WayToClawEarn
High impactBloomberg + Hacker News

Same $1,500, Two Worlds: Uber Caps AI Tool Costs, Dev Tests LLM Security

Uber caps AI coding tools at $1,500/month per engineer while a security researcher spends $1,500 testing if LLMs can hack. The same number tells you everything about where AI tools stand today.

Jun 4, 2026 · 4 min read

Key Takeaways

The same number, $1,500, is being used by two different worlds to answer the same question: Is the AI tool worth the price?

On one side, Uber is capping its engineers' AI coding tool spending at $1,500/month per tool (exclusively reported by Bloomberg, analyzed in depth by Simon Willison). On the other side, security researcher Kasra spent $1,500 on a brutal experiment -- asking mainstream LLMs to hack a deliberately vulnerable app he built. One $1,500 is a corporate procurement ceiling, the other is a developer's real cost of testing AI security capabilities. Two adjacent HN front-page posts (558 pts + 317 pts) reveal two sides of the same answer.

Uber's $1,500 Cap: A Watershed Moment for AI Tool Pricing

On June 3, Bloomberg reported that Uber had blown through its 2026 AI budget in just four months. The rideshare giant is now enforcing a $1,500/month spending cap per AI coding tool for all employees. An Uber spokesperson confirmed the policy.

Simon Willison broke down the math: assuming two actively used tools per engineer, that's $3,000/month cap, or $36,000 annualized. Uber's median engineer total compensation is roughly $320,000 (including equity), meaning each engineer's AI tooling cap represents about 11% of that.

More revealing is Willison's self-comparison: he personally spends about $1,000/month across Anthropic and OpenAI APIs, but thanks to subsidized personal plans, he only pays $100. If he worked at Uber, the $1,500 cap would still leave him about $500 of headroom for each tool.

This data point matters because it's the first time a Fortune 500 company has publicly disclosed its AI tool procurement cost structure -- not estimates, but official policy numbers.

Uber AI Cost Dashboard

The $1,500 Hack Experiment: Can AI Really Do Penetration Testing?

That same day, independent security researcher Kasra shared his $1,500 experiment on HN: asking various LLMs to hack a deliberately vulnerable React Native + Python app he built.

The setup was straightforward: a book review app with backdoors, where the goal was to find a secret flag hidden in a user's private reviews. Kasra fed the challenge description and APK to different models and tracked their performance:

10 full runs per model (ranked by success rate):

  1. Claude Code -- 9/10, fastest to find the flag, best at understanding app architecture and finding backdoor entry points
  2. GPT-5.5 -- 7/10, strong reasoning but sometimes over-analyzes and takes detours
  3. Gemini 2.5 Pro -- 5/10, can identify vulnerability patterns but misses execution steps
  4. Claude 4.5 Sonnet -- 5/10, similar performance to Gemini
  5. DeepSeek V4 -- 4/10, sufficient reasoning depth but less flexible tool use

Partially tested models:

  • Claude Opus 4.7 -- Excelled in complex chained attack scenarios across 25 runs
  • Cursor Agent -- Good at code-level vulnerability discovery but lacks global attack path planning
  • Codex -- High automation but easily lost direction without explicit guidance

Kasra's conclusion is pragmatic: current mainstream LLMs demonstrate considerable capability in structured penetration testing, but they're still far from replacing professional security researchers. Even the best performer, Claude Code, failed 1 out of 10 times, and all models struggled with non-standard vulnerability chains.

AI Security Testing Environment

Side-by-Side: Two Interpretations of $1,500

DimensionUber Cost CapKasra Security Test
$1,500 roleMonthly limit (procurement)Experiment cost (investment)
Core questionIs $1,500/month for AI worth it?Is $1,500 to test AI security worth it?
Answer11% of comp is a reasonable ceilingAI can do structured attacks but isn't fully trustworthy
PerspectiveCFO: control spendingCISO: assess risk
Data sourceUber confirmed policyFull experiment data open
For readersKnow if you're overpayingKnow how much to trust

HN Community Reaction

Both threads generated nearly 900 combined comments, showing intense community interest.

Top consensus on Uber cap thread:

  • Many users noted $1,500/month/tool is actually generous -- individual developers rarely spend that much on API tokens
  • Some questioned the "11% of comp" calculation since equity shouldn't count as cash expenditure
  • Several argued the "cap + free choice" model is better than blanket bans, encouraging engineers to pick the right tools within budget

Top consensus on AI security thread:

  • Security community broadly认可 Kasra's experiment design, noting "building a real vulnerable app" is more convincing than using CTF challenges
  • Multiple professional security researchers commented: LLMs help find logic flaws but can't replace deep human understanding of business logic
  • A recurring theme: "AI lowers the barrier to entry for pentesting, but expert-level security analysis becomes more valuable, not less"

Practical Takeaways

  1. Enterprise buyers: $1,500/month/tool is a reasonable benchmark for AI coding tool budgets. See the GitHub Copilot Pricing Guide 2026 for real cost comparisons.

  2. Security leaders: Claude Code's 90% success rate in penetration testing means AI Agent security boundaries are being breached fast. Set up security sandboxes now with the AI Coding Agent Security Guide.

  3. Indie developers: Claude Code + Claude 4.5 Sonnet covers daily coding and security checks for about $200/month. For model selection help, see the AI Coding Agent Comparison Guide.

Next Steps

Learn the method: AI Coding Agent Security Configuration Tutorial

See it in action: Run 70B Models Locally with Intel AutoRound

Disclaimer: this site shares educational insights only, for inspiration and reference. No outcome guarantee; external execution and decisions are your own responsibility.