DEF CON 33 Breakthrough: DARPA’s AI Cyber Challenge Crowns Team Atlanta as $4M Winners

If you’ve ever wished patching a critical vulnerability could happen in minutes instead of months, DEF CON 33 just gave you a reason to pay attention. At DARPA’s AI Cyber Challenge (AIxCC), autonomous systems fixed bugs in an average of 45 minutes at an estimated $152 per fix — and they found real zero-days along the way. That’s not a teaser from a vendor slide deck. It happened on stage in Las Vegas, and the code is being open-sourced.

Here’s what that means for security leaders, engineers, and anyone who cares about the fragile scaffolding of our digital world.

What Is AIxCC — And Why It Matters

AIxCC is a two-year, government-backed competition designed to push AI beyond copiloting code and into automated cyber defense. Announced at Black Hat 2023, the program challenged top teams to build AI-powered “cyber reasoning systems” capable of finding, fixing, and validating software vulnerabilities at scale.

The program is led by the Defense Advanced Research Projects Agency (DARPA) with support from the Advanced Research Projects Agency for Health (ARPA-H).
Big tech backed the effort with compute: Google Cloud, Microsoft, Anthropic, and OpenAI contributed over $1M each in AI model credits.
The final showdown took place at DEF CON 33 on August 9, where DARPA revealed the winners and, critically, committed to releasing the models so others can build on the work.

Why that matters: cyber defense has a speed problem. Vulnerability disclosure is up. Patching backlogs are huge. Attackers don’t wait. If AI can compress the time from detection to fix, defenders could finally flip the script.

Meet the Winners: Team Atlanta, Trail of Bits, and Theori

Seven finalist teams made it to DEF CON 33 after a year of building, testing, and staged evaluations. Three stood out.

1) Team Atlanta — The $4M Champions

Team Atlanta is a powerhouse collaboration of researchers from the Georgia Institute of Technology (Georgia Tech), Samsung Research, the Korea Advanced Institute of Science & Technology (KAIST), and the Pohang University of Science and Technology (POSTECH).

Their approach: blend the best of “traditional” vulnerability discovery — static analysis, dynamic analysis, and fuzzing — with modern large language models (LLMs) like OpenAI’s o4-mini, GPT-4o, and o3 to reason about patches and validate fixes. In practice, this meant automated pipelines that could:

Find exploitable weaknesses across codebases
Propose and apply candidate patches
Verify those patches didn’t break functionality
Repeat quickly, reliably, and at scale

They topped almost every category, including most real-world (not planted) vulnerabilities discovered among finalists. Team lead Taesoo Kim, a Georgia Tech professor, noted that a significant portion of the prize will go back to the institute to drive future AI-powered vulnerability research.

2) Trail of Bits — $3M Runner-Up

Trail of Bits, a New York-based security research firm, finished second with a lean team of 10 engineers. They combined their in-house cyber reasoning system, Buttercup, with LLMs like Anthropic’s Claude Sonnet 4 and OpenAI’s GPT-4.1/4.1 mini, plus the classic trio of static/dynamic analysis and fuzzing.

Notably, Trail of Bits achieved the highest coverage across unique Common Weakness Enumeration categories (CWEs) — breadth that matters for defending large, heterogeneous environments. The firm is also well-known for translating cutting-edge research into usable tools, which bodes well for real-world adoption. For a taste of their research ethos, see the Trail of Bits blog.

3) Theori — $1.5M Third Place

Theori, a team of AI researchers and veteran CTF champions from the US and South Korea, rounded out the top three. With eight DEF CON CTF finals wins in their history, Theori brought deep offensive knowledge to defensive automation — a valuable mindset when your job is to anticipate how attackers think and move.

AIxCC by the Numbers: Speed, Scale, and Cost

The final evaluation ran in a controlled environment seeded with known flaws — plus unknown ones. Teams didn’t just scan. They had to deploy, detect, patch, and prove their fixes worked. The results:

77% detection on planted flaws: 54 of 70 synthetic vulnerabilities uncovered by the finalists
43 of those 54 were patched
18 previously unknown real-world vulnerabilities (zero-days) discovered
11 of those real-world vulnerabilities were patched during the challenge
Average time to patch: 45 minutes per vulnerability
Estimated cost per completed task: $152

That last number should make engineering leaders sit up. If AI can push unit costs down while compressing mean time to remediate (MTTR), the economics of defense change.

During the announcement, AIxCC program manager Andrew Carney emphasized the stakes: “This is the new floor — it will rapidly improve.” He also confirmed that the newly discovered zero-days are going through responsible disclosure to maintainers.

Jennifer Roberts, director of resilient systems at ARPA-H, underlined why speed matters in healthcare: the sector sees an average of 491 days to patch a vulnerability, compared with 60–90 days in other sectors. That lag time is a patient safety risk. It’s also a reminder: automation isn’t a luxury; it’s how critical infrastructure catches up.

For more on vulnerability classes, see MITRE’s CWE. For broader secure-by-design guidance, visit CISA’s initiative.

Prize Money, Funding — and What Gets Open-Sourced

The AIxCC funding model was designed to catalyze usable tools, not just leaderboards.

Each of the seven finalists received $2M heading into the final year.
At DEF CON 33, DARPA awarded $4M to Team Atlanta, $3M to Trail of Bits, and $1.5M to Theori.
Before the winners were announced, Jim O’Neill, Deputy Secretary at the US Department of Health and Human Services, pledged an extra $1.4M on top of the $29.5M in planned prizes — with an eye toward making the US healthcare system “great again” by accelerating adoption of these defenses.
Following the event, Carney explained that additional funds will be distributed in phases as teams demonstrate real-world deployments in key infrastructure organizations.

On availability: DARPA confirmed that four of the seven finalist systems have already been open-sourced, including the three winners’ models. The remaining three models will roll out over the next few weeks. Expect links via the DARPA AI Cyber Challenge page and teams’ official sites. Open sourcing is essential here: reproducibility and community scrutiny harden systems faster than private demos ever could.

How These Systems Actually Work (Plain-English Version)

Think of a cyber reasoning system as a stack of specialized bots with a strategist on top.

The “bots” are analyzers: static checkers to reason about code paths, dynamic tools to observe runtime behavior, and fuzzers to shove unexpected inputs at software and see what breaks.
The “strategist” is the LLM layer. It synthesizes signals, forms hypotheses, drafts patches, and explains why a change is safe. It also helps de-duplicate findings and map them to known weakness categories (CWEs).

When wired into a tight loop, the system looks like this: 1) Find a bug candidate in a function or module. 2) Reproduce it reliably. 3) Draft a patch. 4) Run targeted tests and regression checks. 5) If it passes, submit the fix; if not, refine and retry.

It’s like pairing an elite triage nurse with a robot surgeon. The nurse decides what needs to happen. The surgeon executes with precision, checks vitals, and doesn’t get tired. Humans remain in the loop for policy, exceptions, and high-impact changes — but the heavy lifting speeds up.

Why DEF CON’s Results Are a Turning Point

Let me explain why the numbers matter beyond the leaderboard.

Speed becomes a safety feature. If healthcare averages 491 days to patch, cutting fixes to hours is transformative. That’s the difference between containing an exploit and watching it spread.
Cost curves shift. At $152 per fix during a high-stakes competition, the real-world unit cost could fall further. With less toil, human experts can focus on risk decisions, secure design, and higher-order engineering.
Discovery broadens. Teams didn’t just find planted bugs. They discovered 18 real-world zero-days and patched 11 during the event. That hints at a future where defenders proactively clean up legacy debt, not just chase headlines.
Open-source accelerates trust. When code and benchmarks are public, the community can test, adversarially probe, and improve the systems faster than any single vendor.

DARPA director Stephen Winchell put it plainly: “We’re living in a world right now that has ancient digital scaffolding… huge technical debt.” AI-driven repair crews won’t remove all of it, but they can shore up the beams while we rebuild.

What Security Teams Should Do Next

You don’t need to wait for a perfect solution. Here’s a pragmatic plan to take advantage of what AIxCC unlocked.

Pilot an automated patching lane. Start with low-risk services and CI/CD pipelines. Aim at memory-safety bugs, input validation, and common injection classes. Measure MTTR and regression rates.
Use AI for triage. Apply LLMs and analyzers to de-duplicate findings, map to CWE, and prioritize by exploitability and blast radius.
Put guardrails first. Require test coverage for AI-generated patches. Enforce code review by humans for critical systems. Log all model prompts, code changes, and test results.
Integrate with disclosure workflows. Prepare playbooks for responsible disclosure when your systems uncover real-world vulnerabilities in third-party components.
Track the right KPIs. MTTR, false-positive rate, patch regression rate, coverage across CWE classes, and developer hours saved.
Harden the AI itself. Threat-model prompt injection, data poisoning, and model drift. Red-team the AI stack like you would any exposed service.
Align with frameworks. Use NIST’s AI Risk Management Framework and CISA’s Secure by Design as scaffolding for policy and process.

Here’s why that matters: the winners didn’t invent magic. They engineered a disciplined loop. You can adopt parts of that loop today and level up over time.

Healthcare and Critical Infrastructure: What Changes First

ARPA-H’s presence wasn’t symbolic. Hospitals, biomanufacturing, and public health systems are high-value targets with sprawling, legacy-heavy software. Patching is hard. Downtime is dangerous. Automation helps by:

Scanning wide without burning out staff
Proposing contained fixes with high test coverage
Slashing the time from alert to validated patch
Freeing clinicians and IT to focus on care and resilience

Expect early wins in auxiliary systems first: non-clinical apps, third-party components, and infrastructure libraries. Over time, as confidence grows, higher-criticality systems will follow — with tighter human oversight and validation.

Risks and Realities: Attackers Will Use This Too

Dual-use is inevitable. The same AI that helps defenders find and fix bugs can help attackers find and weaponize them. That’s not a reason to slow down. It’s a reason to release responsibly and raise the baseline together.

Practical steps: – License and rate-limit hosted models to deter automated bulk abuse. – Ship with safe defaults: sanitization, SBOM insights, exploitability scoring, and mandatory testing. – Share signals. When AI uncovers a systemic weakness, coordinate with ISACs/ISAOs and relevant open-source foundations. – Invest in memory-safe languages and sandboxing. AI buys time. Secure-by-design eliminates whole classes of bugs.

As Carney said: “To make ourselves safer, we need to make everyone safer.” Open-source models plus sane guardrails are how we get there.

What’s Coming Next

More model releases. Four models are already public, with three more promised within weeks via the DARPA AIxCC page and team repositories.
Adoption milestones. DARPA and ARPA-H will release additional funds as teams prove deployment in real organizations. Expect case studies in critical infrastructure and healthcare first.
Better pipelines. The 45-minute average isn’t the ceiling. With tighter integration into CI/CD and test suites, latencies will fall.
Community hardening. As researchers probe and patch the open-sourced systems, we’ll see rapid iterations — and probably some spectacular failures along the way. That’s good. It’s how we learn.

Key Takeaways for Leaders

AI cyber defense isn’t theoretical anymore. The DEF CON 33 results show working systems that find, fix, and validate vulnerabilities end-to-end.
Speed and cost curves are bending. 45-minute patches at ~$152 per fix won’t solve everything, but they change planning math and risk posture.
Open-source will accelerate trust. Watch for releases from Team Atlanta, Trail of Bits, and Theori. Test them in sandboxes. Share what breaks.
The safest path forward is adoption with guardrails. Use frameworks, instrument your pipelines, and keep humans in the loop for high-impact changes.

If you’re considering where to start, pick one service, wire up an automated fix lane with strict tests, and define success metrics. In a month, you’ll know more than you do today.

FAQs: AIxCC, DEF CON 33, and AI Cybersecurity

Q: What is the DARPA AI Cyber Challenge (AIxCC)? A: AIxCC is a DARPA-led, two-year competition to build AI systems that automatically find and fix software vulnerabilities. It culminated at DEF CON 33 with live evaluations and a prize ceremony. Learn more at the DARPA AIxCC page.

Q: Who won AIxCC at DEF CON 33? A: Team Atlanta won $4M; Trail of Bits took second with $3M; Theori placed third with $1.5M.

Q: What did the winning systems actually do? A: They combined static and dynamic analysis, fuzzing, and LLM reasoning to detect vulnerabilities, propose patches, and validate fixes — often in less than an hour.

Q: Were the results real or synthetic? A: Both. Finalists found 77% of seeded bugs (54/70) and patched 43. They also discovered 18 previously unknown real-world vulnerabilities and patched 11 during the competition, with responsible disclosure underway.

Q: Will the AIxCC models be open-source? A: Yes. DARPA says four models are already open-sourced (including systems from the top three teams), with three more releasing in the coming weeks via the official page.

Q: How fast did the systems patch vulnerabilities? A: On average, about 45 minutes per patch, with an estimated $152 unit cost per completed task.

Q: How is healthcare involved? A: ARPA-H and HHS are backing adoption because healthcare’s patch timelines are among the slowest. Faster fixes reduce patient safety risk and ransomware exposure. See ARPA-H and HHS for context.

Q: What about safety and misuse? A: Dual-use is a real concern. Teams and agencies are emphasizing safe releases, testing, and governance. Organizations should align with NIST’s AI RMF and CISA’s Secure by Design.

Q: How can my team start using these tools? A: Begin with a sandbox. Integrate an open-sourced system into a non-critical service’s CI/CD. Require tests, code review, and full logging. Measure MTTR, regression rates, and CWE coverage.

Q: Will this replace security engineers or pentesters? A: No — it will change their work. AI handles repetitive detection and patch drafting. Humans set policy, validate high-impact changes, and design secure systems. Think augmentation, not replacement.

Q: Where can I see technical details or code? A: Watch the DARPA AIxCC site and the teams’ pages: Georgia Tech, Trail of Bits blog, and Theori.

The Bottom Line

AIxCC didn’t solve cybersecurity. It did something more useful: it proved that automated systems can find and fix real vulnerabilities fast, at lower cost, and in a way that stands up to public scrutiny. With the winning models going open-source, the baton now passes to the community — to integrate, test, and pressure these systems into maturity.

If you’re serious about resilience, pick a pilot, set guardrails, and start measuring. This is the new floor. It will rapidly improve.

Want more deep dives like this? Subscribe to stay ahead of the next big shift in AI and security — and how to put it to work in your stack.

Discover more at InnoVirtuoso.com

I would love some feedback on my writing so if you have any, please don’t hesitate to leave a comment around here or in any platforms that is convenient for you.

For more on tech and other topics, explore InnoVirtuoso.com anytime. Subscribe to my newsletter and join our growing community—we’ll create something magical together. I promise, it’ll never be boring!

Stay updated with the latest news—subscribe to our newsletter today!

Thank you all—wishing you an amazing day ahead!

DEF CON 33 Breakthrough: DARPA’s AI Cyber Challenge Crowns Team Atlanta as $4M Winners — And Signals a New Era in Cyber Defense

What Is AIxCC — And Why It Matters