In the shadowy realm of cybersecurity, where attackers and defenders engage in a perpetual chess match, one organization continues to rewrite the rules of engagement. The Defense Advanced Research Projects Agency (DARPA) has long been the crucible of technological innovation, and now, through the Autonomous Cyber Challenge (ASCC), they’re preparing to unleash a new generation of cyber defense capabilities that could fundamentally transform how we protect digital infrastructure.
At the heart of this transformation is Andrew Carney, a program manager who brings a unique perspective to the challenge of software vulnerabilities. “DARPA’s superpower is getting communities to collaborate that don’t typically work together,” Carney explains, his eyes lighting up with the passion of a true innovator. This collaborative spirit is at the core of DARPA’s ASCC, a groundbreaking competition that aims to revolutionize how we detect and patch software vulnerabilities.
The Problem: A Cybersecurity Bottleneck
For years, organizations have struggled with a critical challenge: finding vulnerabilities is relatively easy, but effectively patching them is exponentially more difficult. Carney has witnessed this firsthand.
“We’ve seen a pattern of folks who have given up or become frustrated with how easy it seems to be for attackers to find problems with their systems,” he says.
The statistics are sobering. In the healthcare sector alone, a 2024 report documented over 1,000 exploitable vulnerabilities in medical devices and healthcare applications. Yet, most ransomware attacks leverage only a handful of these vulnerabilities. This isn’t a problem of scarcity, but of efficiency.
The DARPA Approach: Autonomous Vulnerability Resolution
The ASCC competition represents a radical approach to this challenge. Carney and his team are developing autonomous systems capable of not just identifying vulnerabilities, but producing meaningful patches – and doing so at an unprecedented cost of just tens of dollars per patch.
“We’re changing the calculus,” Carney explains. “We’re shifting from a perspective of frustration and helplessness to one of proactive problem-solving.”
[Image: DARPA’s AIxCC Experience at RSA Conference 2025 in San Francisco]
Open Source, Open Possibilities
Perhaps most revolutionary is DARPA’s commitment to transparency. After the competition finals at DEF CON this August, the teams will release their cyber reasoning systems with a permissive open-source license. This means the knowledge and techniques developed will be available to everyone.
“It’s always been a tragedy to see DARPA programs produce interesting work that doesn’t clear the valley of transition depth,” Carney admits.
By open-sourcing the technology, they’re ensuring that the innovations don’t just remain academic exercises but become practical tools for cybersecurity professionals.
Beyond Finding Vulnerabilities
Carney is quick to dispel concerns about invasive scanning or network intrusions. “Our solution fits into the normal workflow for patching that an organization would already have,” he emphasizes.
The goal isn’t to create additional burden but to integrate seamlessly into existing cybersecurity processes.
The implications extend far beyond immediate vulnerability management. By raising the cost and complexity of attacks, the ASCC could fundamentally reshape the cybersecurity landscape.
“We’re squeezing out attackers,” Carney says. “We’re raising the cost of attacks and reducing their frequency and intensity.”
For organizations interested in applying this technology, DARPA is remarkably accessible.
“We’re prepared to assist with the application of this technology to critical infrastructure,” Carney notes, providing an email address as a direct point of contact.
[Image: DARPA AIxCC Competition Key Dates]
The Human Element
What drives this innovation isn’t just technology, but a deep commitment to solving real-world problems. “We’re trying to do things that other folks won’t try to do,” Carney reflects.
It’s this spirit of audacious innovation that has long defined DARPA’s approach to technological challenges.
Looking Ahead
As the cybersecurity landscape continues to evolve, initiatives like the ASCC represent more than just a technological solution. They represent a fundamental reimagining of how we approach software security.
“We want to enable folks to do this kind of testing themselves,” Carney says.
It’s a simple statement, but one that carries profound implications for the future of cybersecurity. The Autonomous Cyber Challenge is more than a competition. It’s a glimpse into a future where vulnerability management is proactive, efficient, and accessible to all.
About the Author
Pete Green is the CISO / CTO of Anvil Works, a ProCloud SaaS company. With over 25 years of experience in information technology and cybersecurity, Pete is a seasoned and accomplished security practitioner.
Throughout his career, he has held a wide range of technical and leadership roles, including LAN/WLAN Engineer, Threat Analyst, Security Project Manager, Security Architect, Cloud Security Architect, Principal Security Consultant, Director of IT, CTO, CEO, Virtual CISO, and CISO.
Pete has supported clients across numerous industries, including federal, state, and local government, as well as financial services, healthcare, food services, manufacturing, technology, transportation, and hospitality.
He holds a Master of Computer Information Systems in Information Security from Boston University, which is recognized as a National Center of Academic Excellence in Information Assurance / Cyber Defense (CAE IA/CD) by the NSA and DHS. He also holds a Master of Business Administration in Informatics.