Skip to content
Back to Blog
Announcement

Introducing IQ AI: The First Iraqi AI Bug Hunter and Pentester

Author
Ahmed Ghadban
Published
Reading time
6 min read

IQ AI is an Iraqi AI security research project focused on bug bounty, pentesting, and responsible vulnerability discovery. It was built to answer a simple question: what happens when frontier AI reasoning is pointed — carefully, ethically, and at scale — at the messy reality of modern attack surfaces? The result is an autonomous research platform that discovers, validates, and reports real-world vulnerabilities, and does so under authorized programs and coordinated disclosure.

This is our introduction: what IQ AI is, why we believe AI belongs in serious security research, why we are proud to build it in Iraq, and where we are headed next.

What is IQ AI?

IQ AI combines autonomous AI agents, frontier language models, security automation, and human researcher expertise to discover and validate vulnerabilities. Rather than a single model answering questions, IQ AI operates as a pipeline of specialized agents. A recon agent maps assets and builds a security-focused model of the target. A reasoning agent works through access control, authentication flows, API behavior, and business logic to identify plausible attack paths. A validation agent focuses on reproducible proof — turning a hypothesis into a clearly demonstrable finding. Finally, a reporting agent assembles structured write-ups with impact, reproduction steps, affected components, and remediation guidance.

Throughout, human researchers stay in the loop. AI accelerates the tedious and the broad; people provide judgment, scope discipline, and final review. The goal is not to replace the researcher, but to give a small team the reach of a much larger one.

Why AI for Bug Bounty?

Modern attack surfaces are large, complex, and constantly changing. A single application can expose hundreds of endpoints, multiple APIs, third-party integrations, and layers of access control that evolve with every deploy. Reviewing all of it by hand, repeatedly, is simply not realistic.

This is where AI earns its place. It helps with recon — enumerating and organizing a sprawling surface; pattern recognition — spotting the shape of a flaw across many similar endpoints; reasoning through application logic — following multi-step flows that a scanner would miss; and structured reporting — producing consistent, evidence-backed write-ups. Used well, AI reduces noise instead of adding to it, because every candidate finding is pushed toward concrete, reproducible proof before a human ever spends time on it.

Built in Iraq

IQ AI represents Iraqi talent in the global cybersecurity and AI community. The team behind it has spent years in offensive security and bug bounty programs, and IQ AI is the product of that experience combined with the latest advances in AI.

We believe world-class security innovation does not belong to any single region. By building IQ AI in Iraq, we want to show that ambitious, rigorous, internationally relevant work can come from here — and to help open a door for the next generation of Iraqi researchers and builders.

From Findings to CVEs

IQ AI is measured by outcomes, not activity. Through responsible disclosure, it has already helped identify vulnerabilities that became public CVEs, including CVE-2026-34912 and CVE-2026-34913 in Revive Adserver. Both are access-control weaknesses that allowed low-privileged users to create relationships they should not have been able to — exactly the kind of logic-level issue that automated scanners routinely miss and that careful, AI-assisted reasoning is well suited to surface.

Each of these findings was reported through authorized, coordinated disclosure — the only way we operate.

Our Vision

IQ AI is a long-term mission. We want to:

  • make AI-powered security research more effective and more honest;
  • reduce noise in vulnerability discovery by anchoring everything to verified impact;
  • support ethical hacking and responsible disclosure as the default;
  • help organizations understand and fix real risk, not chase false positives;
  • and show that world-class cybersecurity innovation can come from Iraq.

The platform will keep evolving — new agents, stronger models, deeper coverage of complex attack surfaces — but the principles stay fixed: authorized research, reproducible proof, and responsible disclosure.

IQ AI is only getting started.