In 2026 the AI slop problem got impossible to ignore: bug bounty platforms paused programs, maintainers like curl walked away from bounties, and autonomous agents started flooding open source projects with low quality reports. The lesson is that discovery got cheap and proof got scarce.
Discovery is now the easy part
An LLM can generate a plausible looking finding in seconds. That is exactly why platforms are drowning. When the cost of producing a report drops to near zero, volume stops being a signal of value and starts being noise.
Proof of exploit is the scarce thing
The finding that matters is the one you can actually exploit, with the exact commands and raw output to back it. An autonomous tool that only reports what it can prove, and attaches the evidence, produces a short list a human can trust instead of a long list a human has to triage.
Responsible behaviour toward maintainers
Autonomous offensive tooling that scrubs public repos and files unsolicited reports is part of the problem, not the solution. Scope proof, deduplication, rate limiting and a human sign off should be defaults, not afterthoughts.
The design principle
Optimise for validated exploitation and an auditable evidence trail, not for the number of findings. That is the antidote to slop, and it is the only version of autonomous pentesting that survives contact with a real remediation team.
Try it
If you care about proof over volume, the methodology and evidence trail are the part worth scrutinising.
- Repo (GPLv3): https://github.com/ASCIT31/Dark-Moon
- Docs: https://docs.dark-moon.org/
- Demo: https://youtu.be/1bFRVuMkZzY
Built by pentesters, open sourced for pentesters. Feedback on the methodology and the evidence trail is genuinely welcome.
Top comments (0)