2025-12-13 –, Track 2
LLMs have enabled a whole new generation of security tooling. One of the most obvious applications is the automated discovery of code vulnerabilities, which so far has had extremely mixed results. In this talk, we explore whether LLMs can truly excel at uncovering code vulnerabilities.
We present a new approach to the problem, walk through the successes and failures along the way, and show how it found 30 CVEs in popular OSS repos, including authentication bypasses, IDORs and CVE bypasses.
We cover how to build code parsers that give LLMs enough context about a codebase, and new methods for using LLMs to model business logic vulnerabilities that cannot be expressed as static rules.
Finally, as a bonus, we cover how to put LLM hallucinations to creative use in threat modelling, generating non-obvious attack paths that rule-based systems might miss.
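The abstract mentions parsers that hand an LLM enough of a codebase to reason about a single entry point. The following is an added illustration of one way to do that, written for this page; it is not Gecko Security's tooling and the talk does not describe its implementation. It parses a constructed sample application (a hypothetical invoice API, not a real project) with Python's `ast` module, builds a name-based call graph, and extracts the transitive slice of functions reachable from a given handler so that the handler, its helpers and any ownership check can be pasted into a prompt together. The `unguarded_entries` helper shows the limit of a static rule: it can only tell you that a handler never reaches a known guard, not whether the guard it does reach is sufficient, which is the question left to the model.

```python
"""Call-graph slicing to assemble LLM context for a single entry point.

Added example for this page; the sample application below is constructed and
the function names (load_invoice, assert_owner, ...) are hypothetical.
"""
import ast
from collections import deque

# Constructed sample: one handler checks ownership, one does not (a classic IDOR).
SAMPLE_SOURCE = '''
def current_user(request):
    return request.headers.get("X-User")

def load_invoice(invoice_id):
    return DB.get("invoice", invoice_id)

def assert_owner(user, invoice):
    if invoice["owner"] != user:
        raise PermissionError("not your invoice")

def get_invoice(request, invoice_id):
    user = current_user(request)
    invoice = load_invoice(invoice_id)
    assert_owner(user, invoice)
    return invoice

def download_invoice(request, invoice_id):
    current_user(request)
    return load_invoice(invoice_id)
'''


class CallGraphBuilder(ast.NodeVisitor):
    """Collects top-level function definitions and the plain-name calls each makes."""

    def __init__(self, source):
        self.source = source
        self.tree = ast.parse(source)
        self.defs = {}    # function name -> ast.FunctionDef node
        self.calls = {}   # function name -> set of callee names
        self._current = None
        self.visit(self.tree)

    def visit_FunctionDef(self, node):
        self.defs[node.name] = node
        self.calls.setdefault(node.name, set())
        prev, self._current = self._current, node.name
        self.generic_visit(node)
        self._current = prev

    def visit_Call(self, node):
        # Only resolve bare names (foo(...)); attribute calls such as DB.get(...)
        # are external to this module and are left for the LLM to see verbatim.
        if self._current is not None and isinstance(node.func, ast.Name):
            self.calls[self._current].add(node.func.id)
        self.generic_visit(node)

    def slice_for(self, entry):
        """Entry point plus every local function reachable from it, in BFS order."""
        order, seen, queue = [], {entry}, deque([entry])
        while queue:
            name = queue.popleft()
            if name not in self.defs:
                continue  # builtin or imported callee: nothing local to include
            order.append(name)
            for callee in sorted(self.calls.get(name, ())):
                if callee not in seen:
                    seen.add(callee)
                    queue.append(callee)
        return order

    def context_pack(self, entry):
        """Source text of the slice, ready to be embedded in a review prompt."""
        return "\n\n".join(
            ast.get_source_segment(self.source, self.defs[name])
            for name in self.slice_for(entry)
        )


def unguarded_entries(builder, entries, guard):
    """Static pre-filter: handlers whose slice never reaches the named guard."""
    return [e for e in entries if guard not in builder.slice_for(e)]


def review_prompt(builder, entry):
    """Prompt text asking the model the business-logic question a rule cannot answer."""
    return (
        f"Handler under review: {entry}\n"
        "Does this handler verify that the caller is allowed to access the resource "
        "it loads by ID? Answer with the exact line that enforces it, or NONE.\n\n"
        + builder.context_pack(entry)
    )


if __name__ == "__main__":
    b = CallGraphBuilder(SAMPLE_SOURCE)
    handlers = ["get_invoice", "download_invoice"]
    print("no ownership guard reached:", unguarded_entries(b, handlers, "assert_owner"))
    print(review_prompt(b, "download_invoice"))
```

Resolution here is by bare name only, which is adequate for a single module; a real codebase needs import resolution and attribute-call handling, and the slice should be truncated by depth or token budget before it reaches the model.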
Jeevan Jutla, Co-Founder and CEO at Gecko Security, joined the NCSC as a teenager, working in security research. He later led offensive security tooling for Binance's Red Team in China.
