Pwn2Own Berlin 2026: DEVCORE Wins Master of Pwn Title with Microsoft Exploits
Pwn2Own Berlin 2026, widely regarded as the leading global competition for vulnerability research, wrapped up on May 16 following three days of high-stakes challenges. Against a backdrop of rapidly advancing AI-powered vulnerability discovery and intense rivalry among elite white-hat hackers, Taiwan-based offensive cybersecurity firm DEVCORE delivered a standout performance. The company’s researchers identified flaws in four major Microsoft platforms, earning 50.5 points—more than twice the total of the nearest competitor—and claiming the prestigious Master of Pwn title.
DEVCORE Dominates Microsoft Categories at Pwn2Own Berlin
Headed by Principal Security Researcher Orange Tsai, the DEVCORE Research Team finished the event with 50.5 points and secured $505,000 in prize winnings alongside the Master of Pwn championship. During the contest, the team successfully demonstrated exploits targeting Microsoft Edge, Exchange, Windows 11, and SharePoint. DEVCORE stood out as the only team to achieve a successful browser-category exploit. The company also reinforced its reputation in Exchange Server research, becoming the only team in Pwn2Own history to successfully exploit critical Exchange vulnerabilities on two separate occasions, following an earlier victory in 2021. Their Exchange research additionally earned the competition’s highest payout for a single target.
Reflecting on the achievement, Orange Tsai said it was a privilege to bring international recognition back to Taiwan while highlighting the advanced cybersecurity research capabilities of both Taiwan and DEVCORE. He noted that the experience would further strengthen the company’s Offensive Product Security Research (OPSR) services by helping organizations uncover high-risk attack surfaces, validate exploitable attack chains, and better understand the real-world business impact of product vulnerabilities.
AI and Human Expertise Combine to Shape Modern Vulnerability Research
As generative AI tools continue to improve offensive security and vulnerability discovery capabilities, this year’s Pwn2Own competition incorporated AI models as official research targets for the first time. The broader cybersecurity industry has also seen a sharp increase in vulnerability disclosures due to AI-assisted research methods, according to reports from the Zero Day Initiative (ZDI), the event organizer.
DEVCORE integrated AI into parts of its research workflow during the competition, using it to speed up tasks such as code analysis and proof-of-concept validation. The Exchange Server vulnerability that earned the event’s top single-target reward was reportedly discovered within one week, drawing on Orange Tsai’s years of Exchange expertise while using AI as a supporting tool to develop a Remote Code Execution (RCE) exploit.
By comparison, the team’s 17.5-point Microsoft Edge exploit relied entirely on manual analysis without AI support. Researchers combined four separate logic flaws to achieve a sandbox escape technique that ZDI described as unprecedented. Due to the seriousness of the issue, Microsoft released a security update within 24 hours after the vulnerability disclosure.
Tsai emphasized that while AI significantly boosts efficiency, widespread use of these tools means many researchers often uncover the same vulnerabilities. He explained that DEVCORE’s advantage comes from focusing on unconventional bug classes and technically demanding targets that others may avoid, paired with the team’s deep low-level expertise and years of experience. According to Tsai, although AI has transformed how white-hat hackers work, discovering truly critical vulnerabilities still depends heavily on skilled researchers directing AI toward meaningful research paths.
DEVCORE Dominates Microsoft Categories at Pwn2Own Berlin
Headed by Principal Security Researcher Orange Tsai, the DEVCORE Research Team finished the event with 50.5 points and secured $505,000 in prize winnings alongside the Master of Pwn championship. During the contest, the team successfully demonstrated exploits targeting Microsoft Edge, Exchange, Windows 11, and SharePoint. DEVCORE stood out as the only team to achieve a successful browser-category exploit. The company also reinforced its reputation in Exchange Server research, becoming the only team in Pwn2Own history to successfully exploit critical Exchange vulnerabilities on two separate occasions, following an earlier victory in 2021. Their Exchange research additionally earned the competition’s highest payout for a single target.
Reflecting on the achievement, Orange Tsai said it was a privilege to bring international recognition back to Taiwan while highlighting the advanced cybersecurity research capabilities of both Taiwan and DEVCORE. He noted that the experience would further strengthen the company’s Offensive Product Security Research (OPSR) services by helping organizations uncover high-risk attack surfaces, validate exploitable attack chains, and better understand the real-world business impact of product vulnerabilities.
AI and Human Expertise Combine to Shape Modern Vulnerability Research
As generative AI tools continue to improve offensive security and vulnerability discovery capabilities, this year’s Pwn2Own competition incorporated AI models as official research targets for the first time. The broader cybersecurity industry has also seen a sharp increase in vulnerability disclosures due to AI-assisted research methods, according to reports from the Zero Day Initiative (ZDI), the event organizer.
DEVCORE integrated AI into parts of its research workflow during the competition, using it to speed up tasks such as code analysis and proof-of-concept validation. The Exchange Server vulnerability that earned the event’s top single-target reward was reportedly discovered within one week, drawing on Orange Tsai’s years of Exchange expertise while using AI as a supporting tool to develop a Remote Code Execution (RCE) exploit.
By comparison, the team’s 17.5-point Microsoft Edge exploit relied entirely on manual analysis without AI support. Researchers combined four separate logic flaws to achieve a sandbox escape technique that ZDI described as unprecedented. Due to the seriousness of the issue, Microsoft released a security update within 24 hours after the vulnerability disclosure.
Tsai emphasized that while AI significantly boosts efficiency, widespread use of these tools means many researchers often uncover the same vulnerabilities. He explained that DEVCORE’s advantage comes from focusing on unconventional bug classes and technically demanding targets that others may avoid, paired with the team’s deep low-level expertise and years of experience. According to Tsai, although AI has transformed how white-hat hackers work, discovering truly critical vulnerabilities still depends heavily on skilled researchers directing AI toward meaningful research paths.
Companies