Interviews
Mitchell Amadorm, Founder and CEO of Immunefi – Interview Series

Mitchell Amador, Founder and CEO of Immunefi, is a prominent blockchain security entrepreneur, angel investor, and onchain thought leader. He founded Immunefi, the leading bug bounty and security platform for the Web3 ecosystem, helping prevent more than $25 billion in potential hacks and thefts while advancing bug bounty programs as an industry standard. He has played a key role in securing major blockchain protocols, contributed to whitehat security initiatives, and also founded Instituto New Economy, a blockchain think tank that has helped position Portugal as a leading European hub for blockchain innovation.
Immunefi is a leading Web3 security platform that connects blockchain projects with ethical hackers through bug bounty programs, security reviews, and vulnerability disclosure services. The company helps protect billions of dollars in digital assets by enabling organizations to identify and fix critical security flaws before they can be exploited, serving many of the world’s largest blockchain protocols and decentralized finance (DeFi) projects.
Before founding Immunefi, you helped drive adoption at companies like SingularityNET and Steemit and were involved in shaping Portugal’s early crypto legislation. What convinced you that Web3 security was the problem worth dedicating your career to, and what gap in the market did you see when launching Immunefi?
Traditional security firms couldn’t keep pace with the speed and complexity of Web3, and there was no trusted platform that could attract elite researchers at scale while giving protocols confidence that disclosures would be handled professionally. We saw an opportunity to build the infrastructure layer for Web3 security, creating aligned incentives between projects and researchers while making proactive security a core part of how the industry operates.
You helped build Immunefi into the dominant force in Web3 security, protecting hundreds of billions of dollars in assets and handling the vast majority of critical vulnerability disclosures in crypto. Looking back on that journey, what lessons from scaling Immunefi influenced your decision to bring Code4rena’s customers and community into the Immunefi ecosystem?
One of the biggest lessons from scaling Immunefi is that security works best when talent is concentrated rather than fragmented. Bringing Code4rena’s customers and researchers into the Immunefi ecosystem allows us to strengthen both sides of the marketplace: researchers gain access to more opportunities and resources, while projects gain access to a broader set of security services backed by the largest researcher network in Web3.
Code4rena played a major role in popularizing competitive security audits in crypto. What do you think ultimately caused its business model to become difficult to sustain, and what broader lessons does that offer for the future of crowdsourced security?
The core challenge wasn’t the value of competitive audits. That value remains significant. The challenge was building a sustainable business around a standalone offering in an environment where customer expectations have evolved.
Protocols increasingly want comprehensive security solutions rather than point products. They want bug bounties, audits, threat intelligence, security operations, and incident response capabilities under one roof. As the market matured, it became harder for specialized providers to compete against platforms that could offer a broader security stack.
Many security researchers viewed Code4rena as having a unique culture and community. How do you plan to preserve what made that platform valuable while integrating users into Immunefi?
The community is ultimately what made Code4rena successful. The goal is not to replace that culture but to create an environment where it can continue to thrive with greater support and scale. The focus is on continuity rather than disruption. We want researchers to feel that they are gaining access to a broader platform without losing the aspects of the community that made them want to participate in the first place.
Traditional security audits often rely on a relatively small group of reviewers, while audit competitions can attract hundreds of researchers. How do you see audit competitions evolving over the next five years as AI becomes increasingly embedded into security workflows?
What we’ll likely see is a shift where AI handles a growing portion of repetitive analysis, pattern recognition, and initial triage, allowing researchers to spend more time on novel attack vectors and complex system-level vulnerabilities.
That evolution actually makes competitive audits more valuable. If hundreds of researchers can leverage increasingly capable AI tools, you create an environment where diverse approaches can be applied to the same codebase at unprecedented scale. The future isn’t AI replacing crowdsourced security. It’s AI amplifying the effectiveness of large researcher communities.
One of the emerging concerns you’ve highlighted is AI-generated spam submissions. How serious has this problem become, and what does it reveal about the unintended consequences of making advanced AI tools widely accessible?
The issue isn’t that AI is finding too many vulnerabilities. The issue is that it can generate large volumes of convincing but ultimately incorrect findings. Every low-quality submission consumes reviewer time and creates operational overhead.
More broadly, it demonstrates a recurring pattern in technology. When powerful tools become widely accessible, both productive and unproductive activity scales simultaneously. The organizations that succeed will be the ones that build systems capable of efficiently identifying genuine expertise and genuine findings amid a much larger volume of automated output.
Do you believe AI will ultimately improve the quality of vulnerability discovery, or are security platforms facing a long-term arms race between increasingly capable AI systems and the flood of low-quality automated submissions they can generate?
Both things are true.
AI will unquestionably improve vulnerability discovery. We are already seeing researchers use AI to accelerate workflows, analyze larger codebases, and identify potential attack vectors more efficiently than before.
At the same time, there will be an ongoing arms race between systems generating findings and systems validating them. The key differentiator won’t be who can generate the most reports. It will be who can generate the highest-confidence findings.
We are beginning to see AI-assisted researchers identify vulnerabilities faster than ever before. How close are we to AI systems independently discovering, validating, and even prioritizing critical vulnerabilities with minimal human involvement?
We’re closer to the discovery phase than many people realize. AI is already becoming useful for identifying patterns, reviewing code, and surfacing potential vulnerabilities.
Validation remains the harder challenge. Finding something that might be a vulnerability is very different from proving exploitability, understanding business impact, and accurately assessing severity. Those tasks still require substantial human judgment.
The rise of autonomous AI agents is creating entirely new attack surfaces. What security risks associated with agentic AI do you believe are currently being underestimated by both the Web3 industry and the broader enterprise market?
What is often underestimated is the complexity of the trust boundaries involved. Agentic systems don’t operate in isolation. They consume inputs from multiple sources, interact with third-party services, and make decisions based on dynamic environments. Every one of those interactions creates a potential attack surface.
I think many organizations are still applying traditional software security assumptions to systems that behave fundamentally differently. That gap will become increasingly important as autonomous agents gain broader operational authority.
Looking ahead three to five years, how do you expect AI to transform the way vulnerabilities are discovered, reported, and mitigated, and what role do you see human security researchers playing in that future?
AI will dramatically accelerate every stage of the security lifecycle. Vulnerabilities will be discovered faster, triaged faster, and in many cases mitigated faster than they are today. Security teams will have access to far more intelligence and automation than ever before.
But I don’t believe the future is one where human researchers become irrelevant. If anything, their role becomes more important. As AI handles routine tasks, human expertise shifts toward understanding novel systems, identifying unconventional attack paths, validating critical findings, and making strategic security decisions.
The most successful researchers won’t be those competing against AI. They’ll be the ones who learn how to leverage AI as a force multiplier. Security has always rewarded adaptability, and that will remain true in an AI-driven future.
Thank you for the great interview, readers who wish to learn more should visit Immunefi.












