How an Engineer Used AI to Find Security Flaws

TL;DR: A software engineer used GitHub Copilot, Claude, and Gemini to find security vulnerabilities in the ClickHouse codebase. This practical case study shows how AI can help developers without deep security expertise improve software security.
Key facts
- Category: AI
- Impact: High
- Published
- Source: ClickHouse Blog
Full summary
An engineer used GitHub Copilot, Claude, and Gemini to hunt for security vulnerabilities in the complex ClickHouse database codebase.
A software engineer from ClickHouse shared a detailed account of using AI to hunt for security vulnerabilities. An experienced developer rather than a professional bug bounty hunter, they used a combination of popular AI models to analyze the company's own complex codebase. The toolkit included GitHub Copilot for in-editor assistance, alongside larger models, Anthropic's Claude Opus and Google's Gemini, for deeper analysis. The workflow involved feeding code snippets and high-level questions to the models to generate hypotheses about potential weaknesses, which the engineer then investigated by hand. This let them work systematically through different parts of the ClickHouse system, turning a broad security audit into a series of manageable checks. The AI acted as a research partner, helping to quickly understand unfamiliar code and suggesting areas that might contain hidden flaws. The method surfaced candidate issues that a standard code review could have missed.
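The blog post does not publish the engineer's scripts or prompts, so the following is an added illustration, not ClickHouse's tooling or the engineer's code. It shows the shape of the hypothesis-generation loop described above: slice a source file into function-sized review units, send each unit with a fixed rubric to a model, then keep only hypotheses that are well-formed, cite a line that actually exists in the snippet, and name a concrete trigger input that a human can go and test. The model is an injected callable; `canned_model` is a constructed stand-in (it returns fixed answers plus one deliberately hallucinated location) so the pipeline runs offline, and `SAMPLE_CPP` is a toy file written for this example, not ClickHouse source.

```python
"""Added example: minimal AI-assisted review harness (not the project's code)."""
import json
import re
from typing import Callable

# Constructed sample input: a toy C++ file, NOT ClickHouse source.
SAMPLE_CPP = """\
#include <cstring>
#include <cstdint>

void copyName(char *dst, const char *src) {
    strcpy(dst, src);
}

uint32_t readLength(const uint8_t *buf) {
    return *(const uint32_t *)buf;
}

int safeAdd(int a, int b) {
    return a + b;
}
"""

# Fixed rubric (hypothetical wording): ask for structured, line-anchored
# hypotheses with a concrete trigger so every claim is testable.
RUBRIC = (
    "You are reviewing C++ for memory-safety and input-validation bugs. "
    "For each suspected weakness return a JSON list of objects with keys "
    "'line' (1-based line within the snippet), 'category', 'hypothesis', "
    "'trigger' (concrete input that would expose it), 'confidence' (0-1). "
    "Return [] if nothing is suspicious. Do not speculate beyond the snippet."
)

REQUIRED = {"line", "category", "hypothesis", "trigger", "confidence"}
ReviewModel = Callable[[str], str]   # prompt text -> raw model reply


def split_functions(source: str) -> list[dict]:
    """Split a C++ file into top-level function bodies by brace matching.

    Deliberately simple (no preprocessor or string-literal awareness): it is
    a slicer for review units, not a parser. Each unit records its starting
    file line so findings can be mapped back to the file.
    """
    lines = source.splitlines()
    units, depth, start = [], 0, None
    for i, line in enumerate(lines, 1):
        stripped = line.strip()
        if depth == 0 and start is None and "(" in stripped \
                and not stripped.startswith(("#", "//")):
            start = i                       # candidate signature line
        depth += line.count("{") - line.count("}")
        if start is not None and depth == 0:
            if stripped.endswith(";"):      # prototype, not a definition
                start = None
            elif "}" in line:
                units.append({"start_line": start,
                              "code": "\n".join(lines[start - 1:i])})
                start = None
    return units


def build_prompt(unit: dict) -> str:
    """Number the snippet lines so the model can anchor each hypothesis."""
    numbered = "\n".join(f"{n}: {l}"
                         for n, l in enumerate(unit["code"].splitlines(), 1))
    return f"{RUBRIC}\n\nSnippet (starts at file line {unit['start_line']}):\n{numbered}"


def validate_findings(raw: str, unit: dict) -> list[dict]:
    """Keep only hypotheses that are well-formed and grounded in the snippet."""
    try:
        items = json.loads(raw)
    except json.JSONDecodeError:
        return []
    if not isinstance(items, list):
        return []
    n_lines = len(unit["code"].splitlines())
    kept = []
    for item in items:
        if not isinstance(item, dict) or not REQUIRED <= item.keys():
            continue
        line, conf = item["line"], item["confidence"]
        if not isinstance(line, int) or not 1 <= line <= n_lines:
            continue                        # hallucinated location
        if not isinstance(conf, (int, float)) or not 0 <= conf <= 1:
            continue
        if not str(item["trigger"]).strip():
            continue                        # untestable claim, no trigger
        kept.append({**item, "file_line": unit["start_line"] + line - 1})
    return kept


def review_file(source: str, model: ReviewModel) -> list[dict]:
    """Run every unit through the model; return grounded findings, best first."""
    findings = []
    for unit in split_functions(source):
        findings.extend(validate_findings(model(build_prompt(unit)), unit))
    findings.sort(key=lambda f: -f["confidence"])
    return findings


def canned_model(prompt: str) -> str:
    """Constructed stand-in for a real model (hypothetical replies).

    Flags strcpy and an unchecked 4-byte read, and always appends a bogus
    finding at line 99 to show the grounding filter discarding it.
    """
    out = []
    snippet = prompt.split("Snippet", 1)[1]
    for n, line in re.findall(r"^(\d+): (.*)$", snippet, re.M):
        if "strcpy(" in line:
            out.append({"line": int(n), "category": "CWE-120",
                        "hypothesis": "unbounded copy into dst",
                        "trigger": "src longer than dst buffer", "confidence": 0.9})
        if "(const uint32_t *)" in line:
            out.append({"line": int(n), "category": "CWE-125",
                        "hypothesis": "4-byte read without length check",
                        "trigger": "buffer shorter than 4 bytes", "confidence": 0.6})
    out.append({"line": 99, "category": "CWE-000", "hypothesis": "made-up",
                "trigger": "n/a", "confidence": 0.5})
    return json.dumps(out)


if __name__ == "__main__":
    for f in review_file(SAMPLE_CPP, canned_model):
        print(f"line {f['file_line']}: {f['category']} {f['hypothesis']} "
              f"(try: {f['trigger']}, conf {f['confidence']})")
```

Swapping `canned_model` for a real chat-completion client is the only change needed to run this against a real repository. The grounding filter is the part worth keeping: in practice models regularly cite lines outside the snippet or describe a bug without saying how to trigger it, and discarding those early keeps the human validation queue, which is where the real effort goes, short.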
This case study is significant because it provides a real-world example of how AI can empower developers to take a more active role in security. It demonstrates that general-purpose AI models can be used for security review by any skilled engineer, not only by security specialists. For development teams, CTOs, and founders, this highlights a practical way to augment their security practices without hiring a large team of dedicated security specialists. By integrating AI into their workflows, teams can speed up the process of finding and validating vulnerabilities, ultimately building more secure products. The experiment shows that AI can lower the barrier to entry for security auditing, allowing developers to proactively identify and fix flaws in the code they write and maintain. This shift makes security a more integrated part of the software development lifecycle, rather than a separate, final step.
The broader implication is that AI is becoming an indispensable tool for modern software engineering and cybersecurity. As codebases grow larger and more complex, manual security reviews become increasingly difficult and time-consuming. AI models like Claude and Gemini can process and reason about vast amounts of code, spotting subtle patterns and potential errors that a human might overlook. While these tools still require careful guidance and validation from an experienced engineer, they serve as powerful force multipliers. Companies should watch this trend closely and consider how to equip their own teams with similar capabilities. Encouraging developers to experiment with AI for code analysis can foster a stronger security culture and improve the overall resilience of their software. This approach represents a move towards democratizing security, making it a shared responsibility across the entire engineering organization.
Why it matters
This shows that general-purpose AI models can effectively assist developers, not just security specialists, in finding real-world software vulnerabilities, making security more accessible.
Business impact
Companies can leverage AI to augment their existing development teams for security tasks, potentially reducing reliance on specialized security hires and speeding up the vulnerability discovery and remediation process, which can lead to more secure products and lower risk.
Primary source: ClickHouse Blog