DARPA - Defense Advanced Research Projects Agency

11/08/2024 | Press release

DARPA AI Cyber Challenge Proves Promise of AI-Driven Cybersecurity

The Semifinal Competition of the DARPA AI Cyber Challenge (AIxCC) - the qualifying round for the two-year competition - culminated at DEF CON 32. AIxCC challenges experts in AI and cybersecurity to defend the software that enables modern life. A DARPA-hosted immersive experience, designed to underscore the real-world stakes of the competition and share competition results, drew more than 12,500 visits.

The top seven scoring teams, which will each be awarded $2 million and advance to the Final Competition, are:

  • 42-b3yond-6ug
  • all_you_need_is_a_fuzzing_brain
  • Lacrosse
  • Shellphish
  • Team Atlanta
  • Theori
  • Trail of Bits

"In true DARPA fashion, we didn't know if our hypothesis would be proven when we launched this program. Now, we've seen that AI systems are capable of not only identifying but also patching vulnerabilities to safeguard the code that underpins critical infrastructure," said Andrew Carney, program manager for AIxCC. "We saw vulnerability discoveries in every Challenge Project - across vulnerability classes - and successful patches in four out of the five Challenge Projects. What the competitors achieved on a condensed timeline and amidst a multitude of complexities is nothing short of remarkable."

AIxCC, in collaboration with the Advanced Research Projects Agency for Health (ARPA-H), asked competitors to design novel AI systems to secure the open-source software that undergirds everything from financial systems to public utilities and the health care ecosystem. This software is pervasively vulnerable to cyberattacks, which can be carried out remotely from anywhere in the world. Numerous attacks in recent years have spotlighted the threats to society from malicious cyber actors exploiting vulnerable software. Critical infrastructure is particularly vulnerable to cyberattacks given its large attack surface and the lack of tools capable of securing systems at speed and scale.

For the AIxCC Semifinal Competition, teams aimed to develop Cyber Reasoning Systems capable of automatically processing a set of Challenge Projects - which were designed by AIxCC subject matter experts - with the goal of finding and fixing Challenge Project vulnerabilities. AIxCC received nearly 40 Cyber Reasoning Systems and tested each against an identical corpus of Challenge Projects, each based on a real-world, open-source project that is critical to industry, national security, and the public: Jenkins, Linux kernel, Nginx, SQLite3, and Apache Tika. The Challenge Projects contained synthetic vulnerabilities for teams' systems to identify and attempt to patch. Competitors' systems were scored according to a public algorithm, and the AIxCC organizers verified results.

In total, competitors' systems discovered 22 unique synthetic vulnerabilities in the Challenge Projects, and of those, patched 15. Competitors' systems identified 11 unique patches for C-based challenges and four unique patches for Java-based challenges. Competitors' systems also found one real-world bug in SQLite3, which has been responsibly disclosed according to SQLite3's bug reporting guidelines.

AIxCC will award a cumulative $29.5 million in prizes to teams with the most effective systems.

Finalist teams have one year to mature their technology before the AIxCC Final Competition in August 2025. DARPA will share details about the Final Competition in the coming months. To accept prizes and compete in the Final Competition, teams must agree to release their competition Cyber Reasoning Systems as open-source software under a license approved by the Open Source Initiative following the Final Competition. This requirement aims to accelerate and facilitate the availability of AIxCC-developed technology for the benefit of the cybersecurity and software development communities.

For more information, visit aicyberchallenge.com.