Critical Thinking - Bug Bounty Podcast
[HackerNotes Ep. 179] Managing Hacker Motivation in the AI Era
Today, we're giving some tips to stay motivated in the AI Era
Hacker TL;DR
Slow triage, slow payouts and AI doing most of the work are killing the fun in bug bounty. The fix is to stop caring so much about the result and enjoy the finding again.
Build your own community and competition: hackalongs, ambassador events, working with newer hunters, and racing a friend to enjoy doing it again.
Keep AI useful by picking one target and setting a clear goal. Systemize a single target well, aim for something like ATO, and keep the parts you actually enjoy.
Protect the basics: good video PoCs get you triaged faster and avoid NMIs; fast programs are worth picking.

Today's Sponsor: Check out Zero Trust Cloud Access from ThreatLocker https://www.criticalthinkingpodcast.io/tl-ztca
The Pipeline Is Delayed, Not Broken
For years we have told pro hunters to keep a pipeline of bugs going so the payouts keep coming over time. That still works in theory: if you keep submitting, even with longer delays you are still getting paid now for bugs you found three months ago. The question is whether this is just a slow period that will catch up, or whether the better move is to stop caring about the result at all.
That is the mindset change. Rez0's idea is to enjoy the finding again. It does not matter if it dupes or takes three months; you still found it. It is the same thing we tell beginners about dupes, just applied to ourselves. The harder part is that a lot of bugs now come mostly from agents, so even a real win can feel like less of a win. Slow payouts plus AI doing the work are what make the slump feel bad.
Build Your Own Competition and Community
Justin's biggest motivation has always been competition. During the Route53 takeover wave he was getting three, four, five takeovers a week, with a sound playing on his phone every time. When the sound stopped he knew someone else was getting them, so he would improve his setup and start winning again. Beating a specific rival until they catch up feels much better than pointing an agent at a target and getting a full auth bypass back without doing much yourself.
The platforms are too busy to set up this competition for us, so the community has to do it. A few good options came up:
Hackalongs. The Adobe hackalong in the CTBB Discord is a good example: people found their own bugs live and we passed leads around.
Ambassador events. The HackerOne ambassador events get good reactions because they are small local groups hacking something together.
Working with newer hunters. Helping someone else often feels better than helping yourself. Helping a friend land their first critical lets you enjoy the win with them, even when your own bugs are stuck.
Keep AI Useful: One Target, One Goal
AI has taken away some of the curiosity that got us into this. It is easier to sit at four Claude panels and let it work than to really learn an app. brutecat is a good counter-example: he knows Google deeply, automates what he can in code, uses AI to fill the gaps, and feeds the leads back to himself to exploit. Justin's takeaway is that he has been using AI to hack less, when he should use it to hack more efficiently and keep the same hours.
Two things make AI feel rewarding again instead of empty:
Systemize one target. Generic prompts like "find all the API endpoints across these targets and attack them" do not feel like much. Picking one target, writing something to parse its JavaScript files, pull out the endpoints, diff for changes, and then letting AI work on that is much more satisfying because the system is yours.
Keep the parts you enjoy. Brandyn does a good chunk himself, mostly on features he finds interesting, and hands off the bug classes he hates. He gives a skill some target context, hooks it to Caido, runs it once on high intelligence to set up the context, then filters that out so he can focus on the fun parts. The idea is to find where you fit as a hacker so AI adds fun instead of removing it.
Pro Tip: make it goal-based. Instead of "find a critical", set a clear goal like ATO, or "take money out of this test bank" (on a Capital One style test bed with fake money, not a live program), and point the agent at that goal. Even if AI does ninety percent of it, hitting a goal you set feels better than just "find a crit".
We do subs at $25, $10, and $5; premium subscribers get access to:
– Hackalongs: live bug bounty hacking on real programs, VODs available
– Live data streams, exploits, tools, scripts & un-redacted bug reports
Need a Pentest? We just launched CTBB Pentests!
Hack full time? Check out the Full-Time Hunter’s Guild!
The LHE Method and Getting Manager-Sniped
Brandyn's trick for breaking a slump is what he calls the LHE method. When you come off a break or lose motivation, treat a target like a live hacking event: set a time limit, keep the scope tight, read all the docs, and commit to two or three weeks (or a number like $50k) as your limit. The limits make it easier to go all in and then rest. Just do not call it a pentest, or you will never want to work on it.
The other useful pattern is getting manager-sniped. Rez0 has been working with a hacker who sends him new scope almost every day. If a real manager told him to hack something today he would say no, but the same thing from a friend feels like a fun idea instead of a chore, and they have found a lot of bugs that way. We are social, and someone handing you a lead makes you want to work on it more than telling yourself to.
Lower Your Cortisol: PoCs, Triage Speed, and Wins
A few practical things that help:
Make good video PoCs. When the setup is complex, a clear video gets you triaged faster and avoids an NMI. There seems to be an unwritten rule that a trusted hacker with a clear video can get triaged on the video alone.
Pick fast programs. A team that replies within 72 hours really stands out right now. We gave Anthropic a shout-out for usually triaging in a day or two and paying within a week or two. Even a slightly lower bounty with fast turnaround can be the better pick when motivation is the problem.
Share your wins and support your friends. Rez0 has found more this year but shared less, because the wins feel smaller when AI helped. Posting them in something like the full-time hunters guild celebration channel and getting hyped up again brings the feeling back.
Justin had a tooling idea worth stealing: a browser extension that reads a program's severity numbers and shows a simple up or down arrow on whether it pays high and crit above or below the standard. Add response-time stats (Joel's old cross-platform script did some of this) and you could pick targets that are both fast and pay well.
You Are In a Bubble, and Health Matters
Two last reminders. First, you live in a small bubble. Seeing everyone else's best findings on X, in writeups, and in the guild chats makes you feel smaller than you are. Thirty years ago you would have felt great about the same work. Justin's reality check was Zero Trust World, where a basic intro-to-web-security workshop filled up a 600-person room, and that is not even ten percent of a normal podcast episode.
Second, health is part of hacking. This is a desk job where you sit still and stare at a screen, so you have to balance it on purpose: workouts, water, real food, and managing stress.
Pro Tip (a Frans Rosén tip): stop hacking right when you find something interesting. You come back ready to go, and you skip the time you usually spend remembering where you were, because it is right there in your replay tab. Just be careful in a dupe-heavy scope, and do not let it take over family time.
Resources
Hacking Google with A.I. for $500,000 - the latest brutecat article, a masterclass
That's it for the week, keep hacking!
