Las Vegas―DEF CON 32―A two-year competition aimed at bringing together the brightest minds in artificial intelligence and cybersecurity has reached its midpoint, concluding its semifinal round at DEF CON 32 on August 11. The Defense Advanced Research Projects Agency (DARPA), the U.S. government agency overseeing the contest, announced seven finalists whose AI systems outperformed others in addressing security challenges. These finalists will continue competing for another year.
The AI Cyber Challenge (AIxCC) was launched by DARPA last summer in partnership with the Advanced Research Projects Agency for Health (ARPA-H). Aimed at protecting the nation from security threats posed by software vulnerabilities, the initiative brought together leading AI companies—Anthropic, Google, Microsoft, and OpenAI—along with major security communities, including the Linux Foundation, the Open Source Security Foundation (OpenSSF), Black Hat USA, and DEF CON.
AIxCC’s goal is to develop AI-powered automatic defense systems. Contestants were tasked with building AI systems that can autonomously identify and patch vulnerabilities in real-world software, such as the Linux kernel, Apache Tika, Jenkins, sqlite3, and Nginx, without any human intervention. These systems, referred to as “Cyber Reasoning Systems (CRSs)” in advanced computer studies, were put to the test in the semifinal. Each team’s AI system was run on five different programs for four hours, with scores assigned based on the tasks completed.
Out of approximately 40 contestants, seven top-scoring teams advanced to the final competition: 42-b3yond-6ug, all_you_need_is_a_fuzzing_brain, Lacrosse, Shellphish, Team Atlanta, Theori, and Trail of Bits. Each of these teams received $2 million in prize money. The final competition, scheduled for August 2025, will award an additional $8.5 million in total, with $4 million going to the first-place winner, $3 million to second place, and $1.5 million to third place.
“It was about designing a fully automated AI system that can address security problems from start to finish,” said Baek Min-woo, a Ph.D. student at the Korea Advanced Institute of Science and Technology (KAIST), in an interview with The Readable at the Las Vegas Convention Center, where the AIxCC semifinal took place alongside DEF CON 32. Baek is one of approximately 30 members of Team Atlanta, which is led by Kim Tae-soo, a professor at the College of Computing at the Georgia Institute of Technology. The team includes four research organizations: Georgia Tech, KAIST, Pohang University of Science and Technology (POSTECH), Samsung Research, and Samsung Research America.
The AIxCC demanded months of intense intellectual effort, particularly because contestants were required to develop more realistic software patches than in other competitions, according to Yun In-su, a professor at KAIST and a member of Team Atlanta. “In this competition, the programs we had to analyze for bugs were much larger than in other contests, and we were required to create individual patches for each vulnerability, closely mirroring real-life scenarios,” Yun explained in an interview with The Readable, conducted a week before the semifinal at his laboratory in Daejeon, South Korea. Unlike some competitions where participants can create a ‘superman patch’ that applies to multiple bugs simultaneously as a mitigation measure—something that doesn’t reflect the complexities of the interconnected world—DARPA’s latest challenge required contestants to develop unique solutions for each issue.
“This is a first-of-its-kind collaboration between top AI companies to empower competitors to develop AI-driven systems that address key challenges,” said Perri Adams, Program Manager of the AI Cyber Challenge at DARPA, during the AIxCC launch at Black Hat USA 2023. “What’s crucial for success here isn’t just resources, but realism. We need a competition that drives innovation around real-world problems. Our goal is to create systems that can automatically defend any kind of software from attacks, whether it’s used in commercial industries or life-saving medical devices.”
DARPA’s efforts to build a fully autonomous defense system date back nearly a decade to the Cyber Grand Challenge (CGC). In 2014, DARPA launched the CGC to address the “urgent need for automated, scalable, machine-speed vulnerability detection and patching, as more and more systems—from household appliances to major military platforms—get connected to and dependent on the internet.” The agency emphasized the necessity of such a system, noting that the traditional, human-driven approach to finding and fixing bugs had become “artisanal,” a “sluggish process that can no longer keep pace with the relentless stream of threats.”