Recently I've used Claude Code to perform some entry to mid level web-based CTF hunting in a fully autonomous mode (--allow-dangerously-skip-permissions in an isolated environment). It excels at low hanging fruit - XSS, other injections, IDOR, hidden form fields, session fixation, careful enumeration, etc.