Read more about DARPA’s AIxCC:
- DARPA Challenges AI Pros to Safeguard US Infrastructure
- DARPA's AI Cyber Challenge Heats Up as Healthcare Sector Watches
The AI Cyber Challenge (AIxCC), run by the Defense Advanced Research Projects Agency (DARPA), officially awarded seven semifinalists $2m each at DEFCON 32 where the agency hosted an immersive experience to underscore the real-world stakes of the competition.
The competition aims to find a cyber reasoning system to successfully find and fix vulnerabilities in open-source software.
Speaking to Infosecurity ahead of DEFCON, DARPA's information innovation office director Kathleen Fisher, said, “We’re building a city at DEFCON to be a place to show the results as they are evolving. The other purpose in building the city as the venue for showing the results is to give people who attend the visceral experience of a cyber-attack on the critical infrastructure of a city.”
The seven teams announced as semifinalists who will advance to the final competition include:
- 42-b3yond-6ug
- all_you_need_is_a_fuzzing_brain
- Lacrosse
- Shellphish
- Team Atlanta
- Theori
- Trail of Bits
“In true DARPA fashion, we didn’t know if our hypothesis would be proven when we launched this program. Now, we’ve seen that AI systems are capable of not only identifying but also patching vulnerabilities to safeguard the code that underpins critical infrastructure,” said Andrew Carney, program manager for AIxCC.
In collaboration with the Advanced Research Projects Agency for Health (ARPA-H), AIxCC asked competitors to design novel AI systems to secure the open-source software that undergirds everything from financial systems to public utilities and the healthcare ecosystem.
For the AIxCC Semifinal Competition, teams aimed to develop Cyber Reasoning Systems capable of automatically processing a set of Challenge Projects. The goal was to find and fix Challenge Project vulnerabilities.
AIxCC received nearly 40 Cyber Reasoning Systems and tested each against an identical corpus of Challenge Projects that had a basis in real-world, open-source projects that are critical to industry, national security, and the public: Jenkins, Linux kernel, Nginx, SQLite3, and Apache Tika.
The Challenge Projects contained synthetic vulnerabilities for teams’ systems to identify and attempt to patch. Competitors’ systems were scored according to a public algorithm and the AIxCC organizers verified the results.
“There will be finals next year to see how much they can mature their technology. We’re already talking about commercializing, open-sourcing and getting the technology used with critical infrastructure sectors to see to what extent we can use this technology to find and fix vulnerabilities,” Fisher said.
The AIxCC Final Competition will be held in August 2025.