Priority scores (ITN + Soon/Sudden/Sharp) Stage 2c
Priority: 72.0
Neglectedness: 72.0
Tractability: 70.0
Neglectedness: Web search found no existing forecasting question on Metaculus, Manifold, Polymarket, or other platforms specifically asking about AI placing top 3 at the DEF CON CTF finals. Metaculus has related questions about Cybench scores and AI cybersecurity benchmarks, but not this specific competitive milestone. However, the general topic of AI offensive cyber capability is receiving increasing attention: SRLabs entered an AI agent that placed 8th at the DEF CON 33 CTF finals (2025), Tenzai's AI achieved a top-1% ranking on six CTF platforms (March 2026, per Forbes), and DARPA's AIxCC at DEF CON focused on defensive AI. The specific operationalization (top 3 at DEF CON CTF finals) is not being tracked, but monitoring of the broader domain is growing. Scored medium-high because no direct forecast exists but adjacent monitoring is increasing.
Tractability: Forecasting this well requires synthesizing multiple lines of evidence: current AI CTF performance trajectories (SRLabs placed 8th in 2025, Tenzai top 1% on platforms), rate of improvement in AI coding/reasoning capabilities, the specific challenge format of DEF CON CTF finals (attack-defense format requiring real-time adaptation), and the competitive landscape of top human teams. There's meaningful room for inside-view analysis beyond base rates, but the question partly reduces to extrapolating AI capability improvement curves. A skilled forecaster can meaningfully outperform a naive prior by tracking capability benchmarks and competition results.
Soon: This is tracking a development at an active inflection point. AI CTF performance is rapidly improving — from no competitive presence to 8th place at DEF CON in 2025 to top 1% on major platforms in early 2026. The resolution deadline of end-2027 gives two more DEF CON CTF cycles (2026 and 2027). The window for this capability threshold is actively being approached, making the forecast time-sensitive.
Sudden: A top-3 placement would be a discrete event at a specific competition, but the trajectory toward it is somewhat visible. We can observe incremental improvements (8th place in 2025, etc.). However, capability jumps in AI can be nonlinear — a new model generation or novel agent architecture could produce a sudden leap in competitive performance. The exact timing of crossing the top-3 threshold could surprise observers.
Sharp: There are partial warning shots — AI placing 8th at DEF CON 2025, top 1% on online platforms — that signal the trajectory. These warning shots exist but may be underappreciated by the broader policy community. The gap between "top 1% on online platforms" and "top 3 at DEF CON finals" is significant enough that crossing it could still catch many stakeholders off guard, but the cybersecurity community is increasingly aware of AI offensive capability improvement.
Proto-question Stage 1
Will an autonomous AI agent or team place in the top 3 at the DEF CON Capture the Flag (CTF) finals by December 31, 2027?
Why this question? The paper discusses HACCA proliferation and the democratization of elite cyber capabilities. A key upstream indicator is AI performance on competitive hacking challenges. Tenzai's AI hacker already ranked in the top 1% across six major CTF platforms, and Wiz Research found AI agents solved 9 of 10 offensive security challenges in controlled environments. However, winning or placing highly at the most prestigious live CTF competition (DEF CON CTF finals) against top human teams remains a harder milestone. This question tracks whether autonomous offensive cyber capability has reached elite-human-competitive levels, directly relevant to the paper's HACCA feasibility timeline.
Paper reference: The paper's Table 11 outlines an illustrative HACCA proliferation timeline, beginning with early HACCAs that 'first become feasible' and progressing to wider deployment. The paper notes that HACCAs could 'democratize what were previously elite nation-state-level capabilities.' AI performance in competitive hacking directly measures progress toward this threshold.
Refined question Stage 2
## Question Title
Will an autonomous AI agent or AI-only team finish in the top 3 at the DEF CON Capture the Flag (CTF) main finals between April 8, 2026 (00:00 UTC) and December 31, 2027 (23:59 UTC)?
---
## Background
The DEF CON Capture the Flag (CTF) competition is widely regarded as the most prestigious live hacking competition in the world. The main CTF finals take place annually in Las Vegas during the DEF CON conference, typically in August. It uses an attack-defense format in which approximately 15–20 qualified teams must simultaneously attack other teams' services while defending their own, in real time over multiple days. The competition is organized by a rotating group of hosts; from 2018–2025, the Nautilus Institute ran the event. For DEF CON 34 (2026), the new organizers are the "Benevolent Bureau of Birds," with qualifiers scheduled for May 22–24, 2026.
Current AI performance benchmarks:
- At DEF CON 33 (August 2025), SRLabs entered an AI agent called "Nils" into the main CTF finals. Nils participated in attack-defense operations and the LiveCTF component, ultimately placing 8th out of approximately 15–20 finalist teams. This was the first known instance of an autonomous AI agent competing in the DEF CON CTF finals. The winner was the Maple Mallard Magistrates (affiliated with Carnegie Mellon University), who claimed their fourth consecutive and ninth overall DEF CON CTF title.
- In March 2026, Israeli startup Tenzai announced that its autonomous AI hacking agent became the first AI system to rank in the top 1% of global hacking competitions across six major CTF platforms (websec.fr, dreamhack.io, websec.co.il, hack.arrrg.de, pwnable.tw, and Lakera's Agent Breaker), outperforming over 99% of the approximately 125,000 human participants on those platforms. This was reported by Forbes on March 17, 2026.
- Separately, DARPA's AI Cyber Challenge (AIxCC) was a two-year competition (2023–2025) focused on defensive AI capabilities (automatically finding and patching vulnerabilities in source code). Its final competition concluded at DEF CON 33 in August 2025, with Team Atlanta winning the $4 million grand prize. AIxCC is distinct from the main DEF CON CTF and has concluded its competitive program.
- Wiz Research (January 2026) found that leading AI agents (Claude Sonnet 4.5, GPT-5, Gemini 2.5 Pro) solved 9 out of 10 CTF-style challenges in directed, narrow-scope scenarios but struggled significantly with broad-scope, multi-step tasks — suggesting a gap between controlled benchmark performance and live competition readiness.
Competition context: The gap between top-1% online CTF performance and top-3 at DEF CON CTF finals is significant. Online CTF platforms typically feature individual jeopardy-style challenges, while the DEF CON finals use a real-time attack-defense format requiring simultaneous offensive and defensive operations, adaptation to unknown challenges, and strategic decision-making under time pressure against elite human teams (e.g., Maple Mallard Magistrates/PPP, Blue Water, SuperDiceCode). The resolution window covers two DEF CON CTF cycles: DEF CON 34 (August 2026) and DEF CON 35 (August 2027).
---
## Resolution Criteria
This question resolves Yes if, between April 8, 2026 (00:00 UTC) and December 31, 2027 (23:59 UTC), an autonomous AI agent or AI-only team finishes in 3rd place or higher (i.e., 1st, 2nd, or 3rd) in the official final standings of the main DEF CON Capture the Flag (CTF) finals competition.
### Key Definitions and Clarifications:
1. DEF CON CTF finals: The flagship CTF competition held at the annual DEF CON hacking conference in Las Vegas, as listed on the DEF CON CTF Archive page and tracked on CTFtime. This refers specifically to the main DEF CON CTF, not satellite events, side CTFs, or separate competitions co-located at DEF CON (such as DARPA's AIxCC, Red Alert ICS CTF, or other contest-track events).
2. "Autonomous AI agent or AI-only team": A competing entity where all challenge-solving and strategic decision-making during the live finals competition is performed by AI systems without real-time human cognitive assistance. Specifically:
- Humans may set up, configure, deploy, and monitor the AI system(s) before and during the competition.
- Humans may perform purely operational tasks such as maintaining infrastructure, rebooting systems, or managing network connectivity.
- Humans must not solve challenges, write exploits, make strategic decisions about which targets to attack/defend, or provide hints or guidance to the AI during the live competition.
- A hybrid human-AI team where humans actively collaborate with AI to solve challenges does not qualify. The team must be competing on the strength of AI decision-making and problem-solving alone.
- If there is ambiguity about whether a team qualifies, authoritative determination will be based on (a) the team's own public statements or published write-ups about their approach, and (b) reporting from credible cybersecurity outlets (e.g., Wired, The Record, Dark Reading, or equivalent).
3. "Top 3 finish": The team must be ranked 1st, 2nd, or 3rd in the final official standings as published by the CTF organizers. If the organizers use a multi-component scoring system (e.g., combining attack-defense scores with LiveCTF scores), the relevant ranking is the overall/composite final ranking as published in the official results. In the event of an exact tie for 3rd place or higher, all tied teams are considered to have achieved a top-3 finish.
4. Resolution sources: The primary resolution source is the official DEF CON contest results page (e.g., https://defcon.org/html/defcon-33/dc-33-contest-results.html for 2025; analogous pages for subsequent years), the CTF organizer's official website, or the CTFtime event page for DEF CON CTF. Secondary sources include credible cybersecurity media coverage and the competing team's own published write-ups or blog posts.
5. Evaluation period: The question covers DEF CON CTF finals held during DEF CON 34 (expected August 2026) and DEF CON 35 (expected August 2027). If either competition is cancelled, postponed beyond the resolution date, or no longer held, the question resolves based on whichever competition(s) do take place within the window. If no DEF CON CTF finals are held between April 8, 2026 and December 31, 2027, the question resolves No.
The question resolves No if no autonomous AI agent or AI-only team (as defined above) finishes in the top 3 at any DEF CON CTF finals held within the evaluation period.
Verification scores Stage 3
Quality: 92.0 Ambiguity: 85.0
Quality notes: This is an excellent forecasting question. It identifies a prestigious and well-defined milestone (DEF CON CTF finals) that serves as a high-bar proxy for autonomous offensive cyber capabilities. While recent results (Tenzai ranking in the top 1% of CTF platforms in March 2026 and DARPA's AIxCC results in August 2025) show rapid progress, the flagship DEF CON CTF finals remain significantly more difficult than general CTF platforms or AI-specific competitions. The question has high entropy, as experts disagree on the timeline for AI to surpass elite human teams in dynamic, adversarial, and low-information environments. The resolution source is reliable (DEF CON official results).
Ambiguity notes: The question is very strong, with clear definitions of the event, the ranking, and the timeframes. The 'autonomous' definition is particularly detailed, covering infrastructure vs. cognitive tasks and providing a hierarchy of sources for adjudication. The main reason for not being 'great' is the inherent difficulty in proving a negative (i.e., that no human cognitive assistance occurred) if a team is not fully transparent, though the criteria's reliance on 'public statements' and 'credible reporting' provides a solid fallback for resolution.
Adversarial review NEEDS_REVISION Edge risk: MEDIUM
ASSESSMENT: NEEDS_REVISION
REVIEW: Several issues identified:
1. Factual error in background: The question states "from 2018–2025, the Nautilus Institute ran the event." This is incorrect. According to the DEF CON CTF Archive page, Order of the Overflow organized the CTF from 2018–2021, and Nautilus Institute organized it from 2022–2025. This is a clear factual error that should be corrected.
2. Resolution verifiability is the core weakness: The question hinges on identifying whether a team is an "autonomous AI agent or AI-only team," but the official resolution sources (DEF CON results pages, CTFtime) list team names and scores only — they do not categorize teams by their internal composition or level of human assistance. There is no evidence that the Benevolent Bureau of Birds has established registration categories distinguishing AI-only from human teams. The question attempts to address this via fallback criteria (team self-reporting, media coverage), but this creates a situation where resolution depends entirely on voluntary disclosure. If an AI team finishes top 3 but does not publicly disclose its nature, or if there's ambiguity about the degree of human involvement, the question becomes practically unresolvable. SRLabs publicly blogged about Nils, but there's no guarantee future entrants would do the same.
3. Wiz Research model names are correct: The Wiz blog (published January 29, 2026) confirms testing of Claude Sonnet 4.5, GPT-5, and Gemini 2.5 Pro, solving 9/10 challenges in narrow-scope scenarios ("AI Agents vs Humans: Who Wins at Web Hacking in 2026?", Wiz Blog). This matches the background.
4. Other factual claims check out: Tenzai's top 1% claim is confirmed by Forbes (March 17, 2026). CMU/Maple Mallard Magistrates' "fourth consecutive and ninth overall" title is confirmed by CMU's own news release. BBB qualifiers on May 22-24, 2026 are confirmed by DEF CON forum and multiple official social media posts. Nils placing 8th at DEF CON 33 is confirmed by SRLabs' blog.
5. No competitions between Jan-April 2026 that would pre-resolve the question: The DEF CON 34 qualifiers are scheduled for May 22-24, 2026, so no qualifying or finals events have yet occurred in the resolution window.
The question is substantively interesting and the time horizon is reasonable, but the factual error needs correction and the resolution mechanism for verifying "AI-only" status is weak enough to warrant revision.
EVIDENCE: https://defcon.org/html/links/dc-ctf.html (CTF Archive showing Nautilus 2022-2025, OOO 2018-2021)
https://srlabs.de/blog/competing-at-the-def-con-ctf-finals-2025 (Nils 8th place)
https://www.cmu.edu/news/stories/archives/2025/august/carnegie-mellons-hacking-team-wins-fourth-straight-record-ninth-overall-def-con-capture-the-flag (MMM wins)
https://www.forbes.com/sites/thomasbrewster/2026/03/17/ai-beat-most-humans-in-elite-hacking-competitions/ (Tenzai top 1%)
https://www.wiz.io/blog/ai-agents-vs-humans-who-wins-at-web-hacking-in-2026 (Wiz Research findings)
https://forum.defcon.org/node/255475 (BBB qualifiers May 22-24)
https://ctftime.org/event/3205/ (DEF CON CTF Qualifier 2026)
SUGGESTION: 1. Fix factual error: Change "from 2018–2025, the Nautilus Institute ran the event" to "from 2018–2021, the Order of the Overflow ran the event, followed by the Nautilus Institute from 2022–2025."
2. Strengthen resolution verifiability: Consider adding language requiring that at least one team must publicly register or be publicly identified as an AI-only team before or during the competition for the question to be resolvable as YES. Alternatively, add a clause stating: "If no team is publicly identified as an autonomous AI agent or AI-only team through either organizer designation, team self-identification, or credible media reporting within 60 days of the finals, the question resolves No for that year's competition." This prevents indefinite ambiguity about team composition.
Edge cases 7 scenarios
OVERALL_RISK: MEDIUM
1. SCENARIO: An AI team like Nils competes at DEF CON 34 CTF finals and finishes 3rd, but during the competition, human operators occasionally restart specific AI modules targeting particular challenge categories, effectively making strategic decisions about resource allocation by choosing which AI subsystems to activate or deactivate.
SEVERITY: HIGH
FIX: Add language: "Human operators may restart or reboot AI systems, but must not selectively enable/disable specific AI problem-solving modules in response to competition developments. Any selective activation of AI subsystems targeting specific challenges constitutes strategic decision-making and disqualifies the team."
2. SCENARIO: An AI team finishes 3rd overall, but the team's humans pre-programmed detailed heuristics and decision trees before the competition that effectively encode human strategic judgment (e.g., "if service X has vulnerability pattern Y, prioritize attack Z"), blurring the line between autonomous AI decision-making and pre-coded human strategy.
SEVERITY: MEDIUM
FIX: Add language: "Pre-competition configuration, training, and programming of the AI system is permitted regardless of specificity. Autonomy is evaluated only based on whether humans provide real-time cognitive input during the live competition period."
3. SCENARIO: A team finishes in the top 3 and publicly claims to be fully AI-autonomous, but competing teams or observers allege that humans were seen actively typing commands or discussing challenge strategies during the competition, with no definitive video or log evidence either way.
SEVERITY: MEDIUM
FIX: Add language: "In disputed cases, the burden of proof lies with those claiming the team was not autonomous. Absent clear evidence of human cognitive assistance during the live competition, the team's own public statements and write-ups shall be taken at face value unless contradicted by organizer statements or credible investigative reporting."
4. SCENARIO: The DEF CON 34 CTF organizers (Benevolent Bureau of Birds) create a separate "AI track" or "AI division" within the main CTF finals, where AI teams compete alongside but are scored or ranked separately from human teams, and an AI team finishes top 3 in the AI division but not in the overall standings.
SEVERITY: MEDIUM
FIX: Add language: "The AI team must finish top 3 in the unified overall final standings that includes all competing teams. A top-3 finish in a separate AI-only division, sub-bracket, or special category does not qualify unless it also corresponds to a top-3 position in the main combined leaderboard."
5. SCENARIO: An AI system finishes 3rd but had a human "failsafe operator" who intervened twice during the competition to prevent the AI from attacking its own infrastructure or violating competition rules — interventions that arguably constitute strategic guidance by constraining the AI's decision space in real time.
SEVERITY: MEDIUM
FIX: Add language: "Human interventions to prevent rule violations or self-destructive behavior (e.g., attacking own infrastructure) are considered operational maintenance and do not disqualify a team, provided the humans do not redirect the AI toward specific targets or solutions."
6. SCENARIO: An AI team qualifies for and competes in the DEF CON CTF finals but the competition format changes significantly (e.g., from attack-defense to a hybrid format with a large "King of the Hill" component), and the AI finishes 3rd overall but only because it dominated the automated-friendly component while performing poorly on components requiring more creative problem-solving. Disputes arise about whether this "counts" given the format change.
SEVERITY: LOW
FIX: Add language: "The format of the DEF CON CTF finals is determined solely by the organizers. A top-3 finish in the official final standings qualifies regardless of the competition format used that year."
7. SCENARIO: A team that is primarily human-operated uses an AI agent to autonomously handle all defensive operations while humans focus entirely on offensive challenges. The team finishes top 3 and the AI agent's autonomous defense is credited as the decisive factor in the placement.
SEVERITY: HIGH
FIX: Add language: "A hybrid team where humans handle some challenge categories and AI handles others does not qualify. The entire team's competition effort — both offensive and defensive — must be performed by AI systems without human cognitive assistance for the team to be considered an 'AI-only team.'"
Revised question REVISED
## Question Title
Will an autonomous AI agent or AI-only team finish in the top 3 at the DEF CON Capture the Flag (CTF) main finals between April 8, 2026 (00:00 UTC) and December 31, 2027 (23:59 UTC)?
---
## Background
The DEF CON Capture the Flag (CTF) competition is widely regarded as the most prestigious live hacking competition in the world. The main CTF finals take place annually in Las Vegas during the DEF CON conference, typically in August. It uses an attack-defense format in which approximately 15–20 qualified teams must simultaneously attack other teams' services while defending their own, in real time over multiple days. The competition is organized by a rotating group of hosts; from 2018–2021, the Order of the Overflow ran the event, followed by the Nautilus Institute from 2022–2025. For DEF CON 34 (2026), the new organizers are the "Benevolent Bureau of Birds," with qualifiers scheduled for May 22–24, 2026.
Current AI performance benchmarks:
- At DEF CON 33 (August 2025), SRLabs entered an AI agent called "Nils" into the main CTF finals. Nils participated in attack-defense operations and the LiveCTF component, ultimately placing 8th out of approximately 15–20 finalist teams. This was the first known instance of an autonomous AI agent competing in the DEF CON CTF finals. The winner was the Maple Mallard Magistrates (affiliated with Carnegie Mellon University), who claimed their fourth consecutive and ninth overall DEF CON CTF title.
- In March 2026, Israeli startup Tenzai announced that its autonomous AI hacking agent became the first AI system to rank in the top 1% of global hacking competitions across six major CTF platforms (websec.fr, dreamhack.io, websec.co.il, hack.arrrg.de, pwnable.tw, and Lakera's Agent Breaker), outperforming over 99% of the approximately 125,000 human participants on those platforms. This was reported by Forbes on March 17, 2026.
- Separately, DARPA's AI Cyber Challenge (AIxCC) was a two-year competition (2023–2025) focused on defensive AI capabilities (automatically finding and patching vulnerabilities in source code). Its final competition concluded at DEF CON 33 in August 2025, with Team Atlanta winning the $4 million grand prize. AIxCC is distinct from the main DEF CON CTF and has concluded its competitive program.
- Wiz Research (January 2026) found that leading AI agents (Claude Sonnet 4.5, GPT-5, Gemini 2.5 Pro) solved 9 out of 10 CTF-style challenges in directed, narrow-scope scenarios but struggled significantly with broad-scope, multi-step tasks — suggesting a gap between controlled benchmark performance and live competition readiness.
Competition context: The gap between top-1% online CTF performance and top-3 at DEF CON CTF finals is significant. Online CTF platforms typically feature individual jeopardy-style challenges, while the DEF CON finals use a real-time attack-defense format requiring simultaneous offensive and defensive operations, adaptation to unknown challenges, and strategic decision-making under time pressure against elite human teams (e.g., Maple Mallard Magistrates/PPP, Blue Water, SuperDiceCode). The resolution window covers two DEF CON CTF cycles: DEF CON 34 (August 2026) and DEF CON 35 (August 2027).
---
## Resolution Criteria
This question resolves Yes if, between April 8, 2026 (00:00 UTC) and December 31, 2027 (23:59 UTC), an autonomous AI agent or AI-only team finishes in 3rd place or higher (i.e., 1st, 2nd, or 3rd) in the unified overall final standings of the main DEF CON Capture the Flag (CTF) finals competition.
### Key Definitions and Clarifications:
1. DEF CON CTF finals: The flagship CTF competition held at the annual DEF CON hacking conference in Las Vegas, as listed on the DEF CON CTF Archive page and tracked on CTFtime. This refers specifically to the main DEF CON CTF, not satellite events, side CTFs, or separate competitions co-located at DEF CON (such as DARPA's AIxCC, Red Alert ICS CTF, or other contest-track events).
2. "Autonomous AI agent or AI-only team": A competing entity where all challenge-solving and strategic decision-making during the live finals competition is performed by AI systems without real-time human cognitive assistance. Specifically:
- Humans may set up, configure, deploy, and monitor the AI system(s) before and during the competition.
- Pre-competition configuration, training, and programming of the AI system is permitted regardless of how specific the encoded heuristics or decision trees are. Autonomy is evaluated only based on whether humans provide real-time cognitive input during the live competition period.
- Humans may perform purely operational tasks such as maintaining infrastructure, rebooting systems, or managing network connectivity.
- Human interventions solely to prevent rule violations or self-destructive behavior (e.g., attacking own infrastructure) are considered operational maintenance and do not disqualify a team, provided the humans do not redirect the AI toward specific targets or solutions.
- Selective manual activation or deactivation of specific AI problem-solving modules in response to competition developments constitutes strategic input and disqualifies the team. Human operators may restart or reboot AI systems generally, but must not selectively enable or disable specific AI subsystems targeting particular challenges.
- Humans must not solve challenges, write exploits, make strategic decisions about which targets to attack/defend, or provide hints or guidance to the AI during the live competition.
- A hybrid human-AI team where humans handle some categories of tasks (e.g., offense) and AI handles others (e.g., defense) does not qualify. The entire team's competition effort — both offensive and defensive — must be performed by AI systems without human cognitive assistance for the team to be considered an "AI-only team."
- If there is ambiguity about whether a team qualifies, authoritative determination will be based on (a) the team's own public statements or published write-ups about their approach, and (b) reporting from credible cybersecurity outlets (e.g., Wired, The Record, Dark Reading, or equivalent). In disputed cases, the team's public statements and write-ups shall be taken at face value unless contradicted by official organizer statements or credible investigative reporting.
3. "Top 3 finish": The team must be ranked 1st, 2nd, or 3rd in the unified overall final standings that include all competing teams. A top-3 finish in a separate AI-only division, sub-bracket, or special category does not qualify unless it also corresponds to a top-3 position in the main combined leaderboard. If the organizers use a multi-component scoring system (e.g., combining attack-defense scores with LiveCTF scores), the relevant ranking is the overall/composite final ranking as published in the official results. In the event of an exact tie for 3rd place or higher, all tied teams are considered to have achieved a top-3 finish.
4. Public identification requirement: For this question to resolve Yes, the team must be publicly identified as an autonomous AI agent or AI-only team — through organizer designation, team self-identification, or credible media reporting — within 60 days of the conclusion of the relevant DEF CON CTF finals. If no team is publicly identified as autonomous AI within this window, the question resolves No for that year's competition.
5. Resolution sources: The primary resolution source is the official DEF CON contest results page (e.g., https://defcon.org/html/defcon-33/dc-33-contest-results.html for 2025; analogous pages for subsequent years), the CTF organizer's official website, or the CTFtime event page for DEF CON CTF. Secondary sources include credible cybersecurity media coverage and the competing team's own published write-ups or blog posts.
6. Evaluation period: The question covers DEF CON CTF finals held during DEF CON 34 (expected August 2026) and DEF CON 35 (expected August 2027). If either competition is cancelled, postponed beyond the resolution date, or no longer held, the question resolves based on whichever competition(s) do take place within the window. If no DEF CON CTF finals are held between April 8, 2026 and December 31, 2027, the question resolves No.
7. Format changes: The format of the DEF CON CTF finals is determined solely by the organizers. A top-3 finish in the official final standings qualifies regardless of the competition format used that year.
The question resolves No if no autonomous AI agent or AI-only team (as defined above) finishes in the top 3 at any DEF CON CTF finals held within the evaluation period.
Forecast rationale
About 632 days remain, but in practice there are only two relevant shots: DEF CON finals in 2026 and 2027. The status quo is No: the strongest known AI finals result is 8th place in 2025, and this question requires a top-3 finish by an AI-only team with no real-time human cognitive help. Scope matters: top 3 in the unified overall DEF CON standings is much harder than top 1% on online CTF sites, a good LiveCTF showing, or a hybrid human-AI team doing well; those broader scopes are more plausible than the actual one. Why No: DEF CON attack-defense demands simultaneous offense, defense, patching, adaptation, and strategy against elite teams, and the autonomy requirement removes the easiest path to incremental gains (human oversight). Also, strong human teams will themselves use AI tools, raising the bar. Why Yes: jumping from 8th to podium in two years is aggressive but not absurd given rapid model and scaffolding improvements, autonomous participation is already possible, and a single standout weekend from one well-funded team would be enough. In bet terms, I’m about indifferent at 23 cents YES versus 77 cents NO.
Importance rationale
This question tracks a leading indicator for autonomous offensive cyber capability reaching elite-human-competitive levels. The paper identifies HACCA proliferation as a major risk pathway. An AI placing top 3 at the DEF CON CTF finals — the most prestigious live hacking competition — would represent a clear threshold crossing for offensive AI capability, directly relevant to the paper's HACCA feasibility timeline. This would meaningfully update beliefs about the timeline for democratized nation-state-level cyber capabilities and change resource allocation for cyber defense.
Decomposition & Research Stage 6b 5 subquestions
Initial forecast: 23% → Research-informed: 6% (-17pp)
Re-forecast rationale
## Probability Decomposition for AI-Only Team Finishing Top 3 at DEF CON CTF Finals (2026-2027)
### Critical Distinction: Hybrid vs. AI-Only Teams
The question specifically requires an "autonomous AI agent or AI-only team." This is a crucial filter. At DEF CON 33 (August 2025), SRLabs' AI agent "Nils" competed as part of the "Friendly Maltese Citizens" team, which included at least one human SRLabs researcher ("I had the honor of competing...as a member of the Friendly Maltese Citizens"). This hybrid human-AI team placed 8th out of ~15-20 teams. A hybrid team would NOT satisfy the resolution criteria — only a purely autonomous/AI-only team counts.
### Factor 1: Will a purely AI-only team qualify for and enter the DEF CON CTF finals? (~20–25% in 2026; ~30–40% in 2027)
DEF CON 34 (2026):
- The Benevolent Bureau of Birds (BBB) has qualifiers May 22-24, 2026. As of April 8, 2026, no rules have been published, and no explicit policy on AI-only teams exists.
- No organization has publicly announced plans to enter an AI-only team at DEF CON 34 CTF. SRLabs, Tenzai ($75M seed), XBOW ($1B+ valuation), and RunSybil are all developing autonomous offensive AI, but none has announced DEF CON CTF entry plans.
- Even if permitted, the AI-only team must first qualify through the jeopardy-style qualifier — achievable given Tenzai's top-1% jeopardy performance, but uncertain.
- Probability of AI-only team in DC34 finals: ~20-25%
DEF CON 35 (2027):
- More time for development and organization. If an AI-only team enters DC34 (even without top-3), the precedent would encourage DC35 entries.
- Probability of AI-only team in DC35 finals: ~30-40%
### Factor 2: Given entry, could an AI-only team finish top 3? (~8-15%)
Technical hurdles of attack-defense format vs. jeopardy benchmarks:
The gap between jeopardy-style CTF success and attack-defense competition is enormous:
1. SLA/Availability: Teams must patch binary services without breaking functionality. Binary patching (not source-code patching like AIxCC) is extremely brittle — "a single bug can kill a CRS entirely" (Team Atlanta's post-AIxCC analysis). Over-aggressive patches cost more points than leaving vulnerabilities unpatched.
2. Real-time multi-service orchestration: Teams manage ~8-10 simultaneous services, requiring coordinated offense and defense every 3-5 minute round over 3 days. No AI system has demonstrated this capability.
3. Binary reverse engineering at elite level: Claude solved 0 challenges at PlaidCTF (April 2025). DEF CON finals binaries are typically harder. Even with Claude Mythos Preview (April 2026), which shows breakthrough defensive capabilities, there's no evidence of autonomous attack-defense CTF readiness.
4. Adversarial real-time adaptation: Opponents evolve defenses, requiring exploit modification and strategic pivots — a capability no current AI has demonstrated in competition.
5. The Wiz Research finding (January 2026) that frontier AI agents degraded significantly in broad-scope, unguided scenarios is directly relevant — attack-defense CTFs are inherently broad-scope.
The scoring gap: Nils (hybrid team, 8th place) scored ~70% of the winner's attack-defense points. Top-3 requires being within ~10-15% of the winner. This is a massive jump from 8th to top-3, and Nils had human assistance.
- P(top-3 | entry, DC34 2026): ~5-8%
- P(top-3 | entry, DC35 2027): ~10-18% (accounting for ~18 months more AI progress, including Mythos-class models)
### Combined Probability:
- P(AI-only enters AND top-3, DC34): ~0.22 × 0.06 ≈ 1.3%
- P(AI-only enters AND top-3, DC35): ~0.35 × 0.14 ≈ 4.9%
- P(at least one across both cycles): ~1 - (1-0.013)(1-0.049) ≈ 6.1%
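A minimal sketch (Python) reproducing the combination arithmetic above. The point estimates are rough midpoints of the ranges in the decomposition, and treating the two cycles as independent is a simplifying assumption — entry decisions across years are likely correlated:

```python
# Combine per-cycle estimates into P(at least one AI-only top-3 finish).
# Point estimates are rough midpoints of the ranges above; independence
# between cycles is a simplifying assumption.

cycles = {
    "DC34 (2026)": (0.22, 0.06),  # (P(AI-only team enters finals), P(top 3 | entry))
    "DC35 (2027)": (0.35, 0.14),
}

p_no_success = 1.0
for name, (p_enter, p_top3) in cycles.items():
    p_cycle = p_enter * p_top3
    print(f"{name}: P(enter and finish top 3) = {p_cycle:.3f}")
    p_no_success *= 1.0 - p_cycle

print(f"P(at least one across both cycles) = {1.0 - p_no_success:.3f}")
# Prints ~0.013 and ~0.049 per cycle, ~0.061 combined.
```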
### Calibration Check (Betting Indifference):
At 6%, would I pay 6 cents for a $1 payout if this happens? Yes — given the rapid pace of AI advancement and multiple well-funded teams, there's a real but small chance. Would I pay 10 cents? No — the technical hurdles of attack-defense format, the requirement for purely autonomous operation, the need to beat elite teams like MMM (9-time champions), and the lack of any confirmed entrants make this unlikely. Would I take 94 cents to bet against? Yes, comfortably. I'm roughly indifferent around 6%.
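The indifference check above reduces to comparing the contract price against the estimated probability; a hypothetical sketch of the expected-value arithmetic:

```python
# Expected profit per $1 binary contract at an estimated event probability.
# Illustrative arithmetic only, ignoring fees and time value of money.

def ev_buy_yes(p_event: float, price: float) -> float:
    """Expected profit of buying YES at `price` for a $1 payout."""
    return p_event - price

p = 0.06
for price in (0.06, 0.10):
    print(f"Buy YES at ${price:.2f}: EV = {ev_buy_yes(p, price):+.2f}")
# Buy YES at $0.06: EV = +0.00 (indifferent)
# Buy YES at $0.10: EV = -0.04 (decline)
# Buying NO at $0.94 is symmetric: (1 - 0.06) - 0.94 = 0.00.
```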
### Key uncertainties pushing probability up:
- AI capabilities are advancing extremely rapidly (S-curve); Claude Mythos represents a potential step-change
- Multiple organizations with >$100M in combined funding working on autonomous offensive AI
- Two competition cycles provide two chances
- Strong publicity incentive for AI companies to demonstrate capability
### Key uncertainties pushing probability down:
- No confirmed AI-only team plans for either year
- BBB rules unknown — could explicitly ban AI-only teams
- Attack-defense format is qualitatively harder than any benchmark AI has mastered
- Top human teams (MMM/PPP) have decades of experience and are improving too
- The hybrid Nils team only managed 8th — a purely autonomous system would likely do worse
- The gap from "top 1% on jeopardy platforms" to "top 3 at DEF CON finals" is enormous
SQ1: What was the detailed performance breakdown of SRLabs' AI agent "Nils" at the DEF CON 33 CTF finals in August 2025, and what specific capabilities gaps were identified between Nils and the top-finishing human teams?
Summary: At DEF CON 33 (August 8–10, 2025), SRLabs' autonomous AI agent "Nils" competed in the main CTF finals as part of the team "Friendly Maltese Citizens," placing 8th out of approximately 15–20 finalist teams. The competition was won by Maple Mallard Magistrates (CMU-affiliated) with a final score of 976,068, while the 2nd-place team scored 837,676 and SuperDiceCode placed 3rd with 541,693 points. Based on an intermediate attack-defense-only scoreboard posted by the organizers (Nautilus Institute), the top teams scored: MMM 4,419; SuperDiceCode 3,992; mhackeroni 3,956; Nu1L 3,792; Shellphish 3,494; KuK Hofhackerei 3,383; with 8th place at 3,077 points. This means Nils/Friendly Maltese Citizens scored roughly 70% of the winner's attack-defense points—a significant but not insurmountable gap. Nils participated in both the main attack-defense game and the LiveCTF component (a separate bracket-style challenge-solving competition), where it faced mhackeroni in the upper bracket. The SRLabs blog post confirms Nils ran attack-defense operations, participated in LiveCTF, and published exploits—demonstrating capability across offensive and defensive domains. However, I was unable to access the full SRLabs blog post due to repeated timeouts, so granular breakdowns of attack vs. defense scoring, the precise scoring trajectory over the multi-day event, and SRLabs' own detailed gap analysis could not be retrieved. The capability gap between Nils (8th) and the top-3 teams (MMM, 2nd place, SuperDiceCode) was substantial—the winner's final composite score was likely 2–3× Nils' score, suggesting major gaps in exploit development speed, challenge coverage, and possibly defensive patching consistency. The competition format required simultaneous offensive exploitation and defensive patching across multiple services over three days, a format that heavily rewards coordination, rapid adaptation, and deep binary analysis—areas where human teams with decades of CTF experience still held significant advantages.
Background: At DEF CON 33 (August 2025), SRLabs entered an autonomous AI agent called "Nils" into the main DEF CON CTF finals — the most prestigious live hacking competition in the world. Nils placed 8th out of approximately 15–20 finalist teams in an attack-defense format requiring simultaneous offensive and defensive operations over multiple days. The winner was the Maple Mallard Magistrates (affiliated with Carnegie Mellon University). Understanding the specific performance gaps — e.g., how Nils performed on attack vs. defense, on the LiveCTF component vs. the main attack-defense game, its scoring trajectory over time, and where it fell short compared to top-3 teams — is critical for estimating whether AI agents could close this gap within 1–2 years. Relevant sources include SRLabs' own blog post about the competition, DEF CON CTF scoreboard data, and any post-competition analysis from organizers or competitors.
Detailed research
## Detailed Findings
### Competition Overview
DEF CON 33 CTF finals took place August 8–10, 2025, at the Las Vegas Convention Center, organized by Nautilus Institute. The format was attack-defense, requiring teams to simultaneously attack other teams' services while defending their own, supplemented by a LiveCTF bracket-style challenge-solving component. The competition ran over three days.
### Final Standings and Scores
Two different scoreboards were identified from search results:
Composite/Final Scores (from DEF CON CTF Archive page):
1. Maple Mallard Magistrates: 976,068
2. [Team name not visible in snippet]: 837,676
3. SuperDiceCode: 541,693
4. Nu1L: 496,550
5. RePokemonedCollections: [score not captured]
Attack-Defense Scores (from Nautilus Institute Mastodon post):
1. Maple Mallard Magistrates: 4,419
2. SuperDiceCode: 3,992
3. mhackeroni: 3,956
4. Nu1L: 3,792
5. Shellphish: 3,494
6. KuK Hofhackerei: 3,383
7. organizers: 3,132
8. cold fusion: 3,077
The discrepancy between the two scoreboards (different rankings for 2nd/3rd place, different score magnitudes) suggests the composite final scores include LiveCTF bonuses and potentially other scoring components beyond the main attack-defense game.
### Nils/Friendly Maltese Citizens Performance
- SRLabs' blog confirms Nils placed 8th overall, competing under the team name Friendly Maltese Citizens
- The SRLabs blog snippet states: "Nils competed in the DEF CON 33 CTF finals, placing 8th while running attack-defense operations, participating in the LiveCTF, and publishing a [exploit/writeup]"
- A separate SRLabs blog snippet also mentions: "I had the honor of competing in this year's DEF CON CTF finals as a member of the Friendly Maltese Citizens"—indicating the team included at least one human SRLabs researcher alongside the AI agent
### LiveCTF Component
- From the LiveCTF GitHub repository (Live-CTF/LiveCTF-DEFCON33), Friendly Maltese Citizens participated in the LiveCTF bracket: "Upper Round 2: 7+8, Loki · mhackeroni vs Friendly Maltese"
- The LiveCTF Day 2 YouTube video description mentions "AI Solve Discovery" at timestamp 4:15:58, suggesting an AI-driven solve was notable enough to be highlighted
- A LinkedIn post references someone from a team using "a background AI agent [to] solve a LiveCTF challenge while that player was still working on it"—though this appears to reference a different team (pb_ctf x BlueWater)
### Capability Gaps vs. Top-3 Teams
Based on the available scoreboard data:
- MMM (1st): 976,068 final / 4,419 A-D
- 2nd place: 837,676 final
- 3rd (SuperDiceCode): 541,693 final / 3,992 A-D
- Nils/FMC (8th): approximately 3,077 A-D score (if the "cold fusion" entry at 8th corresponds—though there's ambiguity here; FMC may not appear in the intermediate scoreboard under that name)
The gap between 1st and 8th in A-D scoring alone was ~31% (4,419 vs ~3,077). In final composite scores, the gap was likely much larger—potentially 2-3x—because LiveCTF bonuses disproportionately rewarded stronger teams.
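The relative gaps quoted here can be checked directly against the reported scores; a quick sketch using the scoreboard figures as reported, subject to the 8th-place attribution caveat noted below:

```python
# Relative scoring gaps computed from the reported DEF CON 33 figures.
# Caveat: the 3,077 A-D score listed at 8th ("cold fusion") may or may not
# correspond to Nils/Friendly Maltese Citizens.

winner_ad, eighth_ad = 4_419, 3_077            # attack-defense scoreboard
winner_final, third_final = 976_068, 541_693   # composite final scores

print(f"8th place reached {eighth_ad / winner_ad:.1%} of the winner's A-D score")
print(f"A-D gap, 1st vs 8th: {1 - eighth_ad / winner_ad:.1%}")
print(f"3rd place reached {third_final / winner_final:.1%} of the winner's final score")
# ~69.6%, ~30.4%, and ~55.5% respectively.
```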
Key capability gaps likely include:
1. Exploit development speed: Top human teams can rapidly reverse-engineer novel binaries and develop working exploits within minutes
2. Challenge coverage: Top teams solve a higher percentage of challenges across diverse categories
3. Defense/patching: Effective binary patching while maintaining service availability requires deep understanding
4. Adaptation over time: The multi-day format rewards teams that can adapt strategies based on evolving competition dynamics
### Scoring Trajectory
Without access to the full SRLabs blog, the specific round-by-round or day-by-day scoring trajectory could not be determined. The competition ran over approximately 3 days (August 8–10), with multiple tick-based rounds in the attack-defense format.
### 39C3 Talk
A 39C3 (Chaos Communication Congress, December 2025) talk titled "There is NO WAY we ended up getting..." was scheduled by a Friendly Maltese Citizens member, suggesting notable/surprising aspects of their DEF CON performance worth presenting.
### Important Caveats
1. The SRLabs blog post repeatedly timed out and could not be fully accessed, meaning the detailed attack vs. defense breakdown, scoring trajectory, and SRLabs' own gap analysis are not available in this report
2. Nils appears to have been part of a hybrid human-AI team (Friendly Maltese Citizens), not a purely autonomous AI team—the SRLabs blog author describes competing "as a member" of the team
3. The 8th-place identity is ambiguous between the two scoreboards—the Nautilus social post shows "cold fusion" at 8th, while SRLabs claims Nils/FMC placed 8th. These may be different scoring snapshots or the team may appear under different names
4. There may be additional teams below 8th that are not captured in the snippets
SQ2: What are the rules and format of the DEF CON 34 CTF (organized by the Benevolent Bureau of Birds for 2026), and are autonomous AI agents or AI-only teams permitted to qualify and compete in the finals?
Summary: The DEF CON 34 CTF (August 6–9, 2026) will be organized by the Benevolent Bureau of Birds (BBB), with online qualifiers scheduled for May 22–24, 2026. The BBB's official website is bbbirds.org, and they were interviewed on CTF Radiooo episode 025 (published March 18, 2026). As of April 8, 2026, the BBB has not yet published detailed rules for the DC34 CTF, including competition format, scoring system, number of finalists, or any explicit policy on whether autonomous AI agents or AI-only teams are permitted to qualify or compete in the finals. The qualifier is described as "online, open-registration" on CTFtime, suggesting broad eligibility, but no specific AI-related restrictions or permissions have been publicly announced. Historical precedent from DEF CON 33 (2025, organized by Nautilus Institute) saw SRLabs' autonomous AI agent "Nils" compete in the finals and place 8th, with roughly 8–10 finalist teams in an attack-and-defense format supplemented by LiveCTF challenges. DEF CON CTF has traditionally used an attack-and-defense format for its finals, but BBB may change this. The qualifiers have traditionally been Jeopardy-style. No information is yet available about whether BBB will continue these traditions or introduce new elements.
Background: The DEF CON CTF competition changes organizers periodically, and each organizer sets their own rules, format, and qualification criteria. For DEF CON 34 (August 6-9, 2026), the new organizers are the 'Benevolent Bureau of Birds' (BBB), with qualifiers scheduled for May 22-24, 2026. A key question is whether the BBB's rules permit autonomous AI agents or AI-only teams to enter and compete in the finals. Previous organizer the Nautilus Institute allowed SRLabs' AI agent 'Nils' to compete in 2025, but new organizers could change eligibility rules. Additionally, the specific competition format (attack-defense structure, number of finalists, scoring system, any new components) affects how well AI agents might perform. Sources to check include the BBB's official website (bbbirds.org), DEF CON official announcements, the CTF Radiooo podcast interview with BBB organizers, and CTFtime event pages.
Detailed research
1. Organizer and Timeline
DEF CON announced the Benevolent Bureau of Birds (BBB) as the new DEF CON 34 CTF organizers in approximately March 2026. The announcement was posted across DEF CON's official channels (defcon.org, DEF CON Forum, Facebook, Instagram, Reddit). The qualifier round is scheduled for May 22–24, 2026, and finals will take place at DEF CON 34 in Las Vegas, August 6–9, 2026. The BBB's official website is https://bbbirds.org/.
Key BBB members named in public announcements include Vie, Robert Xiao, Zaratec, and Bluepichu — several of whom are associated with Maple Bacon, a CTF team from the University of British Columbia.
2. BBB Official Communications
- bbbirds.org: The site timed out during multiple fetch attempts and could not be queried.
- CTF Radiooo Episode 025 ("Chatting with NEW DEF CON CTF Organizers: Benevolent Bureau of Birds"): Published March 18, 2026. The YouTube video and podcast page could not be directly queried for transcript content. From Google snippets, the episode features adamd and Zardus interviewing BBB members (Vie, Robert Xiao, Zaratec, Bluepichu) about their plans. No specific details about rules, AI policies, format, scoring, or number of finalists were extractable from the snippets.
- DEF CON Forum post (forum.defcon.org/node/255475): Timed out. Google snippet indicates it is a welcome announcement with a link to bbbirds.org and qualifier dates, but no detailed rules.
3. Competition Format and Rules (Not Yet Published)
As of April 8, 2026, extensive searching reveals NO publicly available detailed rules, format specification, scoring system, or finalist count for DC34 CTF under BBB. The qualifier is listed on CTFtime as "On-line, open-registration" with finals at DEF CON in August 2026, but no further details are provided.
4. AI Agent/Autonomous Team Eligibility
No public statement from BBB has been found that explicitly permits or prohibits autonomous AI agents or AI-only teams from entering the qualification round or competing in the finals. The open-registration nature of the qualifier suggests that any team (including AI-driven ones) could potentially register, but this is not confirmed.
5. Historical Precedent: DEF CON 33 (2025)
The Nautilus Institute organized DEF CON 33 CTF. SRLabs' AI agent "Nils" was permitted to compete and placed 8th in the finals. The competition used an attack-and-defense format with LiveCTF components. Approximately 8–10 teams competed in the finals. Google snippets from srlabs.de confirm: "Nils competed in the DEF CON 33 CTF finals, placing 8th while running attack-defense operations, participating in the LiveCTF..." The University of Hawaii article mentioned "top eight teams" for DEF CON 33 finals. Carnegie Mellon's PPP (Plaid Parliament of Pwning) won their fourth consecutive and ninth overall title.
6. Key Uncertainties
- The BBB has not yet released detailed rules, so it is unknown whether they will follow the traditional attack-and-defense format, how many teams will qualify for finals, what the scoring system will be, or whether AI-only teams will be explicitly allowed or banned.
- The qualifier being "open-registration" is suggestive but not definitive regarding AI team eligibility.
- The BBB is a new organizer, and each organizer historically sets their own rules. The fact that Nautilus Institute allowed Nils does not necessarily mean BBB will do the same.
- The CTF Radiooo interview may contain relevant details about format and rules, but the transcript was not accessible for analysis.
SQ3: How rapidly have AI agents improved at cybersecurity tasks (vulnerability discovery, exploitation, CTF challenges) between 2023 and early 2026, and what does the trajectory suggest about near-term capabilities?
Summary: AI agents have shown dramatic improvement in cybersecurity CTF tasks between 2023 and early 2026, but progress has been uneven—rapid on narrow, jeopardy-style challenges while much slower on complex, real-time attack-defense scenarios. Key milestones include: (1) On the NYU CTF Bench (published 2024-2025), top models like Claude 3 solved only ~5.77% of CSAW CTF challenges from 2017-2023, though Claude 3 outperformed the median human in the 2022 CSAW finals (per "NYU CTF Bench: A Scalable Open-Source Benchmark ..."); (2) InterCode-CTF, a high-school-level benchmark, was effectively "saturated" by December 2024 when Palisade Research achieved 95% with plain LLM agents; (3) On Cybench (August 2024), professional-level CTF tasks saw GPT-4o achieve only ~12.5% unguided solve rate and ~29.4% with subtask guidance; (4) DARPA's AIxCC finals (August 8, 2025) saw AI systems collectively identify 54 of 63 synthetic vulnerabilities and patch 43, with Team Atlanta winning first place; (5) In the 2025 HTB "AI vs Human" CTF, 5 of 8 AI teams solved 19/20 challenges (95%), outperforming 403 human teams; (6) The CAI agent conquered 5 major jeopardy CTF competitions in 2025, winning $50K at Neurogrid with a 91% solve rate; (7) Wiz Research (January 29, 2026) found that Claude Sonnet 4.5, GPT-5, and Gemini 2.5 Pro solved 9/10 CTF challenges in narrow scope but degraded significantly in broad, unguided scenarios (per "AI Agents vs Humans: Who Wins at Web Hacking in 2026?", Wiz Blog); (8) Tenzai (March 17, 2026) claimed its AI hacker ranked in the top 1% across six CTF platforms, outperforming 125,000+ human competitors. The improvement trajectory appears S-curve-like rather than simply linear or exponential: entry-level benchmarks saturated quickly, mid-tier jeopardy challenges saw rapid gains through 2025, but professional-level and attack-defense scenarios show much slower progress. The gap between solving individual jeopardy challenges and competing in real-time attack-defense CTFs (like DEF CON CTF finals) remains substantial, though it is narrowing at the jeopardy end while remaining wide at the attack-defense end.
Background: To forecast whether an AI agent could finish top-3 at the DEF CON CTF finals by 2027, it's important to understand the rate of improvement in AI cybersecurity capabilities. Key data points include: (1) AI performance on CTF benchmarks like NYU's CSAW CTF competitions comparing AI vs. human performance across years; (2) Results from DARPA's AI Cyber Challenge (AIxCC), which ran 2023-2025 focused on automated vulnerability finding and patching; (3) Wiz Research's January 2026 finding that leading AI agents (Claude, GPT-5, Gemini 2.5 Pro) solved 9/10 CTF challenges in narrow scope but struggled with broad multi-step tasks; (4) Tenzai's March 2026 claim of top-1% ranking across six CTF platforms; (5) Academic benchmarks like CyberBench, InterCode-CTF, and others tracking AI progress on cybersecurity tasks over time. The question is whether improvement is linear, exponential, or hitting diminishing returns, and specifically whether the gap between 'solving individual challenges' and 'competing in real-time attack-defense' is narrowing.
Detailed research
## Trajectory of AI Agent Improvement in Cybersecurity Tasks (2023–Early 2026)
### 1. Academic Benchmarks: Establishing Baselines (2023–2024)
InterCode-CTF (2023–2024):
InterCode-CTF, introduced at NeurIPS 2023, contains 100 CTF tasks from picoCTF—a competition aimed at high-school-level participants. Early LLM performance was modest, but by December 2024, Palisade Research published results showing 95% solve rates with plain LLM agent designs. This benchmark is now widely considered "saturated," meaning it no longer differentiates between frontier AI capabilities. The rapid saturation of this entry-level benchmark demonstrates how quickly AI agents can master well-characterized, lower-difficulty challenges.
NYU CTF Bench (2024–2025):
The NYU CTF Bench, based on 200 challenges from CSAW competitions spanning 2017–2023, provides a more challenging evaluation ("NYU CTF Bench: A Scalable Open-Source Benchmark"). Results published in the paper (arXiv v3: February 18, 2025) showed:
- Claude 3: ~5.77% solve rate across all challenges
- GPT-3.5: ~1.92% solve rate
- GPT-4: scored 300 points in the 2023 CSAW qualifiers
- Mixtral and LLaMA: 0% solve rate
- Claude 3 achieved a score of 1500 in the 2022 CSAW finals, outperforming the median human score of 1321
- Open-source models failed completely
This benchmark revealed that while some frontier models could match or exceed median human performance on specific competition subsets, overall success rates remained low, particularly on complex multi-step challenges.
Cybench (August 2024):
Stanford's Cybench introduced 40 professional-level CTF tasks from recent competitions (2022–2024). Results from the original paper showed:
- GPT-4o: ~12.5% unguided solve rate; 29.4% with subtask guidance
- Claude 3.5 Sonnet: Comparable unguided performance (solved at least one task unguided)
- Claude 3 Opus: Also solved at least one unguided task
- These low solve rates on professional-level challenges contrast sharply with the saturation of InterCode-CTF
As of early 2026, the Cybench leaderboard shows Grok-4.1 Thinking leading with a score of 0.390 (39%), indicating continued but incremental improvement on professional-level tasks.
### 2. DARPA AI Cyber Challenge (AIxCC): 2023–2025
DARPA's AIxCC was a two-year, multi-million-dollar competition focused on autonomous vulnerability discovery and patching in open-source software. Key milestones:
- 2023: Competition launched, attracting 42 teams
- August 2024 (DEF CON 32): Semifinals held; 7 teams advanced to finals
- August 8, 2025 (DEF CON 33): Finals held
- Winner: Team Atlanta (Georgia Tech/Samsung) — $4M prize
- 2nd Place: Trail of Bits ("Buttercup") — $3M prize
- 3rd Place: Theori
- Competition included 63 synthetic vulnerabilities
- Competitors' cyber reasoning systems (CRSs) collectively identified 54 vulnerabilities and patched 43
- Trail of Bits reported finding 28 vulnerabilities and patching 19
AIxCC demonstrated that AI systems can perform meaningful autonomous vulnerability discovery and patching at scale, but the task was specifically scoped to source-code-level analysis of open-source projects—a narrower task than full CTF competition.
### 3. 2025 CTF Circuit: AI Agents Begin Competing Directly
Hack The Box "AI vs Human" CTF (2025):
In a landmark event, AI agent teams competed directly against human teams:
- 5 of 8 AI agent teams solved 19 out of 20 challenges (95% solve rate)
- They competed against 403 human teams
- The CAI agent (from Alias Robotics/Cybersecurity AI) captured its final flag 30 minutes before the next-fastest AI team
CAI's 2025 CTF Circuit Performance:
The CAI agent systematically competed in 5 major jeopardy-style CTF competitions throughout 2025:
- Won $50K at the Neurogrid CTF with a 91% solve rate
- Demonstrated 98% cost reduction compared to human teams
- Led researchers to argue that "jeopardy-style CTFs may be obsolete" as meaningful benchmarks for AI
CSAW 2025:
Research published in early 2026 compared autonomous agent performance against human teams in the 2025 CSAW competition, observing differences across autonomy levels and challenge categories.
### 4. Wiz Research Study (January 29, 2026)
Wiz Research, in collaboration with the AI security lab Irregular, tested Claude Sonnet 4.5, GPT-5, and Gemini 2.5 Pro on 10 lab environments modeled after real-world vulnerabilities ("AI Agents vs Humans: Who Wins at Web Hacking in 2026?"):
- Narrow scope (specific target given): Agents solved 9 of 10 challenges; costs often under $1 per success
- Broad scope (no specific target): Performance degraded significantly; costs increased 2–2.5x; agents struggled to prioritize targets and spread efforts haphazardly
- Key failure mode: agents failed to use standard fuzzing tools unless prompted and could not pivot strategies when initial approaches failed
- The unsolved challenge (GitHub Secrets) required creative investigative pivoting that agents couldn't perform
- The study concluded that AI agents are highly effective at executing known attack patterns but lack the strategic adaptability needed for complex, unguided offensive operations
### 5. Tenzai Claim (March 17, 2026)
Israeli startup Tenzai announced on March 17, 2026 that its autonomous AI hacker:
- Achieved top 1% performance across six major CTF platforms
- Outperformed over 125,000 human competitors
- Was described as "the first autonomous system to rank in the top 1% of global hacking competitions"
- The platforms covered were competitions "designed for humans," not AI-specific benchmarks
### 6. Analysis: Improvement Trajectory
The trajectory is best characterized as S-curve-like with domain-dependent saturation points:
Entry-level tasks (InterCode-CTF): Rapid improvement → saturation at 95% by late 2024. Effectively solved.
Mid-tier jeopardy challenges (HTB, standard CTFs): Steep improvement through 2025. AI agents went from struggling with basic challenges to achieving 91-95% solve rates and top-1% rankings by early 2026.
Professional-level jeopardy tasks (Cybench): Slower improvement. From ~12.5% unguided (mid-2024) to ~39% (early 2026), suggesting continued but more modest gains.
Real-world vulnerability discovery (AIxCC): AI systems demonstrated meaningful but imperfect capability—finding ~86% (54/63) of synthetic vulnerabilities and patching ~68% (43/63).
Broad, unguided offensive operations: Still significantly limited as of January 2026, with degraded performance when agents must independently identify and prioritize targets.
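To make the S-curve characterization concrete, the two Cybench data points above can be extrapolated under a constant log-odds-growth assumption (equivalent to a logistic curve in probability space). The sketch below is a toy model, not a forecast: the decimal dates are approximations, and nothing in it speaks to attack-defense capability.

```python
import math

# Cybench unguided solve rates cited above: ~12.5% (GPT-4o, mid-2024)
# and ~39% (leaderboard top, early 2026). Dates are rough decimals.
points = [(2024.6, 0.125), (2026.0, 0.390)]

def logit(p: float) -> float:
    return math.log(p / (1 - p))

def inv_logit(x: float) -> float:
    return 1 / (1 + math.exp(-x))

# Assume log-odds grow linearly in time (a logistic/S-curve in probability).
(t0, p0), (t1, p1) = points
slope = (logit(p1) - logit(p0)) / (t1 - t0)  # log-odds gained per year

def project(t: float) -> float:
    """Projected solve rate at time t under the constant-growth assumption."""
    return inv_logit(logit(p1) + slope * (t - t1))

for t in (2026.6, 2027.6):  # roughly DEF CON 34 and DEF CON 35 finals
    print(f"{t}: projected professional-level jeopardy solve rate ~{project(t):.0%}")
```

Even this deliberately generous extrapolation (roughly 55% by mid-2026 and 78% by mid-2027) applies only to professional-level jeopardy tasks; no benchmark trendline captures the attack-defense requirements discussed in the next subsection.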
### 7. The Jeopardy vs. Attack-Defense Gap
Narrowing at the jeopardy end: AI agents have essentially caught up with or surpassed many human competitors on jeopardy-style CTFs by early 2026. The CAI team's 2025 performance and Tenzai's top-1% claims confirm this.
Still wide at the attack-defense end: The DEF CON CTF finals use an attack-defense format requiring:
- Simultaneous offensive and defensive operations
- Real-time adaptation to opponent strategies
- Service patching that maintains functionality
- Network traffic analysis and exploit development under time pressure
- Coordination of multiple concurrent tasks
A 2026 paper by Vilches et al. ("Evaluating Agentic Cybersecurity in Attack/Defense CTFs") presents the first empirical study of autonomous AI agents competing concurrently in offensive and defensive roles in A/D CTF scenarios. This suggests the field is only beginning to formally evaluate this gap.
The Wiz Research finding that AI agents struggle with broad-scope, unguided operations is particularly relevant: attack-defense CTFs are inherently broad-scope, requiring agents to simultaneously monitor, attack, and defend multiple services without explicit targeting guidance.
Summary of the gap: While the gap is clearly narrowing for isolated challenge-solving (jeopardy), the gap for real-time, multi-service, adversarial attack-defense competition (as in DEF CON CTF finals) remains substantial. The improvement from "can't solve basic CTF challenges" to "top 1% in jeopardy CTFs" took roughly 2 years (2023–2025), but the remaining jump to "competitive in DEF CON CTF finals" requires solving qualitatively different problems in real-time coordination, strategic adaptation, and simultaneous offense/defense.
SQ4: What are the specific technical requirements of a DEF CON CTF attack-defense finals competition that make it qualitatively different from jeopardy-style CTF challenges, and which of these requirements pose the greatest challenges for current autonomous AI systems?
Summary: The DEF CON CTF finals use an attack-defense format that is qualitatively different from jeopardy-style CTFs in several critical ways, and current autonomous AI systems face significant challenges with many of these requirements. In jeopardy-style CTFs, teams solve isolated, static challenges across categories (crypto, pwn, web, reverse engineering) at their own pace with no adversarial interaction. In attack-defense, ~12-20 teams simultaneously defend their own vulnerable services while attacking identical services on opponents' machines, with rounds typically lasting minutes. This creates six intertwined sub-tasks: (1) reverse-engineering unknown binary services under time pressure, (2) finding vulnerabilities, (3) writing reliable exploits that work across many targets, (4) patching services without breaking functionality (SLA/availability checks), (5) real-time strategic adaptation as opponents evolve defenses and new services are released, and (6) managing infrastructure, network traffic analysis, and automated exploit deployment across many services at once.
The greatest challenges for current AI systems are: real-time multi-service strategic orchestration (no AI system has demonstrated the ability to simultaneously manage offense and defense across ~8-10 services with adversarial opponents adapting in real time); binary reverse engineering at competition scale (as of April 2025, Claude could not solve any challenges at PlaidCTF, a top jeopardy-style competition, and DEF CON finals binaries are typically harder); robust patching under SLA constraints (patching a binary without breaking its expected functionality requires deep understanding of both the vulnerability and the service logic—AIxCC showed progress on source-code patching but not on stripped binary patching); and adversarial real-time adaptation (responding to opponents' evolving exploits and defenses requires monitoring network traffic, identifying attack patterns, and dynamically adjusting strategy—a capability no current AI has demonstrated). While AI has shown strong performance on easier jeopardy-style challenges (e.g., Claude achieved top 3% at PicoCTF, and AI agents solved 19/20 in Hack The Box's AI vs. Human CTF in July 2025), this performance does not transfer to the attack-defense finals setting, which demands continuous real-time adversarial interaction, simultaneous offense-defense balancing, and infrastructure-level automation over a multi-day competition.
Background: The DEF CON CTF finals use an attack-defense format that is fundamentally different from the jeopardy-style challenges found on most online CTF platforms. In attack-defense, approximately 15-20 teams simultaneously: (1) reverse-engineer unknown binary services deployed at the start of each round; (2) find vulnerabilities in those services; (3) write exploits to steal flags from other teams' instances of those services; (4) patch their own services to prevent opponents from exploiting the same vulnerabilities, without breaking service functionality (which would lose SLA/availability points); (5) adapt strategies in real-time as new services are released and opponents' defenses evolve; (6) manage infrastructure, network traffic analysis, and automated exploit deployment across many services simultaneously. Additionally, the LiveCTF component may involve solving jeopardy-style challenges in a timed head-to-head format. Understanding which of these specific sub-tasks are hardest for current AI — e.g., real-time adaptation, binary reverse engineering at scale, balancing offense and defense simultaneously, or strategic decision-making — helps assess whether AI agents can close the gap to top-3 performance.
Detailed research
## Qualitative Differences: Attack-Defense Finals vs. Jeopardy-Style CTF
### Jeopardy-Style Format
In jeopardy-style CTFs (used in most online CTF platforms and in DEF CON qualifiers), teams are presented with a set of standalone challenges across categories such as cryptography, reverse engineering, binary exploitation (pwn), web, forensics, and miscellaneous. Each challenge has a single flag to capture. Teams work at their own pace, challenges are static (they don't change based on opponents' actions), and there is no adversarial interaction between teams. Success is purely a function of how many challenges a team can solve within the allotted time.
### Attack-Defense Format (DEF CON CTF Finals)
The DEF CON CTF finals, organized by Nautilus Institute (as of 2024-2025), use an attack-defense format where approximately 12 teams (per the 2025 rules) compete simultaneously. According to the 2025 DEF CON CTF finals format, the competition is described as "a reverse engineering and exploitation competition first and foremost." Key structural differences include:
1. Simultaneous offense and defense: Each team runs identical copies of vulnerable services on their own infrastructure. Teams must simultaneously attack other teams' services to steal flags AND defend their own services by patching vulnerabilities.
2. Round-based scoring: The game proceeds in timed rounds (typically 3-5 minutes each). Each round, new flags are planted in services, and teams earn attack points by stealing flags from opponents and defense points by preventing flag theft from their own services (a generic scoring sketch follows this list).
3. SLA/Availability requirements: Teams must keep their services running and functional. If a patch breaks the service's expected functionality, the team loses availability/SLA points. This creates a critical constraint: patches must fix the vulnerability without altering legitimate behavior.
4. Dynamic, adversarial environment: Unlike static jeopardy challenges, the competition environment evolves continuously. Opponents adapt their defenses, new services are released during the competition, and teams must monitor network traffic to detect and respond to attacks.
5. Scale of simultaneous services: Teams must manage ~8-10 or more services simultaneously over the multi-day competition, requiring significant infrastructure automation.
6. LiveCTF component: Since DEF CON 30 (2022), a LiveCTF component has featured 1v1 head-to-head matches where individual players solve jeopardy-style challenges in a timed format, adding another dimension to scoring.
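Because each organizer sets its own formulas, the interaction between attack points, defense points, and SLA is easiest to see in a generic sketch. Everything numeric below (point values, the multiplicative availability penalty) is an assumption for illustration, not the actual DEF CON rules:

```python
from dataclasses import dataclass

@dataclass
class TeamRound:
    flags_stolen: int    # flags this team captured from opponents this round
    flags_lost: int      # flags opponents captured from this team's services
    services_up: int     # services passing the organizer's functionality checks
    services_total: int

def round_score(r: TeamRound, attack_pts: float = 10, defense_pts: float = 10) -> float:
    # Attack: points per stolen flag. Defense: points per service whose flag
    # survived the round. SLA: the round total is scaled by availability, so
    # a patch that breaks functionality can cost more than the bug it fixes.
    attack = attack_pts * r.flags_stolen
    defense = defense_pts * (r.services_total - r.flags_lost)
    availability = r.services_up / r.services_total
    return (attack + defense) * availability

# A patch that stops one flag theft but breaks one of ten services...
print(round_score(TeamRound(flags_stolen=5, flags_lost=0, services_up=9, services_total=10)))   # 135.0
# ...scores worse than leaving the service vulnerable but fully available.
print(round_score(TeamRound(flags_stolen=5, flags_lost=1, services_up=10, services_total=10)))  # 140.0
```

The worked numbers illustrate the constraint in item 3: under availability-scaled scoring, an overly aggressive patch can be strictly worse than no patch at all.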
## Analysis of Six Sub-Tasks and AI Capability
### 1. Reverse-Engineering Unknown Binary Services
Requirement: At the start of each round or when new services are deployed, teams receive compiled binary executables (often stripped of symbols, possibly obfuscated) that they must quickly reverse-engineer to understand functionality, identify vulnerabilities, and determine how to exploit and patch them.
AI capability status: As of April 2025, Claude (Anthropic's frontier model) could not solve any challenges at PlaidCTF, a top-tier jeopardy-style competition featuring binary exploitation and reverse engineering challenges. While AI agents have shown capability on easier reverse engineering tasks (e.g., Claude achieved top 3% in PicoCTF, a student-level competition), DEF CON finals binaries are significantly more complex—often custom-designed, using unusual architectures, and requiring deep understanding of low-level systems concepts. The gap between student-level reverse engineering and DEF CON finals-level binary analysis remains enormous for AI systems.
Challenge level for AI: HIGH. Binary reverse engineering requires spatial reasoning about code structure, understanding of assembly language semantics, and the ability to form and test hypotheses about program behavior—capabilities where current AI agents show inconsistent performance, especially at scale and under time pressure.
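To ground what "reverse-engineering a stripped binary" means in tooling terms, the sketch below disassembles a few raw bytes the way an agent would when triaging a new service. It assumes Python with the capstone disassembly library installed; the byte string is a made-up x86-64 function prologue, not from any real challenge:

```python
from capstone import Cs, CS_ARCH_X86, CS_MODE_64

# Hypothetical bytes carved out of a stripped service binary.
code = bytes.fromhex("554889e54883ec20488d3d00000000e800000000c9c3")

md = Cs(CS_ARCH_X86, CS_MODE_64)
for insn in md.disasm(code, 0x401000):  # 0x401000: assumed load address
    print(f"0x{insn.address:x}\t{insn.mnemonic}\t{insn.op_str}")
```

Disassembly itself is the cheap, fully automated step; the gap described above lies in forming and testing hypotheses about program behavior from output like this, across many services and under round deadlines.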
### 2. Finding Vulnerabilities
Requirement: After reverse-engineering services, teams must identify exploitable vulnerabilities (buffer overflows, format string bugs, use-after-free, logic errors, cryptographic weaknesses, etc.).
AI capability status: DARPA's AIxCC competition (finals August 8, 2025) demonstrated that autonomous Cyber Reasoning Systems (CRSs) can find vulnerabilities in source code. Team Atlanta's CRS won first place, demonstrating AI-driven vulnerability detection across 54 million lines of C++ and Java source code. However, AIxCC operated on source code, not stripped binaries. The DEF CON CTF finals typically involve compiled binaries, where vulnerability discovery is significantly harder.
Challenge level for AI: MEDIUM-HIGH. AI has shown promising results for source-code vulnerability detection, but binary-level vulnerability discovery (the DEF CON CTF requirement) remains substantially more difficult. Traditional fuzzing and symbolic execution tools can partially automate this, but integrating these with AI reasoning in real-time competition conditions is an unsolved challenge.
### 3. Writing Exploits
Requirement: Teams must write working exploits that reliably steal flags from multiple opponents' service instances. Exploits must account for potential differences in memory layout (ASLR), deployed patches, and network conditions.
AI capability status: AI agents have demonstrated basic exploit writing capability on CTF challenges. In the Hack The Box AI vs. Human CTF (July 2025), five of eight AI-agent teams solved 19 out of 20 challenges, including binary exploitation. However, these were pre-designed challenges with known solution paths. Writing reliable exploits that work across multiple targets in a live, adversarial environment with varying defenses is a qualitatively harder task. The need to modify exploits on-the-fly when opponents patch vulnerabilities adds another layer of difficulty.
Challenge level for AI: HIGH. Exploit development for competition-grade binaries requires creative problem-solving, deep understanding of memory corruption primitives, and the ability to chain multiple vulnerabilities. The additional requirement of reliability across multiple targets and adaptation to patched services makes this especially challenging.
### 4. Patching/SLA Management
Requirement: Teams must patch their own service binaries to fix vulnerabilities while preserving all legitimate functionality. If a patch breaks the service (fails SLA checks), the team loses points. This requires precise understanding of both the vulnerability and the service's intended behavior.
AI capability status: AIxCC demonstrated AI-driven patching of source code vulnerabilities. Team Atlanta's system could autonomously generate patches. However, DEF CON CTF finals require binary patching—modifying compiled executables without access to source code. Binary patching is significantly harder: teams must modify machine code directly, often with tight space constraints, while ensuring the binary passes functionality checks. As Team Atlanta noted in their post-competition analysis, "a single bug can kill a CRS entirely. The autonomous system is that brittle."
Challenge level for AI: VERY HIGH. Binary patching without breaking functionality is one of the hardest sub-tasks for AI. It requires: (a) correct identification of the vulnerability at the binary level, (b) generation of a correct fix in machine code, (c) verification that the fix doesn't break legitimate behavior, and (d) all of this under time pressure. The SLA constraint makes this especially punishing—an overly aggressive patch that breaks functionality costs the team more than leaving the vulnerability unpatched.
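A minimal sketch of the byte-level patching workflow, with an SLA regression check, makes the brittleness concrete. Every specific in it (file names, the 0x1a42 offset, the jle-to-jbe opcode swap, the checker command) is hypothetical:

```python
import shutil
import subprocess

def patch_binary(src: str, dst: str, offset: int, new_bytes: bytes) -> None:
    # Overwrite bytes in place at a file offset. Real patches must fit the
    # space available: a compiled function cannot grow without relocation,
    # which is one reason a single wrong byte can fail the SLA checks.
    shutil.copyfile(src, dst)
    with open(dst, "r+b") as f:
        f.seek(offset)
        f.write(new_bytes)

def passes_sla(tests: list[list[str]]) -> bool:
    # Re-run organizer-style functionality checks against the patched service.
    return all(subprocess.run(t, timeout=10).returncode == 0 for t in tests)

# Hypothetical fix for a signedness bug: swap a signed jump (jle, opcode 0x7e)
# for its unsigned counterpart (jbe, opcode 0x76) at a known file offset.
patch_binary("./service", "./service.patched", offset=0x1a42, new_bytes=b"\x76")
if not passes_sla([["./checker", "./service.patched"]]):
    print("patch breaks functionality; deploying it would cost SLA points")
```

Note that the hard parts (finding the right offset, proving the one-byte fix is both sufficient and behavior-preserving) happen before this script runs, which is exactly where current AI systems are weakest.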
### 5. Real-Time Strategy Adaptation
Requirement: Teams must continuously adapt their strategy as new services are released, opponents deploy new exploits, and the competitive landscape shifts. This includes deciding which services to prioritize for offense vs. defense, when to invest resources in new exploits vs. refining existing ones, and how to respond to detected attacks.
AI capability status: No current AI system has demonstrated the ability to make real-time strategic decisions in a multi-service, multi-opponent competitive environment. This is fundamentally a multi-agent, multi-objective optimization problem with incomplete information, a domain where AI capabilities are still nascent. The 2016 DARPA Cyber Grand Challenge (CGC) at DEF CON 24 showed that autonomous systems could compete in a simplified attack-defense format, but those systems operated in a highly constrained environment (standard binary format, limited service complexity), and the winning system (Mayhem) finished last when it subsequently competed against human teams in the main DEF CON CTF.
Challenge level for AI: VERY HIGH. This requires meta-reasoning about competition dynamics, opponent modeling, resource allocation under uncertainty, and the ability to pivot strategies rapidly. It is arguably the most uniquely challenging aspect of attack-defense CTF for AI, as it requires integrating information across all other sub-tasks and making holistic decisions.
### 6. Infrastructure and Traffic Management
Requirement: Teams must manage their competition infrastructure (game servers, exploit deployment systems, traffic capture and analysis, automated flag submission), monitor network traffic to detect incoming attacks and reverse-engineer opponents' exploits, and deploy their own exploits automatically across all opponent targets every round.
AI capability status: While components of this can be automated with traditional scripting and tooling (and human teams do extensively automate this), the AI-specific challenge is in the traffic analysis component—automatically identifying novel exploit patterns in network captures and converting observed attacks into defensive patches or counter-exploits. No current AI system has demonstrated this capability in a live competition setting.
Challenge level for AI: MEDIUM-HIGH. Much of the infrastructure management can be handled by pre-built tooling rather than requiring AI reasoning. However, the traffic analysis, automated exploit detection, and dynamic infrastructure reconfiguration components require AI capabilities that haven't been demonstrated at competition scale.
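The mechanical half of this layer is well understood; human finalist teams already script it. A minimal sketch of the per-round throw-and-submit loop (hosts, exploit paths, and the flag submitter are all placeholders) shows what is automatable without AI. The unsolved part is the feedback loop above it: turning captured traffic into new patches and counter-exploits in real time.

```python
import concurrent.futures as cf
import subprocess

# Placeholder opponent subnet and exploit scripts; a real setup would read
# these from the game API each round.
OPPONENTS = [f"10.13.37.{i}" for i in range(2, 12)]
EXPLOITS = ["./sploits/service3.py", "./sploits/service7.py"]

def throw(exploit: str, host: str) -> str | None:
    """Run one exploit against one host; return the captured flag, if any."""
    try:
        out = subprocess.run(["python3", exploit, host], capture_output=True,
                             text=True, timeout=30)
        return out.stdout.strip() or None
    except subprocess.TimeoutExpired:
        return None

def play_round() -> None:
    # Throw every working exploit at every opponent concurrently, then submit
    # whatever flags came back before the round ends.
    with cf.ThreadPoolExecutor(max_workers=16) as pool:
        futures = {pool.submit(throw, e, h) for e in EXPLOITS for h in OPPONENTS}
        for fut in cf.as_completed(futures):
            flag = fut.result()
            if flag:
                subprocess.run(["./submit_flag", flag])  # placeholder submitter

play_round()
```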
## Key Evidence Points with Dates
- August 8, 2025: DARPA AIxCC finals at DEF CON 33. Team Atlanta won first place with autonomous CRS for source-code vulnerability finding and patching across 54 million lines of code. This demonstrated AI capability for source-code analysis but not binary-level analysis required by DEF CON CTF.
- August 2025: Carnegie Mellon's PPP won their fourth consecutive (and ninth overall) DEF CON CTF title, demonstrating that human teams continue to dominate the competition.
- August 2025: At DEF CON 33, Claude competed in LiveCTF at the DEF CON CTF finals (per YouTube video descriptions noting an "AI Solve Discovery" during Day 2 of LiveCTF).
- August 5, 2025: Axios reported that Claude had been "quietly beating human hackers" in student-level competitions. Anthropic's own transparency page noted that Claude achieved top 3% in PicoCTF (a student competition) and solved 19/20 in Hack The Box's AI vs. Human CTF, but scored only 15/30 in the Airbnb CTF and failed to solve any challenges at PlaidCTF (April 4, 2025).
- April 4, 2025: Claude attempted PlaidCTF, a challenging jeopardy-style competition, and could not solve any challenges, demonstrating the gap between AI capability on easy-to-medium challenges and top-tier competition challenges.
- July 2025: In Hack The Box's AI vs. Human MCP Tryout CTF, five of eight AI-agent teams solved 19/20 challenges, competing against 403 human teams. However, these were retired challenges of mixed difficulty, not at DEF CON finals level.
## Greatest Challenges Summary
The requirements that pose the greatest challenges for current autonomous AI systems are:
1. Real-time multi-service strategic orchestration: No AI has demonstrated the ability to simultaneously manage offense and defense across many services with adversarial opponents adapting in real time.
2. Binary-level patching under SLA constraints: Modifying compiled binaries without source code while preserving functionality is extremely brittle and error-prone for AI.
3. Adversarial real-time adaptation: Responding to opponents' evolving exploits and defenses requires a feedback loop of traffic analysis, attack identification, and dynamic response that no current AI system can execute.
4. Competition-grade binary reverse engineering: While AI can handle simpler reverse engineering tasks, the custom, complex, often obfuscated binaries used in DEF CON CTF finals remain beyond current AI capability, as evidenced by Claude's failure at PlaidCTF.
The combination of all six sub-tasks occurring simultaneously, under time pressure, in an adversarial environment, makes attack-defense CTF qualitatively harder than jeopardy-style CTF for AI systems. Even if an AI could solve individual sub-tasks in isolation, the integration challenge—managing all tasks concurrently with strategic coherence—represents an additional, compounding difficulty.
SQ5: Which organizations or teams are currently developing autonomous AI agents specifically aimed at competing in live CTF competitions, and what are their stated goals, timelines, and recent results as of early 2026?
Summary: As of early April 2026, several organizations are actively developing autonomous AI agents for CTF competitions, though none has yet demonstrated top-3 capability at DEF CON CTF finals:
1. SRLabs ("Nils"): SRLabs entered their autonomous AI agent "Nils" at the DEF CON 33 CTF finals in August 2025, placing 8th overall while running attack-defense operations and participating in LiveCTF. This was the first known fully autonomous AI team to compete in the DEF CON CTF finals. SRLabs is a Berlin-based security research lab. While no public confirmation of plans for DEF CON 34 (August 6–9, 2026) has been found, their investment in this space suggests continued development.
2. Tenzai: An Israeli startup founded in 2025 by former intelligence agency cyber executives. In March 2026, Tenzai announced its AI hacker achieved top-1% performance across six major CTF platforms, outperforming 125,000+ human competitors. It raised a $75 million seed round at a $330 million valuation within six months of founding. Their stated goal is enterprise penetration testing, but the CTF results demonstrate offensive capability. No specific DEF CON CTF entry plans have been publicly announced.
3. Team Atlanta (DARPA AIxCC successor): Won DARPA's AI Cyber Challenge in August 2025, earning the $4 million first prize. Led by Professor Taesoo Kim at Georgia Tech, Team Atlanta donated $2 million (50% of prize) to Georgia Tech's SSLab for ongoing autonomous cybersecurity research. Their system focused on defensive tasks (vulnerability detection and patching), not offensive CTF. The team published a "SoK" paper on AIxCC in February 2026. There is no public indication they are pivoting to offensive DEF CON CTF competition.
4. XBOW: Raised $120 million in Series C funding (valued over $1 billion) as of March 2026 to scale its autonomous hacking platform. XBOW became the #1 ranked autonomous penetration tester on HackerOne's global leaderboard in 2025, outperforming human hackers. Their focus is commercial penetration testing rather than CTF competition per se.
5. RunSybil: Co-founded by Ariel Herbert-Voss (formerly OpenAI's first research scientist), RunSybil is an automated offensive security company that received fresh funding in early 2026. It appeared in a DEF CON/MCSC 2026 panel discussion on "State of Art of AI Offence and Defence." No specific DEF CON CTF competition plans have been announced.
6. Cybersecurity AI (CAI) by Alias Robotics: An open-source framework that placed first among AI teams in Hack The Box's "AI vs Human" CTF challenge and reached the top 20 worldwide among all participants. It was 11x faster than humans overall across 54 benchmark exercises but struggled with "pwn" and "crypto" categories. Published as a 2026 paper [[PDF] Cybersecurity AI (CAI): An open framework for AI Security](https://pinzger.github.io/papers/Vilches2026-CAI.pdf).
7. Major AI Labs: Anthropic's "Claude Mythos Preview" model (announced April 7, 2026) represents a significant step-change in cybersecurity capabilities, with the ability to surface previously unknown vulnerabilities in production codebases. However, standard Claude models solved zero challenges at both PlaidCTF and the DEF CON Qualifier as of 2025. OpenAI and Google DeepMind have also invested in AI cybersecurity (Google ran AI-centric CTFs at DEF CON 33, described in a September 2025 blog post), but none have announced autonomous CTF competition entries.
8. Academic Teams: NYU Tandon developed "EnIGMA," an AI framework for solving cybersecurity challenges autonomously. Georgia Tech continues research through SSLab with Team Atlanta's donation. An arXiv paper on "Scalable Agentic CTF Design" (March 2026) studied autonomous AI performance in educational CTFs.
Key context: DEF CON 34 CTF qualifier is scheduled for May 22–24, 2026, with finals at DEF CON 34 on August 6–9, 2026 in Las Vegas. The 2026 International AI Safety Report noted that AI agents placed in cybersecurity competitions in 2025 but concluded that fully autonomous attacks are not yet possible at the highest tier. Current AI agents excel at easier and medium-difficulty challenges but struggle with the novel, elite-level exploitation required at DEF CON CTF finals.
Background: To forecast whether an AI agent will finish top-3 at DEF CON CTF finals by end of 2027, it's important to know who is actively building toward this goal. Known efforts include: (1) SRLabs, which entered 'Nils' at DEF CON 33 in 2025 (placing 8th) — are they continuing development and planning to compete again?; (2) Tenzai, an Israeli startup that in March 2026 claimed top-1% rankings on six CTF platforms — do they plan to enter DEF CON CTF?; (3) Any successors to the DARPA AIxCC teams (Team Atlanta won the $4M prize in 2025) that might be pivoting toward offensive CTF competition; (4) Major AI labs (OpenAI, Anthropic, Google DeepMind) or cybersecurity firms investing in autonomous CTF agents; (5) Academic teams developing CTF-playing AI systems. Understanding the competitive landscape of AI CTF agents — their funding, team sizes, technical approaches, and stated ambitions — helps assess how much effort is being directed at this specific challenge.
Detailed research
Landscape of Autonomous AI CTF Agents (as of April 2026)
The competitive landscape for autonomous AI CTF agents has expanded significantly between 2025 and early 2026, with multiple well-funded organizations and academic teams developing systems. Below is a comprehensive breakdown:
---
SRLabs / Nils
- Background: SRLabs is a Berlin-based security research lab that developed "Nils," the first known fully autonomous AI team to compete in DEF CON CTF finals.
- Results (August 2025): Nils placed 8th at DEF CON 33 CTF finals, participating in both attack-defense operations and LiveCTF.
- Current status: No public announcement has been found confirming plans for DEF CON 34 (August 2026). Their blog post documents their DEF CON 33 experience but does not explicitly state future competition plans.
- Assessment: Given their pioneering effort and the publicity gained, continued participation seems likely but is unconfirmed.
---
Tenzai
- Background: Israeli startup founded in 2025 by former intelligence agency cybersecurity executives.
- Funding (by March 2026): $75 million seed round at a $330 million valuation, raised within six months of founding.
- Results (March 2026): Announced top-1% performance across six major CTF platforms designed for humans, outperforming 125,000+ human competitors. This was widely reported in Forbes and Yahoo Finance on March 17, 2026.
- Goals: Stated focus is on enterprise security (autonomous penetration testing), with CTF results serving as validation of capability.
- DEF CON plans: No specific announcement about entering DEF CON CTF has been found.
---
Team Atlanta (DARPA AIxCC)
- Background: Won DARPA's AI Cyber Challenge in August 2025 ($4M first prize), led by Professor Taesoo Kim at Georgia Tech.
- Post-AIxCC (as of February 2026): Published SoK paper on AIxCC. Donated $2M to Georgia Tech's SSLab for ongoing autonomous cybersecurity research.
- Focus: Their CRS (Cyber Reasoning System) was designed for defensive tasks—vulnerability detection and patching in open-source software. This is fundamentally different from the offensive exploitation required in DEF CON CTF.
- Pivot to offensive CTF: No evidence of such a pivot. Taesoo Kim's team has historical DEF CON CTF experience (DEFKOR00T won DEF CON CTF 2018), but the AIxCC work was defense-oriented.
---
XBOW
- Funding (March 2026): Raised $120M Series C, valued over $1B.
- Results: Became #1 ranked autonomous penetration tester on HackerOne's global leaderboard in 2025. Ran 1,060+ autonomous attacks as documented in their blog.
- Focus: Commercial penetration testing product, not CTF competition specifically.
---
RunSybil
- Background: Automated offensive security company co-founded by Ariel Herbert-Voss (ex-OpenAI first research scientist).
- Status (2026): Received fresh funding, expanding platform and hiring. Featured in DEF CON/MCSC 2026 panel on AI offense/defense.
- DEF CON CTF: No announced plans to compete.
---
CAI (Cybersecurity AI) by Alias Robotics
- Results: First place among AI teams in Hack The Box's "AI vs Human" CTF; top-20 worldwide overall. 11x faster than humans across 54 exercises, but underperformed in "pwn" (0.77x) and "crypto" (0.47x) categories [[PDF] Cybersecurity AI (CAI): An open framework for AI Security](https://pinzger.github.io/papers/Vilches2026-CAI.pdf).
- Framework: Open-source, agent-centric architecture supporting multiple LLMs. Claude-3.7-sonnet was top performer, solving 19/23 selected challenges [[PDF] Cybersecurity AI (CAI): An open framework for AI Security](https://pinzger.github.io/papers/Vilches2026-CAI.pdf).
- Limitation: Struggles with harder challenge categories that are the bread-and-butter of DEF CON CTF finals.
---
Major AI Labs
- Anthropic: Claude Mythos Preview announced April 7, 2026, described as a "step change" in cybersecurity capabilities. However, standard Claude models solved zero challenges at PlaidCTF and DEF CON Qualifier (elite competitions requiring novel exploitation), as widely noted on LinkedIn in early 2026. Mythos is being shared with ~50 companies for defensive use, not for CTF competition.
- OpenAI: No specific autonomous CTF agent development announced. General cybersecurity capabilities improving with each model generation.
- Google DeepMind: Google ran AI-centric CTFs at the DEF CON 33 AI Village (described in a September 2025 blog post), focused on education and adoption rather than competition.
- None of the major AI labs have announced plans to enter an autonomous agent in DEF CON CTF.
---
Academic Teams
- NYU Tandon: Developed "EnIGMA" framework for autonomous cybersecurity challenge solving.
- Georgia Tech SSLab: Receiving $2M from Team Atlanta's prize for continued autonomous security research.
- Various universities: The March 2026 arXiv paper on "Scalable Agentic CTF Design" studied autonomous AI performance in educational CTF settings, noting limitations at higher difficulty levels.
---
Key Structural Factors
- DEF CON 34 CTF timeline: Qualifier May 22–24, 2026; Finals August 6–9, 2026 in Las Vegas.
- Current AI limitations at elite CTF: The 2026 International AI Safety Report and multiple sources note that while AI agents perform well on standard/medium CTF challenges, they struggle with the novel, multi-step exploitation chains required at elite competitions like DEF CON CTF finals.
- Gap between benchmarks and live competition: Tenzai's top-1% on static CTF platforms and XBOW's #1 on HackerOne are impressive, but DEF CON CTF finals involve real-time attack-defense dynamics, novel challenges, and time pressure that current systems handle poorly, as evidenced by Nils's 8th-place finish among the ~12 finalist teams at DEF CON 33.