20 Minutes With an AI Agent Changed How I Think About Recon
TLDR: I spent 20 minutes doing AI-assisted red team simulation with Claude Cowork against a live production SaaS. No purpose-built tooling. No prior knowledge of the target. I walked away with confirmed PII exposure — real names, email addresses, account identifiers — on a live system. The same capabilities that make AI agents useful for legitimate work make them highly capable recon tools. The gap between "helpful assistant" and "passive attacker" is smaller than most people think. I’m a QA analyst and secrets management practitioner — not a red teamer by primary specialization. I don’t have a toolkit of custom scripts for offensive security work. What I do have is a browser, Claude Cowork, and enough security fundamentals to know what I’m looking at. ...