72% of hackers are confident that AI cannot replace human creativity in security research and vulnerability management, according to Bugcrowd.
Generative AI hacking
Generative AI was a major theme in the 2023 report, with 55% of respondents saying that it can already outperform hackers or will be able to do so within the next five years. However, hackers aren’t worried about being replaced, with 72% of respondents saying that generative AI will not be able to replicate the creativity of hackers.
When asked how generative AI is being used, the top functions that hackers mentioned were automating tasks (50%), analyzing data (48%), identifying vulnerabilities (36%), validating findings (35%), and conducting reconnaissance (33%). 64% believed that generative AI technologies have increased the value of ethical hacking and security research.
The uptick in AI usage among hackers aligns with guidance from the U.S. Department of Defense in 2022 and President Biden’s Cybersecurity executive order, EO 14028, where he noted “The value of harnessing AI in cybersecurity applications is becoming increasingly clear…The methods show great promise for swiftly analyzing and correlating patterns across billions of data points to track down a wide variety of cyber threats in the order of seconds.”
Challenging and confirming hacker stereotypes
Most hackers were Gen Z aged 18–24 (57%) or Millennials aged 25–34 (28%). Nevertheless, the stereotype of the teenage hacker proved to be more accurate than its counterpoint in Gen X phreakers, with 5% being under 18 and only 2% being over 45. Additionally, the trope of hackers being disproportionately male proved true, based on this research, with 96% of respondents identifying as male and just 4% as female; another 0.2% identified as non-binary or genderqueer.
82% of hackers do not hack full time, treating it either as a part-time job, side hustle, or something they are in the process of making a full-time occupation. Only 29% described hacking as their full-time profession.
The motivations for ethical hacking were varied, but the top incentives included personal development (28%), financial gain (24%), excitement (14%), and the challenge (12%). Another 6% of respondents said they hack for the greater good, and 87% said that reporting a vulnerability is more important than making money from it.
While more than half of the respondents have graduated from college (54%) and 14% completed grad school, only 24% learned to hack through academic or professional coursework. 71% of hackers were self-taught, with 84% learning to hack through online resources, while others learned through trial-and-error (40%) or friends and mentors (34%).
The state of hacking and vulnerability management
Views varied on how many companies understand their true risk of being breached, with 27% of respondents saying that less than 10% of companies really understand their risk. Another 33% of respondents said that 10–25% of companies understand their risk, but only 16% said that more than half of companies understand their true risk of being breached.
The respondents painted a mixed picture of the global threat landscape, with 84% saying there have been more vulnerabilities since the start of the COVID-19 pandemic and 88% saying point-in-time security testing is not enough to keep companies secure. Nevertheless, 78% of respondents said that most companies’ attack surfaces are getting harder to compromise, and 89% said that companies increasingly view ethical hackers in a favorable light.
63% of respondents reported finding a new vulnerability in the past 12 months that they had not encountered before. In addition, 54% said they did not disclose a vulnerability because a company lacked a clear pathway to report it without risking legal consequences.
Hacking is increasingly leveraged for career development, as 42% of respondents said that building long-term relationships with security decision-makers and brands was one of their top goals when hacking on Bugcrowd. In addition, 53% of the respondents said hacking has helped them get a job working remotely.
“With this report, more hackers are stepping out from the shadows of their stereotypes to tell real stories and redefine what hacking looks like as a career path,” said Dave Gerry, CEO of Bugcrowd.
“As global enterprise AI adoption reaches critical mass, Bugcrowd is proud to stand at the coal face of security research, and we are thrilled that more organizations are tapping the diverse skills and expertise of hackers—at just the right time—through our platform,” Gerry concluded.