HackerOne Exec Explains Key Security Trends in the Age of AI 

Over the last 12 months, one of the biggest issues in cybersecurity has been how generative AI has become a new weapon for hackers. One of the main companies tracking trends in cybersecurity is HackerOne, a security research firm that companies often use to find vulnerabilities in their systems and processes. Laurie Mercer, security architect for HackerOne, spoke to Space Security Sentinel about what HackerOne has seen and shares his key learnings with space companies about how to counter this new wave of AI threats coming their way.

Mercer said that HackerOne is seeing many more reports that are either related to or generated by AI tools, and he does not expect this trend to slow down in 2026. He reports a 210% increase in valid AI reports.

“If you think about a chatbot, an image generation tool, an agentic AI system of some sort, the kind of bugs that we are seeing from an offensive security perspective in those areas are things like sensitive information exposure,” Mercer says. “So, for example, let’s say I’m using a chatbot and I ask it about another user and what they are up to. Then sometimes these chatbots have issues. They are not always configured with the right permissions.”

There are now many AI tools, and they are changing how vulnerability research is done. Mercer says there are now 16 AI collectives operating on the HackerOne platform. These are engines operated by companies, individuals, or collectives that are finding vulnerabilities on the platform at a scale not possible for one individual.

“We have got lots of reports that affect AI systems,” he says. “We have lots of reports that have been made with the help of AI and then now we have this concept of AI agents, or AI collectives that are basically discovering vulnerabilities at scale. These are the big movements that we are seeing in our platform, in our community.”

Implications for Space 

With satellites being equipped with more capable software and becoming a bigger part of the overall communications ecosystem, the game is changing from a security perspective. Mercer talks of the possibility of space companies working more closely with companies like HackerOne to find vulnerabilities. HackerOne has already worked with the likes of OneWeb.

“It is all about having the same security controls in place that you would have with a normal telco or ISP. So, having the usual kind of ISO 27001 controls around cybersecurity. However, you could also do things like a vulnerability disclosure program, which is a form of crowdsourced security where people can report vulnerabilities to you. It is not paid,” he said.

Crowdsourced security in the space industry is an interesting concept, and it remains to be seen how far some space companies would go in this direction. Mercer says these players could consider a bounty program for paid engagement. The general challenge with crowdsourced security for IoT systems is that testers can only test what they can access.

“The challenge with physical devices, including satellites, is the access problem. The question is, how do we access this? And there’s always the question of, should we be accessing production or some sort of pre-production environment,” he says. “The second challenge is that if you were to run a fully public bug bounty program where you hear about any vulnerabilities that are in production systems and pay for a report if it’s valid and if it’s found to be impactful, then you can expect a ton of traffic. You are going to get maybe hundreds, perhaps thousands of people involved, and this can cause problems.”

This could lead to issues. For example, if a satellite operator suddenly has a thousand extra users trying to break into its systems, the load itself can sometimes cause disruption.

“It depends on the system in scope. A lot of companies in this perspective, especially when things can go wrong, will opt to test a non-production system in a private engagement, rather than testing production systems in a public engagement,” says Mercer. 

Supply Chain

The cybersecurity sector is a fast-moving one. Looking back over the last 12 months, Mercer said weaknesses in supply chain security remain one of the biggest talking points in the industry.

“2025 was the year where companies realized the security controls that they had for their own software are way more advanced than what they insist their suppliers do, and that is now beginning to hit. Basically, companies are beginning to get breached through third parties rather than their own stuff.”

One of the questions HackerOne’s research is looking at is how companies can use the transformative power of generative AI to help find and isolate vulnerabilities. Interestingly, Mercer speaks of AI doing some of the legwork that security analysts would usually do.

“Is it possible to codify what a security analyst would do when it comes to prioritizing a vulnerability, and therefore do this in a relatively automated, perhaps with a human in the loop, fashion?” he says. “And is it possible to get to a point where we can do automatic patching and remediation of vulnerabilities? Can we have AI agents talking to each other, with one of them saying I found something, another person saying, yes, I have confirmed you found it, and then a third agent saying I found the source code where the issue is. How far can you take it with this paradigm of digital coworkers?”

Worrying Trends

Every year, HackerOne releases a state-of-the-union report looking at what has gone on in the world of cybersecurity and what companies should look out for. Mercer flags a worrying trend: business logic flaws and improper access control vulnerabilities are on the rise.

“The big thing, if you look at the percentages and the changes from year to year, is that we are seeing an increased number of business logic flaws and improper access control vulnerabilities. We are seeing a nearly 20% increase year-over-year,” he reports. “At this stage, I would expect things to be decreasing. Because as organizations mature and invest more in cybersecurity in their development processes, you would naturally expect a decrease in certain known vulnerability categories. And instead, we are seeing the opposite, which is an increase in the number of vulnerabilities submitted for those.”

HackerOne is also seeing a shifting geographic profile of researchers around the world. On the demographic side, the U.K. is now neck and neck with China in terms of pentest and bug bounty hunter locations. India has always been the number one location for researchers, while the United States has always been number two. The U.K., China, and Egypt are tied for joint third place.

The rise of a strong hacker community in the Middle East is also something to watch. Mercer points to the fact that Egypt came second in a hacker World Cup that HackerOne ran last year. Spain won the tournament.

“What is interesting is seeing these bubbles of talent pop up around the world. We are obviously a very practical platform. So, to see Egypt popping up online and competing with the U.K. and China was surprising for me. Iraq also had a strong team. Is this the Middle Eastern hacker community awakening happening now? Suddenly, you have a bunch of people coming out to technical universities and testing out their skills and finding things. This is different to the past, which has always been a U.S. and India kind of race.”