Nicholas Carlini (67.2k citations on Google Scholar) says Claude is a better security researcher than him, made $3.7 million from exploiting smart contracts, and found vulnerabilities in Linux and Ghost
Top researcher says Claude found a critical Linux flaw he missed and cites $3.7M earned from exploits.
In a viral interview, renowned AI security researcher Nicholas Carlini made a startling admission: Anthropic's Claude AI model has surpassed his own capabilities in finding critical software vulnerabilities. Carlini, whose work has over 67,000 academic citations, detailed how Claude identified a severe buffer overflow flaw in the Linux kernel that had gone undetected since 2003. This vulnerability allows attackers to steal the system's root (admin) key, representing a fundamental security failure in one of the world's most scrutinized codebases.
Carlini emphasized the significance of this discovery, noting that finding such classic buffer overflows is exceptionally difficult—so much so that he had never successfully found one himself in his career. Beyond the Linux exploit, he revealed that Claude has been instrumental in his own security research, helping to identify vulnerabilities in smart contracts that have yielded approximately $3.7 million in bug bounties. He also mentioned Claude finding flaws in the Ghost publishing platform.
The researcher's testimony points to a paradigm shift where large language models (LLMs) are no longer just assistants but primary research tools capable of outperforming human experts in specialized technical domains. Carlini expressed confidence that this is just the beginning, predicting LLMs will continue improving at finding security flaws as models like the rumored 'Mythos' from Anthropic evolve. This development suggests automated security auditing may soon become standard practice, fundamentally changing how software is tested and secured.
- Leading security researcher Nicholas Carlini (67k+ citations) says Anthropic's Claude is now better at finding vulnerabilities than he is.
- Claude discovered a critical Linux kernel buffer overflow from 2003 that allows root key theft—a flaw Carlini himself never found.
- Carlini has earned approximately $3.7 million using Claude to find and exploit smart contract vulnerabilities, demonstrating AI's practical financial impact in security.
Why It Matters
AI is now outperforming top human experts in critical security research, potentially automating vulnerability discovery and reshaping cybersecurity.