HackerOne - CAI Top-10 Achievement


The use case

HackerOne, the world’s leading platform for coordinated vulnerability disclosure and bug bounty programs, processes massive volumes of security reports every day. With submissions coming from more than 3 million ethical hackers and thousands of organizations, deduplication and triage have become mission-critical challenges—often requiring deep semantic understanding of vulnerability patterns, exploitation techniques, and historical context.

To explore next-generation approaches to intelligent report handling, HackerOne's top engineers turned to CAI (Cybersecurity AI) as a framework for studying agentic architectures, autonomous reasoning models, and AI-driven security workflows. Through this exploration, CAI's Retester agent, designed to re-validate reported vulnerabilities automatically, became a key source of inspiration.

This research directly influenced the design and development of HackerOne’s new AI-powered Deduplication Agent, a production system capable of automatically identifying and consolidating duplicate vulnerability submissions at scale. The case demonstrates how CAI accelerates innovation by translating research-grade autonomous security concepts into real, commercial features deployed on one of the most widely used security platforms in the world.

HackerOne engineers exploring CAI

This video showcases HackerOne engineers solving a HackerOne CTF challenge focused on information disclosure. CAI autonomously analyzes the target webpage's HTML source, identifies a CSS reference, accesses the file directly without authentication, and successfully retrieves the hidden flag. The session demonstrates CAI's autonomous reasoning capabilities for vulnerability triage, HTML analysis, and exploitation—core competencies that directly inspired HackerOne's approach to building intelligent security automation.
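The workflow the video walks through (read the page source, find the stylesheet it references, fetch that file with no session, look for the flag) is a standard information-disclosure check. The script below is an added example, not CAI's agent nor HackerOne's CTF code: it extracts every stylesheet, script and image reference from a page, fetches each one with no cookies or credentials, and scans the bodies for flag- or secret-like strings. The target site, hostnames and flag format are constructed so it runs offline; pass `http_fetch` instead of the default to run it against a live page.

```python
"""Unauthenticated static-asset check for information disclosure.

Added example, not CAI's or HackerOne's code. Steps: read a page's HTML,
collect the stylesheet, script and image references it makes, fetch each
referenced file with no session cookie or credential, and scan the bodies
for flag- or secret-like strings. The target site is constructed in-memory
so the script runs offline; the flag format and hostnames are assumed.
"""
import re
from html.parser import HTMLParser
from urllib.error import HTTPError, URLError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Constructed target: a login page whose stylesheet leaks a flag in a comment.
FAKE_SITE = {
    "https://target.example/login": (200, """<!doctype html>
<html><head>
  <link rel="stylesheet" href="/static/app.css">
  <link rel="icon" href="/favicon.ico">
  <script src="https://cdn.example/lib.js"></script>
</head><body>
  <img src="/static/logo.png"><form method="post"><input name="user"></form>
</body></html>"""),
    "https://target.example/static/app.css": (
        200, "/* TODO remove before release: ^FLAG^0badc0ffee$FLAG$ */\nbody{margin:0}"),
    "https://target.example/favicon.ico": (404, ""),
    "https://target.example/static/logo.png": (200, "\x89PNG\r\n..."),
    "https://cdn.example/lib.js": (200, "console.log('ok');"),
}

# Assumed flag formats plus a generic credential pattern.
SECRET_PATTERNS = [
    re.compile(r"\^FLAG\^[0-9a-f]+\$FLAG\$"),
    re.compile(r"FLAG\{[^}]+\}"),
    re.compile(r"(?i)\b(?:api[_-]?key|secret|password)\s*[:=]\s*\S+"),
]


class AssetExtractor(HTMLParser):
    """Collects the href/src of <link>, <script> and <img> tags."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            self.refs.append(a["href"])
        elif tag in ("script", "img") and a.get("src"):
            self.refs.append(a["src"])


def fake_fetch(url):
    """Offline stand-in for an HTTP GET; returns (status, body)."""
    return FAKE_SITE.get(url, (404, ""))


def http_fetch(url, timeout=10):
    """Plain GET with no cookies or auth header: any 200 is unauthenticated access."""
    try:
        req = Request(url, headers={"User-Agent": "asset-check/1.0"})
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""
    except URLError:
        return 0, ""


def find_asset_leaks(page_url, fetch=fake_fetch):
    """Return (asset_url, matched_secret) for every referenced asset that leaks."""
    status, html = fetch(page_url)
    if status != 200:
        return []
    parser = AssetExtractor()
    parser.feed(html)
    findings = []
    for ref in parser.refs:
        asset_url = urljoin(page_url, ref)       # resolves relative and absolute refs
        asset_status, body = fetch(asset_url)
        if asset_status != 200:
            continue                              # e.g. the 404 favicon above
        for pattern in SECRET_PATTERNS:
            for match in pattern.finditer(body):
                findings.append((asset_url, match.group(0)))
    return findings


if __name__ == "__main__":
    for asset_url, secret in find_asset_leaks("https://target.example/login"):
        print(f"{asset_url}: {secret}")
```

The fetch function deliberately sends no cookies, so any 200 response proves the asset is reachable without authentication, which is the condition the video's challenge turns on.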

Cybersecurity AI (CAI), the framework for AI Security

CAI is the leading open-source framework that democratizes advanced security testing through specialized AI agents. With EU backing, CAI is used by thousands of researchers and organizations worldwide. Platforms like HackerOne face extreme scale challenges—tens of thousands of reports, global researcher communities, and complex, high-impact vulnerability workflows.

CAI is built on the expectation that by 2028 most cybersecurity operations will be autonomous, with humans teleoperating. Its approach to AI-powered vulnerability reasoning, triage, and exploit validation is therefore positioned as essential infrastructure for large-scale security platforms. HackerOne's adoption of CAI-inspired agentic designs shows how open frameworks accelerate real-world innovation.


About HackerOne

HackerOne is the global leader in hacker-powered security, connecting organizations with a community of over 3 million ethical hackers to identify and fix vulnerabilities. With more than 600,000 vulnerabilities resolved and over $300 million paid in bounties, HackerOne operates at unprecedented scale—processing thousands of reports daily across every industry vertical.

This massive volume creates unique challenges: identifying semantically identical submissions, filtering noise, accelerating triage, and providing enterprise-grade response times. The development of an AI-driven Deduplication Agent inspired by CAI reflects HackerOne’s commitment to advancing the state of vulnerability lifecycle automation.



🎯 THE CHALLENGE

HackerOne receives thousands of vulnerability reports each day, many of which are semantically similar but differ significantly in syntax. Traditional rule-based or keyword-based detection systems struggle to capture nuanced variations in:

  • Exploitation techniques
  • Payload structure
  • Reporter writing style
  • Environment-specific details

This results in manual triage bottlenecks and delayed response times for customers. HackerOne needed a way to understand vulnerability semantics, not just text patterns. The challenge was clear: Could an agentic AI framework like CAI provide architectural models capable of scaling intelligent vulnerability deduplication and triage across millions of submissions?

🛡️ THE SOLUTION

HackerOne's principal engineers used CAI to explore agentic workflows and to study how CAI agents reason, maintain context, and operate across the vulnerability lifecycle. They analyzed the Retester agent's design, in particular its ability to autonomously validate and re-exploit reported vulnerabilities, as a conceptual blueprint for persistent, context-aware agents. The team also examined CAI's triage agent, learning patterns for semantic similarity detection, contextual enrichment, multi-source information gathering, and agent-to-agent communication.

Within CAI's modular environment, engineers rapidly prototyped clustering of vulnerability-report embeddings, semantic comparison strategies, autonomous triage workflows, and multi-agent orchestration patterns. These explorations led directly to HackerOne's Deduplication Agent, a production system that identifies and consolidates duplicate submissions at scale.
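The problem stated in the Challenge section (reports that mean the same thing but differ in payload, hostnames, wording and reporter style) and the prototyping described above come down to one decision: compare reports by what they describe, not by the text they use. The script below is an added illustration and is neither HackerOne's Deduplication Agent nor code from the CAI project. It collapses environment- and payload-specific spans to placeholders, folds synonyms into one vocabulary, weights the remaining terms with TF-IDF in place of a learned embedding model so it runs offline, and groups reports whose cosine similarity clears a threshold. The three reports, the synonym table, the stopword list and the 0.5 threshold are constructed assumptions.

```python
"""Semantic near-duplicate grouping for vulnerability reports.

Added example; it is not HackerOne's Deduplication Agent nor CAI code.
Pipeline: lowercase -> phrase synonyms -> placeholder substitution for
URLs, injected markup, paths and numbers -> stopword removal -> TF-IDF
-> cosine similarity -> single-linkage clustering above a threshold.
Sample reports, vocabulary and threshold are constructed for illustration.
"""
import math
import re
from collections import Counter
from itertools import combinations

# Constructed sample reports. R1 and R2 describe the same reflected XSS with
# different payloads, hostnames and writing style; R3 is an unrelated IDOR.
REPORTS = {
    "R1": (
        "Reflected XSS in search parameter on "
        "https://shop.example.com/search?q=<script>alert(1)</script>. "
        "The q parameter is echoed into the page without encoding."
    ),
    "R2": (
        "Hi team! Found reflected cross-site scripting. Payload "
        "\"><img src=x onerror=alert(document.domain)> in the q param at "
        "https://www.shop.example.com/search is reflected unencoded into HTML."
    ),
    "R3": (
        "IDOR on /api/v1/invoices/10234 lets any authenticated user download "
        "other customers' invoices by changing the numeric id."
    ),
}

# Illustrative synonym tables; a real system would use a much larger vocabulary.
PHRASE_SYNONYMS = [
    ("cross-site scripting", "xss"),
    ("cross site scripting", "xss"),
    ("without encoding", "unencoded"),
    ("without escaping", "unencoded"),
]
WORD_SYNONYMS = {"param": "parameter", "params": "parameter", "parameters": "parameter"}

# Function words and reporter chatter that carry style, not vulnerability semantics.
STOPWORDS = {
    "a", "an", "the", "in", "on", "at", "is", "into", "of", "to", "and", "by",
    "any", "this", "that", "it", "hi", "hello", "team", "found", "please",
}

# Environment- and payload-specific spans collapse to uppercase placeholder
# tokens, so two reports sharing a *kind* of detail still match on it.
PLACEHOLDERS = [
    (re.compile(r"https?://[^\s\"'<>]+"), " URL "),   # any URL
    (re.compile(r"<[^<>]*>"), " TAG "),               # injected markup
    (re.compile(r"(?<![\w:])/[\w./-]+"), " PATH "),   # bare paths
    (re.compile(r"\d+"), " NUM "),                    # ids, ports, counts
]


def normalize(text):
    """Lowercase, apply synonyms and placeholders, drop stopwords."""
    text = text.lower()
    for phrase, replacement in PHRASE_SYNONYMS:
        text = text.replace(phrase, replacement)
    for pattern, replacement in PLACEHOLDERS:
        text = pattern.sub(replacement, text)
    tokens = []
    for tok in re.findall(r"[A-Za-z]+", text):
        if tok.isupper():            # placeholder token, keep verbatim
            tokens.append(tok)
            continue
        tok = WORD_SYNONYMS.get(tok, tok)
        if tok not in STOPWORDS:
            tokens.append(tok)
    return tokens


def tfidf_vectors(reports):
    """Smoothed TF-IDF over the normalised token streams, one sparse vector per report."""
    counts = {rid: Counter(normalize(text)) for rid, text in reports.items()}
    n_docs = len(counts)
    df = Counter(term for c in counts.values() for term in c)
    idf = {t: math.log((n_docs + 1) / (df[t] + 1)) + 1.0 for t in df}
    return {rid: {t: tf * idf[t] for t, tf in c.items()} for rid, c in counts.items()}


def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def similarity(reports, a, b):
    vecs = tfidf_vectors(reports)
    return cosine(vecs[a], vecs[b])


def cluster_duplicates(reports, threshold=0.5):
    """Single-linkage grouping: any pair at or above the threshold joins one cluster."""
    vecs = tfidf_vectors(reports)
    parent = {rid: rid for rid in reports}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(reports, 2):
        if cosine(vecs[a], vecs[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for rid in reports:
        groups.setdefault(find(rid), []).append(rid)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for a, b in combinations(REPORTS, 2):
        print(f"{a} vs {b}: {similarity(REPORTS, a, b):.2f}")
    print("clusters:", cluster_duplicates(REPORTS))
```

The placeholder step is what makes R1 and R2 land in one cluster despite different payloads and hostnames: both carry a URL, injected markup and the same reflected parameter, and those shared categories are what TF-IDF weights. Single linkage is deliberate here, since a duplicate of a duplicate should join the same group; the threshold is the knob a triage team tunes against labelled history.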

🔬 KEY ARTIFACTS

  • Exploration sessions using CAI’s Retester agent as a design reference
  • Analysis of HAI’s triage and retrieval framework
  • Prototyped semantic clustering and deduplication workflows
  • Architecture mapping for agent-to-agent interactions
  • Blog post from HackerOne engineering describing the Deduplication Agent inspired by CAI

✅ RESULTS ACHIEVED

  • Production deployment of HackerOne’s AI-powered Deduplication Agent
  • Direct inspiration taken from CAI’s Retester and HAI agents
  • Accelerated development cycles thanks to CAI’s modular agentic design
  • Demonstrated how open-source AI security frameworks can influence large-scale commercial platforms
  • Validated CAI as an enabler for next-generation vulnerability triage systems

KEY BENEFITS

🔒 AI-powered Security
⚡ Cost-effective and fast
🤖 Automation for large-scale security workflows