DARPA eyes transition of AI Cyber Challenge tech to ‘widespread use’

After announcing the winners of its AI challenge, DARPA wants to help transition the technology into “real-world critical infrastructure-relevant software.”

The Defense Advanced Research Projects Agency has wrapped up an inaugural competition focused on using artificial intelligence to quickly find and patch cyber vulnerabilities in software.

DARPA announced the winner of the “AI Cyber Challenge” at DEF CON 2025 over the weekend. DARPA Director Stephen Winchell said four of the seven finalist systems have already been released as open source code, with plans to release the remaining systems in the coming weeks.

“Finding vulnerabilities and patching codebases using current methods is slow, expensive, and depends on a limited workforce, especially as adversaries use AI to amplify their exploits,” Winchell said in a statement. “AIxCC-developed technology will give defenders a much-needed edge in identifying and patching vulnerabilities at speed and scale.”

A cyber reasoning system designed by “Team Atlanta” was picked as the winner of the overall competition. The team consisted of experts from Georgia Tech, Samsung Research, the Korea Advanced Institute of Science & Technology, and the Pohang University of Science and Technology.

The competition was a collaboration between DARPA and the Advanced Research Projects Agency for Health (ARPA-H). The top three teams won $4 million, $3 million, and $1.5 million, respectively.

DARPA and ARPA-H announced they would be awarding an additional $1.4 million in prizes for the finalists to integrate their technology into “real-world critical infrastructure-relevant software.”

The finalists’ software will be made available under a license approved by the Open Source Initiative. DARPA says it is working with the teams “to transition the technology to widespread use.”

“The success of today’s AIxCC finalists demonstrates the real-world potential of AI to address vulnerabilities in our health care system,” ARPA-H Acting Director Jason Roos said in a statement. “ARPA-H is committed to supporting these teams to transition their technologies and make a meaningful impact in health care security and patient safety.”

DARPA announced the AI Cyber Challenge in 2023. Leading AI companies Anthropic, Google, Microsoft and OpenAI provided support for the challenge.

At the outset of the challenge, a White House official in the Biden administration said officials hope the bug-hunting-and-patching tech could be used to improve the cyber defenses of federal agencies and critical infrastructure.

“We’re certainly particularly interested in approaches that, for example, help us identify bugs in the energy grid, bugs in signaling systems for transportation, and help us not only find that but fix them,” the official said in 2023. “So this fundamentally is about finding solutions. And then we’re eagerly looking for those solutions to then apply them both for federal government and for critical infrastructure.”

Improving cybersecurity is a widely cited use case for AI. The cybersecurity industry and many agencies have been exploring the concept for several years. The National Institute of Standards and Technology and other agencies are also addressing concerns around the risks of using AI for cybersecurity.

During the final of the AI Cyber Challenge, the teams were challenged to identify and generate patches for synthetic vulnerabilities injected into 54 million lines of code.

DARPA said that the competitors were able to use their systems to discover 54 unique synthetic vulnerabilities and were able to patch all but 11 of them.

Since the competition used real software, the AI systems also discovered 18 “real, non-synthetic vulnerabilities that are being responsibly disclosed to open source project maintainers,” DARPA reported.

The winning tech could also have major implications for the bug bounty industry. DARPA reports that the competitors’ cyber reasoning systems “provided they can create valuable bug reports and patches for a fraction of the cost of traditional methods, with an average cost per competition task of about $152.” Traditional bug bounties, meanwhile, “can range from hundreds to hundreds of thousands of dollars,” DARPA reports.

© 2025 Federal News Network. All rights reserved.