LAS VEGAS — The Defense Advanced Research Projects Agency on Friday unveiled the winners of a competition to spur the development of artificial intelligence tools designed to autonomously find and fix software vulnerabilities.
Team Atlanta, Trail of Bits and Theori claimed the top three spots in DARPA’s AI Cyber Challenge, agency officials said at the DEF CON cybersecurity conference here. They will receive prizes of $4 million, $3 million and $1.5 million, respectively.
All seven finalist teams will open source their AI tools so that the entire world can use them. Four of the tools debuted on Friday, while the remaining three will be released in the next few weeks.
“They’ve shown that they can patch real software quickly, scalably [and] in a cost-effective way, and those tools are yours to use,” Andrew Carney, program manager for the competition, said during a presentation at DEF CON. “There is no excuse not to leverage this flavor of automation. And it will only get better. This is the new floor.”
DARPA launched the AI Cyber Challenge in 2023 in an effort to put AI to good use amid escalating cyberattacks that leveraged newly discovered vulnerabilities in popular software. Cyber defenders in government and industry face an uphill battle as they race to discover and fix flaws before malicious actors can find and exploit them.
“This is not a sustainable or tenable situation,” Carney said. “We can’t live like this.”
To put the teams through their paces, DARPA injected “synthetic” vulnerabilities into forked versions of real open-source projects, testing whether researchers’ AI tools could scan millions of lines of code, identify the planted flaws and patch them efficiently. Leading AI firms provided engineering assistance and more than $1 million in large language model usage credits so that teams could experiment with those models as they developed their tools.
At last year’s DEF CON, 42 teams competed in the semifinals, with seven teams advancing to the finals. In that final round, DARPA presented teams with 54 million lines of code and gave them each four hours of cloud compute time to run their models.
The results thoroughly impressed DARPA. Of the 70 synthetic vulnerabilities that the agency created, the finalists discovered 54 (a 77% success rate) and patched 43 (61%). In the process, they even found 18 real-world software vulnerabilities that are now being disclosed to developers.
“These teams found ways to leverage the LLMs alongside traditional dynamic and static analysis techniques in a way that was truly novel, innovative, and game-changing,” Carney said. “This is so exciting.”
DARPA used a scoring algorithm to evaluate each team’s performance, weighing how many vulnerabilities its software found, how many of those it fixed and how well it analyzed bug reports.
Team Atlanta, composed of representatives from Samsung Research, the Georgia Institute of Technology and two South Korean universities — the Korea Advanced Institute of Science & Technology and the Pohang University of Science and Technology — significantly outperformed its competitors, earning top marks in all but one category. Trail of Bits is a New York-based small business, while Theori is a collection of AI and cyber experts from the U.S. and South Korea.
DARPA is optimistic that its competition yielded AI tools that can help tip the scales in the contest between attackers and defenders.
“We’re living in a world right now that has ancient digital scaffolding that’s holding everything up,” said Stephen Winchell, the agency’s director. “A lot of the code bases, a lot of the languages, a lot of the ways we do business and everything we’ve built on top of it has all incurred huge technical debt over the years. And the reality is, it is a problem that is beyond human scale.”
DARPA and its sister agency at the Department of Health and Human Services, the Advanced Research Projects Agency for Health (ARPA-H), are continuing to support the competitors, offering an additional $1.4 million to help them integrate their programs into software that can help protect critical infrastructure. DARPA plans to publish the complete competition data archive over the next few months.
In a surprise appearance at the DEF CON presentation, Jim O’Neill, the deputy secretary of health and human services, praised the security community for committing their time and expertise to developing new ways of fixing problems that could endanger lives and disrupt the fabric of society.
“The stakes have never been higher,” he said, “and the opportunities have never been greater.”