(Design: Tharon Green | Image Credit: Yuichiro Chino/Moment/Andriy Onufriyenko/Moment/Yaroslav Kushta)
Nearly two years ago, scientists at the Defense Advanced Research Projects Agency (DARPA) within DoD launched the AI Cyber Challenge, referred to in mil-speak as AIxCC. With collaboration from Anthropic, Google, Microsoft, and OpenAI, this competition challenges entrants to use AI to find and fix software vulnerabilities in massive real-world programs. It’s a two-year marathon, with its first phase completed at the DEF CON 2024 hacker conference and the final phase scheduled for DEF CON 2025 in Las Vegas, immediately following the Black Hat conference.
This is high-level technology; it's not easily understandable for the average consumer (or computer security worker). To make it more accessible, DARPA set up the AIxCC Experience at the RSAC 2025 Conference in San Francisco, which whisks participants off to the fictional town of Northbridge to illustrate the dangers the challenge will help fend off, and how the kinds of vulnerabilities that AI could help fix might affect everyday life.
Visitors arrive in Northbridge on a special “train,” and are greeted by a friendly AI, KITI, and a not-so-friendly manifestation of malware. The experience fills a ballroom-sized area with sound, lights, video, and plenty of information. One area highlights the consequences of an attack on the Northbridge hospital. Another simulates an infrastructure attack that backs up the sewers, with a visible (if not tangible) flood hitting the walls every few minutes. It’s all just short of overwhelming, and any visitor will leave better informed.
The experience illustrates that utility control systems and infrastructure platforms are particularly vulnerable to attack. Many were built decades ago, with software fixes tacked on over the years. When a program contains millions of lines of code, finding and patching problems is almost beyond human capabilities. But it’s precisely the kind of thing AI should do well.
The Challenge Continues
DARPA—which managed the first network connection between computers in the 1960s—devised this challenge to encourage innovation in AI-powered cybersecurity. Ninety companies applied, and 42 made it into the competition. At DEF CON last summer, DARPA's experts put the contenders through rigorous tests, requiring them not only to autonomously find vulnerabilities in massive programs but to patch the problems they found.
Seven contenders made it through the semifinals, each receiving $2 million to advance their research. Later this year, the competition finals will reveal the first, second, and third-place winners, who will receive $4 million, $3 million, and $1.5 million, respectively, provided they open-source their discoveries.
The Experience Is Time-Limited, But Malware Persists
I wish I could say this experience is coming soon to a city near you, but that’s not the case. DARPA presents it strictly in connection with the challenge.
But I’m encouraged to think that AI can help defend us against malicious code and that the algorithms that make it happen will eventually be available to all as open-source code. If you’re lucky enough to attend the RSAC Conference right now, don’t miss this experience. For everyone else, help is hopefully on the way.