Pwn2Own Berlin 2026, widely regarded as the leading global competition for vulnerability research, wrapped up on May 16 following three days of high-stakes challenges. Against a backdrop of rapidly advancing AI-powered vulnerability discovery and intense rivalry among elite white-hat hackers, Taiwan-based offensive cybersecurity firm DEVCORE delivered a standout performance. The company’s researchers identified flaws in four major Microsoft platforms, earning 50.5 points—more than twice the total of the nearest competitor—and claiming the prestigious Master of Pwn title.

DEVCORE Dominates Microsoft Categories at Pwn2Own Berlin
Headed by Principal Security Researcher Orange Tsai, the DEVCORE Research Team finished the event with 50.5 points and secured $505,000 in prize winnings alongside the Master of Pwn championship. During the contest, the team successfully demonstrated exploits targeting Microsoft Edge, Exchange, Windows 11, and SharePoint. DEVCORE stood out as the only team to achieve a successful browser-category exploit. The company also reinforced its reputation in Exchange Server research, becoming the only team in Pwn2Own history to successfully exploit critical Exchange vulnerabilities on two separate occasions, following an earlier victory in 2021. Their Exchange research additionally earned the competition’s highest payout for a single target.

Reflecting on the achievement, Orange Tsai said it was a privilege to bring international recognition back to Taiwan while highlighting the advanced cybersecurity research capabilities of both Taiwan and DEVCORE. He noted that the experience would further strengthen the company’s Offensive Product Security Research (OPSR) services by helping organizations uncover high-risk attack surfaces, validate exploitable attack chains, and better understand the real-world business impact of product vulnerabilities.

AI and Human Expertise Combine to Shape Modern Vulnerability Research
As generative AI tools continue to improve offensive security and vulnerability discovery capabilities, this year’s Pwn2Own competition incorporated AI models as official research targets for the first time. The broader cybersecurity industry has also seen a sharp increase in vulnerability disclosures due to AI-assisted research methods, according to reports from the Zero Day Initiative (ZDI), the event organizer.

DEVCORE integrated AI into parts of its research workflow during the competition, using it to speed up tasks such as code analysis and proof-of-concept validation. The Exchange Server vulnerability that earned the event’s top single-target reward was reportedly discovered within one week, drawing on Orange Tsai’s years of Exchange expertise while using AI as a supporting tool to develop a Remote Code Execution (RCE) exploit.

By comparison, the team’s 17.5-point Microsoft Edge exploit relied entirely on manual analysis without AI support. Researchers combined four separate logic flaws to achieve a sandbox escape technique that ZDI described as unprecedented. Due to the seriousness of the issue, Microsoft released a security update within 24 hours after the vulnerability disclosure.

Tsai emphasized that while AI significantly boosts efficiency, widespread use of these tools means many researchers often uncover the same vulnerabilities. He explained that DEVCORE’s advantage comes from focusing on unconventional bug classes and technically demanding targets that others may avoid, paired with the team’s deep low-level expertise and years of experience. According to Tsai, although AI has transformed how white-hat hackers work, discovering truly critical vulnerabilities still depends heavily on skilled researchers directing AI toward meaningful research paths.

In 2023, there were 2,365 cyberattacks affecting over 343 million individuals—about 10 million more than the U.S. population—according to Forbes Advisor. USA Today reports that by 2024, the cost of cybercrime is expected to hit $9.5 trillion, and by 2025, exceed $10.5 trillion. Additionally, by 2031, cyberattacks on businesses, governments, and devices are predicted to occur every two seconds. With data breaches costing an average of $4.5 million per incident, organizations can no longer afford to overlook the growing threat of cybercrime.
 
Alongside their efforts to address climate change, aging infrastructure, and environmental regulations, utility companies are also focused on safeguarding their systems from cyberattacks to ensure reliable services for their communities. While environmental challenges remain a priority, cybersecurity has become an essential part of their overall strategy.
 
With cyberattacks increasing in sophistication and frequency, utility companies must stay vigilant. A failure to do so could result in significant service disruptions and severe consequences for the communities they serve. The 2024 Black & Veatch Electric Report highlights the critical need for investment in both information technology (IT) and operational technology (OT) security. According to the report, 70% of respondents identify phishing attacks as their top IT concern, while ransomware and malware are the next most worrisome threats. For OT, malware (52%) and ransomware (47%) are the most feared, with cloud vulnerabilities concerning 35% of respondents.
 
Though no defense is impenetrable, utilities have many tools at their disposal to enhance their cyber defenses. However, the rapid increase in attacks on OT systems outpaces the maturity of many industrial cybersecurity programs. As systems become more automated and connected, they become more exposed to skilled cybercriminals, and many OT managers lack a complete understanding of their networks, further increasing vulnerability.
 
This leads to a significant issue: most utilities' cybersecurity measures are too immature to protect their OT assets adequately. Only 25% of respondents in the survey reported employing full-time cybersecurity staff, while around half have consulted external cybersecurity experts, leaving many without specialized protection. Alarmingly, 20% of respondents have never hired or consulted grid cybersecurity experts.
 
Despite this, there is some confidence in utilities' ability to withstand cyberattacks, with 70% of respondents expressing some level of confidence in their IT resilience and 71% expressing similar sentiments for OT. However, the real test lies in how quickly they can recover from an attack and minimize its impact.
 
As the energy landscape evolves and new regulatory standards emerge, utilities must do more than meet compliance requirements. While 18% of respondents believe compliance is the most critical factor in managing cyber risks, simply adhering to regulations is insufficient for real security. Compliance should not be confused with comprehensive protection, as many compliant organizations have still fallen victim to cyberattacks. Effective cybersecurity requires ongoing vigilance, regular updates, and rigorous testing of defenses to keep pace with evolving threats.
 
To illustrate, homes with not just security alarms but also gates, lighting, and warning signs are less likely to be targeted, demonstrating the importance of layered and robust defenses in cybersecurity.
 
Click here to download the 2024 Black & Veatch Electric Report.