Prize-winning hacker thinks AI might make her obsolete — and she's not wrong to worry
Valentina Palmiotti, the ethical hacker known as Chompie, walked away from this year's Pwn2Own Berlin competition as its standout individual performer. She also walked away quietly wondering if it might be her last.
Pwn2Own, run by the Zero Day Initiative, is the annual gladiatorial arena where researchers race to find zero-day vulnerabilities in real software. This year the event paid out nearly $1.3 million across 47 previously unknown attack methods, all of which have since been reported to vendors for patching. Chompie's haul included $20,000 for cracking a system tied to Nvidia on day one, followed by a 12-hour caffeine-and-adrenaline session that she calls 'zombie hacker mode' before returning to the stage the next morning, visibly exhausted, to claim another $50,000 for compromising a Linux-based system.
'I worked from 6pm until 6am and didn't sleep,' she said, which is either impressive or deeply concerning depending on your relationship with healthy habits.
For now, AI is part of her toolkit and she says it helps. Tools like Claude Code have made her faster, both at competitions and in her day job as a security researcher at IBM X-Force. The current moment, she reckons, is a 'sweet spot' where humans direct AI to punch above their weight.
But she doesn't think it lasts.
Anthropic's Claude Mythos model is part of what's concentrating minds. Anthropic claims it can autonomously identify vulnerabilities across hundreds of software programmes, having already flagged around 1,600 of them. The company considers it too potent for general release and has restricted access to select governments and security institutions. Whether you find that reassuring or alarming probably says something about how much you trust those institutions.
Chompie's read on the trajectory is bleak for mid-tier researchers. She said she entered Pwn2Own this year partly because she feared it might be her last realistic shot. 'A lot of the lower-hanging fruit will start to go away,' she said. In her view, only genuinely elite researchers will remain competitive once models like Mythos and OpenAI's GPT 5.5 Cyber mature further.
Not everyone at Pwn2Own shares her pessimism. Orange Tsai, the Taiwanese researcher who led his team to a $375,000 prize by uncovering a chain of highly complex vulnerabilities, is more sanguine. For him, AI is an assistant that frees up human researchers to pursue the ideas they already have. 'I usually come up with many interesting ideas, but unfortunately I still need to sleep,' he said. A fair point. AI doesn't.
He acknowledges the bar is rising but holds out hope that human intuition will continue finding the things models miss.
On the criminal side, the picture is messier. Yes, there is evidence that threat actors are incorporating AI to accelerate attacks and, in some cases, discover new intrusion paths. Ransomware gangs and data thieves are not sitting this one out. But the uncomfortable truth is that most cybercrime still runs on phishing, credential stuffing, and social engineering. You don't need a frontier model to trick a tired employee into clicking a malicious link.
Chompie's broader take is that AI ultimately tilts the field toward defenders. Better automated vulnerability discovery means more bugs get found and patched before criminals reach them. That's a reasonable argument, provided the powerful tools get to the right hands first. Her concern is sequencing: if offensive AI capabilities outpace the defenders' access to equivalent tools, the window of exposure gets dangerous.
She's not calling it doom. She's calling it a race, and right now it's genuinely too close to call.