Building Hackbots
Recon Village @ DEF CON 34 • August 6-9, 2026
Abstract
Building AI-Powered Penetration Testing Bots
In this talk, we'll walk through the core design philosophy behind AI hackbots and the architecture that makes them work: single-purpose vs. multi-stage bots, context engineering for targeted prompting, and tool integration with output parsing workflows.
Then we'll get hands-on. We'll live-build a functional hackbot for a common offensive task — demonstrating asset discovery, endpoint analysis, or mutation-focused testing (e.g., XSS/SSRF) — and show how context engineering and hallucination mitigation work in practice against real targets. You'll see where AI genuinely accelerates reconnaissance and web analysis, and where it falls flat if you aren't careful. We'll close with lessons on cost optimization, auditability, and integrating hackbots into actual engagements.
Who should attend: Pentesters and bug bounty hunters with offensive security experience who want to meaningfully integrate AI into their workflow — not as a novelty, but as reliable tooling.
What you'll walk away with: A clear mental model for when and how to build hackbots, a live demo you can replicate, and a path into the full course where you'll build seven production-ready bots from asset discovery through mutation testing.
Speaker
CEO
Jason Haddix AKA jhaddix is the CEO and “Hacker in Charge” at Arcanum Information Security. Arcanum is a world class assessment and training company. Jason has had a distinguished 20-year career in cybersecurity previously serving as CISO of FLARE, CISO of Buddobot, CISO of Ubisoft, Head of Trust/Security/Operations at Bugcrowd, Director of Penetration Testing at HP, and Lead Penetration Tester at Redspin. He has also held positions doing mobile penetration testing, network/infrastructure security assessments, and static analysis. Jason is a hacker, bug hunter and currently ranked 57th all-time on Bugcrowd’s bug bounty leaderboards. Currently, he specializes in recon, web application analysis, and emerging technologies. Jason has also authored many talks on offensive security methodology, including speaking at cons such as DEFCON, Bsides, BlackHat, RSA, OWASP, Nullcon, SANS, IANS, BruCon, Toorcon and many more.
View full speaker profile →