HackerOne, a global leader in offensive security, today released its 9th annual Hacker-Powered Security Report with this year’s theme: The Rise of the Bionic Hacker. The report, which highlights the latest insights drawn from HackerOne’s platform, shows how the rapid adoption of artificial intelligence (AI) is transforming both attack and defense. It also examines the convergence of safety and security into a single trust challenge for AI systems in production.
Organizations expanded AI program adoption by 270% this year, while HackerOne’s platform reported a 540% surge in prompt injection vulnerabilities—the fastest-growing threat in AI security.
“AI demands a different approach to risk and resilience,” said Kara Sprague, CEO of HackerOne. “AI vulnerabilities increased by more than 200% this year, while enterprises expanded AI security initiatives at nearly three times last year’s pace. At the same time, a new generation of ‘bionic hackers’—security researchers using AI to enhance their hunting abilities—are driving the discovery of security issues at unprecedented scale. The organizations that thrive will be those that evolve with AI and tap into the expertise of security researchers in both testing and response.”
Key findings from the report include:
- Researchers are now AI-native: 70% of surveyed researchers now use AI tools in their workflow, making AI-powered testing the new industry standard. This evolution marks the beginning of a new class of ‘bionic hackers’—researchers using AI to enhance their hunting abilities. To support this, HackerOne is previewing Hai for Hackers, a new AI-powered capability designed to supercharge security research workflows by streamlining communication, improving report quality, and accelerating impact.
- AI in production is expanding exponentially: 1,121 distinct customer programs included AI in scope in 2025, a 270% increase year over year.
- Prompt injection tops the threat list: Valid reports of prompt injection rose 540%, highlighting the difficulty of controlling how models interpret user inputs.
- Crowdsourced security delivers billions in customer value: Across HackerOne programs, $3 billion in breach losses was avoided in 2025, as measured by HackerOne’s Return on Mitigation (RoM) methodology.
- Researchers break new earning records: HackerOne bug bounty programs collectively paid out $81 million, an increase of 13% from last year.
- Fully autonomous Hackbots emerge: Autonomous agents submitted 560+ valid reports, signaling the start of the hackbot arms race.
“Hackers are becoming builders. By crafting AI enhancements throughout our workflows, we’re amplifying our unique tradecraft to hack deeper, faster. We are entering an era of bespoke automation, and the power of the crowd is growing,” said James Kettle, Director of Research at PortSwigger. “This is a rapidly emerging field of research, and we’re just getting started.”
