Aaron Portnoy on Pwn2Own, the End of Easy Bugs, and AI-Fueled Offense

May 27th, 2026  |  40 mins 9 secs

ai, apt research, cyberespionage, nation-state, ransomware, zero-day

(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals).

Three Buddy Problem x Ekoparty Miami: Aaron Portnoy (Zero Day Initiative alum, early Pwn2Own organizer, and now at Mindgard) joins us at Ekoparty Miami to reminisce on the early days of the hacking contest, where vulnerabilities actually live (the boundaries between systems, not inside them), why LLMs will take out the trash but can't dream up the next speculative-execution-class bug, and the coming patching apocalypse when discovery 10x's overnight.

Plus, why your SOC is a forensic historian, the promise of hijacking an attacker's reward loop with deception tech, and the legendary story of carrying a Walmart "fat stack" of cash to bootstrap Ekoparty in Buenos Aires.

Cast: Ryan Naraine, Juan Andres Guerrero-Saade, Aaron Portnoy.

Timestamps:
0:00 — Introductory banter
1:17 — Dropping out, iDefense, and getting good at reversing everything
2:19 — How Pwn2Own got started
4:15 — The most impressive Pwn2Own ever: Nils, VUPEN, and exploit "art"
5:59 — "iPhone hacked in 30 seconds" — and the 18 months behind it
6:41 — Does Pwn2Own still have a place in the AI era?
9:16 — Why LLMs take out the trash but can't invent the next bug class
12:48 — Will LLMs deliver new mitigation classes? Aaron's skeptical
18:34 — The place of the human when the easy bugs run dry
21:08 — Cognitive offloading, Halvar's warning, and skill rot
22:39 — Decompiling 800k functions: Aaron's LLM "holy shit" moment
25:26 — The patching apocalypse and why "assume breach" breaks
28:15 — Compounding asymmetries: why offense just transcended defense

Perri Adams on Proof Engines, LLMs, and the New Era of Verifiable Code

May 26th, 2026  |  40 mins 27 secs

ai, apt research, cyberespionage, nation-state, ransomware, zero-day

(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals).

Three Buddy Problem x Ekoparty Miami: Perri Adams of DARPA AIxCC fame joins the show to chat about proof engines, formal methods, and why LLMs just made a once-niche corner of computer science suddenly essential.

We get into why verifiers and proof engines are the key to effective AI, why vulnerability research is so far ahead of threat intel, and the case for baking security checks directly into code generation tools like Claude Code and Codex.

Plus, designing a multi-million dollar challenge that's allowed to fail, the Mythos "too dangerous to release" debate, and musings on every LLM-discovered bug being a public bug by default.

Cast: Ryan Naraine, Juan Andres Guerrero-Saade, Gabriel Bernadette-Shapiro.

Timestamps:
0:00 — Introductory banter
1:09 — Why LLMs just made formal methods relevant again
4:03 — Proof engines, explained
8:43 — Can a layman grab this fire? The calculus problem
11:58 — Vuln researchers are scrappy kids with a trust fund
14:55 — Pitching AIxCC inside DARPA: hard sell or easy sell?
18:00 — Designing a challenge that's allowed to fail
22:06 — Inside Team Atlanta's 150-page winning system
24:00 — Why this is bigger for defense than for offense
31:49 — Mythos, safeguards, and "every LLM bug is a public bug"

Find 50,000 Bugs, Fix Zero: Gabriel Bernadett-Shapiro on the AI Vuln Trap

May 26th, 2026  |  49 mins 37 secs

ai, apt research, cyberespionage, nation-state, ransomware, zero-day

(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals).

Three Buddy Problem x Ekoparty Miami: SentinelLabs researcher Gabriel Bernadett-Shapiro hops on the mic to unpack who gets to define what "security" even means in the age of AI, why venture capital keeps funding the wrong things, and how the frontier labs quietly ate everyone's coding harness.

Plus, how AI actually contributed to cracking the FAST 16 research, overcoming the guardrails, and why your domain expertise is the only thing keeping you out of full-blown rabbit-hole psychosis.

Cast: Ryan Naraine, Juan Andres Guerrero-Saade, Gabriel Bernadett-Shapiro.

Timestamps:
0:00 Introductory banter
4:55 Gabe returns: how the models got scary-good at code
8:45 Bay Area short-termism and the "10x in 18 months" trap
11:35 VCs as tastemakers, and why that's broken
13:00 The unpaid-labor pipeline into the AI labs
18:00 The real misunderstanding about security's moat
20:18 Bug bounties: a net negative for the industry?
22:20 The great vuln fire sale — find 50,000, fix zero
27:28 Who will maintain vetted open-source libraries?
29:29 FAST 16: how AI actually broke the case open
35:05 The rabbit-holing machine and the path to "AI psychosis"
41:05 Stuxnet, Kim Zetter, and the story we'll never be told

Federico Kirschbaum on XBOW, AI Hackers, and the Future of Pen Testing

May 25th, 2026  |  58 mins 2 secs

ai, apt research, cyberespionage, nation-state, ransomware, zero-day

(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals).

Three Buddy Problem x Ekoparty Miami: Federico Kirschbaum, founder of Ekoparty and now head of Security Lab at XBOW, talks about what happens to offensive security when an autonomous AI hacker can find and exploit real vulnerabilities. Fede walks through XBOW's "Tales from the Trace," the surreal experience of watching a non-human adversary reason its way to an ASLR bypass, and why he believes pen-testing isn't dying but finally becoming accessible to far more than the world's biggest companies.

Plus, where humans still matter in the loop, whether an LLM-discovered bug is public by definition, the looming reckoning over software liability, and Halvar Flake's very honest fear of getting lazy.

Cast: Ryan Naraine, Juan Andres Guerrero-Saade, Federico Kirschbaum

Timestamps:
0:00 Fede's move to XBOW
2:20 What's XBOW building? An AI hacker for real vulnerabilities
5:53 Where the human stays in the loop
6:35 The Exim bug: a craftsman races the LLM to an ASLR bypass
10:49 Does bug discovery still need a human asking the right question?
16:24 A short history: Satan, CORE, Metasploit, bug bounties
18:48 An LLM-discovered bug is public by definition
24:12 Halvar Flake's laziness worry & the assembly-to-C parallel
29:47 Rising tides: script kiddies get the full gamut
41:02 The economics: does pentesting get cheap?
43:18 Argentina, Ekoparty, and an untapped talent pipeline

Jordan Wiens on AI, Offense vs. Defense, and the Dying CTF Pipeline

May 24th, 2026  |  44 mins 17 secs

ai, apt research, cyberespionage, nation-state, ransomware, zero-day

(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals).

Three Buddy Problem x Ekoparty Miami: Jordan Wiens, co-founder of Vector 35 and creator of Binary Ninja, talks about a decade spent building a decompiler in a market everyone told him not to enter. He walks through why accessibility drove the whole project, how Binja's intermediate-language system stacks up against IDA, Ghidra, and Radare, and why language-specific decompilation for Rust, C++, and Go is the next real frontier.

Plus, thoughts on AI disruption and why "the model can do it" misses the point that the model is just driving the tool, what verifiability really means, whether AI tilts the field toward offense or defense, and questions around subsidized tokens, the collapse of the CTF talent pipeline, and what happens to a craft when the shortcut is always one prompt away.

Cast: Ryan Naraine, Juan Andres Guerrero-Saade, Jordan Wiens.

Timestamps:
0:00 Introductory banter
1:22 Vector 35 and the origin of Binary Ninja
2:32 From CTFs and SCIFs to building a decompiler
3:27 Before Ghidra: when an IDA license was out of reach
9:47 Language-specific decompilation: Rust, C++, and Go
12:47 Running a 17-person bootstrapped shop with no org chart
13:50 DARPA money, In-Q-Tel, and staying independent
15:23 AI as disruptor: the model drives the tool
18:06 Verifiability and the Fast16 reversing story
25:10 How AI actually gets used inside the company
28:52 Frontier models and guardrails
33:30 Will AI favor offense or defense?
40:51 Shrinking CTF talent pipelines

The AI-powered 10x patch tsunami has arrived. Now what?

May 15th, 2026  |  1 hr 50 mins

ai, apt research, cyberespionage, nation-state, ransomware, zero-day

(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals).

Three Buddy Problem - Episode 98: We dive back into the fast16 malware discovery with fresh speculation that it's targeting spherical implosion simulations for Iran's nuclear program, and wonder who on earth is qualified to confirm this.

Plus, thoughts on OpenAI's new three-tier cyber access program, Microsoft's MDASH harness, the 10x Patch Tuesday tsunami, Cloudflare's 1,100 layoffs blamed on AI, and why frontier-lab guardrails may just be elaborate security theater.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

Timestamps:
0:00 - Introductory banter
3:19 - fast16 update: spherical implosion simulations?
9:01 - Manhattan Project precedent — why this matches Iran
12:28 - Who can actually reproduce the FAST 16 attack?
19:32 - Google GTIG's "AI-written" zero-day
22:13 - The rise of AI-backend "silent detections"
25:54 - Guardrails as security theater
38:47 - Are the 10x patch numbers real defense?
43:48 - OpenAI's Trusted Access tiers + Microsoft MDASH
53:35 - End of the ‘patch-and-pray’ model
57:50 - Sean Heelan: strict harnesses can make models worse
1:03:51 - Pwn2Own Berlin overflow and bug-density debate
1:12:24 - Cloudflare's 1,100 layoffs and AI as scapegoat
1:27:42 - RCS encryption, Android Intrusion Logging, Seedworm & Kazuar

The disappointing death of big-game APT reporting

May 10th, 2026  |  2 hrs 2 mins

ai, apt research, cyberespionage, nation-state, ransomware, zero-day

(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals).

Three Buddy Problem - Episode 97: We discuss the disappearing art of Windows APT paleontology, the absence of complex malware documentation, and why so much threat-intel research has slipped behind paywalls and into private rooms.

Plus, a surge in AI-discovered bugs in Firefox and Chrome, a rough week for Linux security flaw disclosures, and the usual Ivanti and Palo Alto zero-day bulletins that ship without a single IOC.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

Timestamps:
0:00 - Introductory banter
1:17 - Inside TLP-Red: writing hashes by hand
3:57- fast16 fallout and the threat intel trust collapse
9:17 - The death of cyber paleontology on Windows
14:49 - Mobile is the new paleontology frontier
15:48 - When threat intel went private: the CrowdStrike effect
23:29 - Falling sideways into intelligence brokerage
36:05 -- AI, Easter eggs, and the loss of malware artistry
47:22 -- Will the Frontier Labs publish threat intel?
51:43 -- fast16 follow-up reports coming
1:09:38 - Mythos, Aardvark, and the patch tsunami
1:15:33 - CopyFail and the Linux reboot crisis
1:51:05 - UAPs, Pulitzers, last-ever LabsCon, and shoutouts

Cracking the Fast16 sabotage malware mystery

May 1st, 2026  |  1 hr 47 mins

ai, apt research, cyberespionage, nation-state, ransomware, zero-day

(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals).

Three Buddy Problem - Episode 96: We're joined by WIRED writer Andy Greenberg to dig into SentinelLabs' bombshell FAST16 research, a newly deciphered piece of sabotage malware that predates Stuxnet by five years and quietly tampered with physics modeling software likely tied to Iran's nuclear program.

We discuss the attribution rabbit hole (NSA? Israel? someone else?), the eerie "spiritual warfare" implications of corrupting scientific calculations, and Antiy Labs' very dialectical Chinese rebuttal. Plus, what AI reverse-engineering means for the next decade of cyber paleontology.

Cast: Andy Greenberg (WIRED), Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

Timestamps:
0:00 - WIRED’s Andy Greenberg joins the show
1:53 - How the FAST16 scoop landed in Andy's lap
6:45 - JAGS sat on this sample for 7 years
10:33 - How Costin and the Kaspersky team missed the sabotage routine
15:20 - The "holy moly" moment: what FAST16 actually does
18:26 - Territorial Dispute, Shadow Brokers, and the driver list
24:11 - The targets: MOHID, PKPM, and LS-DYNA's link to Iran
28:13 - No C&C, no victims: a worm built for air-gapped networks
34:45 - Was this part of a larger anti-Iran toolkit?
37:55 - Attribution: NSA, Israel, or someone else entirely?
51:39 - What was the actual sabotage? Unanswered questions
55:48 - "Spiritual warfare": the psychological angle and trust in computers
1:20:05 - Equities, going public, and the case for AI-powered reversing
1:32:19 - Antiy Labs' Chinese rebuttal and the apparatchik tone
1:43:04 - Shoutouts: Sergey Mineev, LabsCon CFP, PivotCon, and Ekoparty

Mark Dowd on AI hacking, exploit chains, zero-day sales

April 24th, 2026  |  2 hrs 2 mins

ai, apt research, cyberespionage, nation-state, ransomware, zero-day

(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals).

Three Buddy Problem - Episode 95: Vigilant Labs director Mark Dowd joins the show to shed light on the state of offensive research, the economics of the exploit market, and why "Mark Dowd in a box" isn't quite the threat the AI hype machine suggests. He talks through the daily stresses of running an offensive shop, how AI is reshaping vulnerability discovery, exploit development, and the pricing of full exploit chains.

Plus, thoughts on Lockdown Mode and Apple's MIE, whether mitigations actually work or just push attackers toward less access, the rise of HarmonyOS and the Balkanization of device security, persistence, baseband attacks, GrapheneOS, and Samsung Knox.

We discuss customer vetting and OpSec fears, policymakers who've never written an exploit, and the strange afterlife of The Art of Software Security Assessment, the 20-year-old book now possibly training data for the very tools coming for his job.

Cast: Mark Dowd, Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

Timestamps:
0:00 Introductions
4:28 The origin story of Azimuth: why go offensive?
6:26 Stresses of running an offensive research business
12:10 "Mark Dowd in a box" — is AI an existential threat to vuln research?
16:13 Using AI in workflow: frontier models vs. local models
22:05 AI in bug-finding vs. exploit implementation
30:30 Watching AI tear through a firmware backdoor
38:23 Artificial guardrails and the "POC" wall
43:25 Will AI commoditize 0days? The high-end vs. low-end vendor split
57:30 How AI disrupts exploit chain pricing
1:05:18 Does persistence still matter? Should you reboot your phone?
1:09:33 Lockdown Mode, MIE, and Apple's "never been compromised" claim
1:14:25 Do mitigations really work, or are we stuck in an endless loop?
1:23:25 Android vs. iOS vs. Huawei's HarmonyOS Next
1:34:44 Exploit leaks, customer vetting, and OpSec fears
1:41:37 GrapheneOS, Samsung Knox and baseband attacks
1:53:56 Did the exploit market save us from encryption backdoors?
1:55:11 What does the threat-intel community get wrong about vuln research?

The Angry Spark APT Mystery: A Year-Long Backdoor, One Victim, Zero Attribution

April 18th, 2026  |  2 hrs 35 mins

ai, apt research, cyberespionage, nation-state, ransomware, zero-day

(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals).

Three Buddy Problem - Episode 94: We discuss a mysterious, VM-obfuscated backdoor that lived undetected on a single U.K. machine for a year before disappearing, finding clues pointing to an elite-level APT intrusion that still evades broader industry coverage.

Plus, connecting the dots across AI-driven vulnerability discovery, Microsoft’s massive Patch Tuesday, Jensen Huang talks cybersecurity, Mythos dangers and Chinese chips, and the quiet erosion of CVE enrichment at NIST.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

Timestamps:
0:00 – Intros + AI news whiplash
5:10 – Patch Tuesday breakdown: Microsoft's second-largest CVE release ever
7:32 – AI accelerating vulnerability discovery at record pace
10:00 – Frontier lab cyber models, fine-tuning, guardrail removal & KYC
12:37 – FreeBSD NFS bug: Opus 4.6 was already finding critical vulns
14:26 – Anthropic's infrastructure strain: Is Opus being nerfed?
21:05 – OpenAI's Trusted Access for Cyber vs. Anthropic's Mythos cabal
28:45 – SharePoint zero-day CVE-2026-32201: The endless Microsoft tax
34:36 – Adobe Acrobat zero-day: A rare, real, Russia-linked exploit in the wild
41:36 – VirusTotal mining: The golden age of threat intel hunting
50:03 – ZionSiphon: Vibe-coded OT malware targeting Israeli water infrastructure
55:04 – Paleontology of threat research: When do you publish? Who do you trust?
1:13:53 – Angry Spark: A one-machine, one-year backdoor raises eyebrows
1:49:25 – Jensen Huang vs. Dwarkesh Patel on Mythos, China and chips
2:14:32 – Chinese AI distillation: 24,000 fake Anthropic accounts, DeepSeek & the catch-up question

The Claude Mythos, Project Glasswing Shockwave

April 10th, 2026  |  2 hrs 34 mins

ai, apt research, cyberespionage, nation-state, ransomware, zero-day

(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals).

Three Buddy Problem - Episode 93: We discuss Anthropic's release of Claude Mythos Preview (an AI model so capable and dangerous they won't release it publicly) and debate the looming patching crisis, bug bounty extinction, possible US government nationalization of frontier labs, and why the NSA might not be thrilled about all this bug-fixing.

Plus, North Korea's six-month Drift Protocol con job, APT28's retro DNS hijacking campaign, and Microsoft's driver signing mess hitting WireGuard and VeraCrypt.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

0:00 — Opening banter
1:36 — Claude Mythos Preview, Project Glasswing Announcement
7:22 — Parsing the Hype: Is Mythos Really a Step Change?
11:31 — Costin's Take: Is This All a PR Stunt?
17:10 — The Patching Problem: What Happens After the Zero Days?
28:11 — Bug Bounty Programs Under Threat from AI
33:37 — What Will Companies Actually Do With Mythos?
45:09 — Geopolitics: Where Is the US Government? Nationalization Talk
53:01 — Source Code vs. Binary: The Real Limits of Mythos
1:00:01 — Model Recklessness, Guardrails and the Psychiatrist
1:06:17 — Fortinet: Another Zero Day, No Patch, No IOCs
1:09:08 — North Korean Drift Protocol Heist: $285 Million Stolen
1:24:39 — SOHO Router DNS Hijacking: APT28 and FBI Disruption
1:32:34 — Microsoft Suspensions Hit WireGuard, VeraCrypt, OSR
1:38:49 — Shout-Outs, Conferences & Closing

LLMs writing exploits, engineers losing skills, and a case for the generative OS

April 3rd, 2026  |  2 hrs 19 mins

ai, apt research, cyberespionage, nation-state, ransomware, zero-day

(Presented by TLPBLACK - High-fidelity threat intelligence and research tools for modern security teams. From curated Passive DNS and real-time C2 monitoring to actionable IOC feeds and daily malware samples, we help defenders detect, hunt, and disrupt threats faster, with seamless integration into SIEM and SOAR workflows.)

Three Buddy Problem - Episode 92: Costin walks through real-world ransomware incident response while Juanito makes the case for AI-generated operating systems that never run anyone else's code. Plus, debates on whether vulnerability research is cooked, why nobody should pay ransoms, and what the security industry looks like after the massive AI flood.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

0:00 – Introductory banter
2:00 – Costin's ransomware incident response work
3:30 – How attackers break in: Fortinet vulnerabilities everywhere
6:30 – Hunting for ransomware decryption keys
9:00 – Breaking into ransomware C2s and monitoring leak sites
12:00 – The ransom payment debate: should you ever pay?
16:00 – Why "don't pay the ransom" is overgeneralized
21:00 – How ransomware gangs price their demands
24:00 – The AI-pilling of the security industry
28:30 – Nicholas Carlini, Ptacek, and "vulnerability research is cooked"
35:00 – Towards a generative-first operating system
41:00 – Code factories, trusted computing, and killing dependencies
48:00 – Microsoft and Apple's AI positioning
56:00 – Chris St. Myers' "Cognitive Rust Belt" essay
1:18:00 – Choice, The Matrix, and the illusion of control
1:38:00 – Supply chain attacks, North Korea, and dependency sprawl