I've been doing security research for years. These days, every other pitch I hear involves AI finding vulnerabilities "automatically" or "at scale." Vendors promise their tools will replace human testers. Founders believe a quick AI scan means their app is secure.

Let me be direct: this is dangerous thinking.

I'm not here to trash AI tools. I use them. They help. But the gap between what AI can do and what people think it can do is getting people hacked.

Why Finding Vulnerabilities Matters More Than Ever

Indie SaaS is everywhere. Solo founders and small teams ship products every week. Most of them have zero security budget and no time for proper reviews. The logic is simple: ship fast, get users, fix problems later.

The problem? "Later" often means "after the breach."

One security incident can kill a bootstrapped company overnight. Not just the technical damage. The reputation hit. The refunds. The legal questions. I've watched promising startups disappear because someone found an IDOR that exposed customer data.

Regulations are also catching up. GDPR, state privacy laws, industry requirements. Even small companies now face real consequences for poor security practices. "We're just a startup" doesn't work as an excuse anymore.

The attack surface keeps growing. Every API endpoint, every integration, every third party library is a potential entry point. And attackers know that indie SaaS often has weaker defenses than enterprise targets.

Where AI Actually Helps

Let's give credit where it works. AI tools are genuinely useful for certain tasks.

Pattern matching in code. AI is good at spotting known vulnerability patterns. SQL injection with string concatenation. Hardcoded API keys. Obvious XSS sinks. If it looks like a textbook example, AI will probably catch it.

# AI catches this easily
query = "SELECT * FROM users WHERE id = " + user_input
cursor.execute(query)

# AI also spots this
api_key = "sk-1234567890abcdef"

Automated scanning at scale. When you need to check thousands of endpoints for basic issues, AI powered fuzzers save time. They generate payloads, track responses, and flag anomalies faster than manual testing.

Summarizing large codebases. Before diving into a security review, AI can map out the architecture. "Show me all the authentication functions" or "find every database query" gives you a starting point.

Generating test payloads. Need variations of XSS payloads for filter bypass? AI can produce hundreds of mutations quickly. Not creative, but useful for coverage.

These are real benefits. I'm not pretending AI is useless.

Where AI Completely Fails

Here's where people get hurt. AI tools have fundamental blind spots that no amount of training data fixes.

Business logic flaws. This is the big one. AI doesn't understand your application. It doesn't know that "premium users shouldn't access this endpoint before payment clears" or "admins from company A shouldn't see data from company B."

Real example: I tested a SaaS where users could upgrade their subscription tier by replaying a modified API request. The endpoint accepted the tier change without checking payment status. The code was clean. No injection. No obvious bugs. Just a missing business rule that AI had no way to understand.

Authentication edge cases. AI can spot missing auth checks on obvious endpoints. But what about the weird flows? Password reset tokens that don't expire. Session tokens that survive password changes. OAuth implementations that accept tokens from unintended providers.

I found a vulnerability last month where the "forgot password" flow let you reset any account by manipulating the redirect URI after token validation. The token check was correct. The redirect logic was the problem. AI saw valid code doing its job. A human saw an attack chain.

Race conditions and timing attacks. Most AI tools test endpoints one at a time. They don't think about what happens when two requests hit simultaneously. Can you double spend credits? Can you create duplicate transactions? Can you bypass rate limits with parallel requests?

These bugs require understanding how the system behaves under real world conditions. AI doesn't think about concurrency.

Context dependent vulnerabilities. Storing user input in a database isn't inherently dangerous. But if that input gets rendered in an admin panel without sanitization, you have stored XSS. AI often can't connect these dots across different parts of the application.

The same function might be safe in one context and dangerous in another. AI evaluates code in isolation. Attackers think in chains.

Social engineering vectors. Can your support team be tricked into resetting MFA? Does your password reset email contain enough information to enable phishing? These are security issues that don't exist in code at all.

Supply chain attacks. Is that npm package you installed actually maintained? Does it have hidden dependencies with known vulnerabilities? Could an attacker take over an abandoned package your app relies on?

Dependency confusion attacks require understanding the build process, the package ecosystem, and the trust relationships between components. AI tools mostly just scan for known CVEs.

Novel attack vectors. AI is trained on past vulnerabilities. It recognizes patterns from yesterday's attacks. But security research is about finding what nobody has seen before.

When a new attack technique emerges, AI tools are blind until they get retrained. Humans can reason about new possibilities.

Questions to Ask Yourself That No AI Will Ask

What happens if a user manipulates the order of steps in this workflow?

Who else can access this resource if they guess or brute force the identifier?

What assumptions does this code make about the data it receives?

What happens if this operation runs twice at the exact same time?

Could an attacker chain this with another feature to cause harm?

What does the system trust that it shouldn't?

If I were attacking my competitor's product, how would I approach this feature?

The Practical Approach

Here's what actually works: use AI as a first pass, not a final answer.

Run your automated scans. Let AI tools catch the obvious stuff. Fix the low hanging fruit they find.

Then bring in humans. Bug bounty programs like patchli.st connect you with researchers who think like attackers. They understand your specific business logic. They chain vulnerabilities together. They find what automation misses.

The best security programs use both. AI handles the volume. Humans handle the creativity.

If you're an indie founder, here's the honest truth: you probably can't afford a full security team. But you can afford to run basic scans yourself and set up a bug bounty program for the rest. That combination beats either approach alone.

If you're a security researcher, learn to use AI tools efficiently. They speed up reconnaissance. They help with payload generation. But don't let them replace your intuition. The bugs that pay well are the ones AI can't find.

The Bottom Line

AI has made certain parts of security testing faster and more accessible. That's good.

But it has also created a false sense of security. Founders run an AI scan, see no critical findings, and assume they're safe. They're not.

The vulnerabilities that actually compromise companies are the ones that require understanding context, intent, and real world usage. AI doesn't understand any of those things. A human attacker does.

Use the tools. But don't trust them to do the thinking for you.

Your users are counting on you to know the difference.