HackerOne’s 9th Annual Hacker-Powered Security Report Ushers in New Era: The Rise of the Bionic Hacker


HackerOne’s 9th annual Hacker-Powered Security Report (HPSR) has revealed that the security industry is ushering in a new era: The Rise of the Bionic Hacker. 

A growing number of security researchers are now AI-native. In fact, 70% of surveyed researchers use AI tools in their workflow, making AI-powered testing the new industry standard. This evolution directly led to the formation of ‘bionic hackers,’ researchers who embrace AI to power their bug hunting abilities.

“AI demands a different approach to risk and resilience,” said Kara Sprague, CEO of HackerOne. “AI vulnerabilities increased by more than 200% this year, while enterprises expanded AI security initiatives at nearly three times last year’s pace. At the same time, a new generation of ‘bionic hackers’—security researchers using AI to enhance their hunting abilities—are driving the discovery of security issues at unprecedented scale. The organizations that thrive will be those that evolve with AI and tap into the expertise of security researchers in both testing and response.”

HackerOne has also seen fully autonomous hackbots emerge. These new, autonomous agents submitted 560+ valid reports. To keep up with AI-fueled risks and challenges, there is a place for both in the security research world.

“Hackers are becoming builders. By crafting AI enhancements throughout our workflows, we’re amplifying our unique tradecraft to hack deeper, faster. We are entering an era of bespoke automation, and the power of the crowd is growing,” said James Kettle, Director of Research at PortSwigger. “This is a rapidly emerging field of research, and we’re just getting started.”

Humans are still making and will continue to make a massive impact. Security researchers have recently broken new earning records, according to the HPSR. HackerOne bug bounty programs collectively paid out $81 million, an increase of 13% from last year.

While AI is fueling faster, impactful security research and bigger earnings, it’s also generating new challenges and risks that security teams must contend with.

For instance, the 2025 HPSR uncovered that 1,121 distinct customer programs included AI in scope in 2025, a 270% increase year over year. This creates an expanded attack surface organizations must cover.

Prompt injection also topped the threat list. Valid reports of prompt injection rose 540%, highlighting the difficulty of controlling how models interpret user inputs.

A promising final takeaway: crowdsourced security delivers billions in customer value. Across HackerOne programs, $3 billion in breach losses was avoided in 2025, as measured by HackerOne’s Return on Mitigation (RoM) methodology.

With researchers adapting their methods to embrace AI, the sky is the limit for the impact we’ll see in the coming years.

To read the full 9th annual HPSR, visit https://www.hackerone.com/report/hacker-powered-security.
