IMHO these type of projects are not tools per-se but methodologies. I think this is a better framing since that's exactly what they are - a bunch of markdown files that describe in general terms how to perform an assessment aligned to some principles.
Btw, these type of methodologies are used all the time. Practically every security consultancy has them so adding them to an LLM makes a lot of sense.
ph3t
All these security/vulnerability scanning harnesses look more or less the same. Not sure what’s the point of bragging or publishing about them anymore, there’s no moat
I'm on the fence here, for one as from recent Linux mailing discussions those tools can really find good bugs (51% of them?), but on other side - I'm afraid of false sense of security.
_joel
Why does this feel like an exec trying to justify token spend?
show comments
spikk
I think it's actually interesting how you can use the same model to both find and falsify the findings
show comments
bpmct
Curious if the team at CapitalOne can share in more detail how this tool is being used internally, including how it’s helped their security practices and culture. That would help address some of the legitimacy concerns.
xur17
> If you intend to use VulnHunter on Anthropic's first-party platforms (Claude API / Claude Code), we strongly recommend enrolling first via the verification portal.
Has anyone actually had success with this? I applied for my company several weeks ago, and never heard back.
show comments
liampulles
Wasn't Capital One founded on the premise of massive-scale market and product experimentation? Makes sense that they would design tools that match that approach.
jp0001
This is a sad. Makes me want to move my bank accounts.
show comments
sbarrofan1
Put a wrapper around nessus, stave off a "below strong" rating another six months
show comments
medina
VulnHunter: Capital One’s open-source, agentic AI code security tool.
IMHO these type of projects are not tools per-se but methodologies. I think this is a better framing since that's exactly what they are - a bunch of markdown files that describe in general terms how to perform an assessment aligned to some principles.
Btw, these type of methodologies are used all the time. Practically every security consultancy has them so adding them to an LLM makes a lot of sense.
All these security/vulnerability scanning harnesses look more or less the same. Not sure what’s the point of bragging or publishing about them anymore, there’s no moat
If there is a pentester here who uses mitmproxy, the security skills below (distilled from 4000 h1 disclosures) might help -https://github.com/instavm/security-skills
this is just a side project though for me
There are few more:
https://github.com/visa/visa-vulnerability-agentic-harness
https://github.com/cloudflare/security-audit-skill
I'm on the fence here, for one as from recent Linux mailing discussions those tools can really find good bugs (51% of them?), but on other side - I'm afraid of false sense of security.
Why does this feel like an exec trying to justify token spend?
I think it's actually interesting how you can use the same model to both find and falsify the findings
Curious if the team at CapitalOne can share in more detail how this tool is being used internally, including how it’s helped their security practices and culture. That would help address some of the legitimacy concerns.
> If you intend to use VulnHunter on Anthropic's first-party platforms (Claude API / Claude Code), we strongly recommend enrolling first via the verification portal.
Has anyone actually had success with this? I applied for my company several weeks ago, and never heard back.
Wasn't Capital One founded on the premise of massive-scale market and product experimentation? Makes sense that they would design tools that match that approach.
This is a sad. Makes me want to move my bank accounts.
Put a wrapper around nessus, stave off a "below strong" rating another six months
VulnHunter: Capital One’s open-source, agentic AI code security tool.
seems weird to not include shell scripts.
https://github.com/capitalone/VulnHunter/blob/main/vulnhunt/...