The whole video hangs on one distinction: his buddy Douglas earned $40,000 on a single program with Claude not because of the AI, but because he already had years of bug-class fluency for the AI to multiply. Hand the same tooling to a beginner with no fundamentals and it produces zero (and floods triage queues with slop), so the roadmap is five pillars where every stage is “learn it, then let AI accelerate it, never the reverse.”

AI as multiplier, not substitute

The central thesis rejects both loud camps: the “just vibe-hack with Claude and skip the boring stuff” crowd and the “AI is useless, grind fundamentals like we did” crowd are both wrong. AI does not replace the hunter yet, but it does erase the gap between a beginner and a competent hunter: the mentor you never had, the write-up you cannot find, the senior engineer to review your code. That gap is what traps beginners for years, and used well, AI closes it in months instead. Douglas’s real unlock was not throwing Claude at a target and hoping; he took his own HackerOne reports, bugs found with his own methodology in his own words, and turned them into custom skills the AI could execute a thousand times faster than he could by hand. AI is valuable because it runs your playbook, not because it knows things, and if you have no playbook, there is nothing to amplify.

Foundations you cannot skip

Pillar one is the part everyone wants to skip and genuinely cannot. Without understanding how the web works, no LLM will save you; you will get a great answer from Claude and not know what any of it means. Three concrete targets at this stage: first, the mechanics of the web itself (requests, responses, status codes, headers, cookies, sessions, and how authentication is handled); second, the OWASP Top 10 understood rather than memorized, meaning you can say what an IDOR, XSS, or SQL injection actually is and why it exists; third, pick one proxy, Burp Suite or Caido, and learn to intercept, modify, and replay requests without chasing every extension yet. For where to learn, the free path is PortSwigger’s Web Security Academy, worked top to bottom with no skipping, which is genuinely enough to reach a first bug if you grind it. The paid path is his own Bug Bounty course (15-plus hours) and a lab bundle (broken access control, XSS, blind XSS, nuclei), but he is blunt that the courses do not matter and doing the labs is what matters.

The AI learning loop

Pillar two is where AI changes everything for beginners, and he thinks it is under-discussed. The old loop was reading a write-up, hitting an unfamiliar term like server-side template injection, Googling into a years-old Stack Overflow post that assumed six other things you did not know, recursing, and three hours later closing the tab feeling dumb. That loop is dead. The new loop is read, ask, quiz, apply: paste the entire write-up into Claude or ChatGPT, say “explain this to me like a beginner, I understand HTTP basics, walk me through SSTI, why does this bug work, and what was the attacker thinking at each step,” then ask follow-ups, ask it to quiz you, and ask it for similar challenges to try. You now have a tutor that knows every bug class, CVE, and published write-up, available 24/7, that never tires of your questions. The hard constraint: this only works if you have pillar one, because asking Claude to explain SSTI when you do not understand HTTP just generates two words of confusion stacked on more confusion. And AI is a tutor, not a community, so you still need humans: get on X, follow hunters, join a Discord, hit a local meetup, and find people one step ahead and one step behind you, because AI will never introduce you to a program manager or vouch for you and people will.

Recon, target selection, and specification

Pillar three is where AI starts to feel like a superpower. Picking a good target is half the game; beginners run straight at Google, Apple, or some giant on HackerOne and find nothing in six months because those are the most-hunted surfaces on Earth. Aim instead for programs where the scope is wide, the program is newer, and the attack surface is messy, because that is where the good bugs live. The non-negotiable recon backbone is the ProjectDiscovery stack: subfinder, httpx, alterx. AI plugs in three ways. First, comprehension: paste 400 subdomains from subfinder into Claude and have it categorize them by likely function (authentication, admin, API, internal tooling, marketing) to turn a wall of text into a prioritized hit list. Second, payload generation: describe a weird custom auth flow and ask for ten bypass variations you would never have thought of, instead of Googling for hours hoping a HackTricks page applies. Third, custom tooling with Claude Code or Cursor: not knowing Python no longer matters, because you can ask it to write a script that hits every endpoint with your JWT and re-checks each without auth, giving you a broken-access-control scanner other hunters spend a weekend building.

The skill has shifted from coding to specification. “Write me a script” gets garbage; a precise spec (“take URLs from targets.txt, send each with my JWT in the Authorization header, send the same request without it, output a CSV of endpoints returning the same response in both cases”) gets you a real broken-access-control scanner. The old advice to read every line of AI-generated code is now largely gatekeeping, because Claude can debug its own output better than most beginners can debug it by hand. The two things that actually matter: learn to describe precisely, and keep good documentation. When you build a recon tool, save the prompt, what the script does, and the edge cases it handles into a README or a comment block (or let Claude write that too), so that in three months when the target site changes and the script breaks, you hand that context back and it is fixed in minutes with no memory required on your part.

The hunt

Pillar four is where beginners freeze because they do not know where to start, so the AI-assisted hunt runs in three pieces. Piece one is feature mapping: before clicking randomly, describe the app to the LLM (“user dashboard, billing page, team management, an admin panel I cannot access”) and ask which bug classes to prioritize and where, getting back a hit list like broken access control on team management, IDORs on billing IDs, and privilege-escalation paths from user to admin. Piece two is request analysis: when you intercept something odd in Burp (a base64 blob, a JWT, an unfamiliar parameter), drop it in and ask it to walk you through every parameter, what it likely does, and what to tamper with. Piece three, his favourite, is code review of client-side JavaScript or open-source components: feed it into Claude Code or Cursor and ask it to identify every API call, document each one’s method, headers, parameters, and expected payload, and flag any additional domains or subdomains referenced anywhere, producing a complete attack-surface map to fuzz. The honest caveat: AI does not find the bugs, it does not know business logic or your context, so you are still the hacker making the calls while AI erases the boring 70-80% so your brain goes to the part that pays. Recommended beginner bug classes are broken access control, IDOR, and XSS (especially blind XSS), because they reward attention to detail and creativity (which AI amplifies) rather than the deep technical knowledge a deserialization bug demands, and you will hit your first bounty faster on them.

Reporting, privacy, and the growth loop

Pillar five is reporting and growth, where how you write it up is the difference between a $500 and a $3,000 bounty on the same finding. The privacy point matters: you do not have to paste your full unreported bug into an LLM, because many hunters are rightly wary of unreported bug data going into models that may train on it, and you can get most of the value without sharing the finding. Concretely: describe only the bug class and ask for a professional impact statement (“low-privilege user can access another user’s billing information”) without naming the app, input, or payload; write the draft yourself, sanitize payloads, endpoints, and URLs, then ask it to critique what is unclear, missing, or would make a triager take it more seriously, or ask it to role-play triaging it, all without ever seeing the real finding. A huge lever for non-native English speakers: a large chunk of the global community gets underpaid because their writing is rough, not their bugs, so drop the draft in and ask it to rewrite in clear professional English keeping the technical content identical and matching a senior-researcher tone, or write in your native language and have it translate, since the report is your only chance to make triage understand the submission. The growth habit that compounds fastest: for every bug, even informational or duplicate ones, describe the process (not the bug if you prefer) and ask what you did well, what a more experienced hunter would have done differently, and what to look for next time, which is the mentor feedback loop that used to require a senior hacker, now free and runnable on every finding.

Script-kiddie test

Everything above (the tutor, the recon assistant, the code-review partner, the write-up helper) will quietly turn you into a script kiddie if you let it. The test to run after every AI interaction: do I understand what is happening well enough to direct this, or am I just copy-pasting and paying? If you can describe the bug class, articulate why a payload should work, and explain what a generated script does even without writing it from scratch, you are using AI as an accelerator and you will be great. If you cannot, you will plateau, bounce off your first hard bug, become the slop in someone’s triage queue, and fail to defend your finding when a program owner pushes back. The one takeaway: fundamentals then AI, always in that order, so you become the person who compressed five years of learning into one rather than the person who paid into a fake skill set that the market can tell apart.

Key takeaways

  • AI multiplies an existing playbook; with no fundamentals there is nothing to multiply, which is why beginners with the same tooling produce zero and flood triage with slop.
  • Foundations first and non-negotiable: web mechanics (HTTP, cookies, sessions, auth), the OWASP Top 10 understood not memorized, and one proxy (Burp or Caido) for intercept/modify/replay. Do the labs, not just the courses.
  • Learning loop is read, ask, quiz, apply: paste write-ups into an LLM for beginner-level walkthroughs, but only after the fundamentals exist. AI is a tutor, not a community, so keep human relationships (X, Discord, meetups).
  • Pick targets with wide scope, newer programs, and messy attack surface, not the most-hunted giants. Recon backbone is subfinder, httpx, alterx.
  • The new core skill is specification, not coding: precise prompts plus saved prompt/behaviour/edge-case documentation let Claude Code build and later repair custom recon tools.
  • During the hunt, use AI for feature mapping, request analysis, and JS/source code review to build an attack-surface map, but you still supply business-logic judgement; AI does not find the bugs.
  • Beginner-friendly bug classes: broken access control, IDOR, and blind XSS (creativity over deep technical depth).
  • You can extract report impact statements, critique, translation, and per-bug growth feedback from AI without ever pasting the unreported finding; guard unreported bug data against training use.
  • Self-check: if you cannot explain your finding or your generated script, you are using AI as a crutch and will plateau.

Sources