Aaron Portnoy on Pwn2Own, the End of Easy Bugs, and AI-Fueled Offense

May 27th, 2026

40 mins 9 secs


About this Episode

(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals.)

Three Buddy Problem x Ekoparty Miami: Aaron Portnoy (Zero Day Initiative alum, early Pwn2Own organizer, and now at Mindgard) joins us at Ekoparty Miami to reminisce on the early days of the hacking contest, where vulnerabilities actually live (the boundaries between systems, not inside them), why LLMs will take out the trash but can't dream up the next speculative-execution-class bug, and the coming patching apocalypse when discovery 10x's overnight.

Plus, why your SOC is a forensic historian, the promise of hijacking an attacker's reward loop with deception tech, and the legendary story of carrying a Walmart "fat stack" of cash to bootstrap Ekoparty in Buenos Aires.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Aaron Portnoy.

Timestamps:
0:00 — Introductory banter
1:17 — Dropping out, iDefense, and getting good at reversing everything
2:19 — How Pwn2Own got started
4:15 — The most impressive Pwn2Own ever: Nils, VUPEN, and exploit "art"
5:59 — "iPhone hacked in 30 seconds" — and the 18 months behind it
6:41 — Does Pwn2Own still have a place in the AI era?
9:16 — Why LLMs take out the trash but can't invent the next bug class
12:48 — Will LLMs deliver new mitigation classes? Aaron's skeptical
18:34 — The place of the human when the easy bugs run dry
21:08 — Cognitive offloading, Halvar's warning, and skill rot
22:39 — Decompiling 800k functions: Aaron's LLM "holy shit" moment
25:26 — The patching apocalypse and why "assume breach" breaks
28:15 — Compounding asymmetries: why offense just transcended defense

Episode Links