apidays New York 2025 - AI in Application Security by Katie Warren (Portswigger)

Transcript

1. The Journey to Burp AI AI in Application Security

2. Why AI, Why Now? • Apps are more complex →

   testing is harder • Attackers are using AI → defenders must too 🛡 AI is already transforming AppSec • Enhancing triage, fuzzing, log analysis, enrichment • Improving signal-to-noise ratio • Boosting tester focus and speed ⚠ But attackers are using AI too • AI-crafted phishing & malware mutation • AI fuzzing to find and exploit vulnerabilities • Jailbreaks + prompt injection against AI tools • Hackerbots scale faster than defenders

3. Why AI? Why now?

4. 54% of testers struggle with modern application complexity Application s

   are more complex than ever. Why AI? Why now?

5. Why AI? Why now? But attackers are using AI too

   Automate Exploit Generatio n

6. Why AI? Why now? But attackers are using AI too

   Prompt Injection & AI-specifi c attacks

7. Why AI? Why now? AI is already transforming AppSec -

   Google’s Big Sleep - L -driven u zers

8. Why AI? Why now? AI vs AI

9. Why AI? Why now? It is a massive efficienc y

   driver

10. Why AI? Why now? Free up space for creativit y

11. Why AI? Why now? Secure the web

12. Why AI? Why now?

13. The Journey Begins Dec 2023: AI-focused R&D begins November 2024:

    Trial December-February: Iterate and productionize March 2025: LAUNCH April-September 2024: Build AI tooling in Burp Suite

14. Bringing Developers into an AI Mindset

15. Solve AI for every user and every workflow?

16. *AI Generated What we put down: Autocomplet e

17. Case Study - Semantic Crawling Problem: Code doesn’t crawl sites

    like a user would

18. Case Study - Semantic Crawling Big wins We taught AI

    to crawl like a human a. b. We unlocked even more new ideas

19. alone enough isn’t Shift-lef t

20. The Journey Begins Dec 2023: AI-focused R&D begins April-September 2024:

    Build AI tooling in Burp November 2024: Trial December-February: Iterate and productionize March 2025: LAUNCH

21. Unblock users to focus on the value

22. Data privacy User control

23. The Journey Begins Dec 2023: AI-focused R&D begins November 2024:

    Trial December-February: Iterate and productionize March 2025: LAUNCH April-September 2024: Build AI tooling in Burp

24. Real-World Validation: Nov 2024 Feedback “To be honest, I am

    a little bit disappointed. I was expecting something different.” “To be honest with you, like I told you in the beginning, I’m not AI at all” “after five minutes it was all done, I was so impressed. Like, that's really good.”

25. The Journey Begins Dec 2023: AI-focused R&D begins December-February: Iterate

    and productionize March 2025: LAUNCH April-September 2024: Build AI tooling in Burp November 2024: Trial

26. Trust , privacy and ease of use

27. The Journey Begins Dec 2023: AI-focused R&D begins March 2025:

    LAUNCH April-September 2024: Build AI tooling in Burp November 2024: Trial December-February: Iterate and productionize

28. Launching Burp AI: Feb 2025 & Beyond Hackvertor Shadow repeater

    Gareth Heyes

29. Explore Issue Explainer AI-enhanced login recording False Positive Reduction: Broken

    Access Control

30. AI features optional and toggleable

31. What I’ve Learned Innovation in engineering is never easy AI

    is awkward. Validate early and often Find actual value Me

32. Data The Biggest Challenge?

33. Join us on: Discord - https://discord.com/invite/portswigg er Katie_swigpm LinkedIn 1.

    AI is changing the security landscape 2. Real innovation means be disruptive, but solace real problems 3. Trust, not hype Key Takeaways Thank You