnerability management.
The report delves into a wide range of topics, including the impact of AI on security, a peek at what professional hackers look like, and the state of hacking.
The Impact of AI and the Rise of Generative AI Hacking
Generative AI was a major theme in the 2023 report, with more than half of respondents (55%) saying that it can already outperform hackers or will be able to do so within the next five years. However, hackers aren’t worried about being replaced, with nearly three out of four respondents (72%) saying that generative AI will not be able to replicate the creativity of hackers.
When asked how generative AI is being used, the top functions that hackers mentioned were automating tasks (50%), analyzing data (48%), identifying vulnerabilities (36%), validating findings (35%), and conducting reconnaissance (33%). Nearly two out of three respondents (64%) believed that generative AI technologies have increased the value of ethical hacking and security research.
The uptick in AI usage among hackers aligns with guidance from the U.S. Department of Defense in 2022 and President Biden’s Cybersecurity executive order, EO 14028 where he noted “The value of harnessing AI in cybersecurity applications is becoming increasingly clear...The methods show great promise for swiftly analyzing and correlating patterns across billions of data points to track down a wide variety of cyber threats in the order of seconds."
Challenging and Confirming Hacker Stereotypes
Most hackers were Gen Z aged 18–24 (57%) or Millennials 25–34 (28%). Nevertheless, the stereotype of the teenage hacker proved to be more accurate than its counterpoint in Gen X phreakers, with 5% being under 18 and only 2% being over 45. Additionally, the trope of hackers being disproportionately male proved true, based on this research, with 96% of respondents identifying as male and just 4% as female, with another 0.2% identifying as non-binary or genderqueer.
Most hackers (82%) do not hack full time, treating it either as a part-time job, side hustle, or something they are in the process of making a full-time occupation. Only 29% described hacking as their full-time profession. The motivations for ethical hacking were varied, but the top incentives included personal development (28%), financial gain (24%), excitement (14%), and the challenge (12%). Another 6% of respondents said they hack for the greater good, and 87% said that reporting a vulnerability is more important than making money from it.
While more than half of the respondents have graduated from college (54%) and 14% completed grad school, only 24% learned to hack through academic or professional coursework. The majority of hackers (71%) were self-taught, with most learning to hack through online resources (84%), while others learned through trial-and-error (40%) or friends and mentors (34%).
The State of Hacking and Vulnerability Management
Views varied on how many companies understand their true risk of being breached, with 27% of respondents saying that less than 10% of companies really understand their risk. Another third of respondents (33%) said that 10–25% of companies understand their risk, but only 16% said that more than half of companies understand their true risk of being breached.
The respondents painted a mixed picture of the global threat landscape, with 84% saying there have been more vulnerabilities since the start of the COVID-19 pandemic and 88% saying point-in-time security testing is not enough to keep companies secure. Nevertheless, 78% of respondents said that most companies’ attack surfaces are getting harder to compromise, and 89% said that companies increasingly view ethical hackers in a favorable light.
Nearly two-thirds of respondents (63%) reported finding a new vulnerability in the past 12 months that they had not encountered before. In addition, more than half of the respondents (54%) said they did not disclose a vulnerability because a company lacked a clear pathway to report it without risking legal consequences.
Hacking is increasingly leveraged for career development, as 42% of respondents said that building long-term relationships with security decision-makers and brands was one of their top goals when hacking on Bugcrowd. In addition, over half of the respondents (53%) said hacking has helped them get a job working remotely.
“With this report, more hackers are stepping out from the shadows of their stereotypes to tell real stories and redefine what hacking looks like as a career path,” said Dave Gerry, CEO of Bugcrowd. “As global enterprise AI adoption reaches critical mass, Bugcrowd is proud to stand at the coal face of security research, and we are thrilled that more organizations are tapping the diverse skills and expertise of hackers—at just the right time—through our platform.”
The survey included 1,000 respondents from 85 countries, including the United States, Australia, Brazil, Canada, Ethiopia, India, France, Jordan, Singapore, and the United Kingdom.
Readers of this report will better understand how ethical hackers reduce risks for organizations, provide one of the most significant security returns on investment, and accelerate digital transformations.