Agentic Zero-Day Bug Hunters: AI Systems That Find Software Flaws Before Anyone Else Does

AI coding agents — from Google's Big Sleep to open-source tools like T3MP3ST — can now autonomously discover and exploit previously unknown software vulnerabilities, collapsing the line between defensive research and offensive capability.

Created 2026-07-05 Last reviewed 2026-07-05

What it is

A “zero-day” is a software vulnerability unknown to the vendor responsible for fixing it — meaning defenders have had zero days to prepare before it can be exploited. Finding these flaws has traditionally been slow, specialized human work: security researchers manually audit code, fuzz software with automated testing tools, and report what they find, sometimes for a bug-bounty payout, sometimes to a vendor’s disclosure program.

What’s changed is that AI coding agents — the same class of tool used to write software — can now perform much of this work autonomously. Rather than a person directing a scanner, an AI agent reads source code, reasons about how it might fail, writes and runs test exploits, and iterates on its own, in a loop that can run continuously without human guidance. Google’s Project Zero and DeepMind teams built one of the first documented examples, an internal tool called Big Sleep (evolved from an earlier prototype named Naptime), which in October 2024 found an exploitable stack buffer underflow in SQLite — a vulnerability the developers hadn’t yet released, let alone discovered. Academic researchers reached a similar milestone independently: a 2024 paper by Zhu, Kellermann, Gupta, Fang, Bindu and Kang (“Teams of LLM Agents can Exploit Zero-Day Vulnerabilities”) showed that coordinated teams of LLM agents — using a planner-and-subagent architecture called HPTSA — could exploit real-world zero-days that single agents struggled with.

The editorial’s reference to “agentic zero-day bug hunters” points specifically to a newer, more accessible category: open-source frameworks that turn general-purpose coding assistants (Claude Code, OpenAI’s Codex, and others) into autonomous offensive-security operators without requiring separate infrastructure. T3MP3ST, built by a researcher known as elder-plinius and released in 2026 under an open license, is one such framework — a multi-agent “kill chain” (reconnaissance, scanning, exploitation, reporting) that coordinates whatever coding agent a user already has running on their machine.

Why it matters for AI governance and narratives

This is a case where the same capability reads as either a defensive breakthrough or an offensive proliferation risk, depending entirely on who is asking. Google frames its work as protective — finding flaws before attackers do, inside a controlled research program with disclosure norms. Open-source tools like T3MP3ST are framed by their builders as democratizing access to serious security research for authorized testing and bug bounty work. But the underlying technical capability is identical to what a malicious actor would want: fast, cheap, scalable vulnerability discovery, no longer bottlenecked by scarce human expertise. Google Threat Intelligence Group reported in May 2026 that it had identified a real-world attacker using an AI-developed zero-day exploit against a system-administration tool — evidence the capability doesn’t stay contained to the research programs that pioneer it.

For the observatory, this is a clean example of the framing contest around “dual-use” AI capability: builder ecosystems emphasize safety research and responsible disclosure; security vendors emphasize the speed at which defenses are being outpaced (one tracking project cited a fall in mean time-to-exploit from roughly 2.3 years in 2018 to under 20 hours in 2026); and open-source/offensive-security communities frame the same tools as leveling access. None of these framings is neutral — each serves the institutional position of the actor advancing it.

Key facts and dates

Google Project Zero and DeepMind’s Big Sleep found its first real-world zero-day (a SQLite flaw) in early October 2024, publicly announced that November; by August 2025 it had reported a first batch of roughly 20 vulnerabilities in open-source projects including FFmpeg and ImageMagick. The academic case for multi-agent exploitation was made in the June 2024 paper by Zhu et al., which reported up to a 4.3x improvement over prior single-agent approaches across 14 real-world vulnerabilities. T3MP3ST, the specific tool named in the editorial’s source item, ships roughly 35 built-in tools (83 with an opt-in full toolset) and reports strong results on established benchmarks; it is released under an AGPL-3.0 license with an explicit legal disclaimer restricting use to authorized targets.

Where to learn more

Sources

Primary source: Google Project Zero's own account of the Big Sleep project and its first real-world zero-day discovery
Peer-reviewed-track academic paper (Zhu, Kellermann, Gupta, Fang, Bindu, Kang) establishing the multi-agent exploitation capability
Primary source: the project's own README, describing architecture, tools, license, and use restrictions
Google's threat-intelligence team reporting real-world malicious use of AI-assisted exploit development
Referenced in: Editorial No. 216