Teaching AI to Hunt What Humans Miss: Building a Bug Bounty Brain That Thinks in Chains
Published on October 19, 2025
The ADHD Hunter’s Dilemma
In my last article, I talked about how AI limitations became superpowers—how Claude’s 200k token limit forced me into better testing practices, and how AI bridged the gap between my ADHD brain and rigid corporate tools.
But there’s another invisible barrier I’ve been hitting in bug bounty hunting, and it’s one that’s cost me actual money.
You find a vulnerability. You’re excited. You write it up, submit it, and then… REJECTED.
“Low impact - the data returned is not sensitive.”
The frustration is real. You spent hours finding an IDOR that lets you access other users’ data, but because it’s just usernames and avatar URLs, it gets rejected. Meanwhile, that same IDOR pattern could have led you to `/api/users/{id}/permissions`, where you could escalate to admin: a $5,000 critical finding instead of a rejection.
The pattern I kept seeing: I was finding the breadcrumbs but missing the trail.
The 10% Problem
Here’s what I realized: Most bug hunters find the same 90% of vulnerabilities. The obvious SQL injection in a search box. The reflected XSS in a URL parameter. The standard stuff that automated scanners catch.
But there’s a 10% of vulnerabilities that are different:
- IDOR chains - Low-impact finding → Related endpoint → Privilege escalation
- WebSocket vulnerabilities - Because most tools don’t capture WebSocket traffic well
- Client-side routing XSS - Fragment-based XSS that never reaches the server
- postMessage vulnerabilities - Cross-origin messaging most hunters never monitor
- Business logic flaws - Negative quantities, race conditions, state machine bypasses
- Mass assignment - Hidden parameters like `isAdmin` that documentation doesn’t mention
- Complex payload formats - ASP.NET ViewState, JWT tokens, SAML assertions that are tedious to decode manually
These vulnerabilities require:
- Systematic enumeration most hunters skip
- Understanding of chains that AI scanners can’t see
- Patience to decode complex formats
- Real-time monitoring of client-side behavior
Sound tedious? It is. And that’s exactly where my ADHD brain hits another wall.
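As a taste of the systematic part, here is a hypothetical mass-assignment probe. The endpoint flow, field names, and the idea of checking which injected fields the server echoes back are illustrative assumptions, not a real target’s behavior:

```python
# Hypothetical mass-assignment probe: replay a legitimate update body with
# extra hidden fields, then see which ones the server reflects back.
# Field names like "isAdmin" are illustrative guesses, not a real API.
HIDDEN_CANDIDATES = {"isAdmin": True, "role": "admin", "verified": True}

def inject_hidden_fields(original_body: dict) -> dict:
    # Copy the legitimate request body and graft the candidate fields on.
    probe = dict(original_body)
    probe.update(HIDDEN_CANDIDATES)
    return probe

def accepted_fields(probe: dict, response_body: dict) -> list[str]:
    # Any injected field reflected back with our value is a candidate finding.
    return [k for k in HIDDEN_CANDIDATES if response_body.get(k) == probe[k]]

probe = inject_hidden_fields({"name": "jon"})
# If the response echoes {"name": "jon", "isAdmin": true}, that's a lead.
```

Doing this by hand across hundreds of endpoints is exactly the kind of repetitive loop that drains an ADHD brain.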
The Hypothesis: What If AI Could Think in Vulnerability Chains?
I had this thought: What if instead of using massive language models that try to do everything, I trained small, specialized AI models that think like an experienced bug hunter?
Not just “find XSS” but “see a low-impact IDOR and predict which related endpoints to test next.”
Enter Tiny Recursive Models (TRMs)—and this is where I have to give massive credit to some brilliant research.
The TRM Discovery
I first saw this on LinkedIn from Kalyan KS, an NLP researcher who posted about a paper that made me stop scrolling:
“Tiny 7M parameter model beats LLMs Deepseek R1, o3-mini and Gemini 2.5”
Wait, what? A 7 million parameter model beating massive LLMs?
The paper, “Less is More: Recursive Reasoning with Tiny Networks” by researchers at Samsung SAIL Montreal, introduces something revolutionary: small neural networks (just 7-10M parameters) that use recursive reasoning to solve complex problems.
Here’s the key insight that made my ADHD brain light up:
Instead of one massive model trying to do everything, use a tiny model that thinks recursively—going deeper into reasoning by calling itself multiple times.
Think of it like this:
- Big LLM approach: One giant brain trying to solve everything in one pass
- TRM approach: Small specialized brain that says “let me think about this… and think about it again… and again…” recursing 4-10 times to reach a conclusion
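The loop above can be sketched in a few lines. This is a toy illustration of the recursive-refinement idea, not the actual TRM architecture; the `refine` step stands in for the tiny network’s forward pass:

```python
# Toy sketch of recursive reasoning: instead of one big forward pass,
# a small "reason" step is applied to the same state over and over.

def refine(state: float, evidence: float) -> float:
    # One small reasoning step: nudge the current belief toward the evidence.
    return state + 0.5 * (evidence - state)

def recursive_reason(evidence: float, steps: int = 8) -> float:
    state = 0.0  # start with no opinion
    for _ in range(steps):  # "think about it... and again..." (4-10 passes)
        state = refine(state, evidence)
    return state
```

Each pass closes half the remaining gap, so after 8 passes the tiny step has converged on an answer a single pass would miss—the same intuition, scaled up, behind TRM’s recursion.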
The Samsung researcher showed that TRM with just 0.1% of the parameters outperforms Gemini 2.5 on complex puzzle tasks.
Why This Matters for Bug Hunting
The moment I read that paper, I realized: This is EXACTLY what bug hunting needs.
Finding vulnerability chains isn’t about having a massive knowledge base. It’s about:
- Looking at a finding
- Reasoning: “I’ve seen this pattern before…”
- Reasoning deeper: “If this endpoint exists, then…”
- Reasoning even deeper: “Which means I should test…”
- Conclusion: “High chain potential at these 5 endpoints”
That’s recursive reasoning!
A 7-10M parameter TRM can:
- Train in minutes on my 8GB GPU (not hours/days)
- Run in ~100ms per analysis (not seconds)
- Focus on ONE vulnerability type (deep expertise)
- Use recursive steps to think through chains
The key insight: 20+ specialized TRMs running in parallel (2GB+ VRAM total) can analyze requests faster and more systematically than my ADHD brain manually testing.
Standing on the Shoulders of Giants
Full credit to the researchers at Samsung SAIL Montreal:
- Paper: Less is More: Recursive Reasoning with Tiny Networks
- HuggingFace: Paper discussion
- GitHub: TinyRecursiveModels (which I’m using as the foundation)
And massive thanks to Kalyan KS for sharing this research on LinkedIn—otherwise I might have missed it entirely.
This is what I love about the AI research community: Someone publishes breakthrough research on reasoning models, and within weeks, people are adapting it to solve completely different problems (like bug hunting!).
Their innovation: Small models can outperform large ones through recursive reasoning.
My adaptation: Apply this to vulnerability detection and chain prediction.
The Architecture: A Cascade of AI Hunters
I’m building a three-tier system:
Tier 1: Individual Vulnerability Specialists (20 models)
Each specialist hunts ONE thing:
- SQLi Specialist - Detects SQL injection
- XSS Specialist - Detects cross-site scripting
- IDOR Specialist - Detects insecure direct object references
- IDOR Chain Predictor - This is the secret sauce (see below)
- Business Logic Specialist - Negative numbers, race conditions
- Mass Assignment Specialist - Hidden parameters
- OAuth Flow Specialist - Complex authentication chains
- JWT Analyzer - Decodes tokens and finds `alg: none`, privilege claims
- ViewState Analyzer - ASP.NET deserialization attacks
- WebSocket Specialist - Real-time injection vulnerabilities
- postMessage Specialist - Cross-origin messaging issues
- … and 9 more
All run in parallel. 100ms per request. Each one looking for its specialty.
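The fan-out itself is simple. A minimal sketch, with trivial string checks standing in for the real TRM inference calls (the specialist names and request shape are illustrative):

```python
# Sketch: fanning one captured request out to every specialist at once.
# Each "specialist" here is a stub predicate; real ones would be TRM calls.
from concurrent.futures import ThreadPoolExecutor

SPECIALISTS = {
    "sqli": lambda req: "' OR 1=1" in req.get("body", ""),
    "xss": lambda req: "<script>" in req.get("body", ""),
    "idor": lambda req: "/users/" in req.get("path", ""),
}

def analyze(request: dict) -> dict:
    # Submit the request to all specialists in parallel, collect verdicts.
    with ThreadPoolExecutor(max_workers=len(SPECIALISTS)) as pool:
        futures = {name: pool.submit(fn, request) for name, fn in SPECIALISTS.items()}
        return {name: f.result() for name, f in futures.items()}

hits = analyze({"path": "/api/users/123/avatar", "body": ""})
# hits -> {"sqli": False, "xss": False, "idor": True}
```

Because each specialist is independent, a slow or noisy one never blocks the others—and swapping in a retrained model is a one-line change.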
Tier 2: Chain Detectors (10 models)
These look for COMBINATIONS:
- IDOR → Privilege Escalation chain
- Info Disclosure → Account Takeover chain
- XSS → CSRF → Account Takeover chain
- SSRF → Internal Access → RCE chain
- Open Redirect → OAuth Token Theft chain
This is where rejections become critical findings.
Tier 3: Sequence Analyzers (5 models)
These look for complex 3+ step attacks:
- Reconnaissance → Exploit development
- Lateral movement patterns
- Data exfiltration sequences
The IDOR Chain Predictor: Turning Rejections into Criticals
This is my competitive edge. The IDOR Chain Predictor doesn’t just find IDORs; it predicts what to test NEXT when you find a low-impact one.
Example training data:
```json
{
  "initial_finding": {
    "endpoint": "/api/users/123/avatar",
    "impact_alone": "LOW",
    "would_reject": true,
    "data_leaked": ["username", "avatar_url"]
  },
  "chain_signals": {
    "restful_api": true,
    "predictable_ids": true,
    "related_endpoints_likely": [
      "/api/users/123/permissions",  // High value!
      "/api/users/123/api-keys",     // Critical!
      "/api/users/123/sessions"      // Account takeover!
    ]
  },
  "recommended_next_steps": [
    "Enumerate admin user IDs (1, 2, 5)",
    "Test write methods (PUT/PATCH)",
    "Check permission modification endpoints"
  ]
}
```
The model learns: “This IDOR alone = rejected. But these signals = high chain potential. Test these 5 endpoints. Expected outcome: Critical privilege escalation.”
Translation for my ADHD brain: Instead of getting discouraged by rejections, the AI tells me exactly what to test next. No more analysis paralysis. No more missing the obvious chain.
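A hand-rolled heuristic version of what the model is being trained to learn might look like this. The weights and high-value suffixes are my own illustrative guesses; the field names follow the training-data example above:

```python
# Hypothetical heuristic mirroring the IDOR Chain Predictor's job: score the
# chain signals from a low-impact finding and suggest sibling endpoints.
# Weights and suffix list are illustrative assumptions, not learned values.

HIGH_VALUE_SUFFIXES = ["permissions", "api-keys", "sessions"]

def chain_potential(finding: dict) -> tuple[float, list[str]]:
    signals = finding["chain_signals"]
    score = 0.0
    if signals.get("restful_api"):
        score += 0.5  # RESTful APIs usually expose sibling resources
    if signals.get("predictable_ids"):
        score += 0.5  # sequential IDs make enumeration trivial
    # Swap the last path segment for each high-value sibling resource.
    base = finding["initial_finding"]["endpoint"].rsplit("/", 1)[0]
    targets = [f"{base}/{suffix}" for suffix in HIGH_VALUE_SUFFIXES]
    return score, targets

score, targets = chain_potential({
    "initial_finding": {"endpoint": "/api/users/123/avatar"},
    "chain_signals": {"restful_api": True, "predictable_ids": True},
})
# score -> 1.0; targets[0] -> "/api/users/123/permissions"
```

The point of training a TRM instead of shipping this heuristic is that the model can pick up signal combinations I would never think to hard-code.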
The Client-Side Monitoring Stack
Here’s where it gets interesting. Traditional bug bounty tools (Burp Suite, OWASP ZAP) miss client-side activity. So I built a Tampermonkey script that captures EVERYTHING:
- WebSocket connections - Every sent/received message
- postMessage events - Cross-origin communication
- DOM mutations - Suspicious innerHTML changes
- URL fragments - `#payload` values that never reach the server
- Complex payloads - Auto-detects ViewState, JWT, SAML, GraphQL
- Storage events - localStorage/sessionStorage changes
All streaming via WebSocket to my TRM analysis system in real-time.
The result? I browse a site normally, and my AI specialists analyze:
- Every request (Tier 1)
- Every pair of requests for chains (Tier 2)
- Every sequence for complex attacks (Tier 3)
When something hits high confidence: 🔥 ALERT!
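Of the payload decoders, the JWT check is the simplest to sketch. This is a stdlib-only sketch that inspects the header for the classic `alg: none` bypass; it does not verify signatures, and the demo token is deliberately unsigned:

```python
# Sketch of the simplest complex-payload check: decode a JWT header with
# the stdlib and flag "alg": "none". Header inspection only, no verification.
import base64
import json

def jwt_header(token: str) -> dict:
    header_b64 = token.split(".")[0]
    # JWT segments are base64url without padding; restore it before decoding.
    padded = header_b64 + "=" * (-len(header_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def flags_alg_none(token: str) -> bool:
    return jwt_header(token).get("alg", "").lower() == "none"

# A deliberately unsigned demo token: header {"alg":"none"}, empty claims.
demo = base64.urlsafe_b64encode(b'{"alg":"none"}').decode().rstrip("=") + ".e30."
# flags_alg_none(demo) -> True
```

Doing this decode by hand for every token on a target is exactly the tedium the specialists are meant to absorb.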
Where I’m At: The Foundation is Built
What’s working:
- ✅ Tier 1 architecture designed (20 specialists defined)
- ✅ Training data format established
- ✅ Tampermonkey script capturing everything
- ✅ WebSocket backend built and tested
- ✅ Complex payload decoders (ViewState, JWT, SAML, GraphQL)
- ✅ Real-world vulnerable examples documented
What I’m training:
- IDOR Chain Predictor (Priority #1)
- Business Logic Specialist
- Mass Assignment Specialist
- OAuth Flow Specialist
- API Key Exposure Specialist
Current status: Collecting and labeling training data from past bug bounty findings. Each rejected IDOR becomes training data with “what I should have tested next” annotations.
The Beautiful Irony of Constraints (Again)
Remember in my last article how Claude’s 200k token limit forced better testing discipline?
Here’s another constraint becoming a superpower: Small models force specialization.
I could try to train one massive model to find everything. But that would:
- Require 50GB+ VRAM
- Take forever to train
- Miss nuanced patterns in specific vulnerability types
Instead, 20 tiny specialists (100MB each):
- Train in minutes on my 8GB GPU
- Each becomes an expert in ONE thing
- Run in parallel faster than one big model
- Can be updated independently as I learn
The ADHD brain loves this: Instead of one overwhelming task (“train a bug bounty AI”), I have 20 manageable tasks (“train the SQLi specialist today”).
What’s Next: The Training Montage
Phase 1 (Current): Train Priority 1 specialists
- IDOR Chain Predictor
- Business Logic
- Mass Assignment
- OAuth Flow
- API Key Exposure
Phase 2: Deploy and hunt
- Run all 20 Tier 1 specialists
- Browse bug bounty targets normally
- Let TRMs alert me to high-value findings
- Collect real-world data
Phase 3: Train Tier 2 (Chain Detection)
- Learn from successful chains I find
- Automate the “what to test next” process
- Turn low-impact findings into critical chains
Phase 4: Full cascade
- Tier 1 finds individual vulns
- Tier 2 spots chains
- Tier 3 tracks complex sequences
- Background analysis mines patterns
- Full target reports when idle
The Meta-Layer: Assistive Technology for Bug Hunting
Just like The Shadow Cortex (TSC) helped my ADHD brain process complex security data, this TRM system is assistive technology for bug hunting.
The problem: My brain sees patterns but gets overwhelmed by systematic enumeration.
The solution: AI specialists handle the systematic part while I focus on creative exploitation.
It’s the same cognitive bridge concept from my last article:
- Before: ADHD brain → Forced into tedious enumeration → Analysis paralysis → Miss findings
- After: ADHD brain → Conversational hunting with AI → Systematic coverage → More criticals found
Why This Might Work (Or Might Fail Spectacularly)
Why it might work:
- Specialization beats generalization for specific tasks
- Small models train fast on my limited hardware
- Chain detection is pattern recognition (AI’s strength)
- Real-time analysis catches things manual testing misses
- Systematic enumeration is what ADHD brains struggle with
Why it might fail:
- Training data quality - Garbage in, garbage out
- False positives - If too noisy, I’ll ignore alerts
- Overfitting - Models might memorize instead of generalize
- Edge cases - Every target is different
- The 200k context limit - Can’t fit entire targets in context
But here’s the thing: Even if it only catches 30% of the chains I’m currently missing, that’s a competitive edge in bug bounties where most hunters find the same 90%.
The Bigger Picture: AI Assistive Technology for Neurodivergent Professionals
This isn’t just about bug bounties. It’s about building AI systems that work WITH neurodivergent minds:
- TSC - Helps me process security data without overwhelm
- Claude + Jira - Translates my thoughts into corporate formats
- TRM Bug Hunting - Handles systematic enumeration while I focus on creative exploitation
Each system bridges a gap between how my ADHD brain naturally works and what the task demands.
The future isn’t about making neurodivergent brains “normal.” It’s about building tools that amplify our strengths (pattern recognition, creative problem-solving) while supporting our challenges (systematic tasks, attention management).
What I’m Learning Along the Way
Technical lessons:
- Small models can be incredibly powerful when specialized
- Training data quality matters more than quantity
- Real-time streaming analysis is feasible on consumer hardware
- Chains are patterns that can be learned
Meta lessons:
- Constraints force creativity (again!)
- ADHD adaptability + AI = powerful combination
- Building assistive tech teaches you about your own cognition
- Sometimes the best tool is one you build yourself
Bug bounty lessons:
- The 10% others miss is where the money is
- Systematic enumeration beats random testing
- Chain detection turns rejections into criticals
- Client-side monitoring catches what proxies miss
The Uncomfortable Truth About AI in Security
Here’s what I’m finding controversial: Some security professionals hate the idea of AI in bug hunting. “It’s cheating!” “It devalues human expertise!”
But here’s my take: AI that helps neurodivergent professionals compete isn’t cheating—it’s accessibility.
If you have perfect attention and can systematically enumerate 200 endpoints without getting bored, great! You don’t need this.
But if your brain works like mine—brilliant at spotting patterns but terrible at sustained systematic tasks—then AI assistive technology is the bridge that lets you compete.
It’s not replacing human expertise. It’s amplifying it.
Where This Goes
I’ll be documenting this journey:
- Training progress and lessons learned
- Real-world hunting results (sanitized, of course)
- Model architectures and training techniques
- Failures, pivots, and breakthroughs
Because whether this works spectacularly or fails miserably, the process of building AI assistive technology for bug hunting will teach us something valuable about both AI and neurodivergent cognition.
And who knows? Maybe this cascade of specialized TRMs becomes the blueprint for other assistive technologies. Small, focused, running in parallel, each handling one cognitive load while we focus on creative problem-solving.
The Invitation
If you’re:
- A neurodivergent bug hunter who struggles with systematic enumeration
- An AI researcher interested in specialized small models
- Building assistive technology for different cognitive styles
- Just curious about this whole experiment
I’d love to connect. This is uncharted territory, and I’m learning as I go.
Follow along at j0n-harr150n.com or find me on LinkedIn.
Because the best innovations often come from working around our limitations rather than trying to eliminate them.
And sometimes, the tools we build for ourselves end up helping others we never expected.
Building AI tools for neurodivergent minds? Let’s talk.