VibeScan Pt. 4
VibeScan Framework
So, let’s reiterate: why is the VibeScan framework—which, as a reminder, is a Multi-Tool product—so essential?
Going back to the Dunning-Kruger effect, everyone appears to be a software engineer now thanks to AI. Admittedly, AI is very good at generating ‘bullshit,’ but it isn’t always great at generating functional code. For example, I saw an ‘AI-slop’ version of what is effectively GoBuster on Twitter. It chains multiple exploitation frameworks we already use, like Metasploit, to brute-force exploits.
The problem is that it runs so fast that pointing it at any single web server would simply annihilate and crash the target, returning 500 Internal Server Errors or 503 Service Unavailable errors. This is the issue with generative AI slop; on Twitter, people are ruthlessly mocking the original developer on GitHub because they clearly have no understanding of penetration testing.
If they did, they’d know that web servers are not particularly robust. Without a Web Application Firewall (WAF) or Layer 3, 4, and 7 protection—the kind of biometric and DDoS mitigation Cloudflare provides—the server will fold. Cloudflare’s alert pages mitigate Layer 7 attacks (except for logic attacks), which would normally halt this ‘MCP brute-forcer’ AI bullshit—I think it’s called PentAGI or something similar.
Ultimately, that tool only works against a super-beefy server or something on a local area network. Any server unprotected by a CDN or WAF will just be destroyed before the tool produces an actual result.
Comparing and defining stacks
Let’s talk about ‘the stack.’ People use that term for everything, but I have my own specific stack for the VibeScan framework.
In web development, you have the LAMP stack (Linux, Apache, MySQL, PHP). Then you have the binary stack, based on the Application Binary Interface (ABI), where instructions are pushed and popped—a Last-In, First-Out (LIFO) structure. That’s the most basic description for getting into binary exploitation, though you don’t need to be writing exploits to understand how native compiled code manipulates the stack. If you write in C or C++, the fundamentals of an unsafe language, you see how the stack is rendered through static analysis and then dynamic analysis by attaching a debugger.
Today, everyone calls everything a ‘stack.’ I remember Trace Labs CTF VMs that were just a bunch of bookmarks and Tor, yet they called it an OSINT stack. If a set of preconfigured tools—like EDR or Wazuh—is orchestrated into a single interface, people call it a stack.
The problem is that these ‘vibe coders’ don’t actually understand what they’re doing. VibeScan isn’t just auditing security vulnerabilities; I’m using custom Semgrep rules and custom S-BOM rules to identify technical debt. You can’t just burn through VC cash on inflated, stupid ideas that cost more to run than they earn. If an idea is truly that good, someone would have bought you out already.
The real ‘moat’ here isn’t just the code; it’s that I have no competition when it comes to DBI (Dynamic Binary Instrumentation). This allows me to trace bugs all the way down to the CPU—a concept so arcane it’s rare even among malware researchers and reverse engineers.
Vibe coders suffer from technical debt because they aren’t architecting solutions for both the best method and the cheapest method. You can’t architect a solution in 24 hours. That’s why I benchmark VibeScan as I write it. The operating costs and compounding technical debt of un-refactored code will eventually cause these ‘vibe stacks’ to fail. I’ve heard of sites like “Vibe Code Fixers”, but even they rely on professionals to manually fix vulnerabilities. My goal is automation—fixing the technical debt all at once. While fixing UX isn’t easy to automate, technical debt is. I’ve seen ‘influencer’ programmers using thousands of nested if-else statements. It’s a nightmare.
Why we used automated Frida and kept AI out
Another thing that is much easier when you document a Dynamic Binary Instrumentation (DBI) tool—whether it’s Frida, Intel PIN, or DynamoRIO—is the ability to correctly trace and reconstruct execution paths. We use Frida for its cross-platform and cross-language compatibility.
You can scan static code without compiling, running, or interpreting it, but that doesn’t mean a function will actually run. You can easily have unreachable code; in higher-level languages, it might not even be compiled or reachable. This has been proven time and again. Using Clang, you can even perform that ‘switch and pointer’ trick where you add unreachable code beneath the main entry point—and yet, it remains reachable in certain contexts.
Would a ‘vibe coder’ be able to figure this out? Of course not. It would take them hours, if not days, to find those bugs. But with components like FridaGuard, we can instrument the binary and determine whether a declared function is actually reachable. In addition to measuring technical debt (complexity and unmaintainability), we can identify redundant or unreachable functions.
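The gap between "declared" and "actually reached" can be shown in a few lines of C. This is an added example, not VibeScan or FridaGuard code: the function names are hypothetical, and the `hits[]` entry counters are a stand-in for the hooks a DBI tool such as Frida would place at each function entry.

```c
#include <stdio.h>

/* Prototypes first: the definitions sit beneath main(). */
int handle_ping(int arg);
int handle_legacy(int arg);  /* no direct call site anywhere in the program */
int handle_dead(int arg);    /* declared and defined, never entered */

enum { FN_PING, FN_LEGACY, FN_DEAD, FN_COUNT };
static const char *fn_names[FN_COUNT] = { "handle_ping", "handle_legacy", "handle_dead" };
static unsigned hits[FN_COUNT];  /* entry counters (assumed stand-in for DBI hooks) */

typedef int (*handler_t)(int);

/* Switch plus function pointer: a direct-call graph shows no caller of
 * handle_legacy, yet opcode 2 reaches it at run time. */
int dispatch(int opcode, int arg) {
    handler_t h = NULL;
    switch (opcode) {
    case 1: h = handle_ping;   break;
    case 2: h = handle_legacy; break;
    default: return -1;        /* unknown opcode: nothing is invoked */
    }
    return h(arg);
}

/* Number of declared functions that were never entered during the run. */
int count_unreached(void) {
    int n = 0;
    for (int i = 0; i < FN_COUNT; i++)
        if (hits[i] == 0) n++;
    return n;
}

unsigned hit_count(int fn) { return (fn >= 0 && fn < FN_COUNT) ? hits[fn] : 0; }

int main(void) {
    int inputs[] = { 1, 2, 2, 7 };  /* constructed opcode trace */
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        dispatch(inputs[i], 10);
    for (int i = 0; i < FN_COUNT; i++)
        printf("%-14s %s (%u hits)\n", fn_names[i],
               hits[i] ? "reached" : "unreached", hits[i]);
    return count_unreached() == 1 ? 0 : 1;
}

/* Definitions beneath main(); each records its own entry. */
int handle_ping(int arg)   { hits[FN_PING]++;   return arg + 1; }
int handle_legacy(int arg) { hits[FN_LEGACY]++; return arg * 2; }
int handle_dead(int arg)   { hits[FN_DEAD]++;   return arg - 1; }
```

A run only proves reachability for the inputs it was given, so an "unreached" verdict is evidence of dead code for that trace, not proof for every input.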
We will never ‘bolt’ AI onto this because we don’t want to create more technical debt. That’s the problem with our competitors—they just keep layering AI on top. I recently read about a ‘doomsday scenario’ called Semantic Ablation. It’s a form of confirmation bias where the model trains on previous memory and prompts, reinforcing the Dunning-Kruger effect.
In this context, a semantic is a symbol (a keyword or token), and a mnemonic carries the meaning. Tokens are the semantics LLMs use to translate keywords into back-end meaning. However, the model becomes biased the more you shape it. As you continue to prompt, semantic ablation occurs. It doesn’t matter if our competitors release custom-trained models; they all suffer from semantic ablation.
The snowballing embarrassments of AI-generated slop
In the last, maybe just over five years, I’ve seen the dumbest things come out of people’s perception of ChatGPT. I distinctly remember SANS instructors generating non-compilable malware code and sharing it on LinkedIn. I remember Marcus Hutchins ripping it apart—I think I included a YouTube video of that in my previous post. SANS had to immediately walk it back, although they are now reintroducing it to try to make malware writing ‘more efficient.’
One of the things Hutchins pointed out was that the function was located beneath the main entry point, meaning you have to declare the prototype at the top—otherwise, it’s just sloppy coding. You have to initialize and define the function correctly if you aren’t just going to paste the entire block above main().
A year or two later, a judge in the UK was messing around and called one of the LLMs (probably ChatGPT) a ‘jolly good robot’ because he wanted to use it for sentencing guidelines. That was also incredibly dense. Now, AI grifters are selling this ‘impending doom’ of losing the AI race, leading to these $100 billion projects based on flawed AI and plagiarized content.
Just recently, the Department of Defense (now effectively the ‘Department of War’) has been involved with Anthropic/Claude because Anthropic is tightening guardrails following geopolitical instability. AI is already being used destructively. We’ve seen terrible lawyers being disciplined for citing non-existent case law in sentencing memos because the AI hallucinated. We shouldn’t call them ‘hallucinations’; we should call them lies and generated technical debt.
Breaking News: Vercel is retarded
VibeScan is designed strictly to audit your code. It combines multiple tools: Semgrep for static analysis, DBI for dynamic instrumentation, S-BOMs, and token scanning via TruffleHog. It also safely lets the client—whether a large company, small business, or solo developer—know they are being legally scanned. We even added a special header, similar to how Nmap identifies its scans. Nmap can do more than just port scanning; it can do packet recommendation and test for common exploits, but most people don’t touch the Nmap Scripting Engine (NSE) for exploitation, though they do use it for validation of well-known bugs like Shellshock/Bashdoor.
Real professionals, especially neurodivergents, are being laid off or rehired at lower rates to fix slop because of mediocre to dumb managers
In some ways, the ‘nerd’ trope from old movies—the reclusive, socially awkward tech expert—has evolved. We see it in TV shows, though you don’t have to be in computer science to be a nerd; you can be a medical nerd, too.
I suspect that people who aren’t quite as bright are trying to eliminate the ‘Malcolm in the Middle’ types. In that show, Malcolm is the bright kid, but he’s ‘unfortunate’ because people don’t like how preachy he is when he tries to warn them about red flags. No one listens to him; that’s the gist of every episode. Malcolm represents the ‘Bright Kid’—the exact person AI is being positioned to replace.
Look at tools like Perplexity AI. They are ruthless, scraping people’s blogs and even museum websites to steal content. These ‘not-so-smart dipshits’ have drifted to the top. I’m not trying to insult my customer base, but the most offensive among them are clearly grifters and scammers. They see an opportunity to cut out the ‘Grown-up Malcolm’ who has been designing their backend the entire time.
A real-life Malcolm would likely have three to five master’s degrees with a mind like his. But now, they see a chance to get rid of the Malcolms and the Lisa Simpsons of the world. They’re tired of listening to the smartest people in the room—the ones they used to pay six figures—even though those people are the ones preventing the ship from sinking.
Revenge of the Mediocre: Eliminating the outspoken to be replaced with Yes-Men and Yes-Women
Yes, exactly: Revenge of the Mediocre. These days, ‘mediocre’ is a heavy insult—probably since Mad Max: Fury Road, I guess.
I distinctly remember that episode of The Simpsons where Ned Flanders finally goes apeshit and snaps at the entire population of Springfield. He described Lisa Simpson as the ‘big-brain-something girl’ who provides answers to questions that no one ever asked. It was a pretty hurtful moment, but wow—when Ned Flanders, usually an annoyingly ‘common sense’ kind of guy (despite being creepy), finally snaps, he tells the truth and becomes extremely ‘based.’
In that moment, he’s pointing out the friction between the ‘experts’ and the average person. But the reality is, when the experts are removed, the ‘mediocre’ people are left running a system they don’t actually understand.





