So cool. An LLM-based, language-agnostic vulnerability variant hunter was presented yesterday by Michal Kamensky at BlueHat IL.
The talk, alongside Amir Gombo, was about hybrid cloud vulnerabilities, but that wasn't what excited me.
Give the variant hunter a known bug (a report + vulnerable code file), and a target codebase, and it would find variants of that same bug class, regardless of language or control flow, then verify exploitability. This is especially useful for logical vulnerabilities.
As presented, Michal eliminated a whole class of vulnerabilities in Microsoft's Hybrid Cloud with the tool.
Essentially, the variant hunter inverts the classic SAST calculation.
With signature matching, someone hand-writes a per-language taint flow and the engine finds exactly that shape, so you only catch what you already described. A variant through a wrapper or renamed field slips past.
With Michal's variant hunter, the bug is described in natural language and the LLM judges whether code realizes that concept, so one definition generalizes across languages.
Michal’s method enables hunting for variants of logical bugs that could be unique to your product: legitimate, “by design” flows that become vulnerable in a specific context.
In the talk, the example given was calling IMDS in the cloud, which is reasonable, but doing the same on-prem becomes an RCE.
Most current harnesses map flows in which vulnerabilities are plausible; Michal looks for vulnerabilities by creating a "logical flow signature" (if I'm to abuse the analogy), making LLMs effective for logical bugs as well.
The architecture and pipeline with my interpretation (see video):
- Skill 1: Analyze. Distills the seed bug into 2 distinct outputs: the flow (in which a vulnerability might occur) and the reason this flow can become vulnerable. No function names, no literals.
- Skill 2: Find similar flows. All similar flows, no mention of the vulnerability.
- Skill 3: Correlate. For each similar flow found, decide whether it is vulnerable to the same issue or not.
- Skill 4: Verify. Independently and skeptically argues attacker control, reachability, and sanitizers, and generates a PoC.
Apparently, the variant hunter was written months ago. I'm beyond excited Michal made this concept public. It helps us further evolve in our thinking on vulnerability research with AI.
I asked Michal if she plans to open source, and she said: “When I taught people how to write custom Semgrep rules, they took the concepts and ran with them. Just ask the agent to implement it for you, and let’s see what wonderful ideas people come up with.”
My own take:
We must think differently to adapt to the AI age. Every moment wasted on super useful and effective older techniques - empowered by AI - means we aren't learning to think differently, while models keep on advancing, leaving us further behind.
Thank you to #BlueHatIL, Microsoft, and Hila Yerushalmi for a wonderful BlueHat IL, 2026.