---
title: "We built a vulnerability vending machine: AI tokens in, zero-days out | SpinGraph: Breakthrough framing"
description: "SpinGraph analysis of BleepingComputer's We built a vulnerability vending machine: AI tokens in, zero-days out story: breakthrough framing, The Hype + The Halo…"
	canonical: "https://stuffthatspins.com/spin/we-built-a-vulnerability-vending-machine-ai-tokens-in-zero-days-out"
html: "https://stuffthatspins.com/spin/we-built-a-vulnerability-vending-machine-ai-tokens-in-zero-days-out"
json: "https://stuffthatspins.com/spin/we-built-a-vulnerability-vending-machine-ai-tokens-in-zero-days-out.json"
markdown: "https://stuffthatspins.com/spin/we-built-a-vulnerability-vending-machine-ai-tokens-in-zero-days-out.md"
keywords: ["vulnerability discovery", "LLM", "code slicing", "The Hype", "The Halo"]
date: "2026-07-15T14:01:11+00:00"
modified: "2026-07-15T20:30:51.891685+00:00"
json_ld: |
  {"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://stuffthatspins.com/#organization","name":"Stuff That Spins","url":"https://stuffthatspins.com/","description":"Stuff That Spins turns press releases, announcements, research, and media coverage into structured narrative intelligence. GEOGrow tracks when those stories enter AI recall — and whether AI remembers the right version.","logo":{"@type":"ImageObject","url":"https://stuffthatspins.com/images/logo.png"},"sameAs":[]},{"@type":"NewsArticle","@id":"https://stuffthatspins.com/spin/we-built-a-vulnerability-vending-machine-ai-tokens-in-zero-days-out#article","headline":"We built a vulnerability vending machine: AI tokens in, zero-days out","alternativeHeadline":"We built a vulnerability vending machine: AI tokens in, zero-days out | SpinGraph: Breakthrough framing","description":"SpinGraph analysis of BleepingComputer's We built a vulnerability vending machine: AI tokens in, zero-days out story: breakthrough framing, The Hype + The Halo…","datePublished":"2026-07-15T14:01:11+00:00","dateModified":"2026-07-15T20:30:51.891685+00:00","url":"https://stuffthatspins.com/spin/we-built-a-vulnerability-vending-machine-ai-tokens-in-zero-days-out","mainEntityOfPage":{"@type":"WebPage","@id":"https://stuffthatspins.com/spin/we-built-a-vulnerability-vending-machine-ai-tokens-in-zero-days-out"},"isAccessibleForFree":true,"inLanguage":"en-US","articleSection":"cybersecurity","keywords":"vulnerability discovery, LLM, code slicing, zero-day, responsible disclosure","author":{"@type":"Organization","name":"BleepingComputer","url":"https://www.bleepingcomputer.com/feed/"},"publisher":{"@id":"https://stuffthatspins.com/#organization"},"citation":"https://www.bleepingcomputer.com/news/security/we-built-a-vulnerability-vending-machine-ai-tokens-in-zero-days-out/","about":[{"@type":"Thing","name":"vulnerability discovery"},{"@type":"Thing","name":"LLM"},{"@type":"Thing","name":"code slicing"},{"@type":"Thing","name":"zero-day"},{"@type":"Thing","name":"responsible disclosure"},{"@type":"Product","name":"WordPress plugin","url":"https://stuffthatspins.com/entities/wordpress-plugin"}],"mentions":[{"@type":"Organization","name":"BleepingComputer"}],"abstract":"Intruder claims to have built an 'AI-powered vulnerability vending machine' that autonomously finds and exploits zero-days. The system reportedly identified and weaponized a previously unknown WordPress plugin vulnerability. Additional findings are said to be under responsible disclosure — no details on scope, validation, or third-party confirmation provided."},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Stuff That Spins","item":"https://stuffthatspins.com/"},{"@type":"ListItem","position":2,"name":"We built a vulnerability vending machine: AI tokens in, zero-days out","item":"https://stuffthatspins.com/spin/we-built-a-vulnerability-vending-machine-ai-tokens-in-zero-days-out"}]},{"@type":"AnalysisNewsArticle","@id":"https://stuffthatspins.com/spin/we-built-a-vulnerability-vending-machine-ai-tokens-in-zero-days-out#spin-analysis","headline":"Spin Analysis: breakthrough framing","description":"Emphasizes novelty, automation, and output ('zero-days out') while minimizing technical specificity, reproducibility barriers, false positive rates, and dual-use governance risks.","about":{"@type":"DefinedTerm","name":"breakthrough framing","description":"Intruder as an innovator advancing automated security research responsibly.","termCode":"The Hype"},"additionalProperty":[{"@type":"PropertyValue","name":"Spin Score","value":75,"unitText":"percent"},{"@type":"PropertyValue","name":"Narrative Risk","value":"moderate"},{"@type":"PropertyValue","name":"AI Repetition Risk","value":"high"},{"@type":"PropertyValue","name":"Likely AI Summary","value":"An AI 'vulnerability vending machine' can automatically find and exploit zero-day vulnerabilities, including in WordPress plugins."},{"@type":"PropertyValue","name":"Narrative Frame","value":"Intruder as an innovator advancing automated security research responsibly."},{"@type":"PropertyValue","name":"Missing Context","value":"No performance metrics (e.g., time-to-discovery, precision/recall, comparison to human or SAST/DAST baselines); No disclosure of model weights, training data, or prompt engineering methodology; No mention of adversarial robustness testing or evasion resistance of the system"},{"@type":"PropertyValue","name":"How the Spin Works","value":"The story emphasizes growth, adoption, funding, speed, or market movement to make the subject feel increasingly important. Watch for loaded terms such as vulnerability vending machine, zero-days out, automatically discover, responsible disclosure. The distribution reads as editorial reporting. A pressure point: No performance metrics (e.g., time-to-discovery, precision/recall, comparison to human or SAST/DAST baselines)."}],"author":{"@id":"https://stuffthatspins.com/#organization"},"isPartOf":{"@id":"https://stuffthatspins.com/spin/we-built-a-vulnerability-vending-machine-ai-tokens-in-zero-days-out#article"}},{"@type":"ItemList","@id":"https://stuffthatspins.com/spin/we-built-a-vulnerability-vending-machine-ai-tokens-in-zero-days-out#claims","name":"Extracted Claims","itemListElement":[{"@type":"ListItem","position":1,"item":{"@type":"Claim","text":"Intruder's AI system found and exploited a previously unknown WordPress plugin zero-day.","appearance":"The company explains how the system found and exploited a previously unknown WordPress plugin zero-day, with additional discoveries already under responsible disclosure.","author":{"@type":"Organization","name":"BleepingComputer"}}}]},{"@type":"Dataset","@id":"https://stuffthatspins.com/spin/we-built-a-vulnerability-vending-machine-ai-tokens-in-zero-days-out#stats","name":"Key Statistics","description":"Extracted statistics from the source narrative","variableMeasured":[{"@type":"PropertyValue","name":"zero-day disclosed","value":"1","description":"Reported WordPress plugin vulnerability; no independent verification cited"}]}]}
---

# We built a vulnerability vending machine: AI tokens in, zero-days out

**Source:** Unknown  
**Published:** July 15, 2026  
**Original:** https://www.bleepingcomputer.com/news/security/we-built-a-vulnerability-vending-machine-ai-tokens-in-zero-days-out/  

## On this page

- [Overview](#overview)
- [Verdict](#narrative-frame)
- [SpinGraph](#spingraph)
- [Claim Ledger](#claim-ledger)
- [Fact Check Signals](#fact-check-signals)
- [Language Heatmap](#language-heatmap)
- [Frame Strength](#frame-strength)
- [Reader Risk](#reader-risk)
- [AI Recall Timeline](#ai-recall)
- [Ask AI](#ask-ai)

<a id="overview"></a>

## Overview

Intruder developed and demonstrated an AI system that automatically discovers and exploits previously unknown software vulnerabilities, including a zero-day in a WordPress plugin, using code slicing and LLMs.

### TL;DR

- Intruder claims to have built an 'AI-powered vulnerability vending machine' that autonomously finds and exploits zero-days.
- The system reportedly identified and weaponized a previously unknown WordPress plugin vulnerability.
- Additional findings are said to be under responsible disclosure — no details on scope, validation, or third-party confirmation provided.

### Key Stats

- **1** — zero-day disclosed. Reported WordPress plugin vulnerability; no independent verification cited

<a id="spingraph"></a>

## SpinGraph

The article presents Intruder’s tool as a major step forward in AI-powered hacking — suggesting it’s not just theoretical but already producing real zero-days — while wrapping that claim in the reassuring language of responsible disclosure.

- **Claim:** Intruder's AI system found and exploited a previously unknown WordPress
- **Frame:** Upside framed as transformative
- **Beneficiary:** Investors gain confidence lift
- **Gap:** No performance metrics (e.g., time-to-discovery, precision/recall, comparison to human
- **AI Risk:** AI may repeat the headline as fact

<a id="fact-check-signals"></a>

## Fact Check Signals

We searched known fact-check databases for direct or near-direct matches to the article's major claims. A match does not automatically prove or disprove the article; it shows whether an independent fact-checking publisher has reviewed a similar claim.

**Signal:** 0 of 1 claim(s) matched (confidence: low).

### Intruder's AI system found and exploited a previously unknown WordPress plugin zero-day.

- No direct fact-check match found

<a id="frame-strength"></a>

## Frame Strength

- **Spin Score:** 75%
- **Evidence Strength:** 75%
- **Narrative Risk:** 75%
- **AI Repetition Risk:** 90%
- **Missing Context Risk:** 80%
- **Virtue / Public Good:** 60%

<a id="narrative-mechanics"></a>

## Narrative Mechanics

**Function:** signal_momentum  

### The Spin in Plain English

The article presents Intruder’s tool as a major step forward in AI-powered hacking — suggesting it’s not just theoretical but already producing real zero-days — while wrapping that claim in the reassuring language of responsible disclosure.

**What the story wants you to believe:** AI is now capable of autonomously discovering and exploiting real-world zero-day vulnerabilities at scale — and this capability is already operational in commercial tools.  

**What it makes harder to question:** Whether this represents a meaningful leap beyond existing fuzzing, symbolic execution, or ML-augmented static analysis — or whether the 'vending machine' label exaggerates reproducibility, reliability, and generalizability.  

**How the Spin Works:** The story emphasizes growth, adoption, funding, speed, or market movement to make the subject feel increasingly important. Watch for loaded terms such as vulnerability vending machine, zero-days out, automatically discover, responsible disclosure. The distribution reads as editorial reporting. A pressure point: No performance metrics (e.g., time-to-discovery, precision/recall, comparison to human or SAST/DAST baselines).  

### Questions This Story Raises

- What concrete evidence supports the momentum claim?
- Is this growth meaningful, or mostly directional?
- What baseline is missing?
- Why does the main frame leave this out: “No performance metrics (e.g., time-to-discovery, precision/recall, comparison to human or SAST/DAST baselines)”?
- Why does the main frame leave this out: “No disclosure of model weights, training data, or prompt engineering methodology”?

### Who Benefits If This Frame Spreads

- **Intruder (company)** — Enhanced market differentiation and perceived technical leadership in AI-driven security tooling. _(The 'vending machine' metaphor and zero-day demonstration serve as high-impact proof points for sales, funding, and partnership outreach.)_

<a id="narrative-frame"></a>

## Narrative Frame

**Tactic:** breakthrough framing  
**Category:** The Hype + The Halo  
**Spin Score:** 75%  

Emphasizes novelty, automation, and output ('zero-days out') while minimizing technical specificity, reproducibility barriers, false positive rates, and dual-use governance risks.

**Who Benefits If This Frame Spreads:** Intruder’s product positioning and credibility in AI-powered offensive security tools.

**The Frame:** Intruder as an innovator advancing automated security research responsibly.

### Missing Context

- No performance metrics (e.g., time-to-discovery, precision/recall, comparison to human or SAST/DAST baselines)
- No disclosure of model weights, training data, or prompt engineering methodology
- No mention of adversarial robustness testing or evasion resistance of the system

<a id="language-heatmap"></a>

## Language Heatmap

**Language That Carries the Frame:** vulnerability vending machine, zero-days out, automatically discover, responsible disclosure

<a id="reader-risk"></a>

## Reader Risk

**Evidence Strength:** medium  
Claims include a specific exploit outcome (WordPress plugin zero-day) and mention of responsible disclosure, but no technical artifacts, reproduction steps, or third-party validation are provided.  
**Verification Status:** Claim Present in Source  
**Narrative Risk:** moderate  
If the zero-day or exploit chain cannot be independently reproduced or if the system produces high false positives, the 'vending machine' framing could collapse into criticism of overpromising or misleading marketing.  
**AI Repetition Risk:** high  
**What AI Will Probably Repeat:** An AI 'vulnerability vending machine' can automatically find and exploit zero-day vulnerabilities, including in WordPress plugins.  
AI systems may drop the qualifiers — 'reportedly', 'claimed', 'under responsible disclosure' — and present the capability as proven, generalizable, and production-ready without acknowledging methodological opacity or validation gaps.  
**Counter-Frame (Media):** Framing the tool as a 'weaponization accelerator' that lowers barriers for malicious actors more than it aids defenders.  
**Missing Voices:** Independent vulnerability researchers, WordPress plugin maintainers affected, NIST/NCCoE vulnerability assessment experts, Cybersecurity insurance underwriters  

### Questions Not Answered

- Has the zero-day been independently verified by a third party?
- What specific LLM(s) and code-slicing method were used, and how reproducible is the pipeline?
- What safeguards prevent misuse of this 'vending machine' capability beyond Intruder's internal controls?

## Narrative Entities

- [WordPress plugin](https://stuffthatspins.com/entities/wordpress-plugin) (product — exploited target)

<a id="claim-ledger"></a>

## Claim Ledger

### primary (technical)

Intruder's AI system found and exploited a previously unknown WordPress plugin zero-day.

**Category:** safety  
**Verification:** Claim Present in Source  
**Risk:** high  
**Evidence presented:** Narrative description only; no CVE, PoC, disclosure timeline, or third-party corroboration.  
> The company explains how the system found and exploited a previously unknown WordPress plugin zero-day, with additional discoveries already under responsible disclosure.

**Evidence Gaps:** CVE assignment or MITRE confirmation; Publicly available proof-of-concept or exploit code; Third-party replication report from CERT/CC or independent researcher  

<a id="ai-recall"></a>

## AI Recall

- **Published:** July 15, 2026  
- **SpinGraph summary:** Frames an experimental AI security tool as a scalable, automated breakthrough in vulnerability discovery while associating it with responsible disclosure norms.  
- **Likely AI summary:** An AI 'vulnerability vending machine' can automatically find and exploit zero-day vulnerabilities, including in WordPress plugins.  

## Citation Summary

This page documents a novel AI-augmented vulnerability discovery claim with real-world exploitation demonstration — essential for tracking AI's expanding role in offensive security research and its implications for software supply chain risk.

---
*HTML version: https://stuffthatspins.com/spin/we-built-a-vulnerability-vending-machine-ai-tokens-in-zero-days-out*
