We're thrilled to announce that Trail of Bits won second place in DARPA's AI Cyber Challenge at DEF CON 33! Download our presentations to learn about Buttercup's journey and our experience competing in this groundbreaking challenge.
About Buttercup and our Approach
Competition format and outcome summary
Buttercup is an AI Cyber Reasoning System (CRS) developed by Trail of Bits. Now that DARPA's AI Cyber Challenge (AIxCC) has officially concluded, we've made Buttercup open source! Our fully automated, AI-driven system for discovering and patching vulnerabilities in open-source software is now available for the entire security community to use, extend, and benefit from.
Click on any bullet point above to explore the details of that milestone in our journey.
Tap any timeline item to learn more
Hear from experts about DARPA's AI Grand Cyber Challenge, autonomous vulnerability detection systems, and the future of AI-driven cybersecurity
The AI Cyber Challenge (AIxCC) spotlighted the potential of AI in cybersecurity. Discover what it takes to move from competition to real-world impact. Watch this recorded Q&A with Edera's Dan FernΓ‘ndez and Trail of Bits' Michael Brown covering AI-driven vulnerability management, agent design, and deploying secure AI systems at scale.
Trail of Bits' Buttercup secured $3 million in DARPA's AI Cyber Challenge, autonomously finding 28 vulnerabilities across 20 CWE categories and patching them with high accuracy. We'll show how our open-source system discovers and patches real vulnerabilities using static analysis and AI-guided fuzzing.
You'll see our multi-agent architecture in action, learn the design principles that enabled Buttercup to go beyond the AIxCC competition, and discover what we learned about when AI helps versus hurts. From laptop deployments to enterprise Kubernetes environments, we'll show how Buttercup makes world-class automated vulnerability discovery and patching accessible to everyone.
Tap any name to learn more about their role
Follow @trailofbits on X
DARPA's AIxCC finals: 7 autonomous AI systems are competing RIGHT NOW to find and patch vulnerabilities in critical open-source programs like the Linux kernel, SQLite, and cURL. π§΅
Buttercup is now open source! Here's our updated and refactored repo, suitable for use by individuals. The blog has key architectural background about how it works:
Buttercup won the $3M second prize at DARPA's AIxCC. We found 28 vulnerabilities across 20 CWEs with 90% accuracy at just $181/point, achieving this with exclusively non-reasoning LLMs.
We are excited to announce @trailofbits won a $1mil @DARPA award to compete in the AIxCC! Learn about our approach and guiding principles.
Our complete journey and insights from DARPA's AI Cyber Challenge
DARPA's official AI Cyber Challenge program information
View all seven teams that competed in the AIxCC Finals
Official AI Cyber Challenge competition website
Get in touch with our team about Buttercup and AIxCC
Explore open source code from all AIxCC finalist teams
Read the latest coverage of Buttercup's success in DARPA's AI Cyber Challenge and explore the significance of this breakthrough in automated cybersecurity.
Official DARPA announcement of the AI Cyber Challenge results. Teams discovered 54 unique synthetic vulnerabilities, patched 43, and found 18 real vulnerabilities across 54 million lines of code.
Axios explores DARPA's groundbreaking AI Cyber Challenge competition, examining how teams developed autonomous systems to find and patch software vulnerabilities at DEF CON.
Cybersecurity Dive covers DARPA's announcement of the AI Cyber Challenge winners, highlighting the potential of autonomous vulnerability detection and the competition's impact on cybersecurity.
Cyberscoop examines the results of DARPA's AI Cyber Challenge, detailing how the winning systems automated vulnerability discovery and patching processes with unprecedented effectiveness.
In-depth analysis of DARPA's groundbreaking AI Cyber Challenge, exploring how autonomous systems are revolutionizing vulnerability detection and patch deployment at unprecedented speed and scale.