Can AI find and fix bugs on its own?
DARPA’s AI Cyber Challenge (AIxCC) asked a blunt question: can a system, with no human in the loop, find real vulnerabilities in real software, prove them with working exploits, and patch them without breaking anything? Not on toy benchmarks. On the open-source code that actually runs the world.
I didn’t compete, but I’ve been working through the open-source submissions and final reports from the teams that did. It’s the most concrete read we have on where autonomous security actually is, rather than where the hype puts it.
This is the start of a series. I want to take apart what the problem really was, what the winning teams actually built, and where the open questions are for anyone, grad students especially, looking for a way in.
It rhymes with DARPA’s Cyber Grand Challenge from a decade ago, which framed autonomous find-and-patch before modern AI existed. AIxCC is that vision again, with large models in the mix.