r/vibehacking

I wanted to share the workflow I’ve been using lately for Windows n-day research, because it feels like one of the best examples of what I’d call “vibe hacking.”

Not “ask AI to hack Windows” and magically get a 0day.

More like: use AI as a research partner that helps you move faster through the boring, confusing, and repetitive parts of vulnerability research.

The basic loop looks like this:

1. Watch Patch Tuesday
2. Have Hermes cron kick off the first-pass triage automatically every Tuesday
3. Pick an interesting CVE, usually LPE, EoP, or sandbox escape
4. Find the patched component
5. Diff old vs new binaries or source-adjacent artifacts
6. Ask AI to help explain what changed
7. Build small probes to test theories
8. Throw away bad ideas quickly
9. Keep the paths that show real privilege or trust-boundary movement

The important part is that the AI is not “finding the exploit” by itself. It is helping compress the research cycle.

This is also where Hermes cron is useful. Patch Tuesday happens on a schedule, so the first pass should happen on a schedule too. I can set a weekly job that wakes up every Tuesday, pulls the latest Microsoft advisory data, groups CVEs by likely research value, and drops a short briefing into my workspace.

Example Hermes cron prompt:

Every Patch Tuesday, review the latest Microsoft security updates. Prioritize Windows local privilege escalation, sandbox escape, and broker/service boundary bugs. For each interesting CVE, summarize the affected component, likely bug class, available patch artifacts, and the first safe validation steps. Do not write exploit code. Produce a short triage report with the top 5 targets.

The goal is not to wake up to a finished exploit. The goal is to wake up to a useful map.

For example, instead of staring at a patch diff for hours, I’ll ask something like:

Here are the before and after snippets from a Windows component patched in CVE-XXXX-YYYY. Explain the security-relevant behavior change in plain English. Focus on:

- new validation checks
- trust boundary changes
- object lifetime or permission changes
- anything that could indicate the original bug class

Then propose 3 safe local experiments to confirm the root cause without weaponizing it.

That usually gives a useful starting point.

Then I’ll follow up with:

Assume this was an elevation-of-privilege fix. What would need to be true for this bug to matter in practice? List the required attacker privileges, target service behavior, and what evidence would prove this is more than just a crash.

That second question is key. AI is very good at hyping up bugs. You have to force it to separate “interesting crash” from “actual privilege boundary crossed.”

One result from this workflow: we used AI-assisted patch diffing and targeted probing to narrow a Windows local privilege escalation investigation down from “some patched component changed” to a specific broker/service interaction that was worth testing. The valuable part was not that AI gave us an exploit. It helped us build a decision tree:

• What changed?
• Why would Microsoft add this check?
• What caller controls this input?
• What privilege does the service run as?
• What would prove exploitability?
• What negative tests let us kill this path?

That saved a lot of time.

The methodology is basically “research with a copilot”:

• AI summarizes ugly diffs
• AI turns vague ideas into checklists
• AI writes throwaway harnesses and probes
• AI helps document dead ends
• AI reminds you what evidence is missing
• You still do the validation, debugging, and judgment

The biggest lesson so far: don’t ask AI for an exploit. Ask it to help you think like a vulnerability researcher.

Bad prompt:

Write an exploit for this Patch Tuesday CVE.

Better prompt:

Based on this patch diff, what bug class was likely fixed, what assumptions must hold for exploitation, and what safe tests can confirm or disprove those assumptions?

That difference matters.

This is what I mean by vibe hacking: not blindly trusting AI, not replacing skill, but using it to stay in flow while exploring a target. The AI is great at generating hypotheses. The human has to prove them.

If you’re interested in this style of AI-assisted security research, n-day analysis, exploit dev workflows, weird automation, and building agents that actually do useful work, that’s what I want /r/vibehacking to be about.