Speaker:: Rob T. Lee, Glenn Thorpe, Dan Hubbard & Sergej Epp
Title:: Vibe Coded
Duration:: 12 min
Video:: https://www.youtube.com/watch?v=2_Vq4vY5EaA

## Key Thesis

A rapid-fire series of live demos and micro-talks from four practitioners showing what they built by "vibe coding" during or just before the conference — ranging from a 14-minute full intrusion analysis using Claude Code on top of the SIFT workstation, to a phishing-quality conference website clone, to a real-time visualization of time-to-exploitation trends showing that average exploitation time has compressed from over a year (2020) to roughly one day.

## Synopsis

Rob T. Lee (SANS Institute) demonstrates Claude Code installed on top of the SIFT workstation (a forensic analysis toolkit he created 18 years ago). He shows a 14-minute, 27-second video of Claude Code autonomously performing a full intrusion analysis on a compromised Windows C: drive image — producing a complete incident report with no further human input. He argues that since offensive teams can now compress kill chains from months to days or minutes, defenders must achieve comparable speed in intrusion analysis. He notes all resources (SIFT workstation config, CLAUDE.md, NotebookLM setup) will be posted publicly.

Glenn Thorpe (GreyNoise) shares a cautionary tale: he vibe-coded a personalized conference agenda app, was proud of it, showed it to his boss — then noticed the LLM had confabulated talk descriptions, including one that claimed a speaker would demo integration with GreyNoise intelligence (which wasn't true). On re-checking, 75% of the talk descriptions were hallucinated. He re-ran with more explicit validation instructions and fixed it. The irony: his actual conference talk later in the day was focused on the validation skill.

Dan Hubbard demonstrates a social media aggregator he built in ~8 minutes with Lovable. It scraped all [un]prompted social mentions across platforms, mimicked the conference website's visual design (6,800 lines of code auto-generated), and, as a security demonstration, embedded a fake conference registration form accepting passwords and credit card numbers for a fictional "$7.99" registration. His point: it's trivially easy to build a convincing phishing site for any event or brand in minutes.

Sergej Epp (Sysdig) presents a single-slide visualization of time-to-exploitation data aggregated by agents pulling from CISA, NVD, and commercial vulnerability data sources. Key finding: in 2020 median time-to-exploitation was over a year; by 2025 it's dropped to approximately one day. Over 50% of weaponized exploits are now zero-days (exploited before or on patch day). The rate of weaponized exploits has held roughly constant at ~2% of all CVEs, but if LLMs make exploit generation as cheap as many expect, that 2% number becomes catastrophic at scale.

## Key Takeaways

- Claude Code on SIFT: 14-minute full intrusion analysis from raw drive image to report — historically a 3-day human task
- Vibe-coded hallucination trap: 75% of LLM-generated talk descriptions were wrong when given insufficient validation instructions
- Phishing-quality event clone built in 8 minutes / 6,800 lines of code with Lovable
- Time-to-exploitation: 2020 = >1 year average → 2025 = ~1 day
- Over 50% of weaponized exploits are now zero-days (pre-patch or same-day)
- Weaponized exploit rate is ~2% of all CVEs — cheap LLM exploit generation could make this catastrophic

## Notable Quotes / Data Points

- Rob Lee: "About 3 days to get from initial C: drive of an intrusion into a full report" → now 14 minutes 27 seconds
- Glenn Thorpe: "25% of the talk descriptions were correct, 75% were wrong"
- Dan Hubbard: 6,800 lines of code, 17 dependencies, generated in 8 minutes
- Sergej Epp: "In 2020 the time to exploitation was more than a year. Just last year we've crossed months and now it's just about a day."
- Epp: "If finding exploits, building exploits, finding CVEs is going to be as cheap as we believe, this is going to be dramatically dangerous"

#unprompted #claude