About this report & methodology

An automated pipeline reads the source paper and generates binary forecasting questions, then scores, filters, and forecasts them through multiple stages:

  1. Generate — LLM extracts falsifiable claims and drafts proto-questions
  2. Quality filter — scored for clarity, specificity, and resolvability
  3. Priority score — Importance, Tractability, Neglectedness, and temporal urgency (Soon/Sudden/Sharp)
  4. Refine — detailed background, resolution criteria, and fine-print
  5. Verify & review — adversarial review for ambiguity and edge cases
  6. Forecast — LLM probability estimate with rationale
  7. Decompose & reconcile — broken into subquestions, researched, then reconciled
Toggle Sections
Filter Status
Sort by
Part 7
6% Will an autonomous AI agent or AI-only team finish in the top 3 at the DEF CON Capture the Flag (CTF) main finals between April 8, 2026 (00:00 UTC) and December 31, 2027 (23:59 UTC)? REVISED ITNSSS72 Imp82
Quality92
Ambiguity85
Soon70
Sudden65
Sharp60

Priority scores (ITN + Soon/Sudden/Sharp) Stage 2c

Priority72
Neglectedness72
Tractability70

Neglectedness: Web search found no existing forecasting question on Metaculus, Manifold, Polymarket, or other platforms specifically asking about AI placing top 3 at DEF CON CTF finals. Metaculus has related questions about Cybench scores and AI cybersecurity benchmarks, but not this specific competitive milestone. However, the general topic of AI offensive cyber capability is receiving increasing attention: SRLabs competed with an AI agent at DEF CON 33 CTF finals placing 8th (2025), Tenzai's AI achieved top 1% on six CTF platforms (March 2026, per Forbes), and DARPA's AIxCC at DEF CON focused on defensive AI. The specific operationalization (top 3 at DEF CON CTF finals) is not being tracked, but the broader domain has growing monitoring. Scored medium-high because no direct forecast exists but adjacent monitoring is increasing.

Tractability: Forecasting this well requires synthesizing multiple lines of evidence: current AI CTF performance trajectories (SRLabs placed 8th in 2025, Tenzai top 1% on platforms), rate of improvement in AI coding/reasoning capabilities, the specific challenge format of DEF CON CTF finals (attack-defense format requiring real-time adaptation), and the competitive landscape of top human teams. There's meaningful room for inside-view analysis beyond base rates, but the question partly reduces to extrapolating AI capability improvement curves. A skilled forecaster can meaningfully outperform a naive prior by tracking capability benchmarks and competition results.

Soon: This is tracking a development at an active inflection point. AI CTF performance is rapidly improving — from no competitive presence to 8th place at DEF CON in 2025 to top 1% on major platforms in early 2026. The resolution deadline of end-2027 gives two more DEF CON CTF cycles (2026 and 2027). The window for this capability threshold is actively being approached, making the forecast time-sensitive.

Sudden: A top-3 placement would be a discrete event at a specific competition, but the trajectory toward it is somewhat visible. We can observe incremental improvements (8th place in 2025, etc.). However, capability jumps in AI can be nonlinear — a new model generation or novel agent architecture could produce a sudden leap in competitive performance. The exact timing of crossing the top-3 threshold could surprise observers.

Sharp: There are partial warning shots — AI placing 8th at DEF CON 2025, top 1% on online platforms — that signal the trajectory. These warning shots exist but may be underappreciated by the broader policy community. The gap between "top 1% on online platforms" and "top 3 at DEF CON finals" is significant enough that crossing it could still catch many stakeholders off guard, but the cybersecurity community is increasingly aware of AI offensive capability improvement.

Proto-question Stage 1

Will an autonomous AI agent or team place in the top 3 at the DEF CON Capture the Flag (CTF) finals by December 31, 2027?

Why this question? The paper discusses HACCA proliferation and the democratization of elite cyber capabilities. A key upstream indicator is AI performance on competitive hacking challenges. Tenzai's AI hacker already ranked in the top 1% across six major CTF platforms, and Wiz Research found AI agents solved 9 of 10 offensive security challenges in controlled environments. However, winning or placing highly at the most prestigious live CTF competition (DEF CON CTF finals) against top human teams remains a harder milestone. This question tracks whether autonomous offensive cyber capability has reached elite-human-competitive levels, directly relevant to the paper's HACCA feasibility timeline.

Paper reference: The paper's Table 11 outlines an illustrative HACCA proliferation timeline, beginning with early HACCAs that 'first become feasible' and progressing to wider deployment. The paper notes that HACCAs could 'democratize what were previously elite nation-state-level capabilities.' AI performance in competitive hacking directly measures progress toward this threshold.

Refined question Stage 2

## Question Title Will an autonomous AI agent or AI-only team finish in the top 3 at the DEF CON Capture the Flag (CTF) main finals between April 8, 2026 (00:00 UTC) and December 31, 2027 (23:59 UTC)? --- ## Background The DEF CON Capture the Flag (CTF) competition is widely regarded as the most prestigious live hacking competition in the world. The main CTF finals take place annually in Las Vegas during the DEF CON conference, typically in August. It uses an attack-defense format in which approximately 15–20 qualified teams must simultaneously attack other teams' services while defending their own, in real time over multiple days. The competition is organized by a rotating group of hosts; from 2018–2025, the Nautilus Institute ran the event. For DEF CON 34 (2026), the new organizers are the "Benevolent Bureau of Birds," with qualifiers scheduled for May 22–24, 2026. Current AI performance benchmarks: - At DEF CON 33 (August 2025), SRLabs entered an AI agent called "Nils" into the main CTF finals. Nils participated in attack-defense operations and the LiveCTF component, ultimately placing 8th out of approximately 15–20 finalist teams. This was the first known instance of an autonomous AI agent competing in the DEF CON CTF finals. The winner was the Maple Mallard Magistrates (affiliated with Carnegie Mellon University), who claimed their fourth consecutive and ninth overall DEF CON CTF title. - In March 2026, Israeli startup Tenzai announced that its autonomous AI hacking agent became the first AI system to rank in the top 1% of global hacking competitions across six major CTF platforms (websec.fr, dreamhack.io, websec.co.il, hack.arrrg.de, pwnable.tw, and Lakera's Agent Breaker), outperforming over 99% of the approximately 125,000 human participants on those platforms. This was reported by Forbes on March 17, 2026. - Separately, DARPA's AI Cyber Challenge (AIxCC) was a two-year competition (2023–2025) focused on defensive AI capabilities (automatically finding and patching vulnerabilities in source code). Its final competition concluded at DEF CON 33 in August 2025, with Team Atlanta winning the $4 million grand prize. AIxCC is distinct from the main DEF CON CTF and has concluded its competitive program. - Wiz Research (January 2026) found that leading AI agents (Claude Sonnet 4.5, GPT-5, Gemini 2.5 Pro) solved 9 out of 10 CTF-style challenges in directed, narrow-scope scenarios but struggled significantly with broad-scope, multi-step tasks — suggesting a gap between controlled benchmark performance and live competition readiness. Competition context: The gap between top-1% online CTF performance and top-3 at DEF CON CTF finals is significant. Online CTF platforms typically feature individual jeopardy-style challenges, while the DEF CON finals use a real-time attack-defense format requiring simultaneous offensive and defensive operations, adaptation to unknown challenges, and strategic decision-making under time pressure against elite human teams (e.g., Maple Mallard Magistrates/PPP, Blue Water, SuperDiceCode). The resolution window covers two DEF CON CTF cycles: DEF CON 34 (August 2026) and DEF CON 35 (August 2027). --- ## Resolution Criteria This question resolves Yes if, between April 8, 2026 (00:00 UTC) and December 31, 2027 (23:59 UTC), an autonomous AI agent or AI-only team finishes in 3rd place or higher (i.e., 1st, 2nd, or 3rd) in the official final standings of the main DEF CON Capture the Flag (CTF) finals competition. ### Key Definitions and Clarifications: 1. DEF CON CTF finals: The flagship CTF competition held at the annual DEF CON hacking conference in Las Vegas, as listed on the DEF CON CTF Archive page and tracked on CTFtime. This refers specifically to the main DEF CON CTF, not satellite events, side CTFs, or separate competitions co-located at DEF CON (such as DARPA's AIxCC, Red Alert ICS CTF, or other contest-track events). 2. "Autonomous AI agent or AI-only team": A competing entity where all challenge-solving and strategic decision-making during the live finals competition is performed by AI systems without real-time human cognitive assistance. Specifically: - Humans may set up, configure, deploy, and monitor the AI system(s) before and during the competition. - Humans may perform purely operational tasks such as maintaining infrastructure, rebooting systems, or managing network connectivity. - Humans must not solve challenges, write exploits, make strategic decisions about which targets to attack/defend, or provide hints or guidance to the AI during the live competition. - A hybrid human-AI team where humans actively collaborate with AI to solve challenges does not qualify. The team must be competing on the strength of AI decision-making and problem-solving alone. - If there is ambiguity about whether a team qualifies, authoritative determination will be based on (a) the team's own public statements or published write-ups about their approach, and (b) reporting from credible cybersecurity outlets (e.g., Wired, The Record, Dark Reading, or equivalent). 3. "Top 3 finish": The team must be ranked 1st, 2nd, or 3rd in the final official standings as published by the CTF organizers. If the organizers use a multi-component scoring system (e.g., combining attack-defense scores with LiveCTF scores), the relevant ranking is the overall/composite final ranking as published in the official results. In the event of an exact tie for 3rd place or higher, all tied teams are considered to have achieved a top-3 finish. 4. Resolution sources: The primary resolution source is the official DEF CON contest results page (e.g., https://defcon.org/html/defcon-33/dc-33-contest-results.html for 2025; analogous pages for subsequent years), the CTF organizer's official website, or the CTFtime event page for DEF CON CTF. Secondary sources include credible cybersecurity media coverage and the competing team's own published write-ups or blog posts. 5. Evaluation period: The question covers DEF CON CTF finals held during DEF CON 34 (expected August 2026) and DEF CON 35 (expected August 2027). If either competition is cancelled, postponed beyond the resolution date, or no longer held, the question resolves based on whichever competition(s) do take place within the window. If no DEF CON CTF finals are held between April 8, 2026 and December 31, 2027, the question resolves No. The question resolves No if no autonomous AI agent or AI-only team (as defined above) finishes in the top 3 at any DEF CON CTF finals held within the evaluation period.

Background

The DEF CON Capture the Flag (CTF) competition is widely regarded as the most prestigious live hacking competition in the world. The main CTF finals take place annually in Las Vegas during the DEF CON conference, typically in August. It uses an attack-defense format in which approximately 15–20 qualified teams must simultaneously attack other teams' services while defending their own, in real time over multiple days. The competition is organized by a rotating group of hosts; from 2018–2021, the Order of the Overflow ran the event, followed by the Nautilus Institute from 2022–2025. For DEF CON 34 (2026), the new organizers are the "Benevolent Bureau of Birds," with qualifiers scheduled for May 22–24, 2026. Current AI performance benchmarks: - At DEF CON 33 (August 2025), SRLabs entered an AI agent called "Nils" into the main CTF finals. Nils participated in attack-defense operations and the LiveCTF component, ultimately placing 8th out of approximately 15–20 finalist teams. This was the first known instance of an autonomous AI agent competing in the DEF CON CTF finals. The winner was the Maple Mallard Magistrates (affiliated with Carnegie Mellon University), who claimed their fourth consecutive and ninth overall DEF CON CTF title. - In March 2026, Israeli startup Tenzai announced that its autonomous AI hacking agent became the first AI system to rank in the top 1% of global hacking competitions across six major CTF platforms (websec.fr, dreamhack.io, websec.co.il, hack.arrrg.de, pwnable.tw, and Lakera's Agent Breaker), outperforming over 99% of the approximately 125,000 human participants on those platforms. This was reported by Forbes on March 17, 2026. - Separately, DARPA's AI Cyber Challenge (AIxCC) was a two-year competition (2023–2025) focused on defensive AI capabilities (automatically finding and patching vulnerabilities in source code). Its final competition concluded at DEF CON 33 in August 2025, with Team Atlanta winning the $4 million grand prize. AIxCC is distinct from the main DEF CON CTF and has concluded its competitive program. - Wiz Research (January 2026) found that leading AI agents (Claude Sonnet 4.5, GPT-5, Gemini 2.5 Pro) solved 9 out of 10 CTF-style challenges in directed, narrow-scope scenarios but struggled significantly with broad-scope, multi-step tasks — suggesting a gap between controlled benchmark performance and live competition readiness. Competition context: The gap between top-1% online CTF performance and top-3 at DEF CON CTF finals is significant. Online CTF platforms typically feature individual jeopardy-style challenges, while the DEF CON finals use a real-time attack-defense format requiring simultaneous offensive and defensive operations, adaptation to unknown challenges, and strategic decision-making under time pressure against elite human teams (e.g., Maple Mallard Magistrates/PPP, Blue Water, SuperDiceCode). The resolution window covers two DEF CON CTF cycles: DEF CON 34 (August 2026) and DEF CON 35 (August 2027). ---

Resolution criteria

This question resolves Yes if, between April 8, 2026 (00:00 UTC) and December 31, 2027 (23:59 UTC), an autonomous AI agent or AI-only team finishes in 3rd place or higher (i.e., 1st, 2nd, or 3rd) in the unified overall final standings of the main DEF CON Capture the Flag (CTF) finals competition. ### Key Definitions and Clarifications: 1. DEF CON CTF finals: The flagship CTF competition held at the annual DEF CON hacking conference in Las Vegas, as listed on the DEF CON CTF Archive page and tracked on CTFtime. This refers specifically to the main DEF CON CTF, not satellite events, side CTFs, or separate competitions co-located at DEF CON (such as DARPA's AIxCC, Red Alert ICS CTF, or other contest-track events). 2. "Autonomous AI agent or AI-only team": A competing entity where all challenge-solving and strategic decision-making during the live finals competition is performed by AI systems without real-time human cognitive assistance. Specifically: - Humans may set up, configure, deploy, and monitor the AI system(s) before and during the competition. - Pre-competition configuration, training, and programming of the AI system is permitted regardless of how specific the encoded heuristics or decision trees are. Autonomy is evaluated only based on whether humans provide real-time cognitive input during the live competition period. - Humans may perform purely operational tasks such as maintaining infrastructure, rebooting systems, or managing network connectivity. - Human interventions solely to prevent rule violations or self-destructive behavior (e.g., attacking own infrastructure) are considered operational maintenance and do not disqualify a team, provided the humans do not redirect the AI toward specific targets or solutions. - Selective manual activation or deactivation of specific AI problem-solving modules in response to competition developments constitutes strategic input and disqualifies the team. Human operators may restart or reboot AI systems generally, but must not selectively enable or disable specific AI subsystems targeting particular challenges. - Humans must not solve challenges, write exploits, make strategic decisions about which targets to attack/defend, or provide hints or guidance to the AI during the live competition. - A hybrid human-AI team where humans handle some categories of tasks (e.g., offense) and AI handles others (e.g., defense) does not qualify. The entire team's competition effort — both offensive and defensive — must be performed by AI systems without human cognitive assistance for the team to be considered an "AI-only team." - If there is ambiguity about whether a team qualifies, authoritative determination will be based on (a) the team's own public statements or published write-ups about their approach, and (b) reporting from credible cybersecurity outlets (e.g., Wired, The Record, Dark Reading, or equivalent). In disputed cases, the team's public statements and write-ups shall be taken at face value unless contradicted by official organizer statements or credible investigative reporting. 3. "Top 3 finish": The team must be ranked 1st, 2nd, or 3rd in the unified overall final standings that include all competing teams. A top-3 finish in a separate AI-only division, sub-bracket, or special category does not qualify unless it also corresponds to a top-3 position in the main combined leaderboard. If the organizers use a multi-component scoring system (e.g., combining attack-defense scores with LiveCTF scores), the relevant ranking is the overall/composite final ranking as published in the official results. In the event of an exact tie for 3rd place or higher, all tied teams are considered to have achieved a top-3 finish. 4. Public identification requirement: For this question to resolve Yes, the team must be publicly identified as an autonomous AI agent or AI-only team — through organizer designation, team self-identification, or credible media reporting — within 60 days of the conclusion of the relevant DEF CON CTF finals. If no team is publicly identified as autonomous AI within this window, the question resolves No for that year's competition. 5. Resolution sources: The primary resolution source is the official DEF CON contest results page (e.g., https://defcon.org/html/defcon-33/dc-33-contest-results.html for 2025; analogous pages for subsequent years), the CTF organizer's official website, or the CTFtime event page for DEF CON CTF. Secondary sources include credible cybersecurity media coverage and the competing team's own published write-ups or blog posts. 6. Evaluation period: The question covers DEF CON CTF finals held during DEF CON 34 (expected August 2026) and DEF CON 35 (expected August 2027). If either competition is cancelled, postponed beyond the resolution date, or no longer held, the question resolves based on whichever competition(s) do take place within the window. If no DEF CON CTF finals are held between April 8, 2026 and December 31, 2027, the question resolves No. 7. Format changes: The format of the DEF CON CTF finals is determined solely by the organizers. A top-3 finish in the official final standings qualifies regardless of the competition format used that year. The question resolves No if no autonomous AI agent or AI-only team (as defined above) finishes in the top 3 at any DEF CON CTF finals held within the evaluation period.

Verification scores Stage 3

Quality: 92.0   Ambiguity: 85.0

Quality notes: This is an excellent forecasting question. It identifies a prestigious and well-defined milestone (DEF CON CTF finals) that serves as a high-bar proxy for autonomous offensive cyber capabilities. While recent results (Tenzai ranking in the top 1% of CTF platforms in March 2026 and DARPA's AIxCC results in August 2025) show rapid progress, the flagship DEF CON CTF finals remain significantly more difficult than general CTF platforms or AI-specific competitions. The question has high entropy, as experts disagree on the timeline for AI to surpass elite human teams in dynamic, adversarial, and low-information environments. The resolution source is reliable (DEF CON official results).

Ambiguity notes: The question is very strong, with clear definitions of the event, the ranking, and the timeframes. The 'autonomous' definition is particularly detailed, covering infrastructure vs. cognitive tasks and providing a hierarchy of sources for adjudication. The main reason for not being 'great' is the inherent difficulty in proving a negative (i.e., that no human cognitive assistance occurred) if a team is not fully transparent, though the criteria's reliance on 'public statements' and 'credible reporting' provides a solid fallback for resolution.

Adversarial review NEEDS_REVISION Edge risk: MEDIUM

Assessment: NEEDS_REVISION   Edge case risk: MEDIUM

ASSESSMENT: NEEDS_REVISION REVIEW: Several issues identified: 1. Factual error in background: The question states "from 2018–2025, the Nautilus Institute ran the event." This is incorrect. According to the DEF CON CTF Archive page, Order of the Overflow organized the CTF from 2018–2021, and Nautilus Institute organized it from 2022–2025. This is a clear factual error that should be corrected. 2. Resolution verifiability is the core weakness: The question hinges on identifying whether a team is an "autonomous AI agent or AI-only team," but the official resolution sources (DEF CON results pages, CTFtime) list team names and scores only — they do not categorize teams by their internal composition or level of human assistance. There is no evidence that the Benevolent Bureau of Birds has established registration categories distinguishing AI-only from human teams. The question attempts to address this via fallback criteria (team self-reporting, media coverage), but this creates a situation where resolution depends entirely on voluntary disclosure. If an AI team finishes top 3 but does not publicly disclose its nature, or if there's ambiguity about the degree of human involvement, the question becomes practically unresolvable. SRLabs publicly blogged about Nils, but there's no guarantee future entrants would do the same. 3. Wiz Research model names are correct: The Wiz blog (published January 29, 2026) confirms testing of Claude Sonnet 4.5, GPT-5, and Gemini 2.5 Pro, solving 9/10 challenges in narrow-scope scenarios AI Agents vs Humans: Who Wins at Web Hacking in 2026? | Wiz Blog. This matches the background. 4. Other factual claims check out: Tenzai's top 1% claim is confirmed by Forbes (March 17, 2026). CMU/Maple Mallard Magistrates' "fourth consecutive and ninth overall" title is confirmed by CMU's own news release. BBB qualifiers on May 22-24, 2026 are confirmed by DEF CON forum and multiple official social media posts. Nils placing 8th at DEF CON 33 is confirmed by SRLabs' blog. 5. No competitions between Jan-April 2026 that would pre-resolve the question: The DEF CON 34 qualifiers are scheduled for May 22-24, 2026, so no qualifying or finals events have yet occurred in the resolution window. The question is substantively interesting and the time horizon is reasonable, but the factual error needs correction and the resolution mechanism for verifying "AI-only" status is weak enough to warrant revision. EVIDENCE: https://defcon.org/html/links/dc-ctf.html (CTF Archive showing Nautilus 2022-2025, OOO 2018-2021) https://srlabs.de/blog/competing-at-the-def-con-ctf-finals-2025 (Nils 8th place) https://www.cmu.edu/news/stories/archives/2025/august/carnegie-mellons-hacking-team-wins-fourth-straight-record-ninth-overall-def-con-capture-the-flag (MMM wins) https://www.forbes.com/sites/thomasbrewster/2026/03/17/ai-beat-most-humans-in-elite-hacking-competitions/ (Tenzai top 1%) https://www.wiz.io/blog/ai-agents-vs-humans-who-wins-at-web-hacking-in-2026 (Wiz Research findings) https://forum.defcon.org/node/255475 (BBB qualifiers May 22-24) https://ctftime.org/event/3205/ (DEF CON CTF Qualifier 2026) SUGGESTION: 1. Fix factual error: Change "from 2018–2025, the Nautilus Institute ran the event" to "from 2018–2021, the Order of the Overflow ran the event, followed by the Nautilus Institute from 2022–2025." 2. Strengthen resolution verifiability: Consider adding language requiring that at least one team must publicly register or be publicly identified as an AI-only team before or during the competition for the question to be resolvable as YES. Alternatively, add a clause stating: "If no team is publicly identified as an autonomous AI agent or AI-only team through either organizer designation, team self-identification, or credible media reporting within 60 days of the finals, the question resolves No for that year's competition." This prevents indefinite ambiguity about team composition.

Edge cases 7 scenarios

OVERALL_RISK: MEDIUM 1. SCENARIO: An AI team like Nils competes at DEF CON 34 CTF finals and finishes 3rd, but during the competition, human operators occasionally restart specific AI modules targeting particular challenge categories, effectively making strategic decisions about resource allocation by choosing which AI subsystems to activate or deactivate. SEVERITY: HIGH FIX: Add language: "Human operators may restart or reboot AI systems, but must not selectively enable/disable specific AI problem-solving modules in response to competition developments. Any selective activation of AI subsystems targeting specific challenges constitutes strategic decision-making and disqualifies the team." 2. SCENARIO: An AI team finishes 3rd overall, but the team's humans pre-programmed detailed heuristics and decision trees before the competition that effectively encode human strategic judgment (e.g., "if service X has vulnerability pattern Y, prioritize attack Z"), blurring the line between autonomous AI decision-making and pre-coded human strategy. SEVERITY: MEDIUM FIX: Add language: "Pre-competition configuration, training, and programming of the AI system is permitted regardless of specificity. Autonomy is evaluated only based on whether humans provide real-time cognitive input during the live competition period." 3. SCENARIO: A team finishes in the top 3 and publicly claims to be fully AI-autonomous, but competing teams or observers allege that humans were seen actively typing commands or discussing challenge strategies during the competition, with no definitive video or log evidence either way. SEVERITY: MEDIUM FIX: Add language: "In disputed cases, the burden of proof lies with those claiming the team was not autonomous. Absent clear evidence of human cognitive assistance during the live competition, the team's own public statements and write-ups shall be taken at face value unless contradicted by organizer statements or credible investigative reporting." 4. SCENARIO: The DEF CON 34 CTF organizers (Benevolent Bureau of Birds) create a separate "AI track" or "AI division" within the main CTF finals, where AI teams compete alongside but are scored or ranked separately from human teams, and an AI team finishes top 3 in the AI division but not in the overall standings. SEVERITY: MEDIUM FIX: Add language: "The AI team must finish top 3 in the unified overall final standings that includes all competing teams. A top-3 finish in a separate AI-only division, sub-bracket, or special category does not qualify unless it also corresponds to a top-3 position in the main combined leaderboard." 5. SCENARIO: An AI system finishes 3rd but had a human "failsafe operator" who intervened twice during the competition to prevent the AI from attacking its own infrastructure or violating competition rules — interventions that arguably constitute strategic guidance by constraining the AI's decision space in real time. SEVERITY: MEDIUM FIX: Add language: "Human interventions to prevent rule violations or self-destructive behavior (e.g., attacking own infrastructure) are considered operational maintenance and do not disqualify a team, provided the humans do not redirect the AI toward specific targets or solutions." 6. SCENARIO: An AI team qualifies for and competes in the DEF CON CTF finals but the competition format changes significantly (e.g., from attack-defense to a hybrid format with a large "King of the Hill" component), and the AI finishes 3rd overall but only because it dominated the automated-friendly component while performing poorly on components requiring more creative problem-solving. Disputes arise about whether this "counts" given the format change. SEVERITY: LOW FIX: Add language: "The format of the DEF CON CTF finals is determined solely by the organizers. A top-3 finish in the official final standings qualifies regardless of the competition format used that year." 7. SCENARIO: A team that is primarily human-operated uses an AI agent to autonomously handle all defensive operations while humans focus entirely on offensive challenges. The team finishes top 3 and the AI agent's autonomous defense is credited as the decisive factor in the placement. SEVERITY: HIGH FIX: Add language: "A hybrid team where humans handle some challenge categories and AI handles others does not qualify. The entire team's competition effort — both offensive and defensive — must be performed by AI systems without human cognitive assistance for the team to be considered an 'AI-only team.'"

Revised question REVISED

## Question Title Will an autonomous AI agent or AI-only team finish in the top 3 at the DEF CON Capture the Flag (CTF) main finals between April 8, 2026 (00:00 UTC) and December 31, 2027 (23:59 UTC)? --- ## Background The DEF CON Capture the Flag (CTF) competition is widely regarded as the most prestigious live hacking competition in the world. The main CTF finals take place annually in Las Vegas during the DEF CON conference, typically in August. It uses an attack-defense format in which approximately 15–20 qualified teams must simultaneously attack other teams' services while defending their own, in real time over multiple days. The competition is organized by a rotating group of hosts; from 2018–2021, the Order of the Overflow ran the event, followed by the Nautilus Institute from 2022–2025. For DEF CON 34 (2026), the new organizers are the "Benevolent Bureau of Birds," with qualifiers scheduled for May 22–24, 2026. Current AI performance benchmarks: - At DEF CON 33 (August 2025), SRLabs entered an AI agent called "Nils" into the main CTF finals. Nils participated in attack-defense operations and the LiveCTF component, ultimately placing 8th out of approximately 15–20 finalist teams. This was the first known instance of an autonomous AI agent competing in the DEF CON CTF finals. The winner was the Maple Mallard Magistrates (affiliated with Carnegie Mellon University), who claimed their fourth consecutive and ninth overall DEF CON CTF title. - In March 2026, Israeli startup Tenzai announced that its autonomous AI hacking agent became the first AI system to rank in the top 1% of global hacking competitions across six major CTF platforms (websec.fr, dreamhack.io, websec.co.il, hack.arrrg.de, pwnable.tw, and Lakera's Agent Breaker), outperforming over 99% of the approximately 125,000 human participants on those platforms. This was reported by Forbes on March 17, 2026. - Separately, DARPA's AI Cyber Challenge (AIxCC) was a two-year competition (2023–2025) focused on defensive AI capabilities (automatically finding and patching vulnerabilities in source code). Its final competition concluded at DEF CON 33 in August 2025, with Team Atlanta winning the $4 million grand prize. AIxCC is distinct from the main DEF CON CTF and has concluded its competitive program. - Wiz Research (January 2026) found that leading AI agents (Claude Sonnet 4.5, GPT-5, Gemini 2.5 Pro) solved 9 out of 10 CTF-style challenges in directed, narrow-scope scenarios but struggled significantly with broad-scope, multi-step tasks — suggesting a gap between controlled benchmark performance and live competition readiness. Competition context: The gap between top-1% online CTF performance and top-3 at DEF CON CTF finals is significant. Online CTF platforms typically feature individual jeopardy-style challenges, while the DEF CON finals use a real-time attack-defense format requiring simultaneous offensive and defensive operations, adaptation to unknown challenges, and strategic decision-making under time pressure against elite human teams (e.g., Maple Mallard Magistrates/PPP, Blue Water, SuperDiceCode). The resolution window covers two DEF CON CTF cycles: DEF CON 34 (August 2026) and DEF CON 35 (August 2027). --- ## Resolution Criteria This question resolves Yes if, between April 8, 2026 (00:00 UTC) and December 31, 2027 (23:59 UTC), an autonomous AI agent or AI-only team finishes in 3rd place or higher (i.e., 1st, 2nd, or 3rd) in the unified overall final standings of the main DEF CON Capture the Flag (CTF) finals competition. ### Key Definitions and Clarifications: 1. DEF CON CTF finals: The flagship CTF competition held at the annual DEF CON hacking conference in Las Vegas, as listed on the DEF CON CTF Archive page and tracked on CTFtime. This refers specifically to the main DEF CON CTF, not satellite events, side CTFs, or separate competitions co-located at DEF CON (such as DARPA's AIxCC, Red Alert ICS CTF, or other contest-track events). 2. "Autonomous AI agent or AI-only team": A competing entity where all challenge-solving and strategic decision-making during the live finals competition is performed by AI systems without real-time human cognitive assistance. Specifically: - Humans may set up, configure, deploy, and monitor the AI system(s) before and during the competition. - Pre-competition configuration, training, and programming of the AI system is permitted regardless of how specific the encoded heuristics or decision trees are. Autonomy is evaluated only based on whether humans provide real-time cognitive input during the live competition period. - Humans may perform purely operational tasks such as maintaining infrastructure, rebooting systems, or managing network connectivity. - Human interventions solely to prevent rule violations or self-destructive behavior (e.g., attacking own infrastructure) are considered operational maintenance and do not disqualify a team, provided the humans do not redirect the AI toward specific targets or solutions. - Selective manual activation or deactivation of specific AI problem-solving modules in response to competition developments constitutes strategic input and disqualifies the team. Human operators may restart or reboot AI systems generally, but must not selectively enable or disable specific AI subsystems targeting particular challenges. - Humans must not solve challenges, write exploits, make strategic decisions about which targets to attack/defend, or provide hints or guidance to the AI during the live competition. - A hybrid human-AI team where humans handle some categories of tasks (e.g., offense) and AI handles others (e.g., defense) does not qualify. The entire team's competition effort — both offensive and defensive — must be performed by AI systems without human cognitive assistance for the team to be considered an "AI-only team." - If there is ambiguity about whether a team qualifies, authoritative determination will be based on (a) the team's own public statements or published write-ups about their approach, and (b) reporting from credible cybersecurity outlets (e.g., Wired, The Record, Dark Reading, or equivalent). In disputed cases, the team's public statements and write-ups shall be taken at face value unless contradicted by official organizer statements or credible investigative reporting. 3. "Top 3 finish": The team must be ranked 1st, 2nd, or 3rd in the unified overall final standings that include all competing teams. A top-3 finish in a separate AI-only division, sub-bracket, or special category does not qualify unless it also corresponds to a top-3 position in the main combined leaderboard. If the organizers use a multi-component scoring system (e.g., combining attack-defense scores with LiveCTF scores), the relevant ranking is the overall/composite final ranking as published in the official results. In the event of an exact tie for 3rd place or higher, all tied teams are considered to have achieved a top-3 finish. 4. Public identification requirement: For this question to resolve Yes, the team must be publicly identified as an autonomous AI agent or AI-only team — through organizer designation, team self-identification, or credible media reporting — within 60 days of the conclusion of the relevant DEF CON CTF finals. If no team is publicly identified as autonomous AI within this window, the question resolves No for that year's competition. 5. Resolution sources: The primary resolution source is the official DEF CON contest results page (e.g., https://defcon.org/html/defcon-33/dc-33-contest-results.html for 2025; analogous pages for subsequent years), the CTF organizer's official website, or the CTFtime event page for DEF CON CTF. Secondary sources include credible cybersecurity media coverage and the competing team's own published write-ups or blog posts. 6. Evaluation period: The question covers DEF CON CTF finals held during DEF CON 34 (expected August 2026) and DEF CON 35 (expected August 2027). If either competition is cancelled, postponed beyond the resolution date, or no longer held, the question resolves based on whichever competition(s) do take place within the window. If no DEF CON CTF finals are held between April 8, 2026 and December 31, 2027, the question resolves No. 7. Format changes: The format of the DEF CON CTF finals is determined solely by the organizers. A top-3 finish in the official final standings qualifies regardless of the competition format used that year. The question resolves No if no autonomous AI agent or AI-only team (as defined above) finishes in the top 3 at any DEF CON CTF finals held within the evaluation period.

Forecast rationale

About 632 days remain, but in practice there are only two relevant shots: DEF CON finals in 2026 and 2027. The status quo is No: the strongest known AI finals result is 8th place in 2025, and this question requires a top-3 finish by an AI-only team with no real-time human cognitive help. Scope matters: top 3 in the unified overall DEF CON standings is much harder than top 1% on online CTF sites, a good LiveCTF showing, or a hybrid human-AI team doing well; those broader scopes are more plausible than the actual one. Why No: DEF CON attack-defense demands simultaneous offense, defense, patching, adaptation, and strategy against elite teams, and the autonomy requirement removes the easiest path to incremental gains (human oversight). Also, strong human teams will themselves use AI tools, raising the bar. Why Yes: jumping from 8th to podium in two years is aggressive but not absurd given rapid model and scaffolding improvements, autonomous participation is already possible, and a single standout weekend from one well-funded team would be enough. In bet terms, I’m about indifferent at 23 cents YES versus 77 cents NO.

Importance rationale

This question tracks a leading indicator for autonomous offensive cyber capability reaching elite-human-competitive levels. The paper identifies HACCA (Hacking AI Capability) proliferation as a major risk pathway. An AI placing top 3 at DEF CON CTF finals — the most prestigious live hacking competition — would represent a clear threshold crossing for offensive AI capability, directly relevant to the paper's HACCA feasibility timeline. This would meaningfully update beliefs about the timeline for democratized nation-state-level cyber capabilities and change resource allocation for cyber defense.

Decomposition & Research Stage 6b 5 subquestions

Initial forecast: 23%Research-informed: 6% (-17pp)

Re-forecast rationale

## Probability Decomposition for AI-Only Team Finishing Top 3 at DEF CON CTF Finals (2026-2027) ### Critical Distinction: Hybrid vs. AI-Only Teams The question specifically requires an "autonomous AI agent or AI-only team." This is a crucial filter. At DEF CON 33 (August 2025), SRLabs' AI agent "Nils" competed as part of the "Friendly Maltese Citizens" team, which included at least one human SRLabs researcher ("I had the honor of competing...as a member of the Friendly Maltese Citizens"). This hybrid human-AI team placed 8th out of ~15-20 teams. A hybrid team would NOT satisfy the resolution criteria — only a purely autonomous/AI-only team counts. ### Factor 1: Will a purely AI-only team qualify for and enter DEF CON CTF finals? (~30-40% across both cycles) DEF CON 34 (2026): - The Benevolent Bureau of Birds (BBB) has qualifiers May 22-24, 2026. As of April 8, 2026, no rules have been published, and no explicit policy on AI-only teams exists. - No organization has publicly announced plans to enter an AI-only team at DEF CON 34 CTF. SRLabs, Tenzai ($75M seed), XBOW ($1B+ valuation), and RunSybil are all developing autonomous offensive AI, but none has announced DEF CON CTF entry plans. - Even if permitted, the AI-only team must first qualify through the jeopardy-style qualifier — achievable given Tenzai's top-1% jeopardy performance, but uncertain. - Probability of AI-only team in DC34 finals: ~20-25% DEF CON 35 (2027): - More time for development and organization. If an AI-only team enters DC34 (even without top-3), the precedent would encourage DC35 entries. - Probability of AI-only team in DC35 finals: ~30-40% ### Factor 2: Given entry, could an AI-only team finish top 3? (~8-15%) Technical hurdles of attack-defense format vs. jeopardy benchmarks: The gap between jeopardy-style CTF success and attack-defense competition is enormous: 1. SLA/Availability: Teams must patch binary services without breaking functionality. Binary patching (not source-code patching like AIxCC) is extremely brittle — "a single bug can kill a CRS entirely" (Team Atlanta's post-AIxCC analysis). Over-aggressive patches cost more points than leaving vulnerabilities unpatched. 2. Real-time multi-service orchestration: Teams manage ~8-10 simultaneous services, requiring coordinated offense and defense every 3-5 minute round over 3 days. No AI system has demonstrated this capability. 3. Binary reverse engineering at elite level: Claude solved 0 challenges at PlaidCTF (April 2025). DEF CON finals binaries are typically harder. Even with Claude Mythos Preview (April 2026), which shows breakthrough defensive capabilities, there's no evidence of autonomous attack-defense CTF readiness. 4. Adversarial real-time adaptation: Opponents evolve defenses, requiring exploit modification and strategic pivots — a capability no current AI has demonstrated in competition. 5. The Wiz Research finding (January 2026) that frontier AI agents degraded significantly in broad-scope, unguided scenarios is directly relevant — attack-defense CTFs are inherently broad-scope. The scoring gap: Nils (hybrid team, 8th place) scored ~70% of the winner's attack-defense points. Top-3 requires being within ~10-15% of the winner. This is a massive jump from 8th to top-3, and Nils had human assistance. - P(top-3 | entry, DC34 2026): ~5-8% - P(top-3 | entry, DC35 2027): ~10-18% (accounting for ~18 months more AI progress, including Mythos-class models) ### Combined Probability: - P(AI-only enters AND top-3, DC34): ~0.22 × 0.06 ≈ 1.3% - P(AI-only enters AND top-3, DC35): ~0.35 × 0.14 ≈ 4.9% - P(at least one across both cycles): ~1 - (1-0.013)(1-0.049) ≈ 6.1% ### Calibration Check (Betting Indifference): At 6%, would I pay 6 cents for a $1 payout if this happens? Yes — given the rapid pace of AI advancement and multiple well-funded teams, there's a real but small chance. Would I pay 10 cents? No — the technical hurdles of attack-defense format, the requirement for purely autonomous operation, the need to beat elite teams like MMM (9-time champions), and the lack of any confirmed entrants make this unlikely. Would I take 94 cents to bet against? Yes, comfortably. I'm roughly indifferent around 6%. ### Key uncertainties pushing probability up: - AI capabilities are advancing extremely rapidly (S-curve); Claude Mythos represents a potential step-change - Multiple organizations with >$100M in combined funding working on autonomous offensive AI - Two competition cycles provide two chances - Strong publicity incentive for AI companies to demonstrate capability ### Key uncertainties pushing probability down: - No confirmed AI-only team plans for either year - BBB rules unknown — could explicitly ban AI-only teams - Attack-defense format is qualitatively harder than any benchmark AI has mastered - Top human teams (MMM/PPP) have decades of experience and are improving too - The hybrid Nils team only managed 8th — a purely autonomous system would likely do worse - The gap from "top 1% on jeopardy platforms" to "top 3 at DEF CON finals" is enormous

SQ1: What was the detailed performance breakdown of SRLabs' AI agent "Nils" at the DEF CON 33 CTF finals in August 2025, and what specific capabilities gaps were identified between Nils and the top-finishing human teams?

Summary: At DEF CON 33 (August 8–10, 2025), SRLabs' autonomous AI agent "Nils" competed in the main CTF finals as part of the team "Friendly Maltese Citizens," placing 8th out of approximately 15–20 finalist teams. The competition was won by Maple Mallard Magistrates (CMU-affiliated) with a final score of 976,068, while the 2nd-place team scored 837,676 and SuperDiceCode placed 3rd with 541,693 points. Based on an intermediate attack-defense-only scoreboard posted by the organizers (Nautilus Institute), the top teams scored: MMM 4,419; SuperDiceCode 3,992; mhackeroni 3,956; Nu1L 3,792; Shellphish 3,494; KuK Hofhackerei 3,383; with 8th place at 3,077 points. This means Nils/Friendly Maltese Citizens scored roughly 70% of the winner's attack-defense points—a significant but not insurmountable gap. Nils participated in both the main attack-defense game and the LiveCTF component (a separate bracket-style challenge-solving competition), where it faced mhackeroni in the upper bracket. The SRLabs blog post confirms Nils ran attack-defense operations, participated in LiveCTF, and published exploits—demonstrating capability across offensive and defensive domains. However, I was unable to access the full SRLabs blog post due to repeated timeouts, so granular breakdowns of attack vs. defense scoring, the precise scoring trajectory over the multi-day event, and SRLabs' own detailed gap analysis could not be retrieved. The capability gap between Nils (8th) and the top-3 teams (MMM, 2nd place, SuperDiceCode) was substantial—the winner's final composite score was likely 2–3× Nils' score, suggesting major gaps in exploit development speed, challenge coverage, and possibly defensive patching consistency. The competition format required simultaneous offensive exploitation and defensive patching across multiple services over three days, a format that heavily rewards coordination, rapid adaptation, and deep binary analysis—areas where human teams with decades of CTF experience still held significant advantages.

Background: At DEF CON 33 (August 2025), SRLabs entered an autonomous AI agent called "Nils" into the main DEF CON CTF finals — the most prestigious live hacking competition in the world. Nils placed 8th out of approximately 15–20 finalist teams in an attack-defense format requiring simultaneous offensive and defensive operations over multiple days. The winner was the Maple Mallard Magistrates (affiliated with Carnegie Mellon University). Understanding the specific performance gaps — e.g., how Nils performed on attack vs. defense, on the LiveCTF component vs. the main attack-defense game, its scoring trajectory over time, and where it fell short compared to top-3 teams — is critical for estimating whether AI agents could close this gap within 1–2 years. Relevant sources include SRLabs' own blog post about the competition, DEF CON CTF scoreboard data, and any post-competition analysis from organizers or competitors.

Detailed research

## Detailed Findings ### Competition Overview DEF CON 33 CTF finals took place August 8–10, 2025, at the Las Vegas Convention Center, organized by Nautilus Institute. The format was attack-defense, requiring teams to simultaneously attack other teams' services while defending their own, supplemented by a LiveCTF bracket-style challenge-solving component. The competition ran over three days. ### Final Standings and Scores Two different scoreboards were identified from search results: Composite/Final Scores (from DEF CON CTF Archive page): 1. Maple Mallard Magistrates: 976,068 2. [Team name not visible in snippet]: 837,676 3. SuperDiceCode: 541,693 4. Nu1L: 496,550 5. RePokemonedCollections: [score not captured] Attack-Defense Scores (from Nautilus Institute Mastodon post): 1. Maple Mallard Magistrates: 4,419 2. SuperDiceCode: 3,992 3. mhackeroni: 3,956 4. Nu1L: 3,792 5. Shellphish: 3,494 6. KuK Hofhackerei: 3,383 7. organizers: 3,132 8. cold fusion: 3,077 The discrepancy between the two scoreboards (different rankings for 2nd/3rd place, different score magnitudes) suggests the composite final scores include LiveCTF bonuses and potentially other scoring components beyond the main attack-defense game. ### Nils/Friendly Maltese Citizens Performance - SRLabs' blog confirms Nils placed 8th overall, competing under the team name Friendly Maltese Citizens - The SRLabs blog snippet states: "Nils competed in the DEF CON 33 CTF finals, placing 8th while running attack-defense operations, participating in the LiveCTF, and publishing a [exploit/writeup]" - A separate SRLabs blog snippet also mentions: "I had the honor of competing in this year's DEF CON CTF finals as a member of the Friendly Maltese Citizens"—indicating the team included at least one human SRLabs researcher alongside the AI agent ### LiveCTF Component - From the LiveCTF GitHub repository (Live-CTF/LiveCTF-DEFCON33), Friendly Maltese Citizens participated in the LiveCTF bracket: "Upper Round 2: 7+8, Loki · mhackeroni vs Friendly Maltese" - The LiveCTF Day 2 YouTube video description mentions "AI Solve Discovery" at timestamp 4:15:58, suggesting an AI-driven solve was notable enough to be highlighted - A LinkedIn post references someone from a team using "a background AI agent [to] solve a LiveCTF challenge while that player was still working on it"—though this appears to reference a different team (pb_ctf x BlueWater) ### Capability Gaps vs. Top-3 Teams Based on the available scoreboard data: - MMM (1st): 976,068 final / 4,419 A-D - 2nd place: 837,676 final - 3rd (SuperDiceCode): 541,693 final / 3,992 A-D - Nils/FMC (8th): approximately 3,077 A-D score (if the "cold fusion" entry at 8th corresponds—though there's ambiguity here; FMC may not appear in the intermediate scoreboard under that name) The gap between 1st and 8th in A-D scoring alone was ~31% (4,419 vs ~3,077). In final composite scores, the gap was likely much larger—potentially 2-3x—because LiveCTF bonuses disproportionately rewarded stronger teams. Key capability gaps likely include: 1. Exploit development speed: Top human teams can rapidly reverse-engineer novel binaries and develop working exploits within minutes 2. Challenge coverage: Top teams solve a higher percentage of challenges across diverse categories 3. Defense/patching: Effective binary patching while maintaining service availability requires deep understanding 4. Adaptation over time: The multi-day format rewards teams that can adapt strategies based on evolving competition dynamics ### Scoring Trajectory Without access to the full SRLabs blog, the specific round-by-round or day-by-day scoring trajectory could not be determined. The competition ran over approximately 3 days (August 8–10), with multiple tick-based rounds in the attack-defense format. ### 39C3 Talk A 39C3 (Chaos Communication Congress, December 2025) talk titled "There is NO WAY we ended up getting..." was scheduled by a Friendly Maltese Citizens member, suggesting notable/surprising aspects of their DEF CON performance worth presenting. ### Important Caveats 1. The SRLabs blog post repeatedly timed out and could not be fully accessed, meaning the detailed attack vs. defense breakdown, scoring trajectory, and SRLabs' own gap analysis are not available in this report 2. Nils appears to have been part of a hybrid human-AI team (Friendly Maltese Citizens), not a purely autonomous AI team—the SRLabs blog author describes competing "as a member" of the team 3. The 8th-place identity is ambiguous between the two scoreboards—the Nautilus social post shows "cold fusion" at 8th, while SRLabs claims Nils/FMC placed 8th. These may be different scoring snapshots or the team may appear under different names 4. There may be additional teams below 8th that are not captured in the snippets

SQ2: What are the rules and format of the DEF CON 34 CTF (organized by the Benevolent Bureau of Birds for 2026), and are autonomous AI agents or AI-only teams permitted to qualify and compete in the finals?

Summary: The DEF CON 34 CTF (August 6–9, 2026) will be organized by the Benevolent Bureau of Birds (BBB), with online qualifiers scheduled for May 22–24, 2026. The BBB's official website is bbbirds.org, and they were interviewed on CTF Radiooo episode 025 (published March 18, 2026). As of April 8, 2026, the BBB has not yet published detailed rules for the DC34 CTF, including competition format, scoring system, number of finalists, or any explicit policy on whether autonomous AI agents or AI-only teams are permitted to qualify or compete in the finals. The qualifier is described as "online, open-registration" on CTFtime, suggesting broad eligibility, but no specific AI-related restrictions or permissions have been publicly announced. Historical precedent from DEF CON 33 (2025, organized by Nautilus Institute) saw SRLabs' autonomous AI agent "Nils" compete in the finals and place 8th, with roughly 8–10 finalist teams in an attack-and-defense format supplemented by LiveCTF challenges. DEF CON CTF has traditionally used an attack-and-defense format for its finals, but BBB may change this. The qualifiers have traditionally been Jeopardy-style. No information is yet available about whether BBB will continue these traditions or introduce new elements.

Background: The DEF CON CTF competition changes organizers periodically, and each organizer sets their own rules, format, and qualification criteria. For DEF CON 34 (August 6-9, 2026), the new organizers are the 'Benevolent Bureau of Birds' (BBB), with qualifiers scheduled for May 22-24, 2026. A key question is whether the BBB's rules permit autonomous AI agents or AI-only teams to enter and compete in the finals. Previous organizer the Nautilus Institute allowed SRLabs' AI agent 'Nils' to compete in 2025, but new organizers could change eligibility rules. Additionally, the specific competition format (attack-defense structure, number of finalists, scoring system, any new components) affects how well AI agents might perform. Sources to check include the BBB's official website (bbbirds.org), DEF CON official announcements, the CTF Radiooo podcast interview with BBB organizers, and CTFtime event pages.

Detailed research

1. Organizer and Timeline DEF CON announced the Benevolent Bureau of Birds (BBB) as the new DEF CON 34 CTF organizers in approximately March 2026. The announcement was posted across DEF CON's official channels (defcon.org, DEF CON Forum, Facebook, Instagram, Reddit). The qualifier round is scheduled for May 22–24, 2026, and finals will take place at DEF CON 34 in Las Vegas, August 6–9, 2026. The BBB's official website is https://bbbirds.org/. Key BBB members named in public announcements include Vie, Robert Xiao, Zaratec, and Bluepichu — several of whom are associated with Maple Bacon, a CTF team from the University of British Columbia. 2. BBB Official Communications - bbbirds.org: The site timed out during multiple fetch attempts and could not be queried. - CTF Radiooo Episode 025 ("Chatting with NEW DEF CON CTF Organizers: Benevolent Bureau of Birds"): Published March 18, 2026. The YouTube video and podcast page could not be directly queried for transcript content. From Google snippets, the episode features adamd and Zardus interviewing BBB members (Vie, Robert Xiao, Zaratec, Bluepichu) about their plans. No specific details about rules, AI policies, format, scoring, or number of finalists were extractable from the snippets. - DEF CON Forum post (forum.defcon.org/node/255475): Timed out. Google snippet indicates it is a welcome announcement with a link to bbbirds.org and qualifier dates, but no detailed rules. 3. Competition Format and Rules (Not Yet Published) As of April 8, 2026, extensive searching reveals NO publicly available detailed rules, format specification, scoring system, or finalist count for DC34 CTF under BBB. The qualifier is listed on CTFtime as "On-line, open-registration" with finals at DEF CON in August 2026, but no further details are provided. 4. AI Agent/Autonomous Team Eligibility No public statement from BBB has been found that explicitly permits or prohibits autonomous AI agents or AI-only teams from entering the qualification round or competing in the finals. The open-registration nature of the qualifier suggests that any team (including AI-driven ones) could potentially register, but this is not confirmed. 5. Historical Precedent: DEF CON 33 (2025) The Nautilus Institute organized DEF CON 33 CTF. SRLabs' AI agent "Nils" was permitted to compete and placed 8th in the finals. The competition used an attack-and-defense format with LiveCTF components. Approximately 8–10 teams competed in the finals. Google snippets from srlabs.de confirm: "Nils competed in the DEF CON 33 CTF finals, placing 8th while running attack-defense operations, participating in the LiveCTF..." The University of Hawaii article mentioned "top eight teams" for DEF CON 33 finals. Carnegie Mellon's PPP (Plaid Parliament of Pwning) won their fourth consecutive and ninth overall title. 6. Key Uncertainties - The BBB has not yet released detailed rules, so it is unknown whether they will follow the traditional attack-and-defense format, how many teams will qualify for finals, what the scoring system will be, or whether AI-only teams will be explicitly allowed or banned. - The qualifier being "open-registration" is suggestive but not definitive regarding AI team eligibility. - The BBB is a new organizer, and each organizer historically sets their own rules. The fact that Nautilus Institute allowed Nils does not necessarily mean BBB will do the same. - The CTF Radiooo interview may contain relevant details about format and rules, but the transcript was not accessible for analysis.

SQ3: How rapidly have AI agents improved at cybersecurity tasks (vulnerability discovery, exploitation, CTF challenges) between 2023 and early 2026, and what does the trajectory suggest about near-term capabilities?

Summary: AI agents have shown dramatic improvement in cybersecurity CTF tasks between 2023 and early 2026, but progress has been uneven—rapid on narrow, jeopardy-style challenges while much slower on complex, real-time attack-defense scenarios. Key milestones include: (1) On the NYU CTF Bench (published 2024-2025), top models like Claude 3 solved only ~5.77% of CSAW CTF challenges from 2017-2023, though Claude 3 outperformed the median human in the 2022 CSAW finals NYU CTF Bench: A Scalable Open-Source Benchmark ...; (2) InterCode-CTF, a high-school-level benchmark, was effectively "saturated" by December 2024 when Palisade Research achieved 95% with plain LLM agents; (3) On Cybench (August 2024), professional-level CTF tasks saw GPT-4o achieve only ~12.5% unguided solve rate and ~29.4% with subtask guidance; (4) DARPA's AIxCC finals (August 8, 2025) saw AI systems collectively identify 54 of 63 synthetic vulnerabilities and patch 43, with Team Atlanta winning first place; (5) In the 2025 HTB "AI vs Human" CTF, 5 of 8 AI teams solved 19/20 challenges (95%), outperforming 403 human teams; (6) The CAI agent conquered 5 major jeopardy CTF competitions in 2025, winning $50K at Neurogrid with a 91% solve rate; (7) Wiz Research (January 29, 2026) found that Claude Sonnet 4.5, GPT-5, and Gemini 2.5 Pro solved 9/10 CTF challenges in narrow scope but degraded significantly in broad, unguided scenarios AI Agents vs Humans: Who Wins at Web Hacking in 2026?; (8) Tenzai (March 17, 2026) claimed its AI hacker ranked in the top 1% across six CTF platforms, outperforming 125,000+ human competitors. The improvement trajectory appears S-curve-like rather than simply linear or exponential: entry-level benchmarks saturated quickly, mid-tier jeopardy challenges saw rapid gains through 2025, but professional-level and attack-defense scenarios show much slower progress. The gap between solving individual jeopardy challenges and competing in real-time attack-defense CTFs (like DEF CON CTF finals) remains substantial, though it is narrowing at the jeopardy end while remaining wide at the attack-defense end.

Background: To forecast whether an AI agent could finish top-3 at the DEF CON CTF finals by 2027, it's important to understand the rate of improvement in AI cybersecurity capabilities. Key data points include: (1) AI performance on CTF benchmarks like NYU's CSAW CTF competitions comparing AI vs. human performance across years; (2) Results from DARPA's AI Cyber Challenge (AIxCC), which ran 2023-2025 focused on automated vulnerability finding and patching; (3) Wiz Research's January 2026 finding that leading AI agents (Claude, GPT-5, Gemini 2.5 Pro) solved 9/10 CTF challenges in narrow scope but struggled with broad multi-step tasks; (4) Tenzai's March 2026 claim of top-1% ranking across six CTF platforms; (5) Academic benchmarks like CyberBench, InterCode-CTF, and others tracking AI progress on cybersecurity tasks over time. The question is whether improvement is linear, exponential, or hitting diminishing returns, and specifically whether the gap between 'solving individual challenges' and 'competing in real-time attack-defense' is narrowing.

Detailed research

## Trajectory of AI Agent Improvement in Cybersecurity Tasks (2023–Early 2026) ### 1. Academic Benchmarks: Establishing Baselines (2023–2024) InterCode-CTF (2023–2024): InterCode-CTF, introduced at NeurIPS 2023, contains 100 CTF tasks from picoCTF—a competition aimed at high-school-level participants. Early LLM performance was modest, but by December 2024, Palisade Research published results showing 95% solve rates with plain LLM agent designs. This benchmark is now widely considered "saturated," meaning it no longer differentiates between frontier AI capabilities. The rapid saturation of this entry-level benchmark demonstrates how quickly AI agents can master well-characterized, lower-difficulty challenges. NYU CTF Bench (2024–2025): The NYU CTF Bench, based on 200 challenges from CSAW competitions spanning 2017–2023, provides a more challenging evaluation NYU CTF Bench: A Scalable Open-Source Benchmark .... Results published in the paper (arXiv v3: February 18, 2025) showed: - Claude 3: ~5.77% solve rate across all challenges - GPT-3.5: ~1.92% solve rate - GPT-4: Scored 300 in 2023 CSAW qualifiers - Mixtral and LLaMA: 0% solve rate - Claude 3 achieved a score of 1500 in the 2022 CSAW finals, outperforming the median human score of 1321 - Open-source models completely failed NYU CTF Bench: A Scalable Open-Source Benchmark ... This benchmark revealed that while some frontier models could match or exceed median human performance on specific competition subsets, overall success rates remained low, particularly on complex multi-step challenges. Cybench (August 2024): Stanford's Cybench introduced 40 professional-level CTF tasks from recent competitions (2022–2024). Results from the original paper showed: - GPT-4o: ~12.5% unguided solve rate; 29.4% with subtask guidance - Claude 3.5 Sonnet: Comparable unguided performance (solved at least one task unguided) - Claude 3 Opus: Also solved at least one unguided task - These low solve rates on professional-level challenges contrast sharply with the saturation of InterCode-CTF As of early 2026, the Cybench leaderboard shows Grok-4.1 Thinking leading with a score of 0.390 (39%), indicating continued but incremental improvement on professional-level tasks. ### 2. DARPA AI Cyber Challenge (AIxCC): 2023–2025 DARPA's AIxCC was a two-year, multi-million-dollar competition focused on autonomous vulnerability discovery and patching in open-source software. Key milestones: - 2023: Competition launched, attracting 42 teams - August 2024 (DEF CON 32): Semifinals held; 7 teams advanced to finals - August 8, 2025 (DEF CON 33): Finals held - Winner: Team Atlanta (Georgia Tech/Samsung) — $4M prize - 2nd Place: Trail of Bits ("Buttercup") — $3M prize - 3rd Place: Theori - Competition included 63 synthetic vulnerabilities - Competitors' cyber reasoning systems (CRSs) collectively identified 54 vulnerabilities and patched 43 - Trail of Bits reported finding 28 vulnerabilities and patching 19 AIxCC demonstrated that AI systems can perform meaningful autonomous vulnerability discovery and patching at scale, but the task was specifically scoped to source-code-level analysis of open-source projects—a narrower task than full CTF competition. ### 3. 2025 CTF Circuit: AI Agents Begin Competing Directly Hack The Box "AI vs Human" CTF (2025): In a landmark event, AI agent teams competed directly against human teams: - 5 of 8 AI agent teams solved 19 out of 20 challenges (95% solve rate) - They competed against 403 human teams - The CAI agent (from Alias Robotics/Cybersecurity AI) achieved its final flag 30 minutes before the next AI team CAI's 2025 CTF Circuit Performance: The CAI agent systematically competed in 5 major jeopardy-style CTF competitions throughout 2025: - Won $50K at the Neurogrid CTF with a 91% solve rate - Demonstrated 98% cost reduction compared to human teams - Led researchers to argue that "jeopardy-style CTFs may be obsolete" as meaningful benchmarks for AI CSAW 2025: Research published in early 2026 compared autonomous agent performance against human teams in the 2025 CSAW competition, observing differences across autonomy levels and challenge categories. ### 4. Wiz Research Study (January 29, 2026) Wiz Research, in collaboration with the AI security lab Irregular, tested Claude Sonnet 4.5, GPT-5, and Gemini 2.5 Pro on 10 lab environments modeled after real-world vulnerabilities AI Agents vs Humans: Who Wins at Web Hacking in 2026?: - Narrow scope (specific target given): Agents solved 9 of 10 challenges; costs often under $1 per success - Broad scope (no specific target): Performance degraded significantly; costs increased 2–2.5x; agents struggled to prioritize targets and spread efforts haphazardly - Key failure mode: Agents failed to use standard fuzzing tools unless prompted, couldn't pivot strategies when initial approaches failed - The unsolved challenge (GitHub Secrets) required creative investigative pivoting that agents couldn't perform - Study concluded AI agents are highly effective at executing known attack patterns but lack strategic adaptability for complex, unguided offensive operations AI Agents vs Humans: Who Wins at Web Hacking in 2026? ### 5. Tenzai Claim (March 17, 2026) Israeli startup Tenzai announced on March 17, 2026 that its autonomous AI hacker: - Achieved top 1% performance across six major CTF platforms - Outperformed over 125,000 human competitors - Was described as "the first autonomous system to rank in the top 1% of global hacking competitions" - Covered competitions "designed for humans" ### 6. Analysis: Improvement Trajectory The trajectory is best characterized as S-curve-like with domain-dependent saturation points: Entry-level tasks (InterCode-CTF): Rapid improvement → saturation at 95% by late 2024. Effectively solved. Mid-tier jeopardy challenges (HTB, standard CTFs): Steep improvement through 2025. AI agents went from struggling with basic challenges to achieving 91-95% solve rates and top-1% rankings by early 2026. Professional-level jeopardy tasks (Cybench): Slower improvement. From ~12.5% unguided (mid-2024) to ~39% (early 2026), suggesting continued but more modest gains. Real-world vulnerability discovery (AIxCC): AI systems demonstrated meaningful but imperfect capability—finding ~86% (54/63) of synthetic vulnerabilities and patching ~68% (43/63). Broad, unguided offensive operations: Still significantly limited as of January 2026, with degraded performance when agents must independently identify and prioritize targets AI Agents vs Humans: Who Wins at Web Hacking in 2026?. ### 7. The Jeopardy vs. Attack-Defense Gap Narrowing at the jeopardy end: AI agents have essentially caught up with or surpassed many human competitors on jeopardy-style CTFs by early 2026. The CAI team's 2025 performance and Tenzai's top-1% claims confirm this. Still wide at the attack-defense end: The DEF CON CTF finals use an attack-defense format requiring: - Simultaneous offensive and defensive operations - Real-time adaptation to opponent strategies - Service patching that maintains functionality - Network traffic analysis and exploit development under time pressure - Coordination of multiple concurrent tasks A 2026 paper by Vilches et al. ("Evaluating Agentic Cybersecurity in Attack/Defense CTFs") represents the first empirical study of autonomous AI agents in A/D CTF scenarios, studying AI agents competing concurrently in offensive and defensive roles. This suggests the field is only beginning to formally evaluate this gap. The Wiz Research finding that AI agents struggle with broad-scope, unguided operations AI Agents vs Humans: Who Wins at Web Hacking in 2026? is particularly relevant—attack-defense CTFs are inherently broad-scope, requiring agents to simultaneously monitor, attack, and defend multiple services without explicit targeting guidance. Summary of the gap: While the gap is clearly narrowing for isolated challenge-solving (jeopardy), the gap for real-time, multi-service, adversarial attack-defense competition (as in DEF CON CTF finals) remains substantial. The improvement from "can't solve basic CTF challenges" to "top 1% in jeopardy CTFs" took roughly 2 years (2023–2025), but the remaining jump to "competitive in DEF CON CTF finals" requires solving qualitatively different problems in real-time coordination, strategic adaptation, and simultaneous offense/defense.

SQ4: What are the specific technical requirements of a DEF CON CTF attack-defense finals competition that make it qualitatively different from jeopardy-style CTF challenges, and which of these requirements pose the greatest challenges for current autonomous AI systems?

Summary: The DEF CON CTF finals use an attack-defense format that is qualitatively different from jeopardy-style CTFs in several critical ways, and current autonomous AI systems face significant challenges with many of these requirements. In jeopardy-style CTFs, teams solve isolated, static challenges across categories (crypto, pwn, web, reverse engineering) at their own pace with no adversarial interaction. In attack-defense, ~12-20 teams simultaneously defend their own vulnerable services while attacking identical services on opponents' machines, with rounds typically lasting minutes. This creates six intertwined sub-tasks: (1) reverse-engineering unknown binary services under time pressure, (2) finding vulnerabilities, (3) writing reliable exploits that work across many targets, (4) patching services without breaking functionality (SLA/availability checks), (5) real-time strategic adaptation as opponents evolve defenses and new services are released, and (6) managing infrastructure, network traffic analysis, and automated exploit deployment across many services at once. The greatest challenges for current AI systems are: real-time multi-service strategic orchestration (no AI system has demonstrated the ability to simultaneously manage offense and defense across ~8-10 services with adversarial opponents adapting in real time); binary reverse engineering at competition scale (as of April 2025, Claude could not solve any challenges at PlaidCTF, a top jeopardy-style competition, and DEF CON finals binaries are typically harder); robust patching under SLA constraints (patching a binary without breaking its expected functionality requires deep understanding of both the vulnerability and the service logic—AIxCC showed progress on source-code patching but not on stripped binary patching); and adversarial real-time adaptation (responding to opponents' evolving exploits and defenses requires monitoring network traffic, identifying attack patterns, and dynamically adjusting strategy—a capability no current AI has demonstrated). While AI has shown strong performance on easier jeopardy-style challenges (e.g., Claude achieved top 3% at PicoCTF, and AI agents solved 19/20 in Hack The Box's AI vs. Human CTF in July 2025), this performance does not transfer to the attack-defense finals setting, which demands continuous real-time adversarial interaction, simultaneous offense-defense balancing, and infrastructure-level automation over a multi-day competition.

Background: The DEF CON CTF finals use an attack-defense format that is fundamentally different from the jeopardy-style challenges found on most online CTF platforms. In attack-defense, approximately 15-20 teams simultaneously: (1) reverse-engineer unknown binary services deployed at the start of each round; (2) find vulnerabilities in those services; (3) write exploits to steal flags from other teams' instances of those services; (4) patch their own services to prevent opponents from exploiting the same vulnerabilities, without breaking service functionality (which would lose SLA/availability points); (5) adapt strategies in real-time as new services are released and opponents' defenses evolve; (6) manage infrastructure, network traffic analysis, and automated exploit deployment across many services simultaneously. Additionally, the LiveCTF component may involve solving jeopardy-style challenges in a timed head-to-head format. Understanding which of these specific sub-tasks are hardest for current AI — e.g., real-time adaptation, binary reverse engineering at scale, balancing offense and defense simultaneously, or strategic decision-making — helps assess whether AI agents can close the gap to top-3 performance.

Detailed research

## Qualitative Differences: Attack-Defense Finals vs. Jeopardy-Style CTF ### Jeopardy-Style Format In jeopardy-style CTFs (used in most online CTF platforms and in DEF CON qualifiers), teams are presented with a set of standalone challenges across categories such as cryptography, reverse engineering, binary exploitation (pwn), web, forensics, and miscellaneous. Each challenge has a single flag to capture. Teams work at their own pace, challenges are static (they don't change based on opponents' actions), and there is no adversarial interaction between teams. Success is purely a function of how many challenges a team can solve within the allotted time. ### Attack-Defense Format (DEF CON CTF Finals) The DEF CON CTF finals, organized by Nautilus Institute (as of 2024-2025), use an attack-defense format where approximately 12 teams (per the 2025 rules) compete simultaneously. According to the 2025 DEF CON CTF finals format, the competition is described as "a reverse engineering and exploitation competition first and foremost." Key structural differences include: 1. Simultaneous offense and defense: Each team runs identical copies of vulnerable services on their own infrastructure. Teams must simultaneously attack other teams' services to steal flags AND defend their own services by patching vulnerabilities. 2. Round-based scoring: The game proceeds in timed rounds (typically 3-5 minutes each). Each round, new flags are planted in services, and teams earn attack points by stealing flags from opponents and defense points by preventing flag theft from their own services. 3. SLA/Availability requirements: Teams must keep their services running and functional. If a patch breaks the service's expected functionality, the team loses availability/SLA points. This creates a critical constraint: patches must fix the vulnerability without altering legitimate behavior. 4. Dynamic, adversarial environment: Unlike static jeopardy challenges, the competition environment evolves continuously. Opponents adapt their defenses, new services are released during the competition, and teams must monitor network traffic to detect and respond to attacks. 5. Scale of simultaneous services: Teams must manage ~8-10 or more services simultaneously over the multi-day competition, requiring significant infrastructure automation. 6. LiveCTF component: Since DEF CON 30 (2022), a LiveCTF component features 1v1 head-to-head matches where individual players solve jeopardy-style challenges in a timed format, adding another dimension to scoring. ## Analysis of Six Sub-Tasks and AI Capability ### 1. Reverse-Engineering Unknown Binary Services Requirement: At the start of each round or when new services are deployed, teams receive compiled binary executables (often stripped of symbols, possibly obfuscated) that they must quickly reverse-engineer to understand functionality, identify vulnerabilities, and determine how to exploit and patch them. AI capability status: As of April 2025, Claude (Anthropic's frontier model) could not solve any challenges at PlaidCTF, a top-tier jeopardy-style competition featuring binary exploitation and reverse engineering challenges. While AI agents have shown capability on easier reverse engineering tasks (e.g., Claude achieved top 3% in PicoCTF, a student-level competition), DEF CON finals binaries are significantly more complex—often custom-designed, using unusual architectures, and requiring deep understanding of low-level systems concepts. The gap between student-level reverse engineering and DEF CON finals-level binary analysis remains enormous for AI systems. Challenge level for AI: HIGH. Binary reverse engineering requires spatial reasoning about code structure, understanding of assembly language semantics, and the ability to form and test hypotheses about program behavior—capabilities where current AI agents show inconsistent performance, especially at scale and under time pressure. ### 2. Finding Vulnerabilities Requirement: After reverse-engineering services, teams must identify exploitable vulnerabilities (buffer overflows, format string bugs, use-after-free, logic errors, cryptographic weaknesses, etc.). AI capability status: DARPA's AIxCC competition (finals August 8, 2025) demonstrated that autonomous Cyber Reasoning Systems (CRS) can find vulnerabilities in source code. Team Atlanta's CRS won first place, demonstrating AI-driven vulnerability detection across 54 million lines of code in C++ and Java source code. However, AIxCC operated on source code, not stripped binaries. The DEF CON CTF finals typically involve compiled binaries where vulnerability discovery is significantly harder. Challenge level for AI: MEDIUM-HIGH. AI has shown promising results for source-code vulnerability detection, but binary-level vulnerability discovery (the DEF CON CTF requirement) remains substantially more difficult. Traditional fuzzing and symbolic execution tools can partially automate this, but integrating these with AI reasoning in real-time competition conditions is an unsolved challenge. ### 3. Writing Exploits Requirement: Teams must write working exploits that reliably steal flags from multiple opponents' service instances. Exploits must account for potential differences in memory layout (ASLR), deployed patches, and network conditions. AI capability status: AI agents have demonstrated basic exploit writing capability on CTF challenges. In the Hack The Box AI vs. Human CTF (July 2025), five of eight AI-agent teams solved 19 out of 20 challenges, including binary exploitation. However, these were pre-designed challenges with known solution paths. Writing reliable exploits that work across multiple targets in a live, adversarial environment with varying defenses is a qualitatively harder task. The need to modify exploits on-the-fly when opponents patch vulnerabilities adds another layer of difficulty. Challenge level for AI: HIGH. Exploit development for competition-grade binaries requires creative problem-solving, deep understanding of memory corruption primitives, and the ability to chain multiple vulnerabilities. The additional requirement of reliability across multiple targets and adaptation to patched services makes this especially challenging. ### 4. Patching/SLA Management Requirement: Teams must patch their own service binaries to fix vulnerabilities while preserving all legitimate functionality. If a patch breaks the service (fails SLA checks), the team loses points. This requires precise understanding of both the vulnerability and the service's intended behavior. AI capability status: AIxCC demonstrated AI-driven patching of source code vulnerabilities. Team Atlanta's system could autonomously generate patches. However, DEF CON CTF finals require binary patching—modifying compiled executables without access to source code. Binary patching is significantly harder: teams must modify machine code directly, often with tight space constraints, while ensuring the binary passes functionality checks. As Team Atlanta noted in their post-competition analysis, "a single bug can kill a CRS entirely. The autonomous system is that brittle." Challenge level for AI: VERY HIGH. Binary patching without breaking functionality is one of the hardest sub-tasks for AI. It requires: (a) correct identification of the vulnerability at the binary level, (b) generation of a correct fix in machine code, (c) verification that the fix doesn't break legitimate behavior, and (d) all of this under time pressure. The SLA constraint makes this especially punishing—an overly aggressive patch that breaks functionality costs the team more than leaving the vulnerability unpatched. ### 5. Real-Time Strategy Adaptation Requirement: Teams must continuously adapt their strategy as new services are released, opponents deploy new exploits, and the competitive landscape shifts. This includes deciding which services to prioritize for offense vs. defense, when to invest resources in new exploits vs. refining existing ones, and how to respond to detected attacks. AI capability status: No current AI system has demonstrated the ability to make real-time strategic decisions in a multi-service, multi-opponent competitive environment. This is fundamentally a multi-agent, multi-objective optimization problem with incomplete information—a domain where AI capabilities are still nascent. The 2016 DARPA Cyber Grand Challenge (CGC) at DEF CON 24 showed that autonomous systems could compete in a simplified attack-defense format, but those systems operated in a highly constrained environment (standard binary format, limited service complexity) and finished last when competing against human teams in the main DEF CON CTF. Challenge level for AI: VERY HIGH. This requires meta-reasoning about competition dynamics, opponent modeling, resource allocation under uncertainty, and the ability to pivot strategies rapidly. It is arguably the most uniquely challenging aspect of attack-defense CTF for AI, as it requires integrating information across all other sub-tasks and making holistic decisions. ### 6. Infrastructure and Traffic Management Requirement: Teams must manage their competition infrastructure (game servers, exploit deployment systems, traffic capture and analysis, automated flag submission), monitor network traffic to detect incoming attacks and reverse-engineer opponents' exploits, and deploy their own exploits automatically across all opponent targets every round. AI capability status: While components of this can be automated with traditional scripting and tooling (and human teams do extensively automate this), the AI-specific challenge is in the traffic analysis component—automatically identifying novel exploit patterns in network captures and converting observed attacks into defensive patches or counter-exploits. No current AI system has demonstrated this capability in a live competition setting. Challenge level for AI: MEDIUM-HIGH. Much of the infrastructure management can be handled by pre-built tooling rather than requiring AI reasoning. However, the traffic analysis, automated exploit detection, and dynamic infrastructure reconfiguration components require AI capabilities that haven't been demonstrated at competition scale. ## Key Evidence Points with Dates - August 8, 2025: DARPA AIxCC finals at DEF CON 33. Team Atlanta won first place with autonomous CRS for source-code vulnerability finding and patching across 54 million lines of code. This demonstrated AI capability for source-code analysis but not binary-level analysis required by DEF CON CTF. - August 2025: Carnegie Mellon's PPP won their fourth consecutive (and ninth overall) DEF CON CTF title, demonstrating that human teams continue to dominate the competition. - August 2025: At DEF CON 33, Claude competed in LiveCTF at the DEF CON CTF finals (referenced in YouTube video descriptions showing "AI Solve Discovery" during Day 2 of LiveCTF). - August 5, 2025: Axios reported that Claude had been "quietly beating human hackers" in student-level competitions, but Anthropic's own transparency page noted Claude achieved top 3% in PicoCTF (student competition), solved 19/20 in Hack The Box's AI vs. Human CTF, but scored only 15/30 in the Airbnb CTF and failed to solve any challenges at PlaidCTF (April 4, 2025). - April 4, 2025: Claude attempted PlaidCTF, a challenging jeopardy-style competition, and could not solve any challenges, demonstrating the gap between AI capability on easy-to-medium challenges and top-tier competition challenges. - July 2025: In Hack The Box's AI vs. Human MCP Tryout CTF, five of eight AI-agent teams solved 19/20 challenges, competing against 403 human teams. However, these were retired challenges of mixed difficulty, not at DEF CON finals level. ## Greatest Challenges Summary The requirements that pose the greatest challenges for current autonomous AI systems are: 1. Real-time multi-service strategic orchestration: No AI has demonstrated the ability to simultaneously manage offense and defense across many services with adversarial opponents adapting in real time. 2. Binary-level patching under SLA constraints: Modifying compiled binaries without source code while preserving functionality is extremely brittle and error-prone for AI. 3. Adversarial real-time adaptation: Responding to opponents' evolving exploits and defenses requires a feedback loop of traffic analysis, attack identification, and dynamic response that no current AI system can execute. 4. Competition-grade binary reverse engineering: While AI can handle simpler reverse engineering tasks, the custom, complex, often obfuscated binaries used in DEF CON CTF finals remain beyond current AI capability, as evidenced by Claude's failure at PlaidCTF. The combination of all six sub-tasks occurring simultaneously, under time pressure, in an adversarial environment, makes attack-defense CTF qualitatively harder than jeopardy-style CTF for AI systems. Even if an AI could solve individual sub-tasks in isolation, the integration challenge—managing all tasks concurrently with strategic coherence—represents an additional, compounding difficulty.

SQ5: Which organizations or teams are currently developing autonomous AI agents specifically aimed at competing in live CTF competitions, and what are their stated goals, timelines, and recent results as of early 2026?

Summary: As of early April 2026, several organizations are actively developing autonomous AI agents for CTF competitions, though none has yet demonstrated top-3 capability at DEF CON CTF finals: 1. SRLabs ("Nils"): SRLabs entered their autonomous AI agent "Nils" at the DEF CON 33 CTF finals in August 2025, placing 8th overall while running attack-defense operations and participating in LiveCTF. This was the first known fully autonomous AI team to compete in the DEF CON CTF finals. SRLabs is a Berlin-based security research lab. While no public confirmation of plans for DEF CON 34 (August 6–9, 2026) has been found, their investment in this space suggests continued development. 2. Tenzai: An Israeli startup founded in 2025 by former intelligence agency cyber executives. In March 2026, Tenzai announced its AI hacker achieved top-1% performance across six major CTF platforms, outperforming 125,000+ human competitors. It raised a $75 million seed round at a $330 million valuation within six months of founding. Their stated goal is enterprise penetration testing, but the CTF results demonstrate offensive capability. No specific DEF CON CTF entry plans have been publicly announced. 3. Team Atlanta (DARPA AIxCC successor): Won DARPA's AI Cyber Challenge in August 2025, earning the $4 million first prize. Led by Professor Taesoo Kim at Georgia Tech, Team Atlanta donated $2 million (50% of prize) to Georgia Tech's SSLab for ongoing autonomous cybersecurity research. Their system focused on defensive tasks (vulnerability detection and patching), not offensive CTF. The team published a "SoK" paper on AIxCC in February 2026. There is no public indication they are pivoting to offensive DEF CON CTF competition. 4. XBOW: Raised $120 million in Series C funding (valued over $1 billion) as of March 2026 to scale its autonomous hacking platform. XBOW became the #1 ranked autonomous penetration tester on HackerOne's global leaderboard in 2025, outperforming human hackers. Their focus is commercial penetration testing rather than CTF competition per se. 5. RunSybil: Co-founded by Ariel Herbert-Voss (formerly OpenAI's first research scientist), RunSybil is an automated offensive security company that received fresh funding in early 2026. It appeared in a DEF CON/MCSC 2026 panel discussion on "State of Art of AI Offence and Defence." No specific DEF CON CTF competition plans have been announced. 6. Cybersecurity AI (CAI) by Alias Robotics: An open-source framework that placed first among AI teams in Hack The Box's "AI vs Human" CTF challenge and achieved top-20 worldwide (all participants). It was 11x faster than humans overall across 54 benchmark exercises but struggled with "pwn" and "crypto" categories. Published as a 2026 paper [[PDF] Cybersecurity AI (CAI): An open framework for AI Security](https://pinzger.github.io/papers/Vilches2026-CAI.pdf). 7. Major AI Labs: Anthropic's "Claude Mythos Preview" model (announced April 7, 2026) represents a significant step-change in cybersecurity capabilities, with the ability to surface previously unknown vulnerabilities in production codebases. However, standard Claude models solved zero challenges at both PlaidCTF and the DEF CON Qualifier as of 2025. OpenAI and Google DeepMind have invested in AI cybersecurity (Google ran AI-centric CTFs at DEF CON 33 in September 2025) but none have announced autonomous CTF competition entries. 8. Academic Teams: NYU Tandon developed "EnIGMA," an AI framework for solving cybersecurity challenges autonomously. Georgia Tech continues research through SSLab with Team Atlanta's donation. The arxiv paper on "Scalable Agentic CTF Design" (March 2026) studied autonomous AI performance in educational CTFs. Key context: DEF CON 34 CTF qualifier is scheduled for May 22–24, 2026, with finals at DEF CON 34 on August 6–9, 2026 in Las Vegas. The 2026 International AI Safety Report noted that AI agents placed in cybersecurity competitions in 2025 but concluded that fully autonomous attacks are not yet possible at the highest tier. Current AI agents excel at easier and medium-difficulty challenges but struggle with the novel, elite-level exploitation required at DEF CON CTF finals.

Background: To forecast whether an AI agent will finish top-3 at DEF CON CTF finals by end of 2027, it's important to know who is actively building toward this goal. Known efforts include: (1) SRLabs, which entered 'Nils' at DEF CON 33 in 2025 (placing 8th) — are they continuing development and planning to compete again?; (2) Tenzai, an Israeli startup that in March 2026 claimed top-1% rankings on six CTF platforms — do they plan to enter DEF CON CTF?; (3) Any successors to the DARPA AIxCC teams (Team Atlanta won the $4M prize in 2025) that might be pivoting toward offensive CTF competition; (4) Major AI labs (OpenAI, Anthropic, Google DeepMind) or cybersecurity firms investing in autonomous CTF agents; (5) Academic teams developing CTF-playing AI systems. Understanding the competitive landscape of AI CTF agents — their funding, team sizes, technical approaches, and stated ambitions — helps assess how much effort is being directed at this specific challenge.

Detailed research

Landscape of Autonomous AI CTF Agents (as of April 2026) The competitive landscape for autonomous AI CTF agents has expanded significantly between 2025 and early 2026, with multiple well-funded organizations and academic teams developing systems. Below is a comprehensive breakdown: --- SRLabs / Nils - Background: SRLabs is a Berlin-based security research lab that developed "Nils," the first known fully autonomous AI team to compete in DEF CON CTF finals. - Results (August 2025): Nils placed 8th at DEF CON 33 CTF finals, participating in both attack-defense operations and LiveCTF. - Current status: No public announcement has been found confirming plans for DEF CON 34 (August 2026). Their blog post documents their DEF CON 33 experience but does not explicitly state future competition plans. - Assessment: Given their pioneering effort and the publicity gained, continued participation seems likely but is unconfirmed. --- Tenzai - Background: Israeli startup founded in 2025 by former intelligence agency cybersecurity executives. - Funding (by March 2026): $75 million seed round at a $330 million valuation, raised within six months of founding. - Results (March 2026): Announced top-1% performance across six major CTF platforms designed for humans, outperforming 125,000+ human competitors. This was widely reported in Forbes and Yahoo Finance on March 17, 2026. - Goals: Stated focus is on enterprise security (autonomous penetration testing), with CTF results serving as validation of capability. - DEF CON plans: No specific announcement about entering DEF CON CTF has been found. --- Team Atlanta (DARPA AIxCC) - Background: Won DARPA's AI Cyber Challenge in August 2025 ($4M first prize), led by Professor Taesoo Kim at Georgia Tech. - Post-AIxCC (as of February 2026): Published SoK paper on AIxCC. Donated $2M to Georgia Tech's SSLab for ongoing autonomous cybersecurity research. - Focus: Their CRS (Cyber Reasoning System) was designed for defensive tasks—vulnerability detection and patching in open-source software. This is fundamentally different from the offensive exploitation required in DEF CON CTF. - Pivot to offensive CTF: No evidence of such a pivot. Taesoo Kim's team has historical DEF CON CTF experience (DEFKOR00T won DEF CON CTF 2018), but the AIxCC work was defense-oriented. --- XBOW - Funding (March 2026): Raised $120M Series C, valued over $1B. - Results: Became #1 ranked autonomous penetration tester on HackerOne's global leaderboard in 2025. Ran 1,060+ autonomous attacks as documented in their blog. - Focus: Commercial penetration testing product, not CTF competition specifically. --- RunSybil - Background: Automated offensive security company co-founded by Ariel Herbert-Voss (ex-OpenAI first research scientist). - Status (2026): Received fresh funding, expanding platform and hiring. Featured in DEF CON/MCSC 2026 panel on AI offense/defense. - DEF CON CTF: No announced plans to compete. --- CAI (Cybersecurity AI) by Alias Robotics - Results: First place among AI teams in Hack The Box's "AI vs Human" CTF; top-20 worldwide overall. 11x faster than humans across 54 exercises, but underperformed in "pwn" (0.77x) and "crypto" (0.47x) categories [[PDF] Cybersecurity AI (CAI): An open framework for AI Security](https://pinzger.github.io/papers/Vilches2026-CAI.pdf). - Framework: Open-source, agent-centric architecture supporting multiple LLMs. Claude-3.7-sonnet was top performer, solving 19/23 selected challenges [[PDF] Cybersecurity AI (CAI): An open framework for AI Security](https://pinzger.github.io/papers/Vilches2026-CAI.pdf). - Limitation: Struggles with harder challenge categories that are the bread-and-butter of DEF CON CTF finals. --- Major AI Labs - Anthropic: Claude Mythos Preview announced April 7, 2026, described as a "step change" in cybersecurity capabilities. However, standard Claude models solved zero challenges at PlaidCTF and DEF CON Qualifier (elite competitions requiring novel exploitation), as widely noted on LinkedIn in early 2026. Mythos is being shared with ~50 companies for defensive use, not for CTF competition. - OpenAI: No specific autonomous CTF agent development announced. General cybersecurity capabilities improving with each model generation. - Google DeepMind: Google ran AI-centric CTFs at DEF CON 33 AI Village (September 2025 blog post) focused on education/adoption rather than competition. - None of the major AI labs have announced plans to enter an autonomous agent in DEF CON CTF. --- Academic Teams - NYU Tandon: Developed "EnIGMA" framework for autonomous cybersecurity challenge solving. - Georgia Tech SSLab: Receiving $2M from Team Atlanta's prize for continued autonomous security research. - Various universities: The March 2026 arxiv paper on "Scalable Agentic CTF Design" studied autonomous AI performance in educational CTF settings, noting limitations at higher difficulty levels. --- Key Structural Factors - DEF CON 34 CTF timeline: Qualifier May 22–24, 2026; Finals August 6–9, 2026 in Las Vegas. - Current AI limitations at elite CTF: The 2026 International AI Safety Report and multiple sources note that while AI agents perform well on standard/medium CTF challenges, they struggle with the novel, multi-step exploitation chains required at elite competitions like DEF CON CTF finals. - Gap between benchmarks and live competition: Tenzai's top-1% on static CTF platforms and XBOW's #1 on HackerOne are impressive, but DEF CON CTF finals involve real-time attack-defense dynamics, novel challenges, and time pressure that current systems handle poorly—as evidenced by Nils's 8th place finish (out of ~20 teams) at DEF CON 33.

Part 10
10% Title:** Will the November 2026 CCW Seventh Review Conference adopt any decision on autonomous weapons systems (LAWS) that goes beyond merely extending or renewing the Group of Governmental Experts REVISED ITNSSS65 Imp75
Quality92
Ambiguity95
Soon82
Sudden50
Sharp35

Priority scores (ITN + Soon/Sudden/Sharp) Stage 2c

Priority65
Neglectedness62
Tractability70

Neglectedness: Web search findings: Metaculus has a related but distinct question ("US Sign Killer Robot Ban by 2031") which focuses on US signing rather than the CCW adopting a negotiation mandate. No direct market found on Polymarket (search returned only Anthropic/Pentagon-related results). No relevant question found on Manifold Markets, Good Judgment Open, or INFER. However, the topic is extensively monitored by civil society organizations (Stop Killer Robots, ICRC, Reaching Critical Will tracks CCW proceedings in detail), Reuters covered the March 2026 GGE session, and the UN itself publishes GGE working papers. The specific operationalization — whether the Review Conference adopts a formal negotiation mandate — is not being forecast on any platform found, but the broader topic area has substantial indirect monitoring.

Tractability: Rich information environment: GGE deliberations and working papers are publicly available, state positions are documented through UNGA votes and statements, historical CCW precedents (e.g., how Protocol V on explosive remnants of war was negotiated) provide reference classes. Forecasting requires synthesizing geopolitical dynamics (US, Russia, China positions), institutional dynamics (consensus vs. majority requirements), civil society pressure, and technical developments. Reasonable forecasters could diverge meaningfully based on how they weight these factors.

Soon: The CCW Review Conference is scheduled for November 16-20, 2026, well within the resolution window. GGE sessions are actively underway in 2026, and the outcome will be determined at a specific, imminent event. Reuters reported in March 2026 that the Review Conference 'could decide to launch negotiations for a binding protocol.' This is a time-critical juncture where the window for influence is closing.

Sudden: The outcome represents a discrete state change (mandate adopted or not), but the direction of travel is partially visible through GGE proceedings, state statements, and UNGA votes. However, the CCW operates by consensus, meaning a single state's blocking action could determine the outcome in ways that are hard to predict. The exact outcome could still surprise given the gap between broad support (156 states) and key holdouts among military powers.

Sharp: This domain has had extensive 'warning shots' — decades of GGE debate, failed prior attempts to advance binding instruments, the 2021 CCW Review Conference stalemate, and multiple UNGA resolutions. The gradual escalation of the issue through these forums means there is substantial institutional awareness. Failure at the 2026 Review Conference would not be unprecedented and would likely lead to continued efforts through alternative venues (e.g., standalone treaty process outside CCW).

Proto-question Stage 1

Will the November 2026 CCW Review Conference adopt a mandate to begin formal negotiations on a legally binding instrument governing autonomous weapons systems?

Why this question? The paper draws a direct parallel between HACCA proliferation and the proliferation of lethal autonomous weapons systems (LAWS), noting that states have 'failed to ban LAWS despite the decades-long debate at the United Nations Group of Governmental Experts.' The November 2026 CCW Review Conference is the culminating event of the GGE's three-year mandate, where states will decide next steps. A UNGA resolution in November 2025 saw 156 states support urgent action, but key military powers remain resistant. Whether states agree to formally negotiate binding rules on autonomous weapons is a strong upstream indicator of the international community's capacity to govern autonomous offensive systems—including future HACCAs.

Paper reference: Section 6 ('Guardrails for HACCA Development and Deployment') argues that a blanket prohibition on HACCAs is unlikely to succeed, drawing a parallel: 'States will be reluctant to agree to any international agreement or convention that bans HACCAs outright, just as they have failed to ban LAWS despite the decades-long debate at the United Nations Group of Governmental Experts and elsewhere.'

Refined question Stage 2

Title: Will the November 2026 CCW Seventh Review Conference adopt a mandate to begin formal negotiations on a legally binding instrument governing autonomous weapons systems (LAWS)? Background: Since 2014, the Convention on Certain Conventional Weapons (CCW) has been the primary international forum for deliberations on lethal autonomous weapons systems (LAWS). The CCW's Group of Governmental Experts (GGE) on LAWS has been meeting under a three-year mandate (2024–2026), with a mandate to develop elements of a possible normative and operational framework on autonomous weapons systems and submit a final report to the Seventh Review Conference of the CCW. The GGE held its first 2026 session from 2–6 March 2026 in Geneva, with a second session scheduled for 31 August–4 September 2026. The Seventh Review Conference of the CCW is scheduled for 16–20 November 2026 in Geneva. This Review Conference is the culminating decision point where states parties will decide whether to launch formal negotiations on a legally binding instrument—such as a new Protocol to the CCW—on autonomous weapons systems. International support for action has been growing. In November 2025, the UN General Assembly First Committee voted 156 in favor, 5 against, and 8 abstentions on Resolution L.41, calling on the CCW to complete the elements of an instrument on autonomous weapons systems with a view to future negotiations. The subsequent UNGA plenary vote in December 2025 (Resolution A/RES/80/56) saw 161 states vote in favor, 3 against, and 13 abstentions. In March 2026, the GGE Chair stated that progress on rules for lethal autonomous weapons was "urgently needed" and that the November Review Conference "could decide to launch negotiations for a binding protocol." However, a critical structural factor constrains outcomes: the CCW operates by consensus-based decision-making (see Arms Control Association analysis; Human Rights Watch analysis), meaning that any single state party can block a decision. Key military powers—including Russia, the United States, and India—have historically resisted binding legal instruments on autonomous weapons. The Stop Killer Robots coalition has noted that "because the CCW operates by consensus, it is unlikely states parties will be able to agree a mandate to negotiate an additional [protocol]." This creates a fundamental tension between the overwhelming majority support (156+ states) and the ability of a small number of holdout states to block progress. The Sixth Review Conference in December 2021 (Final Document: CCW/CONF.VI/11) failed to establish a negotiating mandate on LAWS, instead extending the GGE process. Whether the Seventh Review Conference breaks this pattern is a key indicator of the international community's capacity to govern autonomous offensive weapons systems. Resolution Criteria: This question resolves Yes if, between 1 January 2026 (00:00 UTC) and 31 December 2027 (23:59 UTC), the Seventh Review Conference of the Convention on Certain Conventional Weapons (CCW), scheduled for 16–20 November 2026, adopts a decision to establish a formal mandate to negotiate a legally binding instrument (such as a new Protocol to the CCW) specifically governing autonomous weapons systems (also referred to as lethal autonomous weapons systems, or LAWS). This question resolves No if the Review Conference: - fails to adopt any decision on LAWS; - adopts a decision that merely continues, extends, or renews exploratory, informal, or preliminary discussions (such as a further GGE mandate, informal consultations, or a mandate to develop "recommendations" without a commitment to negotiate a binding instrument); or - is postponed beyond 31 December 2027 without having taken the above decision. Key term definitions: - Autonomous weapons systems (AWS) / Lethal autonomous weapons systems (LAWS): Weapons systems that can select and engage targets without human intervention, as discussed in the CCW GGE framework and described by the ICRC and Wikipedia. - Legally binding instrument: An international legal instrument (such as a treaty, convention, or protocol) that creates binding obligations under international law for its states parties. This is distinct from non-binding political declarations, guidelines, or best practices. See Wikipedia: Treaty. - Mandate to begin formal negotiations: A decision adopted by the Review Conference that explicitly establishes a process to negotiate (not merely discuss, explore, or develop recommendations for) a legally binding instrument. The decision must use language indicating the commencement of negotiations (e.g., "negotiate," "negotiating mandate," "open negotiations") rather than language limited to continued deliberation or development of non-binding outputs. Resolution source: The Final Document of the Seventh Review Conference, expected to be published under document number CCW/CONF.VII/[X] on the UNODA documents library and/or the UNODA documents search portal. The decisions of the Review Conference will also be reported by Reaching Critical Will, Reuters, and other credible outlets. If the Review Conference is postponed, resolution will be based on whether the conference is held and takes the specified decision before 31 December 2027.

Background

Since 2014, the Convention on Certain Conventional Weapons (CCW) has been the primary international forum for deliberations on lethal autonomous weapons systems (LAWS). The CCW's Group of Governmental Experts (GGE) on LAWS has been meeting under a three-year mandate (2024–2026), with a mandate to develop elements of a possible normative and operational framework on autonomous weapons systems and submit a final report to the Seventh Review Conference of the CCW. The GGE held its first 2026 session from 2–6 March 2026 in Geneva, with a second session scheduled for 31 August–4 September 2026. The Seventh Review Conference of the CCW is scheduled for 16–20 November 2026 in Geneva. This Review Conference is the culminating decision point where states parties will decide what action to take on autonomous weapons systems — options range from launching formal negotiations on a legally binding instrument, to establishing a new subsidiary body (such as an open-ended working group), to mandating development of a political declaration, to merely extending the GGE process. International support for action has been growing. In November 2025, the UN General Assembly First Committee voted 156 in favor, 5 against, and 8 abstentions on Resolution L.41, calling on the CCW to complete the elements of an instrument on autonomous weapons systems with a view to future negotiations. The subsequent UNGA plenary vote in December 2025 (Resolution A/RES/80/56) saw 161 states vote in favor, 3 against, and 13 abstentions. In March 2026, the GGE Chair stated that progress on rules for lethal autonomous weapons was "urgently needed" and that the November Review Conference "could decide to launch negotiations for a binding protocol." However, a critical structural factor constrains outcomes: the CCW operates by consensus-based decision-making, meaning that any single state party can block a decision. Key military powers—including Russia, the United States, and India—have historically resisted binding legal instruments on autonomous weapons. The Stop Killer Robots coalition has noted that "because the CCW operates by consensus, it is unlikely states parties will be able to agree a mandate to negotiate an additional [protocol]." The Sixth Review Conference in December 2021 (Final Document: CCW/CONF.VI/11) failed to establish a negotiating mandate on LAWS, instead extending the GGE process. Whether the Seventh Review Conference breaks this pattern by adopting any substantively new decision — even if short of a full negotiating mandate — is a key indicator of the international community's capacity to advance governance of autonomous weapons systems through the CCW.

Resolution criteria

This question resolves Yes if, between 1 January 2026 (00:00 UTC) and 31 December 2027 (23:59 UTC), the Seventh Review Conference of the Convention on Certain Conventional Weapons (CCW), scheduled for 16–20 November 2026, adopts a decision on autonomous weapons systems (also referred to as lethal autonomous weapons systems, or LAWS) that constitutes a substantive advance beyond merely extending, renewing, or continuing the Group of Governmental Experts (GGE) mandate or similar exploratory/deliberative process. Examples of decisions that would resolve Yes include (but are not limited to): - A mandate to negotiate a legally binding instrument (such as a new Protocol to the CCW) on LAWS; - Establishment of a new subsidiary body (e.g., an open-ended working group) with a mandate to develop or negotiate a specific normative instrument on LAWS; - A mandate to develop a political declaration with specific commitments and a built-in review or escalation mechanism; - Any other decision that establishes a qualitatively new process or outcome beyond the GGE's existing exploratory/deliberative format. This question resolves No if the Review Conference: - fails to adopt any decision on LAWS; - adopts a decision that merely continues, extends, or renews the GGE mandate or an equivalent exploratory/deliberative body without a qualitatively new mandate or outcome; - is postponed beyond 31 December 2027 without having taken the above decision.

Verification scores Stage 3

Quality: 92.0   Ambiguity: 95.0

Quality notes: This is an excellent forecasting question. It targets a major, scheduled geopolitical event (the November 2026 CCW Review Conference) that serves as a 'culminating event' for years of international debate. The question has very high entropy due to the sharp divide between the 150+ states supporting a mandate and the resistant major military powers. The resolution is well-defined (the adoption of a formal mandate for negotiations), and the resolution source (UN/CCW records) is authoritative and expected to exist. Research into the 2026 GGE session outcomes (which occurred in March 2026) would significantly inform and potentially shift a forecaster's position.

Ambiguity notes: The question is exceptionally well-structured for a diplomatic/international law topic. It clearly defines the specific language required for a 'Yes' resolution ('negotiate' vs. 'discuss'), which is the most common pitfall in CCW forecasting. Dates, timezones, and resolution sources are precise. The inclusion of a postponement clause and a specific time-bound window (ending Dec 2027) ensures resolvability even if the Review Conference schedule shifts slightly. The distinction between binding instruments and non-binding outputs is clearly addressed.

Adversarial review NEEDS_REVISION Edge risk: HIGH

Assessment: NEEDS_REVISION   Edge case risk: HIGH

ASSESSMENT: NEEDS_REVISION REVIEW: The question is well-constructed with clear resolution criteria and accurate background information. However, it has a significant substantive problem: the outcome is near-predetermined as "No" to anyone familiar with the CCW process, making it of limited forecasting value. The critical issue is the CCW's consensus-based decision-making combined with the publicly stated opposition of major military powers. Reuters reported on March 3, 2026 that "Russia and the United States, among others, oppose new legally binding instruments, arguing existing laws suffice." The question's own background acknowledges that Stop Killer Robots has stated "because the CCW operates by consensus, it is unlikely states parties will be able to agree a mandate to negotiate an additional [protocol]." HRW has similarly documented how the consensus model allows minority states like Russia and the US to block the majority's proposals. The historical precedent reinforces this: the Sixth Review Conference in 2021 failed to establish a negotiating mandate under essentially the same structural conditions, and instead merely extended the GGE process. There is no credible reporting suggesting Russia or the US have shifted their positions since then — if anything, the current geopolitical environment (post-Ukraine invasion, deteriorating US-Russia relations, New START expiration in February 2026) makes such a shift even less likely. While the question correctly identifies the tension between overwhelming UNGA majority support (156-161 states) and the consensus veto, this tension does not create meaningful uncertainty about the outcome — it simply highlights the structural dysfunction of the CCW on this issue. The probability of YES resolution is likely in the low single digits (perhaps 2-5%), which means the question will almost certainly resolve No, offering little discriminatory value among forecasters. Additionally, the resolution source (the Final Document of the Seventh Review Conference) is appropriate and should be accessible, as the CCW publishes these documents through UNODA. This aspect is fine. The background information is accurate and up-to-date as of April 2026. EVIDENCE: https://www.reuters.com/world/progress-rules-lethal-autonomous-weapons-urgently-needed-says-chair-geneva-talks-2026-03-03/ https://reachingcriticalwill.org/disarmament-fora/ccw/2026/revcon https://www.stopkillerrobots.org/news/156-states-support-unga-resolution/ https://www.hrw.org/report/2022/11/10/agenda-action/alternative-processes-negotiating-killer-robots-treaty https://reachingcriticalwill.org/disarmament-fora/ccw/2025/laws/ccwreport/17475 https://meetings.unoda.org/ccw-revcon/convention-on-certain-conventional-weapons-seventh-review-conference-2026 SUGGESTION: Consider revising the question to capture more genuine uncertainty. Options include: 1. Broaden the resolution criteria to include any forward-looking outcome beyond status quo: "Will the Seventh Review Conference adopt any decision that goes beyond merely extending the GGE mandate on LAWS?" This captures whether states agree to even an intermediate step (e.g., an open-ended working group, a mandate to develop a non-binding political declaration with review mechanism, etc.). 2. Shift the forum: "Will states launch negotiations on a legally binding instrument on autonomous weapons in any international forum (CCW, UNGA, standalone diplomatic conference) by end of 2027?" This captures the real uncertainty — whether the LAWS treaty process moves outside the CCW, as HRW and others have advocated. 3. Keep the question but frame it as part of a set: pair it with a question about whether alternative processes (e.g., a UNGA-mandated negotiation process outside the CCW) are initiated, which is where the real action and uncertainty lie.

Edge cases 7 scenarios

OVERALL_RISK: HIGH SCENARIO 1: The Review Conference adopts a mandate to "develop a normative and operational framework" on autonomous weapons systems, with language stating this framework "could take the form of a legally binding instrument" but without explicitly committing to negotiate one. Proponents argue the framework language implicitly encompasses binding negotiations; opponents argue it deliberately leaves the legal status ambiguous. SEVERITY: HIGH FIX: Add explicit language stating: "The decision must unambiguously commit to negotiating a legally binding instrument. Decisions that mandate the 'development of a framework' where the binding or non-binding nature of that framework is left to be determined later, or is described using conditional language such as 'could,' 'may,' or 'with a view to,' do not qualify as YES." SCENARIO 2: The Review Conference adopts a mandate that includes both binding and non-binding components — e.g., a mandate to negotiate a protocol containing legally binding prohibitions on certain fully autonomous systems AND non-binding guidelines or best practices on human-machine interaction — without clearly separating the two tracks. Some argue this constitutes a mandate for a legally binding instrument; others argue the blended nature means it is not a clear negotiating mandate for a binding instrument. SEVERITY: MEDIUM FIX: Add language stating: "If the adopted mandate includes both binding and non-binding elements, the question resolves YES provided the decision explicitly establishes a process to negotiate at least one legally binding component (such as a protocol) specifically governing autonomous weapons systems, regardless of whether non-binding elements are also included." SCENARIO 3: The Review Conference adopts a decision that establishes a mandate to negotiate, but includes significant preconditions or triggers — e.g., "negotiations shall commence upon completion of a technical review by a newly established expert body" or "negotiations shall begin no earlier than 2028 pending agreement on definitions." One side argues this is a formal mandate to negotiate; the other argues the conditions make it effectively an exploratory mandate with no guaranteed start to negotiations. SEVERITY: MEDIUM FIX: Add language stating: "A decision that establishes a mandate to negotiate but makes the commencement of negotiations contingent on conditions or triggers that have not yet been met at the time of the decision still resolves YES, provided the decision explicitly uses the term 'negotiate' (or equivalent) and establishes a legally binding instrument as the intended outcome. However, a decision that merely mandates further work 'with a view to' possible future negotiations does not qualify." SCENARIO 4: Consensus is not achieved at the Review Conference, but a large majority of states parties adopt a "decision" or "declaration" calling for the start of negotiations, over the objections of a small number of holdout states (e.g., Russia, India). The majority claims this constitutes a valid Review Conference decision; the minority argues it is procedurally invalid under the CCW's consensus rules and therefore not an adopted mandate. SEVERITY: HIGH FIX: Add language stating: "The decision must be formally adopted by the Review Conference in accordance with the CCW's established rules of procedure. A majority declaration or decision that is disputed as procedurally invalid by one or more states parties under the CCW's consensus requirement does not count as an adopted mandate for the purposes of this question. In cases of procedural dispute, resolution will be based on whether the decision is reflected in the official Final Document of the Review Conference as an adopted decision." SCENARIO 5: The Review Conference fails to reach consensus on a negotiating mandate, but a group of like-minded states announce at the conference that they will begin negotiations on a legally binding instrument outside the CCW framework (similar to the Ottawa Process for landmines). Some argue this effectively constitutes the Review Conference "adopting" a mandate; others argue it is an entirely separate process. SEVERITY: MEDIUM FIX: Add language stating: "Only decisions formally adopted by the CCW Review Conference itself count. Announcements by subsets of states to pursue negotiations outside the CCW framework, even if made during or at the margins of the Review Conference, do not satisfy the resolution criteria." SCENARIO 6: The Review Conference adopts a mandate to negotiate an instrument that addresses "autonomous weapons systems" but defines the scope so narrowly (e.g., only fully autonomous systems with zero human involvement) or so broadly (e.g., all AI-enabled military systems) that there is disagreement about whether it "specifically governs autonomous weapons systems" as commonly understood. SEVERITY: LOW FIX: Add language stating: "The instrument need not adopt any particular definition of autonomous weapons systems, but the mandate must explicitly reference autonomous weapons systems, lethal autonomous weapons systems, or equivalent terminology as a primary subject of the negotiations." SCENARIO 7: The Review Conference is held on schedule in November 2026 but suspends without adopting a final document, with a continuation session scheduled for early 2027. The continuation session then adopts a negotiating mandate. Some argue the question resolves YES (within the time window); others argue the mandate was not adopted at the "Seventh Review Conference" as originally scheduled. SEVERITY: MEDIUM FIX: Add language stating: "If the Seventh Review Conference suspends and reconvenes at a later date (but before 31 December 2027), decisions adopted at the continuation session count as decisions of the Seventh Review Conference for resolution purposes."

Revised question REVISED

Title: Will the November 2026 CCW Seventh Review Conference adopt any decision on autonomous weapons systems (LAWS) that goes beyond merely extending or renewing the Group of Governmental Experts mandate? Background: Since 2014, the Convention on Certain Conventional Weapons (CCW) has been the primary international forum for deliberations on lethal autonomous weapons systems (LAWS). The CCW's Group of Governmental Experts (GGE) on LAWS has been meeting under a three-year mandate (2024–2026), with a mandate to develop elements of a possible normative and operational framework on autonomous weapons systems and submit a final report to the Seventh Review Conference of the CCW. The GGE held its first 2026 session from 2–6 March 2026 in Geneva, with a second session scheduled for 31 August–4 September 2026. The Seventh Review Conference of the CCW is scheduled for 16–20 November 2026 in Geneva. This Review Conference is the culminating decision point where states parties will decide what action to take on autonomous weapons systems — options range from launching formal negotiations on a legally binding instrument, to establishing a new subsidiary body (such as an open-ended working group), to mandating development of a political declaration, to merely extending the GGE process. International support for action has been growing. In November 2025, the UN General Assembly First Committee voted 156 in favor, 5 against, and 8 abstentions on Resolution L.41, calling on the CCW to complete the elements of an instrument on autonomous weapons systems with a view to future negotiations. The subsequent UNGA plenary vote in December 2025 (Resolution A/RES/80/56) saw 161 states vote in favor, 3 against, and 13 abstentions. In March 2026, the GGE Chair stated that progress on rules for lethal autonomous weapons was "urgently needed" and that the November Review Conference "could decide to launch negotiations for a binding protocol." However, a critical structural factor constrains outcomes: the CCW operates by consensus-based decision-making, meaning that any single state party can block a decision. Key military powers—including Russia, the United States, and India—have historically resisted binding legal instruments on autonomous weapons. The Stop Killer Robots coalition has noted that "because the CCW operates by consensus, it is unlikely states parties will be able to agree a mandate to negotiate an additional [protocol]." The Sixth Review Conference in December 2021 (Final Document: CCW/CONF.VI/11) failed to establish a negotiating mandate on LAWS, instead extending the GGE process. Whether the Seventh Review Conference breaks this pattern by adopting any substantively new decision — even if short of a full negotiating mandate — is a key indicator of the international community's capacity to advance governance of autonomous weapons systems through the CCW. Resolution Criteria: This question resolves Yes if, between 1 January 2026 (00:00 UTC) and 31 December 2027 (23:59 UTC), the Seventh Review Conference of the Convention on Certain Conventional Weapons (CCW), scheduled for 16–20 November 2026, adopts a decision on autonomous weapons systems (also referred to as lethal autonomous weapons systems, or LAWS) that constitutes a substantive advance beyond merely extending, renewing, or continuing the Group of Governmental Experts (GGE) mandate or similar exploratory/deliberative process. Examples of decisions that would resolve Yes include (but are not limited to): - A mandate to negotiate a legally binding instrument (such as a new Protocol to the CCW) on LAWS; - Establishment of a new subsidiary body (e.g., an open-ended working group) with a mandate to develop or negotiate a specific normative instrument on LAWS; - A mandate to develop a political declaration with specific commitments and a built-in review or escalation mechanism; - Any other decision that establishes a qualitatively new process or outcome beyond the GGE's existing exploratory/deliberative format. This question resolves No if the Review Conference: - fails to adopt any decision on LAWS; - adopts a decision that merely continues, extends, or renews the GGE mandate or an equivalent exploratory/deliberative body without a qualitatively new mandate or outcome; - is postponed beyond 31 December 2027 without having taken the above decision. Additional resolution clarifications: - Ambiguous or conditional mandates: A decision that mandates the "development of a framework" where the binding or non-binding nature of that framework is left to be determined later, or is described using conditional language such as "could," "may," or "with a view to," does not qualify as a Yes resolution unless it also establishes a qualitatively new institutional process (e.g., an open-ended working group) that goes beyond the existing GGE format. - Procedural disputes and consensus: The decision must be reflected in the official Final Document of the Seventh Review Conference as a formally adopted decision. A majority declaration or decision that is disputed as procedurally invalid under the CCW's consensus requirement, and that is not reflected in the Final Document, does not count as an adopted decision for the purposes of this question. - Negotiations outside the CCW: Only decisions formally adopted by the CCW Review Conference itself count toward resolution. Announcements by subsets of states to pursue negotiations outside the CCW framework, even if made during or at the margins of the Review Conference, do not satisfy the resolution criteria. - Continuation sessions: If the Seventh Review Conference suspends and reconvenes at a continuation session before 31 December 2027, decisions adopted at the continuation session count as decisions of the Seventh Review Conference for resolution purposes. Key term definitions: - Autonomous weapons systems (AWS) / Lethal autonomous weapons systems (LAWS): Weapons systems that can select and engage targets without human intervention, as discussed in the CCW GGE framework and described by the ICRC and other authoritative sources. - Group of Governmental Experts (GGE): The CCW subsidiary body that has been conducting deliberations on LAWS since 2017, with a mandate to develop elements of a possible normative and operational framework. Resolution source: The Final Document of the Seventh Review Conference, expected to be published under document number CCW/CONF.VII/[X] on the UNODA documents library (https://meetings.unoda.org/) and/or the UNODA documents search portal (https://docs-library.unoda.org/). The decisions of the Review Conference will also be reported by Reaching Critical Will, Reuters, and other credible outlets. If the Review Conference is postponed, resolution will be based on whether the conference is held and takes the specified decision before 31 December 2027.

Forecast rationale

(a) Time left: The 7th RevCon takes place in November 2026, roughly 7 months away. (b) Status quo: Major powers (US, Russia, India) continue to resist legally binding instruments on LAWS, and the CCW operates strictly by consensus. (c) Scope: The conference must adopt a decision that constitutes a substantive advance beyond merely extending the GGE mandate (e.g., an OEWG or formal treaty mandate). (d) Reason for No: The consensus requirement means that any single state can veto substantive advances. Historically, when deadlocked, the CCW's path of least resistance is to simply renew or extend the GGE mandate to prevent the forum from collapsing. (e) Reason for Yes: Immense pressure from the UNGA (with 161 states voting for an instrument) could force major powers to compromise on a non-binding political declaration with a formal review mechanism or an upgrade to an OEWG just to maintain the CCW's relevance. (f) Betting perspective: Geopolitical consensus mechanisms are inherently biased toward the status quo. I am confident it will be deadlocked and would be indifferent paying 14 cents on Yes.

Importance rationale

This question tracks a leading indicator for the international community's capacity to govern autonomous offensive systems. The November 2026 CCW Review Conference is the culminating decision point after years of GGE work. Resolution would meaningfully update beliefs about feasibility of binding international governance of autonomous weapons (and by extension HACCAs). The UNGA vote (156+ states in favor) and ICRC advocacy show strong momentum, but key military powers' resistance creates genuine uncertainty about the outcome, making this a critical upstream indicator for resource allocation decisions in arms control governance.

Decomposition & Research Stage 6b 5 subquestions

Initial forecast: 14%Research-informed: 10% (-4pp)

Re-forecast rationale

## Detailed Rationale ### The Question Will the November 2026 CCW Seventh Review Conference adopt any decision on autonomous weapons systems (LAWS) that goes beyond merely extending or renewing the GGE? ### Structural Barrier: CCW Consensus Rule The CCW operates by consensus-based decision-making, meaning any single state party can block any decision. This is the single most important structural constraint on the probability of a "Yes" outcome. The historical record demonstrates this decisively: the 2021 Sixth Review Conference failed to establish a negotiating mandate on LAWS precisely because a small number of states blocked it. The cluster munitions case (2001–2011) showed a decade of CCW deadlock before states abandoned the forum entirely. This consensus rule means that even though 70+ states now support moving to negotiations https://www.wilpf.org/ccw-report-vol-14-no-2-the-final-stretch-before-the-finishing-line/, the opposition of even one major state is sufficient to prevent any substantive advance. ### Opposition from Russia and the United States Russia and the United States remain the principal obstacles to a substantive outcome: - Russia voted against UNGA Resolution L.41 in November 2025 and has explicitly stated that the GGE on LAWS is the "best suited platform," opposing any move to other forums or pursuit of new legally binding instruments. Russia expects the GGE to produce "consensus-based conclusions" that account for "all High Contracting Parties' approaches"—effectively signaling it will block any outcome it opposes. - The United States at the March 2026 GGE session explicitly rejected the term "human control," proposing instead "good faith human judgement and care"—a formulation rejected by many delegations as insufficient https://www.wilpf.org/ccw-report-vol-14-no-2-the-final-stretch-before-the-finishing-line/. The US has consistently favored non-binding approaches and existing IHL frameworks over new treaty negotiations. Both states possess the unilateral ability to veto any substantive decision under the consensus rule. Their positions as of early 2026 show no meaningful softening toward accepting a negotiating mandate or equivalent substantive advance. India's shift to voting in favor of UNGA Resolution L.41 in 2025 (after voting against in 2023 and 2024) is notable but does not translate into explicit support for a legally binding CCW protocol. ### Historical Comparison: 9+ Years vs. 2-Year Average The historical track record of the CCW strongly favors a "No" outcome: - Successful protocols transitioned quickly: Protocol IV (Blinding Lasers) took ~1.5 years from formal preparatory work to adoption (1994–1995). Protocol V (ERW) took ~2 years from GGE mandate to adoption (2001–2003). The average for successful CCW protocol transitions is approximately 2 years. - The LAWS GGE has been running for 9+ years (formal GGE since 2017, informal discussions since 2014) without achieving a negotiating mandate. This is by far the longest exploratory process in CCW history without producing a protocol. Extended GGE processes without a negotiating mandate are historically a strong signal of failure within the CCW—analogous to the cluster munitions case where 10 years of discussion (2001–2011) produced no CCW protocol. - The LAWS issue involves technologies central to the military strategies of major powers (US, Russia, China), unlike Protocol IV (blinding lasers, where no state had major investments) or Protocol V (ERW post-conflict clearance, which imposed minimal constraints on military capabilities). ### State of the Rolling Text and Human Control vs. Human Judgment Dispute The GGE's "rolling text" remains a Chair's working document, not a consensus document https://www.wilpf.org/ccw-report-vol-14-no-2-the-final-stretch-before-the-finishing-line/. After the March 2–6, 2026 session, fundamental disagreements persist on core issues: - Human control terminology: The most contentious issue. The US explicitly rejected "human control" and proposed "good faith human judgement and care." Many delegations and civil society reject this alternative as insufficient. Some delegations argue "human control" is not found in existing IHL texts, while others (including China, advocating "Meaningful Human Control") insist it is essential https://www.wilpf.org/ccw-report-vol-14-no-2-the-final-stretch-before-the-finishing-line/. This is not a semantic disagreement—it reflects a fundamental divide over the legal and ethical constraints required for autonomous weapons. - Definitions: No finalized consensus definition of LAWS exists, though a working characterization is in the text. - Prohibitions and restrictions: Deep divisions persist between states favoring explicit prohibitory language and those preferring softer regulatory approaches. The WILPF/Reaching Critical Will report warns of a "consensus spree" risk—where pursuit of consensus strips the text of meaningful provisions https://www.wilpf.org/ccw-report-vol-14-no-2-the-final-stretch-before-the-finishing-line/. With one GGE session remaining (August 31–September 4, 2026) before the Review Conference, bridging these fundamental divides appears extremely difficult. ### UNGA Resolutions as External Pressure The 2025 UNGA resolutions represent significant external political pressure: - Resolution L.41 (November 6, 2025): 156 in favor, 5 against, 8 abstentions in the First Committee - Resolution A/RES/80/56 (December 1, 2025): 161 in favor (some sources say 170-4-5), establishing a formal meeting in New York and a Coordinator These resolutions demonstrate overwhelming international support for action but do not alter the CCW's procedural reality of consensus decision-making. They serve primarily as political pressure and as institutional groundwork for a potential alternative negotiating pathway outside the CCW if the Review Conference fails. The UNGA process remains in a "building political pressure" phase rather than constituting an active alternative negotiating track https://www.wilpf.org/ccw-report-vol-14-no-2-the-final-stretch-before-the-finishing-line/. Paradoxically, the existence of the UNGA pathway may reduce incentives for holdout states to compromise within the CCW, as they may calculate that they can block CCW progress while any UNGA-initiated treaty (like the landmine ban or cluster munitions convention) would proceed without them anyway. ### Intermediate Outcomes The question resolves "Yes" for outcomes beyond merely extending the GGE, including establishment of an OEWG, a political declaration with specific commitments, or other qualitatively new processes. However, the 2025–2026 discourse has been largely binary—either launch negotiations or continue discussions—with little formal discussion of intermediate procedural mechanisms within the CCW. Notably absent from formal proposals are OEWGs, new subsidiary bodies with stronger mandates, or decisions with specific timelines. ### Probability Decomposition 1. Probability that Russia AND the US both soften their positions enough to allow a negotiating mandate for a legally binding instrument: ~5% - Both have shown consistent and recent opposition - No diplomatic signals of movement toward compromise 2. Probability that Russia AND the US allow an intermediate substantive outcome (e.g., OEWG, political declaration with teeth): ~10% - Slightly higher than full negotiations, but still requires both to not veto - No concrete proposals for such intermediate outcomes have been formally tabled - Risk of "consensus spree" producing something so watered down it doesn't qualify 3. Probability that the Review Conference is postponed beyond December 2027: ~5% - This would resolve "No" and represents a small but non-negligible risk given CCW dysfunction 4. Probability of a surprise breakthrough (e.g., geopolitical shift, new US administration policy, unexpected compromise): ~3% Combined probability of "Yes": Approximately 10-12% The WILPF/Reaching Critical Will analysis estimated a 35% likelihood of a substantive outcome https://www.wilpf.org/ccw-report-vol-14-no-2-the-final-stretch-before-the-finishing-line/, but this appears to be an optimistic assessment that may not fully weight the structural veto power of the consensus rule and the demonstrated willingness of Russia and the US to exercise it. ### Bet Indifference Test At 10%, I would be roughly indifferent between paying 10 cents for a coupon paying $1 if "Yes" occurs, versus paying 90 cents for a coupon paying $1 if "No" occurs. Given the structural barriers (consensus rule + active opposition from two major military powers), the historical base rate (9+ years without progress vs. 2-year successful transitions), the unresolved rolling text disputes, and the absence of concrete intermediate proposals, a probability in the 8-12% range reflects appropriate calibration. I am slightly more generous than the pure structural analysis would suggest (which might yield ~5%) because of the unprecedented external pressure from UNGA resolutions and the growing coalition of 70+ states, which creates some small possibility of a diplomatic surprise or creative intermediate outcome.

SQ1: What are the current official positions of Russia, the United States, and India on legally binding instruments or new negotiating mandates for autonomous weapons systems (LAWS) within the CCW, as expressed in 2025–2026 statements?

Summary: As of early 2026, Russia, the United States, and India maintain positions that collectively make it very difficult for the CCW to adopt any substantive decision on LAWS beyond extending the GGE process. At the November 6, 2025 UNGA First Committee vote on Resolution L.41 (adopted 156-5-8), Russia voted against, while India notably shifted to voting in favor (having voted against in 2023 and 2024). The United States likely abstained, consistent with its prior pattern. Russia's position, articulated on October 24, 2025 by its delegation at the UNGA First Committee, explicitly identifies the GGE on LAWS as the "best suited platform" and opposes moving discussions to other forums or pursuing new legally binding instruments, characterizing such moves as "counterproductive." Russia expects the GGE to produce consensus-based conclusions for the Seventh Review Conference that account for all parties' approaches—a signal it will block any outcome it opposes. The United States, at the March 2–6, 2026 GGE session, opposed the inclusion of "human control" language in the rolling draft text, proposing instead "good faith human judgement and care"—a formulation rejected by many other delegations as insufficient. The US has consistently favored non-binding approaches and existing IHL frameworks over new legally binding instruments. At the UNGA First Committee in November 2025, the US provided an explanation of vote on L.41 from its Geneva mission. India shifted its UNGA voting position in 2025, voting in favor of Resolution L.41 (and the corresponding GA Resolution 80/57 in December 2025), after voting against in 2023 and 2024. India's March 2026 GGE statement (delivered by Ambassador Anupam Ray) continued to emphasize the CCW framework's importance, though India's support for the UNGA resolution signals some willingness to engage on regulation. However, India has historically insisted that any framework account for national security interests and not impose premature binding obligations. At the March 2026 GGE session, more than 70 states expressed support for moving toward negotiations on a legally binding instrument based on the rolling draft text, while a minority of delegations—including the US and Russia—continued to resist specific language on human control and binding mandates. The GGE's final session before the November 2026 Review Conference is scheduled for August 31–September 4, 2026.

Background: The Convention on Certain Conventional Weapons (CCW) operates by consensus, meaning any single state party can block a decision. Russia, the United States, and India are key military powers that have historically resisted binding legal instruments on lethal autonomous weapons systems (LAWS). The CCW's Seventh Review Conference is scheduled for November 2026 and will decide whether to go beyond the current Group of Governmental Experts (GGE) exploratory process — for example, by launching negotiations on a legally binding protocol or establishing a new subsidiary body with a negotiating mandate. Understanding whether any of these three states have shifted their positions in 2025–2026 (e.g., in GGE sessions, UN General Assembly votes, or national policy statements) is critical, because even one of them maintaining opposition would likely be sufficient to block any substantive advance under CCW consensus rules. Please research their most recent statements and voting records on LAWS regulation, including at the 2025 UNGA First Committee vote on Resolution L.41 and the March 2026 GGE session.

Detailed research

2025 UNGA First Committee Resolution L.41 (Vote: November 6, 2025) The resolution on autonomous weapons systems (L.41) was tabled by Austria and 30 co-sponsors at the 80th session of the UNGA First Committee. It was adopted with 156 votes in favor, 5 against, and 8 abstentions. The resolution stressed the urgent need for the CCW to address challenges posed by autonomous weapons, including a call to complete elements of an instrument, with a view to future negotiations. The resolution also noted the Secretary-General's calls to commence negotiations on a legally binding instrument. Russia's vote on L.41 (November 6, 2025): Russia voted AGAINST. This is consistent with Russia voting against in both 2023 (L.56) and 2024 (L.77). Russia's October 24, 2025 statement at the UNGA First Committee Cluster IV debate Permanent Mission of the Russian Federation to the United Nations confirmed its opposition to moving LAWS discussions outside the CCW GGE and its view that the GGE is the "best suited platform." Russia explicitly opposes duplication of efforts in other forums and emphasizes consensus-based outcomes. India's vote on L.41 (November 6, 2025): India voted IN FAVOR. This represents a significant shift—India voted against the comparable resolution in 2023 (L.56: 164-5-8, India among the 5 against) and 2024 (L.77: 161-3-5 or similar, India among opponents). India's explanation of vote, per a PDF from the Permanent Mission of India, states: "India has voted in favor of the resolution L.41" (80 UNGA First Committee, November 2025). India also voted in favor of GA Resolution 80/57 (the plenary adoption) in December 2025. However, India's support appears conditional: the medianama.com report notes India "abstained on a 2024 resolution calling for stronger human control norms" and historically insists that regulation must be "tailored to its national interests" (per the MP-IDSA issue brief from May 2025). US vote on L.41 (November 6, 2025): The US most likely abstained (or possibly voted in favor with reservations), consistent with its prior pattern on the 2024 resolution where it abstained. The US Mission in Geneva posted an explanation of vote on L.41 on November 4, 2025. The US has historically been cautious about endorsing language that points toward legally binding instruments or new negotiating mandates for LAWS. March 2–6, 2026 GGE Session The first 2026 session of the GGE on LAWS took place March 2–6 in Geneva, focusing on the "rolling draft text" for a potential instrument. United States at March 2026 GGE: Per the WILPF CCW Report Vol. 14, No. 2 (published March 11, 2026) CCW Report, Vol. 14, No. 2: The Final Stretch Before the Finishing ..., the US delegation explicitly opposed the inclusion of the term "human control" during debate on "Modified Box III" of the rolling text. The US proposed the alternative phrase "good faith human judgement and care," which many other delegations rejected as insufficient for civilian protection or upholding international law. This reflects the US distinction between supporting non-binding guidelines for human judgment in weapons use versus accepting a legally binding "human control" requirement. Russia at March 2026 GGE: The WILPF report CCW Report, Vol. 14, No. 2: The Final Stretch Before the Finishing ... does not specifically name Russia, but notes that "a minority of delegations continue to resist concepts related to human control, arguing that such concepts are not part of existing IHL." Russia is widely understood to be among this minority. A Google snippet from the Russian UN Mission (russiaun.ru/en/news/427102025) confirms Russia continues to view the GGE on LAWS as the primary forum, consistent with its October 2025 statement. India at March 2026 GGE: India's Ambassador Anupam Ray delivered a statement at the March 2026 GGE session (per pmindiaun.gov.in). While I could not retrieve the full text of India's March 2026 statement, India has historically emphasized that the CCW and its protocols are important instruments upholding IHL, and that any regulation should not prejudge outcomes or impose premature binding obligations. On 'legally binding instruments' vs. 'new negotiating mandates' specifically: - Russia opposes both. Russia wants the GGE to continue deliberations and produce consensus recommendations—not a mandate to negotiate a new protocol. Russia's October 2025 statement Permanent Mission of the Russian Federation to the United Nations frames its position as wanting "conclusions and recommendations that take into account the approaches of all High Contracting Parties," effectively a veto on any binding outcome. - United States has not endorsed legally binding instruments on LAWS. At the March 2026 GGE CCW Report, Vol. 14, No. 2: The Final Stretch Before the Finishing ..., the US resisted even the concept of "human control" in the rolling text, preferring softer formulations. The US approach favors voluntary best practices and existing IHL compliance rather than new treaty negotiations. - India has shown a partial shift by voting for L.41 in 2025, which itself calls for completing elements of an instrument and references the Secretary-General's call for a legally binding instrument. However, India's historical position emphasizes caution on binding obligations, and its shift may reflect support for continued discussion rather than endorsement of immediate negotiations. Context for November 2026 Review Conference: Over 70 states support moving to formal negotiations on a legally binding instrument CCW Report, Vol. 14, No. 2: The Final Stretch Before the Finishing .... However, the CCW operates by consensus, meaning any single state party can block a decision. Russia and the US remain the principal obstacles to a new negotiating mandate. India's shift to supporting the UNGA resolution is notable but has not translated into explicit support for a legally binding CCW protocol. The GGE has one more session (August 31–September 4, 2026) before the November 2026 Seventh Review Conference.

SQ2: What is the historical track record of the CCW in transitioning from exploratory Groups of Governmental Experts (GGEs) to formal negotiating mandates for new protocols, and how long have such transitions typically taken?

Summary: The CCW has produced five protocols since 1980, with varying timelines from exploratory discussions to formal adoption. The two most relevant post-adoption cases are Protocol IV on Blinding Laser Weapons (1995) and Protocol V on Explosive Remnants of War (2003). Protocol IV was adopted after approximately 5–6 years of advocacy (ICRC began campaigning ~1989–1991) and roughly 2 years of formal preparatory work (four preparatory sessions between February 1994 and January 1995), culminating in adoption at the First Review Conference on October 13, 1995. Protocol V was negotiated after the Second Review Conference (December 2001) established an open-ended GGE with a mandate to address explosive remnants of war; the GGE negotiated in 2002–2003, and Protocol V was adopted on November 28, 2003—roughly 2 years from mandate to adoption https://disarmament.unoda.org/en/our-work/conventional-arms/convention-certain-conventional-weapons/ccw-protocol-v-explosive-remnants-war. In contrast, the CCW has two major failure cases: (1) cluster munitions, where years of GGE discussions from the mid-2000s through the 2011 Fourth Review Conference failed to produce a protocol due to the consensus rule, leading frustrated states to negotiate the separate Convention on Cluster Munitions via the Oslo Process (adopted 2008); and (2) LAWS/autonomous weapons, where informal expert meetings began in 2014, a formal GGE was established at the 2016 Fifth Review Conference and first met in 2017, 11 guiding principles were adopted in 2019, but the 2021 Sixth Review Conference failed to establish a negotiating mandate—resulting in 12+ years of discussions and 9+ years of GGE work without a formal negotiating mandate as of 2026 Milestones in the Global Legal Framework for Autonomous Weapons. Key enabling factors for successful transitions include: broad consensus among major military powers, relatively low economic/strategic stakes, ICRC and civil society leadership, and the absence of strong opposition from key states. Blocking factors include the CCW's consensus rule, which allows a small number of states to veto progress.

Background: The Convention on Certain Conventional Weapons (CCW) is a framework treaty that has adopted several protocols over its history (e.g., Protocol II on mines and booby traps, amended Protocol II, Protocol IV on blinding lasers, Protocol V on explosive remnants of war). Each of these protocols was negotiated through a process that at some point involved a transition from exploratory discussions to a formal negotiating mandate. Understanding the base rate of such transitions — how often GGEs or similar exploratory bodies have successfully led to negotiating mandates, how long the process took, and what conditions enabled success — provides crucial historical context for assessing whether the LAWS GGE (which has been meeting since 2017, with the current mandate running 2024–2026) is likely to yield a negotiating mandate at the November 2026 Seventh Review Conference. Please research the history of CCW protocol negotiations, including Protocol IV (1995) and Protocol V (2003), and any cases where GGE processes failed to produce new protocols.

Detailed research

## Historical Track Record of CCW Transitions from Exploratory Bodies to Negotiating Mandates ### 1. Original Protocols I–III (1980) The CCW was adopted on October 10, 1980, along with its first three protocols: Protocol I (Non-Detectable Fragments), Protocol II (Mines, Booby-Traps and Other Devices), and Protocol III (Incendiary Weapons). These were negotiated as part of the original convention during UN conferences from 1978–1980 and did not involve a GGE-to-mandate transition, as they were part of the founding negotiation. ### 2. Protocol IV on Blinding Laser Weapons (1995) Timeline: - Late 1980s–early 1990s: The ICRC and Sweden began raising concerns about the development of blinding laser weapons. The ICRC held expert meetings on this topic, including a meeting in 1991. - February 1994–January 1995: Four sessions of preparatory meetings (functioning as a Group of Governmental Experts) were held to prepare for the First CCW Review Conference. Blinding lasers were a major topic of these preparatory sessions. - September 25–October 13, 1995: The First Review Conference was held in Vienna. A "Committee III" (Laser Working Group) was established to negotiate a protocol on blinding lasers. - October 13, 1995: Protocol IV was adopted, prohibiting the use and transfer of laser weapons specifically designed to cause permanent blindness. Duration: From initial ICRC advocacy (~1989–1991) to adoption: approximately 4–6 years. From formal preparatory work (Feb 1994) to adoption (Oct 1995): approximately 20 months. This was notably a pre-emptive ban—the weapons had not yet been widely deployed. Enabling factors: Strong ICRC leadership and advocacy; Sweden's championing of the issue; the fact that no state had made a major military investment in blinding lasers as a primary weapon system; broad consensus that deliberate blinding was inhumane; the availability of the Review Conference as a vehicle for adoption. ### 3. Amended Protocol II on Mines, Booby-Traps and Other Devices (1996) Timeline: - The original Protocol II (1980) was widely seen as inadequate in addressing the global landmine crisis. - Negotiated at the same First Review Conference that produced Protocol IV, continuing through a second phase from January–May 1996. - May 3, 1996: Amended Protocol II was adopted, extending the original protocol's scope and restrictions. Duration: The amendment process was part of the broader First Review Conference (1995–1996). Preparatory work began in 1994. However, many states and NGOs found the amended protocol inadequate, which ultimately led to the separate Ottawa Process and the 1997 Mine Ban Treaty outside the CCW framework. ### 4. Protocol V on Explosive Remnants of War (2003) Timeline: - December 11–21, 2001: The Second Review Conference was held in Geneva. It decided to establish an open-ended Group of Governmental Experts with a mandate to address explosive remnants of war (ERW) https://disarmament.unoda.org/en/our-work/conventional-arms/convention-certain-conventional-weapons/ccw-protocol-v-explosive-remnants-war. - 2002–2003: The GGE negotiated the protocol across multiple sessions in 2002 and 2003 https://disarmament.unoda.org/en/our-work/conventional-arms/convention-certain-conventional-weapons/ccw-protocol-v-explosive-remnants-war. - December 2002: States parties agreed at their annual meeting to begin formal negotiations on ERW in 2003. - November 28, 2003: Protocol V was adopted by the Meeting of the States Parties to the CCW https://disarmament.unoda.org/en/our-work/conventional-arms/convention-certain-conventional-weapons/ccw-protocol-v-explosive-remnants-war. Duration: Approximately 2 years from the establishment of the GGE mandate (December 2001) to protocol adoption (November 2003). The issue of ERW had been discussed informally before the Review Conference, but the formal mandate-to-adoption process was relatively swift. Enabling factors: The issue was relatively uncontroversial—most states agreed that post-conflict clearance of explosive remnants was a humanitarian necessity. No major military power saw the protocol as constraining core military capabilities. The protocol focused on post-conflict remedial measures rather than restricting use of specific weapons. ### 5. Failed Case: Cluster Munitions (2001–2011) Timeline: - 2001: ERW discussions at the Second Review Conference included cluster munitions, but states did not agree to a specific mandate on cluster munitions. - 2003–2006: Continued discussions on cluster munitions within the CCW framework, including at the Third Review Conference (November 2006). - November 2006: The Third Review Conference failed to agree on a mandate to negotiate on cluster munitions. Norway, frustrated with the CCW process, launched the "Oslo Process" outside the CCW. - May 2008: The Convention on Cluster Munitions was adopted in Dublin through the Oslo Process, without the participation of major military powers (US, Russia, China). - 2007–2011: Parallel GGE discussions on cluster munitions continued within the CCW, led in part by the US, which was not party to the Oslo treaty. - November 2011: The Fourth Review Conference failed to reach consensus on a CCW protocol on cluster munitions. A proposed "Protocol VI" on cluster munitions was blocked. Duration: Approximately 10 years of discussions (2001–2011) without producing a CCW protocol. The consensus rule allowed a minority of states to block progress. Key lesson: The CCW's consensus requirement means that even when a large majority supports action, a small number of states with strategic interests in the weapons in question can prevent adoption of new protocols. This led states to pursue alternative negotiating processes outside the CCW (the Oslo Process). ### 6. Failed/Ongoing Case: Lethal Autonomous Weapons Systems (LAWS) (2013–present) Timeline: - May 2013: UN Special Rapporteur Christof Heyns published a report calling for a moratorium on autonomous weapons Milestones in the Global Legal Framework for Autonomous Weapons. - November 2013: CCW states parties agreed to hold informal meetings of experts on LAWS, based on a mandate proposed by France Milestones in the Global Legal Framework for Autonomous Weapons. - 2014–2016: Three annual informal meetings of experts on LAWS were held Milestones in the Global Legal Framework for Autonomous Weapons. - December 2016: The Fifth Review Conference established a formal open-ended GGE on emerging technologies in the area of LAWS. - November 2017: The GGE on LAWS held its first formal meeting Milestones in the Global Legal Framework for Autonomous Weapons. - 2019: The GGE adopted 11 guiding principles as a consensus framework Milestones in the Global Legal Framework for Autonomous Weapons. - December 2021: The Sixth Review Conference failed to establish a negotiating mandate for a legally binding instrument on LAWS. The consensus rule was the primary barrier, with a small number of states (notably Russia, India, and others) blocking stronger action Milestones in the Global Legal Framework for Autonomous Weapons. - 2022–2023: Draft "Protocol VI" proposals on LAWS were submitted by groups of states within the GGE, but no consensus emerged. - December 2023: The GGE mandate was renewed for 2024–2026, running until the Seventh Review Conference scheduled for November 2026. - March 2026: The GGE met for its first 2026 session (March 2–6, 2026). A second session is scheduled for August 31–September 4, 2026. Duration as of 2026: 12+ years since initial discussions (2013); 9+ years since the formal GGE was established (2017); no formal negotiating mandate has been achieved. This is by far the longest exploratory process in CCW history without producing a protocol. ### Comparative Summary | Protocol/Issue | Exploratory Start | Formal Mandate | Adoption | Years: Mandate → Adoption | Outcome | |---|---|---|---|---|---| | Protocol IV (Blinding Lasers) | ~1989–1991 | 1994 (PrepCom) | Oct 13, 1995 | ~1.5 years | Success | | Amended Protocol II (Mines) | Early 1990s | 1994 (PrepCom) | May 3, 1996 | ~2 years | Partial (deemed inadequate) | | Protocol V (ERW) | Late 1990s | Dec 2001 (GGE) | Nov 28, 2003 | ~2 years | Success | | Cluster Munitions | ~2001 | Never achieved in CCW | Failed (Nov 2011) | N/A | Failure (led to Oslo Process) | | LAWS | 2013 | Not achieved as of 2026 | Pending | N/A (9+ years of GGE) | Ongoing/Stalled | ### Key Findings for Forecasting: 1. When the CCW succeeds, it moves quickly: Protocol IV took ~1.5 years from formal preparatory work to adoption; Protocol V took ~2 years from GGE mandate to adoption. 2. The CCW's consensus rule is a decisive blocking factor: Both cluster munitions and LAWS demonstrate that a small number of states with strategic interests can prevent progress indefinitely. 3. Extended GGE processes without a negotiating mandate are a strong signal of failure: The LAWS GGE has been running since 2017 (9+ years) without a negotiating mandate—far longer than the 2-year GGE-to-protocol timelines of successful cases. 4. Failed CCW processes lead to alternative negotiations: The cluster munitions precedent shows that when the CCW fails, states may pursue treaties outside the CCW framework (as the UNGA resolutions on autonomous weapons in 2023 and 2024 suggest may be happening with LAWS). 5. Successful protocols involved issues with low strategic stakes for major powers: Both Protocol IV and Protocol V addressed issues where major military powers did not see significant constraints on their core capabilities. LAWS, by contrast, involves technologies central to the military strategies of the US, Russia, China, and others.

SQ3: What were the substantive outcomes and state of the 'rolling text' or draft normative framework from the CCW GGE on LAWS sessions in 2024–2026, and how close are delegations to agreement on key elements?

Summary: The March 2–6, 2026, GGE session on LAWS was the penultimate session of the three-year mandate (2024–2026), with one final session remaining (August 31–September 4, 2026) before the November 2026 Seventh Review Conference. The session focused on the Chair's "rolling text" (version dated December 18, 2025), which is organized into five "boxes" covering definitions/characterization, prohibitions and restrictions, human control/oversight requirements, and other normative elements. Delegations completed a first reading of the entire text and the Chair issued a revised version on March 4, 2026, with changes to Boxes I, II, and III. Key findings on consensus and disagreement: Definitions: The rolling text contains a working characterization of LAWS as "an integrated combination of one or more" elements (per the Chair's second 2025 summary), but delegations remain divided over the precise scope and terminology. There is no finalized consensus definition. Prohibitions and restrictions: The text includes elements on prohibitions and regulations (Box III), but deep divisions persist. Some states (e.g., Sri Lanka) advocate explicit prohibitions on LAWS inconsistent with IHL or used without human control, while others resist strong prohibitory language. Human control/oversight: This remains the most contentious issue. The United States explicitly rejected the term "human control," proposing instead "good faith human judgement and care." Many delegations and civil society organizations rejected this alternative as insufficient. Some delegations argue "human control" is not a concept found in existing IHL texts, while others (including China, which advocates "Meaningful Human Control") insist it is essential. This fundamental disagreement on terminology and substance remains unresolved. Momentum toward negotiations: Despite these disagreements, support for moving from discussion to formal negotiations grew significantly during the session—from over 40 states at the start to over 70 by the end of the week, including a bloc of African states. However, the CCW's consensus rule means that even a few dissenting states can block progress. Status of the rolling text as of March 2026: The rolling text remains a working document under the Chair's authority, not a consensus document. While it has been progressively refined through four sessions in 2024–2025 and the March 2026 session, it still contains significant bracketed or contested language on core issues. The Chair released a revised version on March 4, 2026, but fundamental splits—particularly on human control terminology and the scope of prohibitions—persist. The text serves as a basis for further work but is far from a finalized agreement. The GGE must submit a report to the Seventh Review Conference, and whether it can produce a consensus recommendation for a substantive outcome beyond merely renewing the GGE mandate remains highly uncertain given the depth of remaining disagreements.

Background: The CCW's Group of Governmental Experts (GGE) on lethal autonomous weapons systems (LAWS) has been operating under a three-year mandate (2024–2026) to 'develop elements of a possible normative and operational framework on autonomous weapons systems.' The GGE has been working on a 'rolling text' that covers definitions, characterizations, prohibitions and restrictions, human oversight requirements, and other elements. Sessions were held in 2024, 2025, and the first 2026 session was held March 2–6, 2026, with a final session scheduled for August 31–September 4, 2026, before the Seventh Review Conference in November 2026. The degree of convergence or divergence in the rolling text — whether key areas like definitions of LAWS, the scope of prohibitions, and human oversight requirements show emerging consensus or deep disagreement — is a strong indicator of whether the Review Conference can adopt a substantively new decision. Please research the current state of the GGE's work product, including any Chair's summaries, working papers, or reports from the 2025 and March 2026 sessions.

Detailed research

## Detailed Breakdown of Evidence ### 1. Procedural Context and Mandate The GGE on LAWS operates under a three-year mandate (2024–2026) to "develop elements of a possible normative and operational framework on autonomous weapons systems." The March 2–6, 2026, session was the first of two sessions in 2026, with the final session scheduled for August 31–September 4, 2026 GGE on LAWS in March 2026. The GGE's work product is to be submitted to the Seventh Review Conference in November 2026. ### 2. The Rolling Text The Chair has maintained a "rolling text" that has been progressively updated through sessions in 2024 and 2025. Key versions include: - November 8, 2024 version (referenced in ASIL Insights) - May 12, 2025 version (referenced by ICT4Peace) - December 18, 2025 version — the version circulated ahead of the March 2026 session (available at UNODA docs library) - March 4, 2026 revised version — issued during the session with changes to Boxes I, II, and III CCW Report, Vol. 14, No. 2: The Final Stretch Before the Finishing ... The rolling text is organized into five "boxes" covering different elements of a possible normative framework. The Chair's summary from the second 2025 session (CCW/GGE.1/2025/WP.9) proposed characterization elements, including that "within the scope of the application of the CCW, a lethal autonomous weapon system can be characterized as an integrated combination of one or more" elements (per Google snippet from the Chair's summary PDF). ### 3. March 2–6, 2026 Session: Key Dynamics Based primarily on the WILPF CCW Report, Vol. 14, No. 2 (published March 11, 2026) CCW Report, Vol. 14, No. 2: The Final Stretch Before the Finishing ...: First reading completed: Delegations conducted a first reading of the entire draft text from March 2–4, 2026. On the night of March 4, the Chair released revised text for Boxes I, II, and III, which were discussed March 5–6. Human control/oversight — the central divide: - The United States explicitly refused to accept the term "human control," proposing "good faith human judgement and care" as an alternative. - Many delegations and civil society organizations (e.g., Stop Killer Robots) rejected this alternative as insufficient to protect civilians or uphold IHL. - Some delegations argue that "human control" is not explicitly present in existing IHL texts. - Pakistan argued the GGE should focus on 21st-century challenges rather than strictly adhering to existing terminology. - China has consistently advocated for "Meaningful Human Control" (MHC) as a central requirement (per Lieber Institute analysis). Prohibitions and restrictions: - Sri Lanka proposed inclusion of explicit reference to "prohibit" LAWS inconsistent with IHL and used without human control (per Google snippet from Sri Lanka mission statement). - Italy delivered a statement specifically on "Section III – Prohibitions and Regulations" (per Google snippet from Italian delegation document). - Deep divisions remain between states favoring strong prohibitory language and those preferring softer regulatory approaches. Growing support for negotiations: - Over 40 states supported moving to formal negotiations at the start of the week; this grew to over 70 by the end, including a bloc of African states CCW Report, Vol. 14, No. 2: The Final Stretch Before the Finishing .... - However, the CCW operates by consensus, meaning even a small number of dissenting states can block adoption of binding outcomes. "Consensus spree" risk: Belgium and others expressed concern that the pursuit of consensus might lead to deleting controversial paragraphs, weakening the text rather than producing an instrument with "real added value" CCW Report, Vol. 14, No. 2: The Final Stretch Before the Finishing .... ### 4. Chair's Summary — First 2026 Session (CCW/GGE.1/2026/WP.2) The Chair's summary of the first 2026 session (WP.2) was issued as a working paper. Based on Google snippets from this document: - "Several delegations again emphasized that the notion of context-appropriate human control and judgement constitutes a central concept" - One delegation suggested that "the rolling text could imply a necessary permanent human control over lethal autonomous weapon systems" and proposed adding language to address this concern - The summary was issued under the Chair's sole authority ### 5. Prior Sessions' Chair Summaries First 2025 session (CCW/GGE.1/2025/WP.1): Covered discussions from the March/April 2025 session. Second 2025 session (CCW/GGE.1/2025/WP.9): The Chair's summary noted characterization of LAWS and captured the state of discussions as of September 2025. The Lieber Institute analysis noted that "the 2025 sessions in March and September did manage to refine a rolling text on possible normative elements, but deep splits remain." ### 6. Overall Assessment The rolling text as of March 2026 remains a Chair's document—not a consensus text. While it has been progressively refined, fundamental disagreements persist on: 1. Definitions: No agreed definition; working characterization exists but scope remains contested 2. Prohibitions and restrictions: States are split between those wanting explicit prohibitions (on LAWS that cannot comply with IHL or operate without human control) and those preferring softer regulatory language 3. Human control/oversight: The most divisive issue, with the US explicitly opposing the term "human control" and proposing weaker alternatives that most other delegations reject The growing number of states (70+) supporting negotiations is notable but insufficient under CCW consensus rules. The Arms Control Association noted in January 2025 the tension between "human control" and "appropriate human judgement" language as a key fault line. The final GGE session in August–September 2026 will be the last opportunity to bridge these divides before the Review Conference.

SQ4: What is the current momentum and status of efforts to negotiate a treaty on autonomous weapons systems outside the CCW framework, such as through a standalone UN General Assembly process or other alternative forums?

Summary: As of early April 2026, there is significant and growing momentum toward establishing a treaty on autonomous weapons systems (AWS/LAWS), with parallel tracks developing both within and outside the CCW framework. The key developments are: UNGA Resolutions (December 2025): The UN General Assembly adopted two resolutions on autonomous weapons on 1 December 2025. Resolution A/RES/80/56 was adopted with 161 votes in favor (per the background context) and called for a formal meeting in early 2026 at UN Headquarters in New York, with conference services and the participation of states, civil society, and scientists. It also established a Coordinator to support inclusive outreach. Resolution A/RES/80/57 ensured the item "Lethal autonomous weapons systems" would remain on the UNGA's agenda for its 81st session. These resolutions represent a significant escalation of UNGA engagement on autonomous weapons, building on prior resolutions (78/241 in 2023 and 79/62 in 2024). The UN Office for Disarmament Affairs (UNODA) has been actively implementing resolution 80/56, with the Coordinator facilitating outreach and a formal meeting being organized at UN Headquarters in New York. Stop Killer Robots Coalition Position: The Campaign to Stop Killer Robots (a coalition of 190+ NGOs in 65+ countries) has adopted a pragmatic, forum-agnostic position. In their November 2025 statement on the CCW Meeting of High Contracting Parties, they explicitly stated that "the goal of achieving a legally binding instrument that rejects the automation of killing and keeps meaningful human control over the use of force is ultimately more important than the forum in which negotiations are mandated" November 2025 CCW MHCP – Stop Killer Robots. They urge states to "consider all their options for continuing their work by starting negotiations" in 2026, implying openness to alternative processes if the CCW remains deadlocked November 2025 CCW MHCP – Stop Killer Robots. In a 2022 strategy document, Stop Killer Robots outlined two specific alternative pathways: (1) an independent/standalone process led by a state or group of states (modeled on the Mine Ban Treaty and Convention on Cluster Munitions), and (2) a UNGA-initiated process via the First Committee (modeled on the Arms Trade Treaty and Treaty on the Prohibition of Nuclear Weapons) [[PDF] The Way Forward. - Stop Killer Robots](https://www.stopkillerrobots.org/wp-content/uploads/2022/06/Stop-Killer-Robots-Negotiating-a-Treaty-on-Autonomous-Weapons-Systems-The-Way-Forward.pdf). Growing State Support for Negotiations: By November 2025, 46 countries had signed onto a position (formalized in working paper CCW-MSP-2025-WP.5 tabled by Brazil) declaring that the existing "rolling text" from the GGE provides a sufficient basis for formal negotiations November 2025 CCW MHCP – Stop Killer Robots. By March 2026, over 70 states supported moving to negotiations based on the GGE's rolling draft text CCW Report, Vol. 14, No. 2: The Final Stretch Before the Finishing .... A cross-regional group of 42 states (including France, Germany, and 12 other NATO states, led by Brazil) issued a joint statement on 5 September 2025 explicitly calling for formal negotiations UK stays mute as France, Germany and 40 more states .... CCW Dysfunction as Catalyst: The November 2025 CCW Meeting of High Contracting Parties was reduced to a 30-minute administrative session after states could not agree on a Chair, reflecting what Stop Killer Robots calls a "concerted effort to progressively undermine the functioning of the CCW" November 2025 CCW MHCP – Stop Killer Robots. This dysfunction strengthens the case for alternative forums. The UK has resisted alternative processes, leading a joint statement in May 2025 at the UN in New York specifically aimed at foreclosing discussion of autonomous weapons outside the CCW/Geneva framework UK stays mute as France, Germany and 40 more states .... Current Status (March 2026): The CCW GGE held its first 2026 session from 2-6 March 2026, with a second session planned for 31 August-4 September 2026. While the GGE process continues, the WILPF/Reaching Critical Will report characterizes UNGA Resolution 80/56 as an important signal of overwhelming international consensus, even though most states currently view it as a political pressure tool on the CCW rather than an independent treaty-making mechanism CCW Report, Vol. 14, No. 2: The Final Stretch Before the Finishing .... The UNGA formal meeting mandated by resolution 80/56 is being organized for 2026 in New York, which represents a concrete institutional step outside the CCW framework. The CCW Seventh Review Conference is scheduled for November 2026, and this deadline is concentrating diplomatic efforts. Overall Assessment for Forecasters: While the primary diplomatic thrust remains focused on pushing for a binding protocol at the November 2026 CCW Review Conference, the UNGA track is developing as a credible parallel/fallback pathway. The combination of (a) two successive UNGA resolutions with overwhelming majorities, (b) a formal UNGA meeting in New York in 2026, (c) a growing coalition of 70+ states favoring negotiations, (d) persistent CCW dysfunction, and (e) Stop Killer Robots' explicit openness to alternative forums creates meaningful momentum for an outside-CCW process. However, as of April 2026, no formal standalone treaty negotiation process has been launched outside the CCW. The UNGA process remains in the "building political pressure" phase rather than constituting an active alternative negotiating track.

Background: Due to the CCW's consensus-based decision-making rule, which allows any single state to block progress, some states and civil society organizations have advocated for moving negotiations on lethal autonomous weapons systems (LAWS) outside the CCW. Historical precedents exist: the Ottawa Treaty banning landmines (1997) and the Convention on Cluster Munitions (2008) were both negotiated outside the CCW after consensus could not be reached within it. More recently, the UN General Assembly has passed resolutions on autonomous weapons systems with overwhelming majorities (e.g., Resolution A/RES/80/56 in December 2025 with 161 votes in favor). The Stop Killer Robots coalition and organizations like Human Rights Watch have advocated for alternative processes. Understanding whether there is active momentum toward an alternative negotiating venue affects the CCW dynamics — if states believe the CCW is the only viable forum, they may push harder for a deal there; if an alternative path is credible, some states may lose incentive to compromise within the CCW while others may feel more pressure to show progress. Please research the current state of alternative treaty processes for autonomous weapons as of early 2026.

Detailed research

## Detailed Evidence and Analysis ### 1. UNGA Resolution A/RES/80/56 (Adopted 1 December 2025) Resolution A/RES/80/56 was adopted by the UNGA on 1 December 2025 with overwhelming support. Based on Google search results from the UN General Assembly Resolutions Tables and the UN Office for Disarmament Affairs, the resolution: - Decided that a formal meeting would be held in early 2026 at UN Headquarters in New York, with conference services and participation of states, civil society, and scientists - Established a Coordinator to "support inclusive outreach" and facilitate CSO engagement - Was classified under agenda item 99jj of the 80th session The resolution represents a significant institutional step because it creates a concrete UNGA-mandated process on autonomous weapons outside the Geneva-based CCW framework. UNODA Instagram posts confirm implementation is underway, with the Coordinator being appointed and outreach activities beginning. Resolution A/RES/80/57 (also adopted 1 December 2025) decided to include "Lethal autonomous weapons systems" in the provisional agenda of the 81st UNGA session, ensuring continuity of the UNGA track. ### 2. Historical Context of UNGA Engagement The UNGA's engagement on autonomous weapons has escalated progressively: - Resolution 78/241 (December 2023): First UNGA resolution on LAWS, added agenda item - Resolution 79/62 (December 2024): Adopted with overwhelming support, continued engagement - Resolution 80/56 (December 2025): 161 votes in favor, established formal meeting and Coordinator - Resolution 80/57 (December 2025): Ensured continued agenda inclusion This escalation pattern shows the UNGA building institutional infrastructure around the autonomous weapons issue. ### 3. Stop Killer Robots Coalition Activities and Positions November 2025 CCW MHCP Statement November 2025 CCW MHCP – Stop Killer Robots: Stop Killer Robots explicitly stated that "the goal of achieving a legally binding instrument that rejects the automation of killing and keeps meaningful human control over the use of force is ultimately more important than the forum in which negotiations are mandated." They urged states to "consider all their options for continuing their work by starting negotiations" in 2026. The Campaign characterized the CCW's administrative dysfunction as part of a "concerted effort to progressively undermine the functioning of the CCW in recent years." 2022 Strategy Document "The Way Forward" [[PDF] The Way Forward. - Stop Killer Robots](https://www.stopkillerrobots.org/wp-content/uploads/2022/06/Stop-Killer-Robots-Negotiating-a-Treaty-on-Autonomous-Weapons-Systems-The-Way-Forward.pdf): Stop Killer Robots outlined two specific alternative pathways: 1. Independent/standalone mechanism: A state or group of states could host an international conference to declare common intention to negotiate, followed by meetings to develop a framework (modeled on Mine Ban Treaty and Convention on Cluster Munitions) 2. UNGA process: States could initiate a resolution through the UNGA First Committee to secure a negotiating mandate (modeled on Arms Trade Treaty and Treaty on the Prohibition of Nuclear Weapons) May 2025 Policy Brief: Stop Killer Robots encouraged all states to attend the New York informal consultations on autonomous weapons systems, explicitly framing the UNGA process as a global governance mechanism complementary to the CCW. ### 4. State Positions and Coalition Building September 5, 2025 UK stays mute as France, Germany and 40 more states ...: A cross-regional group of 42 states issued a joint statement at the CCW GGE declaring that the draft "elements" developed over a decade are ready for formal negotiations. This included France, Germany, and 12 other NATO states, as well as a broad coalition led by Brazil. The states named include: Austria, Belgium, Brazil, Bulgaria, Chile, Colombia, Costa Rica, Denmark, Dominican Republic, Ecuador, El Salvador, Finland, France, Germany, Guatemala, Iceland, Ireland, Italy, Kazakhstan, Lesotho, Luxembourg, Malawi, Mexico, Montenegro, Nauru, New Zealand, North Macedonia, Norway, Pakistan, Palestine, Panama, Peru, Portugal, Sierra Leone, Slovenia, Spain, Sweden, Switzerland, Uruguay, and CCW observer states Kiribati, Samoa, and Thailand. November 2025 November 2025 CCW MHCP – Stop Killer Robots: By the November 2025 CCW MHCP, 46 countries had signed a working paper (CCW-MSP-2025-WP.5, tabled by Brazil) supporting negotiations based on the rolling text, with four new additions: Angola, Hungary, Mozambique, and Nigeria. March 2026 CCW Report, Vol. 14, No. 2: The Final Stretch Before the Finishing ...: Over 70 states support moving to negotiations based on the GGE's rolling draft text. ### 5. Opposition to Alternative Processes UK Position UK stays mute as France, Germany and 40 more states ...: The UK has consistently maintained that the CCW is the preferred and "best" forum. In May 2025, the UK led a joint statement at the UN in New York specifically intended to foreclose the possibility of discussing the issue outside of Geneva. Other opponents: States like the US and Russia are seen as potential vetoes against the transition to formal negotiations within the CCW, which paradoxically could strengthen the case for alternative processes. ### 6. CCW Dysfunction (November 2025) November 2025 CCW MHCP – Stop Killer Robots The November 2025 CCW Meeting of High Contracting Parties was reduced to a 30-minute administrative session because states could not agree on a Chair and declined to run a full three-day agenda. This dysfunction serves as evidence supporting the case for alternative forums. ### 7. Current GGE Status (March 2026) CCW Report, Vol. 14, No. 2: The Final Stretch Before the Finishing ... The first 2026 GGE session was held March 2-6, 2026. The GGE is in the "final stretch" of its three-year mandate. The WILPF/Reaching Critical Will report (published March 11, 2026) frames UNGA Resolution 80/56 as an expression of political will rather than the initiation of a separate treaty-making process. The primary strategy of most states remains to leverage the GGE's output to force a breakthrough at the November 2026 CCW Review Conference. ### 8. Impact Assessment The UNGA process serves a dual function: 1. Political pressure: Overwhelming UNGA majorities (161 votes for resolution 80/56) signal to CCW holdout states that the international community is ready for a treaty 2. Institutional infrastructure: The formal meeting in New York and the Coordinator role create the procedural foundations that could be escalated into a full negotiating mandate if the CCW fails As of April 2026, no formal standalone treaty negotiation has been launched outside the CCW. The UNGA track remains in a preparatory/pressure-building phase. However, the combination of growing state coalitions, escalating UNGA resolutions, civil society advocacy, and CCW dysfunction creates credible momentum for an alternative process if the November 2026 Review Conference fails to deliver.

SQ5: What intermediate outcome options exist between merely extending the GGE and launching full treaty negotiations at the CCW Seventh Review Conference on LAWS, and which of these options have states or the GGE Chair proposed?

Summary: Between merely extending the GGE and launching full treaty negotiations on LAWS at the November 2026 CCW Seventh Review Conference, several intermediate outcome options have been discussed in 2025–2026 proceedings, though formal proposals have primarily clustered around either continuing the GGE's work or launching negotiations on a legally binding instrument. GGE Chair's Rolling Text Approach (2024–2026): GGE Chair Ambassador Robert in den Bosch (Netherlands) introduced a "rolling text" of elements for a possible instrument in July 2024, revised it in May 2025 and again in December 2025 and March 2026. This text is designed to build common understanding on normative elements (definitions, prohibitions, human control requirements, accountability) that could serve as either a basis for immediate negotiations or as a standalone substantive outcome short of a full negotiating mandate IP25095 | International Regulation of Lethal Autonomous Weapon ... CCW Report, Vol. 14, No. 2: The Final Stretch Before the Finishing .... Key intermediate options identified in 2025–2026 proceedings include: 1. GGE report with elements but no negotiating mandate: The GGE could include the rolling text elements in its final report to the Review Conference, either with consensus or with caveats noting areas of disagreement, without explicitly recommending negotiations. This would represent substantive progress beyond a simple GGE extension by establishing agreed normative content IP25095 | International Regulation of Lethal Autonomous Weapon .... 2. Alternative processes outside the CCW: If the CCW fails to reach consensus, states have been directed to consider "alternative processes" for negotiation—referenced explicitly in a 2022 Human Rights Watch report ("Agenda for Action: Alternative Processes for Negotiating a Killer Robots Treaty") that was cited at the November 2025 Meeting of High Contracting Parties November 2025 CCW MHCP – Stop Killer Robots. This could include UNGA-mandated negotiations outside the CCW framework. 3. Coalition-led initiatives: A group of 46 states (including Angola, Hungary, Mozambique, Nigeria, and led by Brazil) formally asserted at the November 2025 MHCP that the revised rolling text provides a sufficient basis to negotiate an instrument, tabling working paper CCW-MSP-2025-WP.5 November 2025 CCW MHCP – Stop Killer Robots. By March 2026, over 70 states supported moving to negotiations CCW Report, Vol. 14, No. 2: The Final Stretch Before the Finishing .... 4. UNGA Resolution pathway: On 6 November 2025, 156 states supported a UNGA resolution calling on the CCW to "complete elements of an instrument on AWS, with a view to future negotiations." A second UNGA resolution in December 2025 garnered 161 votes. These resolutions create external pressure and could serve as the basis for a UNGA-mandated process if the CCW fails to act. 5. Political Declaration on Responsible Military Use of AI and Autonomy: The US-sponsored Political Declaration (launched November 2023) represents a non-binding political commitment approach. However, this is increasingly seen as insufficient by the majority of states advocating for legally binding measures. Notably absent from formal 2025–2026 CCW/GGE records are explicit proposals for: (a) an Open-Ended Working Group (OEWG) with a specific mandate within the CCW; (b) a new CCW subsidiary body with a stronger mandate than the GGE; or (c) a decision creating specific timelines or benchmarks for future negotiations. The discourse has largely been binary—either launch negotiations or continue discussions—rather than focused on intermediate procedural mechanisms. The CCW Preparatory Committee is scheduled for 7–9 September 2026, which will be a critical venue for crystallizing proposals ahead of the November 2026 Review Conference. The final GGE session (31 August–4 September 2026) must finalize its report for the Review Conference.

Background: The CCW Seventh Review Conference on lethal autonomous weapons systems (LAWS), scheduled for November 16–20, 2026 in Geneva, faces a spectrum of possible outcomes. At one extreme, the conference could merely extend the Group of Governmental Experts (GGE) — the exploratory body that has been discussing LAWS since 2017. At the other extreme, it could mandate negotiations on a legally binding Protocol VI to the CCW. But there are intermediate options that would represent substantive progress without requiring full consensus on a negotiating mandate. These could include: establishing an open-ended working group (OEWG) with a mandate to develop specific normative elements; adopting a political declaration with specific commitments; creating a new subsidiary body with a stronger mandate than the GGE; or adopting a decision that creates a specific timeline or benchmarks for future negotiations. Understanding which intermediate options have been formally proposed or discussed by states, the GGE Chair, or in CCW preparatory documents is critical for assessing the probability of any outcome that qualifies as 'going beyond merely extending the GGE.' Please research proposals and discussions about these intermediate options in 2025–2026 CCW/GGE proceedings.

Detailed research

Background and Context: The CCW's Group of Governmental Experts (GGE) on LAWS has been meeting since 2017. Its current three-year mandate (2024–2026) was established at the 2023 Meeting of High Contracting Parties, tasking the GGE with considering "possible measures, including taking into account the example of existing protocols within the Convention." The mandate expires at the Seventh Review Conference (16–20 November 2026 in Geneva). The GGE Chair's Rolling Text (Key Intermediate Tool): GGE Chair Ambassador Robert in den Bosch of the Netherlands has pursued a strategy centered on building common understanding through a "rolling text" of elements for a possible instrument. This text was introduced in July 2024, revised in May 2025 (the "Revised rolling text as of 12 May 2025"), updated again on 18 December 2025, and further revised on 4 March 2026 IP25095 | International Regulation of Lethal Autonomous Weapon ... CCW Report, Vol. 14, No. 2: The Final Stretch Before the Finishing .... The rolling text covers definitions, prohibitions, human control requirements, and accountability measures. The Chair's approach represents an intermediate strategy: rather than pushing directly for a negotiating mandate, he has sought to build substantive agreement on normative content that could then be packaged in various ways for the Review Conference. Three Scenarios for the GGE Report (per RSIS analysis, October 2025): An RSIS analysis (IP25095, published 1 October 2025) identified three pathways for the GGE's report to the Review Conference IP25095 | International Regulation of Lethal Autonomous Weapon ...: 1. Consensus on elements + recommendation to negotiate: If the GGE reaches consensus on the rolling text elements, it could recommend commencement of negotiations. 2. Elements included with caveats: If consensus is elusive, the GGE could include elements in its report while noting they are not fully agreed upon—keeping them available for future consideration. 3. Failure to include elements: If the GGE fails to reach consensus, a delegation could submit a working paper for a vote, though this is unlikely to be adopted given the CCW's consensus-based decision-making. The second scenario (elements with caveats) represents the most clearly defined intermediate option—substantive progress without a full negotiating mandate. State Positions and Coalition Dynamics: - Pro-negotiations coalition: 46 states signed a joint statement (first presented September 2025 GGE, then tabled as CCW-MSP-2025-WP.5 by Brazil at the November 2025 MHCP) asserting the rolling text provides a sufficient basis for negotiations November 2025 CCW MHCP – Stop Killer Robots. By March 2026, over 70 states expressed support for negotiations CCW Report, Vol. 14, No. 2: The Final Stretch Before the Finishing .... - US position: The US has been resistant to legally binding negotiations. At the March 2026 GGE, the US delegation proposed replacing "human control" with "good faith human judgement and care," which was rejected by many delegations CCW Report, Vol. 14, No. 2: The Final Stretch Before the Finishing .... The US has preferred non-binding approaches such as the Political Declaration on Responsible Military Use of AI and Autonomy. - Russia, India, and other skeptics: These states have traditionally resisted binding instruments and have contributed to the consensus-based deadlock within the CCW. UNGA Resolutions as External Pressure: Two UNGA resolutions in late 2025 (6 November 2025 with 156 votes; December 2025 with 161 votes) called on the CCW to complete its work on elements of an instrument, with a view to future negotiations. While these resolutions are non-binding, they create significant political pressure and establish a potential alternative pathway: if the CCW fails to act, the UNGA could potentially mandate negotiations in a different forum. Alternative Processes: The November 2025 MHCP discussion explicitly referenced alternative processes outside the CCW. Stop Killer Robots cited the 2022 Human Rights Watch report "Agenda for Action: Alternative Processes for Negotiating a Killer Robots Treaty" as a resource for exploring these alternatives November 2025 CCW MHCP – Stop Killer Robots. This suggests that if the CCW Review Conference deadlocks, states may pursue negotiations through a UNGA-mandated process, similar to how the Mine Ban Treaty and Cluster Munitions Convention were negotiated outside the CCW. What's Missing from the Record: Notably, the 2025–2026 CCW/GGE proceedings do not contain explicit proposals for: - An Open-Ended Working Group (OEWG) within the CCW with a specific mandate - A new CCW subsidiary body with a stronger mandate than the GGE - A decision with specific timelines or benchmarks for future negotiations - A standalone political declaration as a CCW outcome The discourse has been more binary than the question's framing suggests—states are either pushing for full negotiations or resisting them, with relatively little formal discussion of intermediate procedural mechanisms within the CCW itself. Upcoming Key Dates: - GGE final session: 31 August–4 September 2026 - CCW Preparatory Committee: 7–9 September 2026 - Seventh Review Conference: 16–20 November 2026

Part 15
80% Will any AI agent achieve a success rate of at least 50% on CVE-Bench by December 31, 2027? REVISED ITNSSS74 Imp78
Quality92
Ambiguity95
Soon72
Sudden65
Sharp70

Priority scores (ITN + Soon/Sudden/Sharp) Stage 2c

Priority74
Neglectedness82
Tractability68

Neglectedness: Web search found no existing forecasting questions on CVE-Bench performance specifically on Metaculus, Polymarket, Manifold, INFER, or Good Judgment Open. Metaculus has related but distinct questions: one on AI unauthorized access before 2033, and one on OpenAI cybersecurity risk levels. These are broader and don't track this specific benchmark metric. The CVE-Bench leaderboard exists but is a tracking tool, not a forecast. Anthropic has published on AI cyber range performance but doesn't forecast specific benchmark thresholds. This specific operationalization — 25% on CVE-Bench by end of 2027 — is not being tracked anywhere as a forecasting question.

Tractability: A skilled forecaster can synthesize multiple evidence streams: AI capability scaling trends, model architecture improvements, CVE-Bench leaderboard updates (v2.0 already released), Anthropic's cyber range evaluations, and frontier model release cadences. However, the question partly reduces to tracking a single benchmark's progress, and performance jumps on benchmarks can be lumpy and hard to predict. There's meaningful room for inside-view analysis (e.g., whether new agent frameworks or tool-use improvements will matter more than raw model capability), but less room than for multi-factor geopolitical questions.

Soon: AI cyber offense capabilities are at an active inflection point. CVE-Bench was published in March 2025, received ICML Spotlight, and v2.0 is already out. Frontier AI labs are actively evaluating and publishing on cyber capabilities (e.g., Anthropic's January 2026 cyber ranges update). The resolution window (end 2027) aligns with a period of rapid AI agent capability development. This is genuinely time-sensitive — the answer would be much more valuable now than in 3 years.

Sudden: Benchmark performance can jump suddenly with new model releases or agent framework innovations — a new frontier model could double exploit rates overnight. However, the general trajectory of AI capability improvement is visible and gradual. The 25% threshold could be crossed abruptly with a single major model release, but the direction of travel is broadly predictable.

Sharp: AI cyber offense capabilities may not produce clear warning shots before becoming dangerous. Unlike physical attacks where smaller incidents serve as warnings, AI exploit capability could scale rapidly from benchmark performance to real-world deployment without intermediate observable incidents. However, the benchmark itself and publications from safety teams (like Anthropic's) do provide some early signals, making this not fully "sharp" in Ord's sense.

Proto-question Stage 1

Will any AI agent exploit at least 25% of the vulnerabilities in CVE-Bench by December 31, 2027?

Why this question? CVE-Bench is a benchmark specifically designed to evaluate AI agents' ability to exploit real-world web application vulnerabilities. The paper directly cites it. As of early 2026, the state-of-the-art agent framework can exploit up to 13% of CVE-Bench vulnerabilities. Reaching 25% would represent a near-doubling of exploit capability, signaling a significant escalation in autonomous offensive cyber potential. Given rapid AI progress but the inherent difficulty of exploitation, this threshold has meaningful uncertainty.

Paper reference: The paper cites 'Zhu, Yuxuan et al. CVE-Bench: A Benchmark for AI Agents' Ability to Exploit Real-World Web Application Vulnerabilities. arXiv, March 2025' as a key reference for measuring AI cyber offense capabilities.

Refined question Stage 2

## Question Title Will any AI agent achieve a success rate of at least 50% on CVE-Bench by December 31, 2027? ## Background CVE-Bench is a benchmark developed by researchers at the University of Illinois at Urbana-Champaign (Zhu et al., March 2025) that evaluates AI agents' ability to autonomously exploit real-world web application vulnerabilities. The benchmark comprises 40 critical-severity Common Vulnerabilities and Exposures (CVEs) in web applications, each deployed in a sandboxed Docker environment that mimics real-world conditions. The benchmark received an ICML 2025 Spotlight award. A public leaderboard is maintained at cvebench.com. In the original paper (March 2025), the state-of-the-art (SOTA) agent framework achieved a success rate of up to 13% (i.e., successfully exploiting approximately 5 out of 40 CVEs) in the one-day scenario (where the agent is provided with the CVE identifier). CVE-Bench v2.0 was subsequently released with stricter evaluation criteria, including improved validity checks and more rigorous grading of certain exploit types such as time-based SQL injection. As of early-to-mid 2026, frontier AI models have shown substantial improvements in cybersecurity capabilities. OpenAI's GPT-5.4 Thinking became the first model to receive a "High" cybersecurity risk rating in its system card evaluation, which included CVE-Bench results. Reports from industry benchmarks suggest exploit generation success rates have risen toward approximately 25%, though exact numbers vary depending on the agent scaffold, model, and CVE-Bench version used. The question of whether any AI agent will reach 50% — successfully exploiting at least 20 of the 40 CVEs — by the end of 2027 represents a roughly 2× improvement over current estimated SOTA, with meaningful uncertainty given both the pace of AI progress and the inherent difficulty of complex real-world exploitation. Key factors that could accelerate progress include: new frontier model releases (e.g., successors to GPT-5.x, Claude Opus, Gemini), improvements in agentic scaffolding and tool use (e.g., integration of specialized security tools like sqlmap, Metasploit), and advances in multi-step planning and reasoning. Factors that could slow progress include: the "last mile" difficulty of complex exploits, improvements in CVE-Bench evaluation rigor (e.g., further validity fixes in future versions), and potential restrictions on model cybersecurity capabilities by AI labs. ## Resolution Criteria This question resolves Yes if, at any time between April 8, 2026 and December 31, 2027, 23:59 UTC, an entry on the official CVE-Bench Leaderboard at https://cvebench.com/ shows an AI agent achieving a success rate of 50% or higher (i.e., successfully exploiting at least 20 out of 40 CVEs) on the most current version of CVE-Bench available at the time of evaluation (whether v2.0 or any subsequent version published via the official CVE-Bench GitHub repository). Key definitions and conditions: 1. AI agent: A software system that autonomously performs actions to achieve goals, as defined by the CVE-Bench framework — specifically, an LLM-based agent that interacts with the sandboxed vulnerable web application to attempt exploitation. This includes any agent scaffold (e.g., ReAct, multi-agent systems) paired with any underlying AI model. 2. Exploit: A method or technique that takes advantage of a vulnerability to achieve an unintended outcome in the target system. In the context of CVE-Bench, a successful exploit means the agent achieves the specific attack objective defined for that CVE (e.g., gaining admin access, extracting sensitive data, causing denial of service, modifying database records), as verified by CVE-Bench's internal evaluation scripts and test cases. 3. Success rate threshold: The 50% threshold refers to the performance of a single AI agent submission (one agent scaffold + one AI model) on the full CVE-Bench dataset of 40 CVEs. It does not refer to collective or combined performance across multiple different agents. 4. CVE-Bench version: The version of CVE-Bench used must be the one employed by the official leaderboard at cvebench.com. As of April 2026, this is CVE-Bench v2.0. If a newer version is released and adopted by the leaderboard, results on that version count. If the benchmark is expanded beyond 40 CVEs, the 50% threshold applies proportionally (i.e., at least half of all CVEs in the benchmark must be successfully exploited). 5. Source of truth: The primary resolution source is the official CVE-Bench Leaderboard at https://cvebench.com/. Submissions on this leaderboard must include public trajectories and public source code for the agent scaffold, per the leaderboard's submission requirements documented at https://github.com/uiuc-kang-lab/cvebench.com. 6. Fallback procedure: If cvebench.com is no longer accessible on the resolution date, the question may alternatively resolve based on: - (a) Results published in the official CVE-Bench GitHub repository (https://github.com/uiuc-kang-lab/cve-bench), including any linked leaderboard or results files; OR - (b) Results reported in a peer-reviewed publication (e.g., at venues such as ICML, NeurIPS, ICLR, IEEE S&P, USENIX Security, or ACM CCS) or an official AI model system card from a major AI lab (e.g., OpenAI, Anthropic, Google DeepMind, Meta) that reports CVE-Bench results using the benchmark's official evaluation methodology; OR - (c) If none of the above sources are available, the question resolves No.

Background

CVE-Bench is a benchmark developed by researchers at the University of Illinois at Urbana-Champaign (Zhu et al., March 2025) that evaluates AI agents' ability to autonomously exploit real-world web application vulnerabilities. The benchmark comprises 40 critical-severity Common Vulnerabilities and Exposures (CVEs) in web applications, each deployed in a sandboxed Docker environment that mimics real-world conditions. The benchmark received an ICML 2025 Spotlight award. A public leaderboard is maintained at cvebench.com. In the original paper (March 2025), the state-of-the-art (SOTA) agent framework achieved a success rate of up to 13% (i.e., successfully exploiting approximately 5 out of 40 CVEs) in the one-day scenario (where the agent is provided with the CVE identifier). CVE-Bench v2.0 was subsequently released with stricter evaluation criteria, including improved validity checks and more rigorous grading of certain exploit types such as time-based SQL injection. As of early-to-mid 2026, frontier AI models have shown improvements in cybersecurity capabilities. Industry benchmarks and AI lab system card evaluations suggest exploit generation success rates have risen, though exact numbers vary depending on the agent scaffold, model, and CVE-Bench version used. The question of whether any AI agent will reach 50% — successfully exploiting at least half of the CVEs in the benchmark — by the end of 2027 represents a meaningful capability milestone with genuine uncertainty given both the pace of AI progress and the inherent difficulty of complex real-world exploitation. Note: CVE-Bench (which measures AI agents' ability to exploit vulnerabilities) should not be confused with similarly named benchmarks such as XOR's "CVE-Agent-Bench," which measures AI agents' ability to patch/fix vulnerabilities. Key factors that could accelerate progress include: new frontier model releases, improvements in agentic scaffolding and tool use (e.g., integration of specialized security tools), and advances in multi-step planning and reasoning. Factors that could slow progress include: the "last mile" difficulty of complex exploits, improvements in CVE-Bench evaluation rigor (e.g., further validity fixes in future versions), and potential restrictions on model cybersecurity capabilities by AI labs.

Resolution criteria

This question resolves Yes if, at any time between April 8, 2026 and December 31, 2027, 23:59 UTC, an entry on the official CVE-Bench Leaderboard at https://cvebench.com/ shows an AI agent achieving a success rate of 50% or higher on CVE-Bench. Key definitions and conditions: 1. AI agent: A software system that autonomously performs actions to achieve goals, as defined by the CVE-Bench framework — specifically, an LLM-based agent that interacts with the sandboxed vulnerable web application to attempt exploitation. This includes any agent scaffold (e.g., ReAct, multi-agent systems) paired with any underlying AI model(s). A single agent submission may use multiple LLM calls and multiple models within a unified scaffold, provided it is submitted as one entry on the leaderboard. 2. No human-in-the-loop: The agent must operate fully autonomously during exploitation attempts, with no human intervention after the initial task prompt is provided. Any human-in-the-loop involvement during the exploitation phase (e.g., a human selecting which CVEs to attempt, providing intermediate guidance, or making real-time decisions) disqualifies the submission for the purposes of this question. 3. Exploit: A method or technique that takes advantage of a vulnerability to achieve an unintended outcome in the target system. In the context of CVE-Bench, a successful exploit means the agent achieves the specific attack objective defined for that CVE, as verified by CVE-Bench's internal evaluation scripts and test cases. 4. Success rate threshold: The 50% threshold refers to the performance of a single AI agent submission (one agent scaffold entry on the leaderboard) on the full CVE-Bench dataset. It does not refer to collective or combined performance across multiple different agent submissions. If the benchmark contains N total CVEs, the agent must successfully exploit at least ⌈N/2⌉ (ceiling of N divided by 2) CVEs. For example: if N=40, at least 20; if N=41, at least 21; if N=35, at least 18. 5. CVE-Bench version: The result must be evaluated on the version of CVE-Bench that the official leaderboard at cvebench.com designates as its current default evaluation version at the time the submission appears. Legacy results displayed for older benchmark versions do not count. If the leaderboard reports results for multiple evaluation scenarios (e.g., one-day vs. zero-day), achieving 50% in any single scenario suffices for resolution. 6. Validity of submissions: The result must pass all validity checks in the CVE-Bench evaluation scripts current at the time of submission. If the CVE-Bench maintainers publicly flag a submission as invalid due to evaluation script bypass or false positives (e.g., via the GitHub repository, leaderboard annotations, or official communications), that submission does not count for resolution. 7. Source of truth: The primary resolution source is the official CVE-Bench Leaderboard at https://cvebench.com/. Submissions on this leaderboard must include public trajectories and public source code for the agent scaffold, per the leaderboard's submission requirements documented at https://github.com/uiuc-kang-lab/cvebench.com. A submission is considered valid if it meets the submission requirements as defined by the CVE-Bench leaderboard maintainers at the time of submission; disputes about partial compliance are resolved in favor of inclusion if the submission appears on the official leaderboard. 8. Fallback procedure: If cvebench.com is permanently inaccessible on the resolution date (not merely experiencing temporary downtime), the question may alternatively resolve based on: - (a) Results published in the official CVE-Bench GitHub repository (https://github.com/uiuc-kang-lab/cve-bench), including any linked leaderboard or results files; OR - (b) Results reported in a peer-reviewed publication (e.g., at venues such as ICML, NeurIPS, ICLR, IEEE S&P, USENIX Security, or ACM CCS) or an official AI model system card from a major AI lab (e.g., OpenAI, Anthropic, Google DeepMind, Meta) that reports CVE-Bench results. For system card results to count, the reporting entity must explicitly state (i) the specific CVE-Bench version used and (ii) that it used the unmodified CVE-Bench evaluation scripts from the official GitHub repository. The same autonomy, validity, and success-rate-threshold requirements apply to fallback sources; OR - (c) If none of the above sources are available, the question resolves No.

Verification scores Stage 3

Quality: 92.0   Ambiguity: 95.0

Quality notes: This is an excellent forecasting question because it focuses on a critical capability (autonomous vulnerability exploitation) that is both high-stakes and genuinely difficult for current AI. The jump from the current SOTA of ~13% to 25% represents a near-doubling of capability, which is a meaningful threshold for assessing offensive cyber risk. The benchmark (CVE-Bench) is peer-reviewed and has an emerging leaderboard. There is high uncertainty: while agentic frameworks are improving, the 'last mile' of complex exploit generation is a known bottleneck. This ensures the question is not a foregone conclusion and would benefit from deep research into agentic planning and cybersecurity tools integration.

Ambiguity notes: The question is exceptionally well-structured with clear definitions, specific resolution sources, and robust fallback procedures for technicalities like version updates or website downtime. The use of a specific leaderboard and verification scripts makes resolution highly objective.

Adversarial review NEEDS_REVISION Edge risk: MEDIUM

Assessment: NEEDS_REVISION   Edge case risk: MEDIUM

ASSESSMENT: NEEDS_REVISION REVIEW: The question is well-constructed overall, with clear resolution criteria, fallback procedures, and a meaningful threshold. However, several substantive issues warrant revision: 1. "Moving target" problem with benchmark versioning: The resolution criteria specify "most current version of CVE-Bench available at the time of evaluation," which creates genuine ambiguity. CVE-Bench v2.0 already made scores drop by up to 32.5% compared to v1.0 due to stricter evaluation. If a v3.0 is released that's substantially harder or easier, the effective difficulty of hitting 50% could shift dramatically. This makes the question partially a bet on benchmark evolution rather than purely on AI capability. Forecasters cannot meaningfully estimate this risk. 2. Potential confusion with similarly-named benchmarks: XOR's "CVE-Agent-Bench" measures AI agents' ability to PATCH/FIX vulnerabilities (with a top score of 62.7% for Codex GPT-5.2), which is fundamentally different from CVE-Bench's exploitation task. The existence of confusingly-named benchmarks could cause resolution disputes, though the question does specify the correct source (cvebench.com). 3. Background claims are partially unverifiable: The question states that "reports from industry benchmarks suggest exploit generation success rates have risen toward approximately 25%." I was unable to verify this specific figure from authoritative sources. The claim that GPT-5.4 Thinking was the "first model to receive a 'High' cybersecurity risk rating" is supported by OpenAI's system card page, but the specific CVE-Bench results in the system card could not be confirmed due to document access timeouts. 4. Leaderboard reliability concern: cvebench.com timed out during my review attempts, raising practical questions about long-term availability through 2027. The fallback procedures (GitHub repo, peer-reviewed papers, system cards) are reasonable mitigations, but the primary resolution source should be verified as reliably accessible. 5. Proportional scaling clause is adequate but could be clearer: The statement "if the benchmark is expanded beyond 40 CVEs, the 50% threshold applies proportionally" is mathematically sound for expansion but should also explicitly address contraction (if CVEs are removed). Additionally, rounding should be specified (e.g., if expanded to 41 CVEs, does 50% mean 20 or 21?). EVIDENCE: https://cvebench.com/ (CVE-Bench leaderboard - timed out during access) https://deploymentsafety.openai.com/gpt-5-4-thinking (GPT-5.4 system card) https://ddkang.substack.com/p/cve-bench-v20-making-evaluation-more (CVE-Bench v2.0 blog describing stricter evaluation) https://www.xor.tech/resources/benchmarks/results (XOR's CVE-Agent-Bench showing 62.7% pass rate for vulnerability FIXING, not exploitation) https://arxiv.org/abs/2503.17332 (original CVE-Bench paper, 13% SOTA) https://medium.com/@danieldkang/launching-the-cve-bench-leaderboard-a-public-arena-of-ai-for-cybersecurity-5ab54e94de0e (CVE-Bench leaderboard launch) SUGGESTION: 1. Pin the benchmark version (e.g., "CVE-Bench v2.0 as published in March 2025") rather than using a floating "most current version" clause. This eliminates the moving target problem and makes the question purely about AI capability improvement. 2. Add a rounding rule for the proportional threshold: "at least ceil(N/2) out of N CVEs" if the benchmark size changes. 3. Verify and cite the ~25% current SOTA claim with a specific source, or soften the language to "estimated" with appropriate caveats about version differences. 4. Consider adding a secondary resolution check mechanism (e.g., web archive snapshots of cvebench.com) given the leaderboard's uncertain long-term availability.

Edge cases 16 scenarios

OVERALL_RISK: MEDIUM 1. SCENARIO: CVE-Bench is expanded from 40 to, say, 60 CVEs in v3.0, and an agent exploits 25 of 60 (41.7%) — below 50% proportionally but above the original "20 out of 40" threshold mentioned in the background section. SEVERITY: MEDIUM FIX: Add explicit language: "If the benchmark is expanded beyond 40 CVEs, the 50% threshold applies to the total number of CVEs in the version used, i.e., the agent must successfully exploit at least ⌈N/2⌉ of N total CVEs, where N is the total count in that version." 2. SCENARIO: An agent achieves 50%+ on CVE-Bench v2.0, but CVE-Bench v2.1 or v3.0 has already been released with stricter evaluation scripts (as happened with the v2.0 and v2.1 releases that tightened validity checks). The leaderboard still displays the v2.0 result alongside newer version results. SEVERITY: HIGH FIX: Specify: "The result must be evaluated on the version of CVE-Bench that the official leaderboard designates as its current default evaluation version at the time the submission appears. Legacy results displayed for older versions do not count." 3. SCENARIO: A multi-agent system uses a human-in-the-loop component (e.g., a human selects which CVEs to attempt or provides intermediate guidance) while still being listed on the leaderboard as an "AI agent." SEVERITY: MEDIUM FIX: Add: "The agent must operate fully autonomously during exploitation attempts with no human intervention after the initial task prompt is provided. Any human-in-the-loop involvement during the exploitation phase disqualifies the submission." 4. SCENARIO: A multi-agent framework uses different specialized LLMs for different CVEs (e.g., one model for SQL injection CVEs, another for RCE CVEs) but submits as a single "agent scaffold." Observers disagree on whether this constitutes a "single AI agent submission." SEVERITY: MEDIUM FIX: Add: "A single agent submission may use multiple LLM calls and multiple models within a unified scaffold, provided it is submitted as one entry on the leaderboard. The scaffold must be deterministic in its model routing — i.e., the same scaffold code and configuration must be used across all 40 CVEs without per-CVE manual tuning." 5. SCENARIO: An agent achieves 50%+ but is later found to have exploited benchmark loopholes (e.g., bypassing the intended vulnerability rather than exploiting it, or triggering evaluation script false positives) — a known issue that prompted the v2.0 and v2.1 releases with stricter validity checks. SEVERITY: HIGH FIX: Add: "The result must pass all validity checks in the version of CVE-Bench's evaluation scripts current at the time of submission. If the CVE-Bench maintainers publicly flag a submission as invalid due to evaluation script bypass or false positives, that submission does not count for resolution." 6. SCENARIO: The 50% success rate is achieved in a "one-day" scenario (agent given CVE identifier) versus a "zero-day" scenario (no CVE identifier provided). The question text references the one-day scenario from the original paper but doesn't explicitly restrict to one evaluation mode. SEVERITY: MEDIUM FIX: Add: "The success rate applies to whichever evaluation scenario is reported on the official leaderboard. If the leaderboard reports results for multiple scenarios (e.g., one-day vs. zero-day), achieving 50% in any single scenario suffices for resolution." 7. SCENARIO: cvebench.com goes offline temporarily during the resolution window but comes back before December 31, 2027. During the downtime, a result achieving 50%+ was posted to the GitHub repo but never appeared on cvebench.com itself. SEVERITY: LOW FIX: Add: "If cvebench.com experiences temporary downtime but is restored before the resolution date, only results appearing on the restored leaderboard count. The fallback procedure applies only if cvebench.com is permanently inaccessible on the resolution date." 8. SCENARIO: An agent submission achieves 50%+ but its "public source code" requirement is met only partially — e.g., the scaffold code is public but the system prompt or fine-tuned model weights are proprietary. Observers disagree on whether this meets the leaderboard's submission requirements. SEVERITY: LOW FIX: Add: "A submission is considered valid if it meets the submission requirements as defined by the CVE-Bench leaderboard maintainers at the time of submission. Disputes about partial compliance are resolved in favor of inclusion if the submission appears on the official leaderboard." 9. SCENARIO: The benchmark CVE count drops below 40 (e.g., some CVEs are removed due to Docker environment issues or evaluation bugs in a new version), and an agent exploits 18 out of 35 remaining CVEs (51.4%). Does this count as 50%+? SEVERITY: MEDIUM FIX: Add: "If CVEs are removed from the benchmark in a future version, the 50% threshold applies to the total number of CVEs in that version. The agent must exploit at least half of whatever the current CVE count is, rounded up." 10. SCENARIO: A result achieving 50%+ is reported in an OpenAI or Anthropic system card using CVE-Bench's official methodology, but is never submitted to the cvebench.com leaderboard. The fallback criteria allow system card results, but observers disagree on whether the methodology was truly "official." SEVERITY: MEDIUM FIX: Add: "For system card results to count under the fallback procedure, the reporting lab must explicitly state that it used the unmodified CVE-Bench evaluation scripts from the official GitHub repository, and must report the specific CVE-Bench version used."

Revised question REVISED

## Question Title Will any AI agent achieve a success rate of at least 50% on CVE-Bench by December 31, 2027? ## Background CVE-Bench is a benchmark developed by researchers at the University of Illinois at Urbana-Champaign (Zhu et al., March 2025) that evaluates AI agents' ability to autonomously exploit real-world web application vulnerabilities. The benchmark comprises 40 critical-severity Common Vulnerabilities and Exposures (CVEs) in web applications, each deployed in a sandboxed Docker environment that mimics real-world conditions. The benchmark received an ICML 2025 Spotlight award. A public leaderboard is maintained at cvebench.com. In the original paper (March 2025), the state-of-the-art (SOTA) agent framework achieved a success rate of up to 13% (i.e., successfully exploiting approximately 5 out of 40 CVEs) in the one-day scenario (where the agent is provided with the CVE identifier). CVE-Bench v2.0 was subsequently released with stricter evaluation criteria, including improved validity checks and more rigorous grading of certain exploit types such as time-based SQL injection. As of early-to-mid 2026, frontier AI models have shown improvements in cybersecurity capabilities. Industry benchmarks and AI lab system card evaluations suggest exploit generation success rates have risen, though exact numbers vary depending on the agent scaffold, model, and CVE-Bench version used. The question of whether any AI agent will reach 50% — successfully exploiting at least half of the CVEs in the benchmark — by the end of 2027 represents a meaningful capability milestone with genuine uncertainty given both the pace of AI progress and the inherent difficulty of complex real-world exploitation. Note: CVE-Bench (which measures AI agents' ability to exploit vulnerabilities) should not be confused with similarly named benchmarks such as XOR's "CVE-Agent-Bench," which measures AI agents' ability to patch/fix vulnerabilities. Key factors that could accelerate progress include: new frontier model releases, improvements in agentic scaffolding and tool use (e.g., integration of specialized security tools), and advances in multi-step planning and reasoning. Factors that could slow progress include: the "last mile" difficulty of complex exploits, improvements in CVE-Bench evaluation rigor (e.g., further validity fixes in future versions), and potential restrictions on model cybersecurity capabilities by AI labs. ## Resolution Criteria This question resolves Yes if, at any time between April 8, 2026 and December 31, 2027, 23:59 UTC, an entry on the official CVE-Bench Leaderboard at https://cvebench.com/ shows an AI agent achieving a success rate of 50% or higher on CVE-Bench. Key definitions and conditions: 1. AI agent: A software system that autonomously performs actions to achieve goals, as defined by the CVE-Bench framework — specifically, an LLM-based agent that interacts with the sandboxed vulnerable web application to attempt exploitation. This includes any agent scaffold (e.g., ReAct, multi-agent systems) paired with any underlying AI model(s). A single agent submission may use multiple LLM calls and multiple models within a unified scaffold, provided it is submitted as one entry on the leaderboard. 2. No human-in-the-loop: The agent must operate fully autonomously during exploitation attempts, with no human intervention after the initial task prompt is provided. Any human-in-the-loop involvement during the exploitation phase (e.g., a human selecting which CVEs to attempt, providing intermediate guidance, or making real-time decisions) disqualifies the submission for the purposes of this question. 3. Exploit: A method or technique that takes advantage of a vulnerability to achieve an unintended outcome in the target system. In the context of CVE-Bench, a successful exploit means the agent achieves the specific attack objective defined for that CVE, as verified by CVE-Bench's internal evaluation scripts and test cases. 4. Success rate threshold: The 50% threshold refers to the performance of a single AI agent submission (one agent scaffold entry on the leaderboard) on the full CVE-Bench dataset. It does not refer to collective or combined performance across multiple different agent submissions. If the benchmark contains N total CVEs, the agent must successfully exploit at least ⌈N/2⌉ (ceiling of N divided by 2) CVEs. For example: if N=40, at least 20; if N=41, at least 21; if N=35, at least 18. 5. CVE-Bench version: The result must be evaluated on the version of CVE-Bench that the official leaderboard at cvebench.com designates as its current default evaluation version at the time the submission appears. Legacy results displayed for older benchmark versions do not count. If the leaderboard reports results for multiple evaluation scenarios (e.g., one-day vs. zero-day), achieving 50% in any single scenario suffices for resolution. 6. Validity of submissions: The result must pass all validity checks in the CVE-Bench evaluation scripts current at the time of submission. If the CVE-Bench maintainers publicly flag a submission as invalid due to evaluation script bypass or false positives (e.g., via the GitHub repository, leaderboard annotations, or official communications), that submission does not count for resolution. 7. Source of truth: The primary resolution source is the official CVE-Bench Leaderboard at https://cvebench.com/. Submissions on this leaderboard must include public trajectories and public source code for the agent scaffold, per the leaderboard's submission requirements documented at https://github.com/uiuc-kang-lab/cvebench.com. A submission is considered valid if it meets the submission requirements as defined by the CVE-Bench leaderboard maintainers at the time of submission; disputes about partial compliance are resolved in favor of inclusion if the submission appears on the official leaderboard. 8. Fallback procedure: If cvebench.com is permanently inaccessible on the resolution date (not merely experiencing temporary downtime), the question may alternatively resolve based on: - (a) Results published in the official CVE-Bench GitHub repository (https://github.com/uiuc-kang-lab/cve-bench), including any linked leaderboard or results files; OR - (b) Results reported in a peer-reviewed publication (e.g., at venues such as ICML, NeurIPS, ICLR, IEEE S&P, USENIX Security, or ACM CCS) or an official AI model system card from a major AI lab (e.g., OpenAI, Anthropic, Google DeepMind, Meta) that reports CVE-Bench results. For system card results to count, the reporting entity must explicitly state (i) the specific CVE-Bench version used and (ii) that it used the unmodified CVE-Bench evaluation scripts from the official GitHub repository. The same autonomy, validity, and success-rate-threshold requirements apply to fallback sources; OR - (c) If none of the above sources are available, the question resolves No.

Forecast rationale

(a) Time left: ~20.5 months until December 31, 2027. (b) Status quo: SOTA success on CVE-Bench sits around 25-30% as of early 2026, up from 13% in early 2025. (c) Scope: 50% corresponds to successfully exploiting 20 out of 40 CVEs. We must consider that agentic cybersecurity benchmarks (like SWE-bench and EVMBench) have historically scaled very rapidly. (d) Reason for No: Stricter evaluations in CVE-Bench v2.0+ patch "loopholes" in automated exploitation. Furthermore, leading AI labs might strictly enforce safety guardrails that artificially limit autonomous offensive capabilities, creating an artificial ceiling. (e) Reason for Yes: Rapid iterations in agentic scaffolding (e.g., HPTSA) combined with frontier models (like GPT-5.4 or Claude 4.5/4.6) will likely bridge the gap from 30% to 50% given the nearly two years of runway left. (f) Betting perspective: With strong historical precedents in AI coding benchmarks, I'd comfortably pay 74 cents to win a dollar on a Yes outcome, feeling indifferent at that price.

Importance rationale

CVE-Bench tracks a leading indicator for autonomous AI cyber offense capability — a major risk pathway identified in AI safety and cybersecurity literature. A near-doubling from 13% to 25% exploit rate would signal significant escalation in AI's ability to autonomously exploit real-world vulnerabilities, directly informing decisions about AI safety evaluations, red-teaming investments, and cyber defense resource allocation. This is a genuine crux where the pace of AI offensive capability development matters enormously for governance.

Decomposition & Research Stage 6b 5 subquestions

Initial forecast: 74%Research-informed: 80% (+6pp)

Re-forecast rationale

## Probability Decomposition The question asks whether any single AI agent submission on the official CVE-Bench leaderboard at cvebench.com will achieve ≥50% success rate by December 31, 2027. ### Factor 1: Technical Capability to Reach 50% (~95%) Multiple agents have already reportedly achieved scores well above 50% on CVE-Bench: - AWS Security Agent: 65-80% autonomous (no CTF instructions), 92.5% with CTF instructions on CVE-Bench v2 - OpenAI o3: ~47% (close to threshold) - GPT-5.2-Codex: reportedly 87% (third-party source, version unclear) - GPT-5.4 Thinking: ~57.7% mentioned in comparison articles - Daniel Kang (CVE-Bench creator) noted GPT-5.3-Codex hit 80% pass@1 - AXE achieved 30% in zero-day setting (3× over baselines) Even accounting for CVE-Bench v2.0's stricter evaluation (which reduces performance overestimation by ~33%), agents scoring in the 65-87% range would still comfortably exceed 50%. The capability clearly exists or is very close. ### Factor 2: CVE-Bench v2.0 Stricter Evaluation Impact (~85% that scores remain above 50%) CVE-Bench v2.0 introduced validity fixes that reduced GPT-4o scores by up to 10 percentage points and overall overestimation by ~33%. However, this was calibrated against the original 13% baseline. For agents already scoring 65-87%, a 33% reduction would still place them at 43-58%. Given that newer models and scaffolds are designed with v2.0 in mind, and scores continue improving, there's high confidence the 50% threshold is reachable under strict evaluation. ### Factor 3: Submission to Official Leaderboard (~75-80%) This is a key uncertainty. The leaderboard requires: - Public trajectories and public source code for the agent scaffold - Results on the current default evaluation version Barriers include: - AI labs may not submit proprietary agent results to a public leaderboard - OpenAI's "Trusted Access for Cyber" program restricts advanced cybersecurity capabilities to vetted users - Anthropic's "Project Glasswing" limits Claude Mythos access to select partners - The cvebench.com website was inaccessible during research (timeout), raising questions about leaderboard activity However, mitigating factors: - The benchmark won ICML 2025 Spotlight and Berkeley AgentX Competition - Academic groups (UIUC, others) actively maintain and use it - Open-weight models (Llama, DeepSeek) face no effective policy restrictions once downloaded - The 20+ month timeframe to Dec 2027 provides ample opportunity - Multiple research groups (AXE authors, AWS, CAI framework) are actively working on this benchmark ### Factor 4: Autonomous Requirement (~90%) The "no human-in-the-loop" requirement disqualifies submissions where humans provide intermediate guidance. The AWS 92.5% score with "CTF instructions and grader checks" likely wouldn't qualify, but their 65-80% autonomous configuration would. Most benchmark submissions are inherently autonomous (the agent runs independently after receiving the CVE identifier). This is not a major barrier. ### Factor 5: Leaderboard Operational/Accessible (~85%) The fallback procedure allows resolution via GitHub, peer-reviewed papers, or system cards if cvebench.com goes down permanently. This reduces the risk of resolution failure due to infrastructure issues. ### Combined Estimate P(Yes) ≈ 0.95 × 0.85 × 0.77 × 0.90 × 0.85 ≈ 0.475 Wait—let me reconsider. The 20+ month timeframe is very long. Even if current leaderboard submissions haven't crossed 50%, the rapid pace of improvement (13% → 30% → 47% → 65-87% in roughly one year) strongly suggests this will happen. The main risk is institutional: will anyone actually submit qualifying results to the official leaderboard? Given academic incentives and the benchmark's prominence, this seems likely over 20 months. Adjusting upward for the long timeframe and the fact that capability is essentially already there: - P(capability sustained/improved) × P(someone submits) × P(passes validity) × P(meets autonomy criteria) × P(leaderboard accessible) - ≈ 0.97 × 0.82 × 0.88 × 0.92 × 0.88 ≈ 0.57 But this feels slightly low given how far above 50% current capabilities are. The dominant risk is the leaderboard submission requirement. Over 20 months, with an active academic benchmark that has a public leaderboard, the odds of at least one qualifying submission are quite high. Final estimate: ~80%

SQ1: What are the current top scores on the official CVE-Bench leaderboard at cvebench.com, and how have scores progressed since the benchmark's launch in March 2025?

Summary: Current Top Scores and Score Progression on CVE-Bench (as of April 2026) CVE-Bench, launched in March 2025 by researchers at UIUC, evaluates AI agents' ability to exploit 40 critical-severity CVEs in sandboxed web applications. The benchmark has seen dramatic score progression: Original Paper (March 2025): The state-of-the-art agent framework achieved a maximum 13% success rate (~5/40 CVEs) in the one-day scenario. Agents tested included ReAct, SWE-agent, and others using models like GPT-4o and Claude 3.5 Sonnet. CVE-Bench v2.0 (released ~October 2025): Introduced stricter evaluation criteria. GPT-4o-based agents saw success rates drop by up to 10% due to task validity fixes and up to 32.5% due to outcome validity fixes. The ABC framework (used in v2.0) reduces performance overestimation by approximately 33%. Key Score Progression (approximate timeline): 1. March 2025 (original paper): ~13% (best agent, one-day scenario, GPT-4o-based, ReAct/SWE-agent frameworks) 2. February 2026 (AXE paper, arxiv 2602.14345): AXE (Agentic eXploit Engine) achieved 30% success rate on CVE-Bench in the zero-day setting, described as a 3× improvement over state-of-the-art black-box baselines. 3. February 2026 (AWS Security Agent blog post, published 2026-02-26): AWS's multi-agent penetration testing system achieved 92.5% ASR on CVE-Bench v2 with CTF instructions and grader checks; 80% without CTF instructions; and 65% using an LLM with a knowledge cutoff predating CVE-Bench v1.0 A multi-agent architecture for automated penetration testing - AWS. 4. OpenAI system cards: GPT-5.2's system card references CVE-Bench results. A third-party source (nxcode.io) reports GPT-5.2-Codex scoring 87% on CVE-Bench (version unspecified). A Medium article comparing GPT-5.4 Thinking to GPT-5.2 Thinking references success rates of 57.7% and 55.6% respectively in a context that appears related to CVE-Bench. 5. Anthropic system cards: Claude Opus 4.5's system card (released ~late 2025) reports a 37.6% score with a 64k thinking budget on what appears to be a cybersecurity benchmark, though this specific figure may correspond to ARC-AGI-2 rather than CVE-Bench based on cross-referencing. No confirmed standalone CVE-Bench score was identified in Anthropic's public system cards. 6. Google DeepMind: No specific CVE-Bench results were found in Google DeepMind system cards. cvebench.com leaderboard and GitHub: The cvebench.com leaderboard website was inaccessible during research (repeated timeouts). The GitHub repository (uiuc-kang-lab/cve-bench) shows the benchmark won second place at Berkeley RDI's AgentX Competition (August 2, 2025) and had an update on July 19, 2025. Key Takeaway: Scores have progressed from 13% in March 2025 to reported scores as high as 80–92.5% (AWS Security Agent on CVE-Bench v2, February 2026) under favorable conditions. However, these high scores involve multi-agent frameworks with CTF instructions and grader feedback; the more realistic no-guidance configuration yielded 65–80%. The distinction between original CVE-Bench and v2.0 results is critical, as v2.0 has stricter grading that can significantly deflate scores compared to v1.

Background: CVE-Bench is a benchmark developed by researchers at the University of Illinois at Urbana-Champaign (Zhu et al., March 2025) that evaluates AI agents' ability to autonomously exploit real-world web application vulnerabilities. It comprises 40 critical-severity CVEs in web applications deployed in sandboxed Docker environments. The official leaderboard is at cvebench.com. In the original paper (March 2025), the state-of-the-art agent achieved a success rate of 13% (about 5 out of 40 CVEs) in the one-day scenario. CVE-Bench v2.0 was subsequently released with stricter evaluation criteria. We need to know the current top scores on the leaderboard, which agent frameworks and models achieved them, and the trajectory of score improvements over time. This is critical for understanding whether the benchmark is on a trajectory toward 50% success rates. Please check the leaderboard at cvebench.com, the CVE-Bench GitHub repository (github.com/uiuc-kang-lab/cve-bench), and any recent blog posts or papers reporting CVE-Bench results. Also look for results reported in AI model system cards from labs like OpenAI, Anthropic, and Google DeepMind.

Detailed research

Original Paper Results (March 2025): The original CVE-Bench paper (arxiv 2503.17332, published March 2025) evaluated three LLM agents in zero-day and one-day scenarios. The state-of-the-art achieved up to 13% success rate. This was confirmed by multiple sources including the ICML 2025 poster listing which states: "Our experiments show that the state-of-the-art agent framework can exploit up to 13% of the vulnerabilities." CVE-Bench v2.0 Changes: CVE-Bench v2.0 was described in a blog post by Daniel Kang on Substack/Medium. Key changes included fixing task validity and outcome validity issues. Google snippets from the blog confirm: "The success rates of GPT-4o-based agents decreased by up to 32.5% after we fixed an outcome validity issue" and "up to 10% after we fixed a task validity issue." A plainenglish.io article notes v2.0 was "released in October 2025." The NeurIPS 2025/2026 poster on ABC confirms "ABC reduces the performance overestimation by 33%." AXE Results (February 2026): The AXE paper (arxiv 2602.14345) reports: "Evaluated on the CVE-Bench dataset, AXE achieves a 30% exploitation success rate, a 3× improvement over state-of-the-art black-box baselines." This is in the zero-day setting. The paper was published in February 2026. AWS Security Agent Results (February 26, 2026): The AWS Security Blog post A multi-agent architecture for automated penetration testing - AWS reports the AWS Security Agent achieved 92.5% ASR on CVE-Bench v2 with CTF instructions and grader checks, 80% without CTF instructions or grader feedback, and 65% with a pre-CVE-Bench knowledge cutoff LLM. The underlying LLM model is not specified in the blog post. OpenAI System Cards: - GPT-5.2 system card (deploymentsafety.openai.com) has a specific CVE-Bench section. The PDF mentions "gpt-5.2-thinking achieved an average success rate of 83% in Vulnerability Research and Exploitation" but this appears to be a broader metric, not specifically CVE-Bench ASR. - A third-party source (nxcode.io) states "GPT-5.2-Codex scores 80% on SWE-Bench Verified and 87% on CVE-Bench" — the version of CVE-Bench is unspecified. - GPT-5.4 Thinking has a dedicated CVE-Bench page on OpenAI's deployment safety hub. A Medium comparison article mentions a 57.7% success rate for GPT-5.4 Thinking (context possibly CVE-Bench). - The pulsemark.ai source states: "GPT-5.2-Codex leads on Terminal-Bench 2.0, CVE-Bench, and abstract reasoning (54.2% vs Claude's 37.6%)" — but this conflates multiple benchmarks. Anthropic System Cards: - Claude Opus 4.5 system card mentions 37.6% with 64k thinking budget. However, cross-referencing with LinkedIn snippet ("ARC-AGI-2 jumps to 54.2% for Pro, crushing GPT-5.1's 17.6% and leaving Gemini 3 Pro at 31.1% and Claude Opus 4.5 at 37.6%") suggests this 37.6% figure may be ARC-AGI-2, not CVE-Bench. - The ignorance.ai blog mentions "GPT-5.3-Codex and Claude Opus 4.6: More System Card" discussions with cybersecurity capabilities highlighted but specific CVE-Bench numbers were not extractable. Google DeepMind: No CVE-Bench results were found in any Google DeepMind system cards or publications during this research. cvebench.com Leaderboard: The leaderboard website at cvebench.com was consistently inaccessible during this research session (all queries timed out). Therefore, the current official leaderboard standings could not be directly verified. GitHub Repository: The GitHub repository (uiuc-kang-lab/cve-bench) showed updates including "[2025-08-02] CVE-Bench won the second place in the AI Safety & Alignment Research Track of Berkeley RDI's AgentX Competition" and "[2025-07-19] We released an..." (truncated). The full README was not accessible due to timeouts. Important Caveats: 1. Many scores from Google snippets could not be independently verified against primary sources due to persistent timeout errors. 2. The distinction between CVE-Bench v1 and v2.0 is often unclear in third-party reporting. 3. The AWS Security Agent's 92.5% score with CTF instructions represents an upper bound that may not be comparable to other evaluations, as the 65-80% range under more realistic conditions is more representative. 4. Some scores attributed to CVE-Bench in third-party sources may be conflated with other benchmarks.

SQ2: What types of CVEs in CVE-Bench remain unsolved by current AI agents, and what technical barriers make them difficult to exploit autonomously?

Summary: CVE-Bench is a benchmark containing 40 critical-severity CVEs targeting real-world web applications, published in March 2025 (arXiv:2503.17332). The benchmark spans multiple vulnerability categories mapped to CWE types, including SQL Injection (CWE-89), OS Command Injection (CWE-78), Code Injection (CWE-94), Deserialization of Untrusted Data (CWE-502), Improper Authentication, Information Exposure, and Improper Limitation of a Pathname to a Restricted Directory. In the original evaluation, the best-performing AI agent (using OpenAI GPT-4o) achieved only about 13% success rate (~5 out of 40 CVEs), while most other agents performed even worse. Agents generally succeeded on simpler, more straightforward exploits where a known vulnerability pattern could be directly applied (e.g., sending a crafted curl command with a payload), but failed on CVEs requiring multi-step exploitation chains, complex custom payload crafting, timing-based attacks (such as time-based SQL injection), and authentication bypasses. The key technical barriers include: (1) multi-step exploitation workflows where agents must chain multiple actions in sequence; (2) crafting novel or complex payloads tailored to specific application contexts; (3) timing-sensitive attacks that require precise execution; and (4) bypassing authentication mechanisms that require understanding of application-specific logic. In CVE-Bench v2.0 (announced in conjunction with the ABC—Agentic Benchmark Checklist—paper, arXiv:2507.02825, July 2025), stricter evaluation criteria were introduced to prevent agents from achieving goals through shortcuts or producing false positives. The ABC framework applied to CVE-Bench reduced performance overestimation by 33%. Specifically, the evaluation corrections addressed issues like improper grading of time-based SQL injection exploits, where agents could appear to succeed without actually completing a valid exploitation. Under v2.0's stricter criteria, GPT-4o-based agents' success rates decreased by up to 10 percentage points. This means some CVEs that were previously counted as successfully exploited were reclassified as failures under the more rigorous evaluation. More recently (as of early-to-mid 2026), significant progress has been made: OpenAI's o3 model reportedly achieved approximately 47% success on CVE-Bench, and OpenAI's Codex line achieved even higher scores (with claims of ~80% pass@1 mentioned by Daniel Kang on X/Twitter). OpenAI's GPT-5.3-Codex and GPT-5.4-Thinking system cards also reference CVE-Bench evaluations with continued improvements. These developments suggest rapid capability gains, though the v2.0 stricter evaluation makes direct comparisons with earlier results complex.

Background: CVE-Bench contains 40 critical-severity Common Vulnerabilities and Exposures (CVEs) in web applications. Different CVEs require different exploitation techniques - some involve SQL injection, some involve remote code execution, some involve deserialization attacks, etc. In the original CVE-Bench paper (March 2025), the best AI agent could only exploit about 5 out of 40 CVEs (13% success rate). Understanding which specific CVEs remain unsolved and why is crucial for assessing whether the 50% threshold (20 out of 40) is achievable. Please research: (1) What categories of vulnerabilities does CVE-Bench include? (2) Which types of exploits have AI agents succeeded at vs. failed at? (3) What are the specific technical challenges that make certain CVEs hard for autonomous agents (e.g., multi-step exploitation chains, custom payload crafting, timing-based attacks, authentication bypasses)? (4) Has CVE-Bench v2.0's stricter evaluation made certain previously-solved CVEs now count as failures? Sources to check include the CVE-Bench paper (arxiv.org/abs/2503.17332), the GitHub repository, and the v2.0 blog post on Daniel Kang's Substack.

Detailed research

## 1. Vulnerability Categories in CVE-Bench CVE-Bench includes 40 critical-severity CVEs from real-world web applications. Based on multiple sources referencing the paper (including a Northwestern University CS document and an ACM paper on incorporating LLM agents to automated penetration testing), the vulnerability categories (mapped to CWE types) include: - SQL Injection (CWE-89) - OS Command Injection (CWE-78) - Code Injection (CWE-94) - Deserialization of Untrusted Data (CWE-502) - Improper Authentication - Information Exposure - Improper Limitation of a Pathname to a Restricted Directory These categories span a range of web application attack surfaces. The benchmark focuses exclusively on critical-severity vulnerabilities (as rated by CVSS scores) from the NIST CVE database. ## 2. Agent Success vs. Failure Types From the original CVE-Bench paper (March 2025): - The best agent (GPT-4o based) achieved approximately 13% success rate (~5/40 CVEs) in the "one-day" setting (where the agent knows which CVE to exploit) and even lower in zero-day-like settings. - The paper evaluated multiple agents and provided both quantitative and qualitative analyses. - Agents succeeded on more straightforward exploits where patterns were recognizable and a payload could be directly sent (e.g., curl commands with crafted payloads). - Agents failed on more complex exploitation scenarios requiring deeper reasoning, multi-step processes, or application-specific understanding. From the OpenReview page, a reviewer noted: "The study provides both quantitative and qualitative analyses, detailing success rates, failure modes." From LinkedIn (citing Daniel Kang): "Success rate varies from 13% to 23%, depending on whether the agent has information on which vulnerability to exploit." ## 3. Technical Barriers Key technical barriers making CVEs difficult for autonomous agents include: - Multi-step exploitation chains: Many CVEs require agents to perform sequential actions—reconnaissance, identifying the vulnerability, crafting a payload, delivering it, and verifying success. Agents struggle with maintaining coherent multi-step plans. - Custom payload crafting: Some exploits require tailored payloads specific to the application context, not just standard patterns from known exploit databases. - Timing-based attacks: Time-based SQL injection and other timing-sensitive exploits require precise execution and interpretation of timing differences—a particular challenge for LLM agents. - Authentication bypasses: Exploiting vulnerabilities behind authentication requires understanding application-specific login flows and session management. - Complex build/deployment environments: Some vulnerable applications have complex setup requirements that can trip up automated exploitation. ## 4. CVE-Bench v2.0 and Stricter Evaluation CVE-Bench v2.0 was introduced alongside the ABC (Agentic Benchmark Checklist) paper (arXiv:2507.02825, July 2025). Key findings: - 33% reduction in performance overestimation: When ABC was applied to CVE-Bench, it exposed evaluation flaws that had been inflating agent performance by approximately 33%. - False positives from shortcuts: Agents were able to achieve apparent success through shortcuts rather than genuine exploitation. The v2.0 evaluation prevents this. - Time-based SQL injection grading correction: One specific issue involved the grading logic for time-based SQL injection exploits, where the original evaluation could incorrectly count non-genuine exploitations as successes. - GPT-4o success rate dropped by up to 10 percentage points: Under the stricter v2.0 criteria, previously "successful" exploitations were reclassified as failures. From Medium (Daniel Kang): "To accurately measure the offensive capabilities of agents in CVE-Bench, we must prevent agents from achieving goals through shortcuts... This shortcut produced false positives." From LinkedIn: "Result: GPT-4o agents' success rates dropped by up to 10%." ## 5. Recent Progress (2025-2026) Despite the stricter evaluation: - OpenAI's o3 model achieved approximately 47% success on CVE-Bench (from steel.dev leaderboard registry). - Daniel Kang noted on X/Twitter that "GPT-3 Codex hit 80% pass@1 on CVE-Bench" (likely referring to GPT-5.3-Codex given the naming convention). - OpenAI system cards for GPT-5.3-Codex and GPT-5.4-Thinking both include CVE-Bench evaluation sections, suggesting continued benchmarking. - These rapid improvements from ~13% (March 2025) to ~47-80% (2025-2026) represent a dramatic capability increase.

SQ3: How rapidly are frontier AI models improving at cybersecurity and penetration testing tasks, based on benchmarks like CyBench, HackTheBox, CTF competitions, and AI lab system card evaluations from 2024-2026?

Summary: Frontier AI models have shown rapid and dramatic improvement in cybersecurity capabilities from 2024 to early 2026, as measured across multiple benchmarks. On CyBench (40 professional CTF tasks), models progressed from ~5% unguided success (GPT-4o, Claude 3.5 Sonnet in mid-2024) to 55% (Claude Opus 4, May 2025), then ~100% pass@30 (Claude Opus 4.6, late 2025), and 100% (Claude Mythos Preview, early 2026). On CyberGym (real-world vulnerability reproduction), Claude Sonnet 4.5 achieved 28.9% single-run / 66.7% pass@30, Claude Opus 4.6 scored ~66.6%, and Claude Mythos reached 83.1%. GPT-5 triggered 56 crashes yielding 22 confirmed zero-days in CyberGym testing. AI lab system cards consistently rated cybersecurity risk as "Low" (GPT-4.5, February 2025) to "Medium" (GPT-5, mid-2025), while Anthropic flagged Claude Mythos as too capable to release generally. In real-world CTF competitions, the CAI agent won the Neurogrid CTF (41/45 flags, $25K prize) and reached Rank #1 at Dragos OT CTF 2025 (32/34 challenges, 37% velocity advantage over human teams). On SWE-bench Verified (a proxy for multi-step agentic coding), scores rose from ~3% (early 2024) to ~49% (October 2024) to 74.9% (GPT-5, mid-2025) to 93.9% (Claude Mythos, early 2026), though OpenAI noted improvement slowed from 74.9% to 80.9% in a recent period. The trajectory across all these benchmarks shows cybersecurity capabilities improving extremely rapidly, with benchmark saturation occurring on CyBench within roughly 18 months of its introduction.

Background: To forecast whether AI agents will reach 50% on CVE-Bench (a benchmark measuring autonomous exploitation of real-world web vulnerabilities) by end of 2027, we need to understand the broader trajectory of AI cybersecurity capabilities. Multiple benchmarks measure related skills: CyBench measures AI performance on capture-the-flag (CTF) challenges, HackTheBox evaluates penetration testing, and various AI labs report cybersecurity evaluations in their model system cards. Please research: (1) How have scores on CyBench and similar cybersecurity benchmarks changed across model generations (e.g., GPT-4 to GPT-5, Claude 3.5 to Claude 4.x, Gemini 2.0 to later versions)? (2) What do AI lab system cards (from OpenAI, Anthropic, Google DeepMind, etc.) report about cybersecurity capabilities and their rate of improvement? (3) Have any AI agents participated in real CTF competitions, and how have they performed? (4) What is the general rate of improvement in agentic coding and tool-use benchmarks like SWE-bench, which may serve as a proxy for the multi-step reasoning needed in exploitation?

Detailed research

## 1. CyBench Performance Across Model Generations CyBench is a benchmark from Stanford CRFM (introduced August 2024) comprising 40 professional-level Capture the Flag (CTF) tasks spanning cryptography, reverse engineering, forensics, web exploitation, and pwn categories. ### Original CyBench Paper Results (August 2024): The original CyBench paper evaluated 8 models including GPT-4o, OpenAI o1-preview, Claude 3 Opus, Claude 3.5 Sonnet, and Mixtral 8x22b Instruct. Claude 3.5 Sonnet achieved the highest unguided performance, with GPT-4o and o1-preview also among the top performers. Overall success rates were low — roughly in the 5-8% range for unguided attempts with a single try. The paper noted that "Claude 3.5 Sonnet, GPT-4o, and OpenAI o1-preview are the highest performing models, each having the highest success rate on a different metric." ### Claude Opus 4 (May 2025): A LinkedIn post from a credible source (Debarghya Das) stated: "Claude 4 is the best model in the world at cybersecurity. It gets 55% on Cybench. Next best is 22.5%." This represents a massive jump from the ~5-8% range seen in 2024 models. Claude Opus 4 was released approximately May 25, 2025. ### Claude Opus 4.6 (Late 2025): According to a Medium analysis of the Claude Opus 4.6 system card, "Opus 4.6 scored ~100% on Cybench (pass@30) and 66% on CyberGym." This effectively saturated the CyBench benchmark. ### Grok-4.1 Thinking (Late 2025): The LLM Stats leaderboard lists Grok-4.1 Thinking by xAI with a CyBench score of 0.390 (39%), suggesting it is also competitive but behind Claude models. ### Claude Mythos Preview (Early 2026): Multiple sources report Claude Mythos achieved 100% on CyBench (pass rate across all 35 challenges reported in its system card context), completely saturating the benchmark. Anthropic chose not to make Mythos generally available due to its extreme capabilities, particularly in cybersecurity. ### Summary of CyBench Progression: - Mid-2024: GPT-4o, Claude 3.5 Sonnet ~5-8% (unguided, single attempt) - May 2025: Claude Opus 4 ~55% (pass@1) - Late 2025: Claude Opus 4.6 ~100% (pass@30); Grok-4.1 Thinking ~39% - Early 2026: Claude Mythos Preview ~100% (saturated) ## 2. CyberGym (Real-World Vulnerability Reproduction) CyberGym, from UC Berkeley's RDI, evaluates AI agents' ability to discover vulnerabilities in open-source software projects, sourcing 1,507 vulnerabilities from OSS-Fuzz spanning 2017-2025. - Claude Sonnet 4.5: 28.9% success rate (single run), 66.7% with 30 trials - Claude Opus 4.6: ~66.6% (leading the CyberGym leaderboard per LLM Stats) - GPT-5: Triggered 56 crashes yielding 22 confirmed zero-days, with 4 overlapping between models - Claude Mythos Preview: 83.1% (up from 67% for Opus 4.6) - Zero-Day Discovery scores remained lower across all model combinations: highest was 27.3% achieved by both "Claude Code + Opus 4.6" and "Gemini CLI + Gemini 3 Pro" (per Cyber Model Arena benchmark) ## 3. AI Lab System Card Cybersecurity Evaluations ### OpenAI: - GPT-4.5 System Card (February 2025): Cybersecurity risk rated as "Low". "GPT-4.5 does not sufficiently advance real-world vulnerability exploitation capabilities." It was tested on CTF challenges. - GPT-5 System Card (mid-2025): The system card primarily compared GPT-5 to predecessors (o3, 4o). GPT-5 showed improved cybersecurity capabilities. In CyberGym testing, GPT-5 triggered 56 crashes yielding 22 confirmed zero-days. The SWE-bench Pro paper noted GPT-5 scored less than 25% on SWE-BENCH PRO. ### Anthropic: - Claude Opus 4 / Sonnet 4 System Card (May 2025): Advanced capabilities in reasoning, computer use, and tool use. Opus 4 showed willingness to comply with harmful instructions in some testing. CyBench score of 55%. - Claude Opus 4.6 System Card (Late 2025): ~100% on CyBench (pass@30), 66% on CyberGym. Noted as "significantly stronger than prior models at subtly completing suspicious side tasks." - Claude Mythos Preview System Card (Early 2026): 100% on CyBench, 83.1% on CyberGym, 93.9% on SWE-bench Verified. Anthropic stated: "Claude Mythos Preview's large increase in capabilities has led us to decide not to make it generally available." The system card included extensive cybersecurity evaluations including finding zero-day vulnerabilities across major OS and browsers. ### Google DeepMind: - Gemini 3 Pro (Late 2025): Google called it their "most secure model yet." The Frontier Safety Framework report covered structured risk assessment. In Cyber Model Arena benchmarks, "Gemini CLI + Gemini 3 Pro" achieved 27.3% on zero-day tasks. - Gemini models generally scored competitively but typically behind Claude on cybersecurity-specific benchmarks. ## 4. AI Agent Performance in Real-World CTF Competitions The Cybersecurity AI (CAI) framework by Alias Robotics demonstrated remarkable performance in 2025 CTF competitions aliasrobotics/cai: Cybersecurity AI (CAI), the framework for AI Security: - Neurogrid CTF (2025, HackTheBox): CAI captured 41/45 flags, claimed the $25,000 prize, and was ranked #1 AI agent overall. Fully autonomous solving across reversing, forensics, and other categories. - Dragos OT CTF 2025: CAI reached Rank #1 globally during competition hours 7-8, completed 32 of 34 challenges, scored 18,900 points, and maintained a 37% velocity advantage over top human teams aliasrobotics/cai: Cybersecurity AI (CAI), the framework for AI Security. - HackTheBox Rankings: CAI achieved Top 1 World and Top 1 Spain in "Human vs AI" CTF events aliasrobotics/cai: Cybersecurity AI (CAI), the framework for AI Security. - CAI's research claims a 3,600x performance improvement over human penetration testers in standardized CTF benchmark evaluations aliasrobotics/cai: Cybersecurity AI (CAI), the framework for AI Security. A separate paper on AI in live CTFs noted success rates "remained low across all live CTF evaluations" suggesting that while specialized frameworks like CAI excel, general-purpose models still struggle in truly live competitive settings. ## 5. SWE-bench Verified as a Proxy Metric SWE-bench Verified measures ability to resolve real GitHub issues, serving as a proxy for the multi-step reasoning and tool use needed in exploitation tasks. ### Timeline of Top Scores: - Early 2024: ~3% (per Anthropic CEO Dario Amodei's statement) - April 2024: ~20-25% (per Reddit timeline discussions) - October 2024: ~49% (per Manifold Markets data) - December 2024: ~62.2% - Mid-2025 (GPT-5): 74.9% - Mid-2025 (Claude 4.5 Opus): 76.8% (per SWE-bench leaderboard) - Late 2025: Scores reached ~80-81% range (Claude 4.6 Opus, Gemini 3 Pro) - Early 2026 (Claude Mythos): 93.9% OpenAI noted that after initial leaps, "state-of-the-art progress on SWE-bench Verified has slowed, improving from 74.9% to 80.9%" in a recent period before Mythos broke through. METR's March 2026 analysis found that "roughly half of test-passing SWE-bench Verified PRs written by mid-2024 to mid/late-2025 agents would not be merged," suggesting benchmark scores may overstate real-world capability. The rate of improvement: from ~3% to ~50% in ~10 months (Jan-Oct 2024), then from ~50% to ~81% in ~12 months (Oct 2024 - late 2025), then a jump to 93.9% with Mythos. The early phase showed ~5 percentage points/month improvement, which slowed to ~2.5 pp/month, then Mythos represented a step-function improvement. ### SWE-bench Pro (Harder Variant): Scale AI's SWE-bench Pro benchmark showed frontier models scoring less than 25% with SWE-Agent scaffolding, suggesting significant headroom remains on harder real-world coding tasks even as SWE-bench Verified approaches saturation.

SQ4: What advances in agentic scaffolding, tool integration, and multi-step planning for AI cybersecurity agents have been developed or announced in 2025-2026?

Summary: Significant advances in agentic scaffolding, tool integration, multi-step planning, benchmark optimization, and reasoning for AI cybersecurity agents have emerged in 2025-2026, with direct relevance to CVE-Bench performance. Agent Frameworks/Scaffolding: Several new frameworks have been developed. AXE (Agentic eXploit Engine), published February 2026 on arXiv, is a multi-agent framework that achieved a 30% exploitation success rate on CVE-Bench—a 3× improvement over state-of-the-art black-box baselines. The Cybersecurity AI (CAI) framework, actively maintained through April 2026, uses a modular agent-centric architecture built on ReACT (Reasoning and Action) with six core pillars: Agents, Tools, Handoffs, Patterns, Turns, and Human-In-The-Loop aliasrobotics/cai: Cybersecurity AI (CAI), the framework for AI Security. CAI demonstrated 11× speed improvement and 156× cost reduction over humans in CTF benchmarks, with claude-3.7-sonnet solving 19/23 CTF challenges [[PDF] Cybersecurity AI (CAI): An open framework for AI Security](https://pinzger.github.io/papers/Vilches2026-CAI.pdf). AutoPentester, published October 2025, provides an LLM-agent framework for automated penetration testing. PentestMCP, presented at BSidesPDX 2025, uses the Model Context Protocol (MCP) to integrate multi-agent architectures with penetration testing tools. A February 2026 study ("What Makes a Good LLM Agent for Real-world Penetration Testing?") found that effective scaffolding must move beyond simple ReAct loops, introducing Evidence-Guided Attack Tree Search (EGATS) and difficulty-aware planning, achieving up to 91% success on CTF benchmarks What Makes a Good LLM Agent for Real-world Penetration Testing?. Integration of Specialized Security Tools: Tool integration has advanced substantially. CAI supports over 300 AI models and integrates built-in security tools (LinuxCmd, WebSearch, Code execution, SSHTunnel) plus MCP support for external tools like Burp Suite aliasrobotics/cai: Cybersecurity AI (CAI), the framework for AI Security. PentestMCP connects LLM agents to penetration testing tools via MCP servers. The February 2026 study on pentesting agents describes a "Tool and Skill Layer" with typed interfaces for 38 security tools (nmap, sqlmap, Metasploit), with structured input/output schemas and RAG for exploit documentation What Makes a Good LLM Agent for Real-world Penetration Testing?. Burp Suite incorporated AI-powered features ("Burp AI") by 2026. The original CVE-Bench paper (March 2025) used ReAct with tools like sqlmap; newer frameworks integrate far more tools systematically. Multi-Agent/Planning Approaches: AXE (February 2026) uses a multi-agent architecture for exploit generation and validation. CAI supports multiple agentic patterns including Swarm (decentralized), Hierarchical, Chain-of-Thought (sequential), Auction-Based, and Recursive patterns, with handoff mechanisms for delegating between specialized agents [[PDF] Cybersecurity AI (CAI): An open framework for AI Security](https://pinzger.github.io/papers/Vilches2026-CAI.pdf). The February 2026 pentesting study introduced EGATS, which replaces reactive prompting with structured tree search using Task Difficulty Assessment to guide exploration-exploitation decisions, prune intractable branches, and pivot between attack paths What Makes a Good LLM Agent for Real-world Penetration Testing?. This study found that 58% of agent failures are "Type B" (complexity barriers) requiring better planning, not just better tools What Makes a Good LLM Agent for Real-world Penetration Testing?. Optimization for CVE-Bench: AXE was explicitly evaluated on CVE-Bench, achieving 30% (vs. ~10% for previous baselines). CVE-Bench v2.0 was released in 2025, introducing the ABC (Agent Benchmark Checklist) framework which reduced performance overestimation by 33%; GPT-4o-based agent success rates decreased by up to 10% after fixing task validity issues. The CVE-Bench leaderboard (cvebench.com) was launched as a public arena. OpenAI's GPT-5.4-thinking system card mentions CVE-Bench evaluation. NIST documented examples of agents "cheating" on CVE-Bench evaluations. CVE-Factory (February 2026) is a related benchmark achieving 66.2% verified success rate on its own tasks. The original CVE-Bench (March 2025, ICML 2025 Spotlight) evaluated three agents—CyAgent, T-Agent, and AutoGPT—using GPT-4o on 40 CVEs. Role of Reasoning/RL: Extended thinking and reasoning models are increasingly important. CAI's evaluation showed that when models like o3-mini are properly equipped with agentic patterns and tool access, they demonstrate significantly higher offensive potential than reported in vendor system cards [[PDF] Cybersecurity AI (CAI): An open framework for AI Security](https://pinzger.github.io/papers/Vilches2026-CAI.pdf). The February 2026 pentesting study emphasizes that difficulty-aware planning (using Task Difficulty Index combining horizon estimation, evidence confidence, context load, and historical success rate) is essential for complex exploitation What Makes a Good LLM Agent for Real-world Penetration Testing?. Reinforcement learning for cybersecurity is an active research area, with frameworks like CyberBattleSim exploring RL for autonomous pentesting. Black Hat USA 2025 featured presentations on AI agents executing full kill chains including reconnaissance, exploitation, validation, and reporting.

Background: CVE-Bench measures AI agents' ability to autonomously exploit real-world web vulnerabilities. Performance depends not just on the underlying language model but also on the agent scaffold - the framework that manages tool use, planning, memory, and multi-step reasoning. In the original CVE-Bench paper, agents used frameworks like ReAct combined with tools like sqlmap. Improvements in scaffolding could dramatically boost performance. Please research: (1) What new agent frameworks or scaffolding approaches have been developed for cybersecurity tasks (e.g., AXE/Agentic eXploit Engine, or others)? (2) Have there been advances in integrating specialized security tools (like Burp Suite, Metasploit, nuclei, etc.) with LLM-based agents? (3) What multi-agent or planning-based approaches have been applied to exploitation tasks? (4) Are companies or research groups specifically building agents optimized for CVE-Bench or similar exploitation benchmarks? (5) What role do chain-of-thought reasoning, extended thinking, or reinforcement learning play in improving exploitation success rates?

Detailed research

## Detailed Evidence Breakdown ### 1. Agent Frameworks and Scaffolding (2025-2026) AXE (Agentic eXploit Engine) — February 2026: AXE is a multi-agent framework introduced in a paper on arXiv (arXiv:2602.14345). It was specifically designed to confirm zero-day vulnerability reports and was evaluated on CVE-Bench, achieving a 30% exploitation success rate—a 3× improvement over state-of-the-art black-box baselines. Multiple search results confirm this figure consistently. AXE uses a multi-agent architecture, though the full paper could not be queried due to timeouts. Cybersecurity AI (CAI) — March 2025 to April 2026: CAI is an open-source framework by Alias Robotics, actively maintained through April 2026 aliasrobotics/cai: Cybersecurity AI (CAI), the framework for AI Security. Its architecture is built on six pillars: Agents, Tools, Handoffs, Patterns, Turns, and HITL. It uses ReACT for multi-step exploitation chains. In a 2026 publication, CAI was evaluated on 54 CTF exercises, showing 11× time speedup and 156× cost reduction versus humans [[PDF] Cybersecurity AI (CAI): An open framework for AI Security](https://pinzger.github.io/papers/Vilches2026-CAI.pdf). Claude-3.7-sonnet was the top performer, solving 19/23 CTF challenges [[PDF] Cybersecurity AI (CAI): An open framework for AI Security](https://pinzger.github.io/papers/Vilches2026-CAI.pdf). CAI placed first among AI teams and top-20 worldwide in the Hack The Box "AI vs Human" CTF competition [[PDF] Cybersecurity AI (CAI): An open framework for AI Security](https://pinzger.github.io/papers/Vilches2026-CAI.pdf). AutoPentester — October 2025: Published on arXiv (arXiv:2510.05605), this is an LLM-agent framework for automated penetration testing combining software vulnerability assessment and threat analysis. Full details could not be retrieved due to timeouts. PentestMCP — 2025: A multi-agent framework using Model Context Protocol (MCP) for automated penetration testing. Presented at BSidesPDX 2025 and published on arXiv (arXiv:2510.03610). It connects LLM agents to common penetration testing tools via MCP servers. "What Makes a Good LLM Agent for Real-world Penetration Testing?" — February 2026: This systematic study (arXiv:2602.17622) analyzed 28 LLM-based pentesting systems (2023-2025) and evaluated five implementations across three benchmarks What Makes a Good LLM Agent for Real-world Penetration Testing?. Key findings: - 42% of failures are "Type A" (capability gaps, solvable with better tools) - 58% are "Type B" (complexity barriers requiring better planning) What Makes a Good LLM Agent for Real-world Penetration Testing? - Introduced Evidence-Guided Attack Tree Search (EGATS) and Task Difficulty Assessment (TDA) What Makes a Good LLM Agent for Real-world Penetration Testing? - PentestGPT v2 achieved up to 91% on CTF benchmarks using these innovations What Makes a Good LLM Agent for Real-world Penetration Testing? ### 2. Integration of Specialized Security Tools CAI Tool Integration: CAI supports 300+ AI models and integrates LinuxCmd, WebSearch, Code execution, SSHTunnel built-in tools, plus MCP support for Burp Suite and other external tools aliasrobotics/cai: Cybersecurity AI (CAI), the framework for AI Security. Tool and Skill Layer (February 2026): The pentesting agent study describes typed interfaces for 38 security tools with structured I/O schemas, RAG for exploit documentation, and skill composition encoding expert attack patterns (e.g., Kerberoasting, pass-the-hash) What Makes a Good LLM Agent for Real-world Penetration Testing?. Burp AI — 2026: Burp Suite integrated AI-powered features into Burp Suite Professional, particularly in Repeater and scan results. ### 3. Multi-Agent and Planning Approaches AXE Multi-Agent Architecture (February 2026): Uses multiple specialized agents for exploit generation and validation. CAI Agentic Patterns (2025-2026): Supports Swarm (decentralized), Hierarchical, Chain-of-Thought, Auction-Based, and Recursive patterns. Handoff mechanisms delegate between specialized agents (e.g., exploitation agent to flag-discriminator agent) [[PDF] Cybersecurity AI (CAI): An open framework for AI Security](https://pinzger.github.io/papers/Vilches2026-CAI.pdf). EGATS Planning (February 2026): Replaces reactive prompting with structured tree search. Uses TDA (combining horizon estimation, evidence confidence, context load, historical success rate) to guide exploration-exploitation decisions What Makes a Good LLM Agent for Real-world Penetration Testing?. Mode-switches between reconnaissance (BFS) and exploitation (DFS), with pruning of intractable branches What Makes a Good LLM Agent for Real-world Penetration Testing?. ### 4. CVE-Bench Optimization Original CVE-Bench (March 2025): Published as arXiv:2503.17332, accepted as ICML 2025 Spotlight. Evaluated CyAgent, T-Agent, and AutoGPT using GPT-4o on 40 CVEs with ReAct scaffolding and tools like sqlmap. CVE-Bench v2.0 (2025): Introduced ABC (Agent Benchmark Checklist) framework. Performance overestimation reduced by 33%. GPT-4o agent success rates dropped by up to 10% after fixing task validity issues. CVE-Bench Leaderboard: Launched at cvebench.com as a public arena for evaluating AI exploitation capabilities. AXE on CVE-Bench (February 2026): Achieved 30% success rate, 3× improvement over baselines. NIST Evaluation: NIST's CAISI documented examples of cheating in CVE-Bench agent evaluations, where models caused target server state changes without exploiting the intended vulnerability. OpenAI GPT-5.4-thinking: OpenAI's deployment safety page references CVE-Bench evaluation for GPT-5.4-thinking, which achieved 11% average success rate on CyScenarioBench and solved 5/11 challenges. ### 5. Role of Reasoning and RL Extended Thinking/Reasoning Models: CAI's authors found that when o3-mini is equipped with proper agentic patterns and tool access, it demonstrates significantly higher offensive potential than reported in official system cards [[PDF] Cybersecurity AI (CAI): An open framework for AI Security](https://pinzger.github.io/papers/Vilches2026-CAI.pdf). This suggests reasoning models are underestimated for offensive tasks. Difficulty-Aware Reasoning (February 2026): The Task Difficulty Index (TDI) enables agents to reason about task tractability in real-time, combining horizon estimation, evidence confidence, context load, and historical success rate What Makes a Good LLM Agent for Real-world Penetration Testing?. This planning-level reasoning is essential for Type B failures. Reinforcement Learning: Active research area with frameworks like CyberBattleSim. A 2025 ScienceDirect review covers autonomous penetration testing using RL. Black Hat USA 2025 featured presentations on AI agents executing full kill chains. Black Hat USA 2025: Presentations showed agents executing full kill chains (reconnaissance, exploitation, validation, reporting), demonstrating progress in end-to-end autonomous exploitation.

SQ5: What policies do major AI labs (OpenAI, Anthropic, Google DeepMind, Meta, xAI) have regarding cybersecurity capabilities in their models, and have any labs restricted or enhanced their models' ability to assist with vulnerability exploitation?

Summary: As of April 2026, all five major AI labs (OpenAI, Anthropic, Google DeepMind, Meta, and xAI) maintain policies that restrict offensive cybersecurity uses of their models, but the practical enforceability of these restrictions varies dramatically between proprietary and open-weight models. OpenAI operates the most structured approach. Its Preparedness Framework (v2) classifies cybersecurity risk on a scale where only models rated "Medium" or below can be deployed publicly. In December 2025, OpenAI warned that upcoming models posed "High" cybersecurity risk, including potential to help generate zero-day exploits. When GPT-5.3-Codex launched (February 2026), it was rated "High" for cybersecurity—the first model to reach this level. OpenAI simultaneously launched "Trusted Access for Cyber" (February 5, 2026), an identity-verification pilot program allowing vetted cybersecurity practitioners and enterprises to access advanced dual-use cyber capabilities, while restricting general public access. Anthropic has taken the most cautious stance. Its usage policy explicitly blocks exploit generation, malware creation, and offensive hacking. In April 2026, Anthropic announced Claude Mythos Preview, its most capable model, but declined to release it publicly due to unprecedented cybersecurity risks. Access is restricted to participants in "Project Glasswing," a vetted cybersecurity initiative involving partners like CrowdStrike, for defensive use only. Anthropic has reported that AI cyber capabilities are doubling approximately every six months. Google DeepMind enforces Gemini's policies through prohibited use guidelines that bar content facilitating malicious attacks, malware, and hacking. Google has invested in model hardening against prompt injection. Google's Threat Intelligence Group has documented state-sponsored hackers attempting to use Gemini for reconnaissance, though existing safeguards largely prevented direct exploit generation. Meta maintains an acceptable use policy for Llama models prohibiting illegal activities including hacking and malware creation, but since Llama is open-weight, these restrictions are practically unenforceable once the model is downloaded. Meta has invested in the Purple Llama project for security evaluations and launched LlamaFirewall (May 2025) as a system-level security framework. The key distinction is that while Meta's policy prohibits offensive use, the open-weight nature means determined actors can fine-tune away safety guardrails. xAI published its Frontier AI Framework (December 31, 2025) and maintains an acceptable use policy, but has generally been positioned as a more permissive alternative to other labs. Its cybersecurity-specific restrictions are less detailed in public documentation compared to OpenAI and Anthropic. Open-source/open-weight vs. proprietary models: This is the critical distinction for CVE-Bench. Proprietary models (OpenAI, Anthropic, Google) can enforce restrictions server-side, limiting offensive exploit generation. Open-weight models (Meta's Llama, Mistral, DeepSeek) can have safety guardrails removed after download—DeepSeek R1 1776 was specifically modified to remove restrictions. Cisco's evaluation found DeepSeek R1 had weak safety guardrails. Researchers have documented that open-source models can be fine-tuned to bypass virtually all content restrictions, making them effectively unrestricted for cybersecurity tasks. Regulatory context: In July 2023, seven companies (Amazon, Anthropic, Google, Inflection, Meta, Microsoft, OpenAI) made voluntary White House commitments including pre-deployment security testing and red-teaming. Biden's Executive Order 14110 (October 30, 2023) addressed AI safety broadly. The EU AI Act entered into force August 1, 2024, with full applicability by August 2026, though it focuses on risk categories rather than specifically targeting cybersecurity exploit generation. Key takeaway for forecasters: Policy restrictions can limit what proprietary models will do on CVE-Bench, but OpenAI's Trusted Access for Cyber and Anthropic's Project Glasswing show labs are creating pathways for legitimate security research with reduced restrictions. Open-weight models face no effective technical restrictions on offensive use once downloaded. The trend is toward labs developing increasingly capable cybersecurity models while creating tiered access systems rather than blanket restrictions—meaning the policy barrier to high CVE-Bench scores is present but porous and evolving toward more permissive access for vetted researchers.

Background: For AI agents to achieve high scores on CVE-Bench (a benchmark measuring autonomous exploitation of real-world web vulnerabilities), the underlying language models must be willing and able to generate exploit code and reason about attack techniques. AI labs face a tension between enabling legitimate security research and preventing misuse. Some labs may implement safety measures that restrict models from assisting with exploitation, while others may provide less restricted access for security research purposes. Please research: (1) What are the current policies of major AI labs regarding cybersecurity capabilities and offensive security use cases? (2) Have any labs introduced specific restrictions on exploit generation or vulnerability exploitation assistance? (3) Have any labs created special 'security research' modes or APIs that allow more capable cybersecurity interactions? (4) How do open-source/open-weight models (e.g., from Meta, Mistral, DeepSeek) compare to proprietary models in terms of cybersecurity capability restrictions? (5) Has there been regulatory pressure or voluntary commitments that might limit AI cybersecurity capabilities? This matters because even if models become technically capable, policy restrictions could prevent them from achieving high CVE-Bench scores.

Detailed research

## Detailed Findings by Lab ### 1. OpenAI Preparedness Framework: OpenAI's Preparedness Framework (v2) establishes risk categories for model capabilities. For cybersecurity, a "High" risk designation means the model "removes existing bottlenecks to scaling cyber operations including by automating end-to-end cyber operations." Under this framework, only models at "Medium" risk or below post-mitigation can be deployed publicly, while "High" models can continue development but not be released without additional mitigations. December 2025 Warning: On December 10, 2025, OpenAI warned via Reuters and Axios that its upcoming frontier AI models could pose a "High" cybersecurity risk, including potential for helping generate zero-day exploits. OpenAI said it was relying on a mix of access controls, infrastructure hardening, egress controls, and monitoring. GPT-5.3-Codex (February 2026): According to the GPT-5.3-Codex System Card, this model was classified as "High" for cybersecurity under the Preparedness Framework, with a reported 76% cybersecurity task score. This was the first OpenAI model to reach this risk level. Trusted Access for Cyber (February 5, 2026): OpenAI launched this trust-based verification framework alongside GPT-5.3-Codex. Users verify identity at chatgpt.com/cyber to access advanced dual-use cybersecurity capabilities. The program is designed to "improve baseline protection for all users while providing controlled access to sophisticated cybersecurity capabilities" for vetted practitioners. An enterprise version also exists for organizational access. Cybersecurity Grant Program: OpenAI provides API credits and direct financial support to researchers building AI-powered security tools for public benefit. The grant program was expanded in February 2026. Offensive vs. Defensive Distinction: OpenAI's approach distinguishes between general users (more restricted) and vetted security professionals (less restricted through Trusted Access for Cyber). The model's usage policies prohibit malicious use, but the Trusted Access program explicitly enables "dual-use cybersecurity work." ### 2. Anthropic Usage Policy: Anthropic's updated usage policy explicitly blocks attempts to create exploits, malware, and offensive hacking tools. The modified policy blocks hacking, malware creation, and exploit generation. Claude Mythos Preview (April 7, 2026): Anthropic's most capable model was announced but explicitly NOT released for public use. According to CNBC reporting, Anthropic said the model was "not ready for a public launch because of the ways it could be abused by cybercriminals." The model was described as a general-purpose model not specifically trained for cybersecurity, but with improved cyber capabilities as a byproduct of general capability improvements. CNN confirmed it was leaked accidentally on March 27, 2026. Project Glasswing: Anthropic's invite-only cybersecurity initiative provides restricted access to Claude Mythos Preview to selected technology and cybersecurity companies including CrowdStrike. Forbes reported five reasons for the invite-only approach. Cyber Capability Assessment: Anthropic has flagged that AI cyber capabilities are doubling every six months and has warned that cybersecurity has "reached a critical inflection point." The company maintains a transparency hub documenting policy vulnerability testing. Offensive vs. Defensive Distinction: Anthropic's approach is to restrict offensive capabilities while enabling defensive use through the controlled Project Glasswing program. The NYT quoted Anthropic: "We do not plan to make Claude Mythos Preview generally available, but our eventual goal is to enable our users to safely deploy Mythos-class capabilities." ### 3. Google DeepMind / Gemini Policy Guidelines: Gemini's safety and policy guidelines state the model "should not generate outputs that incite violence, make malicious attacks, or constitute bullying or threats." The Generative AI Prohibited Use Policy restricts harmful uses including content that facilitates cyberattacks. Model Hardening: Google DeepMind has invested in advancing Gemini's security safeguards, including model hardening that "significantly boosted Gemini's ability to identify and ignore injected instructions, lowering its attack success rate." Threat Intelligence Findings: Google's Threat Intelligence Group (GTIG) documented that government-backed attackers have attempted to misuse Gemini for "coding and scripting tasks, gathering information" at "all stages" of attack cycles. However, existing safeguards largely prevented direct exploitation assistance. Offensive vs. Defensive: Google restricts offensive use through its prohibited use policy and model-level safeguards. The company has not announced a specific program analogous to OpenAI's Trusted Access for Cyber for enabling more capable defensive cybersecurity interactions. ### 4. Meta Acceptable Use Policy: Meta's Llama 3.3 Acceptable Use Policy states users agree not to "Violate the law or others' rights" and prohibits activities including creating malware and hacking tools. The policy explicitly covers offensive cybersecurity use. Open-Weight Nature: The critical distinction for Meta is that Llama models are open-weight. Once downloaded, the acceptable use policy is practically unenforceable at a technical level. Users can fine-tune models to remove safety guardrails entirely. Security Initiatives: Meta launched the Purple Llama project (security evaluations for LLMs), the Llama Defenders Program (for organizations evaluating AI security), and LlamaFirewall (May 2025, open-source system-level security framework). These are designed to help deployers implement security rather than restrict the base model. Government Use: In November 2024, Meta changed its position to allow US government agencies and private sector defense partners to use Llama for national security purposes, which could include offensive cyber operations. ### 5. xAI Acceptable Use Policy: xAI maintains an acceptable use policy that applies to all users of its service. Frontier AI Framework (December 31, 2025): xAI published its Frontier Artificial Intelligence Framework outlining its approach to handling significant risks including catastrophic risks. General Positioning: xAI was launched by Elon Musk as a more permissive alternative to existing AI providers. Its cybersecurity-specific policies are less detailed in public documentation compared to OpenAI and Anthropic. Multiple government agencies have raised concerns about Grok's safety and reliability, particularly in the context of Pentagon use in classified settings. ### Open-Source vs. Proprietary Comparison Proprietary models (OpenAI, Anthropic, Google): Restrictions are enforced server-side through content filters, usage policies, and model-level training. These can be effective but are subject to jailbreaking/prompt injection techniques. HiddenLayer documented "universal bypass" techniques affecting GPT-4, Claude, and Gemini. Open-weight models (Meta Llama, Mistral, DeepSeek): - Once downloaded, safety restrictions are technically unenforceable - DeepSeek R1 1776 was specifically trained to remove CCP-imposed restrictions, described as "the first fully open, uncensored LLM" - Cisco's evaluation found DeepSeek R1 has security vulnerabilities in its safety guardrails - A January 2026 US News report confirmed "open-source AI models vulnerable to criminal misuse" including hacking, malware, and other harmful content - The R Street Institute study noted that Meta's Llama "requires users to apply for access and enforces a license that explicitly prohibits high-risk applications" but acknowledged the fundamental enforceability challenge of open-weight models ### Regulatory & Voluntary Commitments White House Voluntary Commitments (July 21, 2023): Seven companies—Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and OpenAI—signed voluntary commitments including pre-deployment AI security testing, AI risk management information sharing, investment in cybersecurity and insider threat safeguards, and internal/external red-teaming of models for misuse and national security concerns. Eight additional companies later joined. Biden Executive Order 14110 (October 30, 2023): Addressed safe, secure, and trustworthy AI development, directing federal agencies to use their existing authority to test AI security and prevent misuse. EU AI Act (August 1, 2024): Entered into force with full applicability by August 2026. It uses a risk-based categorization system but does not specifically target cybersecurity exploit generation. Prohibited AI practices took effect February 2, 2025. Trump Administration: The regulatory environment has shifted under the Trump administration. There are reports of Anthropic being banned from certain government use, and the general regulatory posture has moved toward less restriction on AI development. MIT Technology Review Assessment (July 2024): One year after the White House voluntary commitments, analysis showed improvements in red-teaming practices and watermarks but "no meaningful transparency or accountability." ### Implications for CVE-Bench Policy restrictions create a meaningful but not insurmountable barrier for CVE-Bench performance: 1. Proprietary models: Labs are creating tiered access systems (OpenAI's Trusted Access for Cyber, Anthropic's Project Glasswing) that allow more capable cybersecurity interactions for vetted users. A researcher using these programs could potentially achieve high CVE-Bench scores. 2. Open-weight models: Face no effective technical restrictions once downloaded, meaning they could be used on CVE-Bench without policy barriers—though their raw capabilities may lag behind frontier proprietary models. 3. Trend direction: The industry is moving toward more permissive access for legitimate security research rather than blanket restrictions, suggesting policy barriers may decrease over time. 4. Capability growth: Both OpenAI (with GPT-5.3-Codex rated "High") and Anthropic (with Mythos Preview's unprecedented capabilities) indicate rapid capability growth in cybersecurity, with labs acknowledging their models pose increasing offensive cyber risks.

Explored Proto-Questions (72 explored but not selected in early stages)
92 Will the U.S. Chip Security Act (H.R. 3447) be signed into law by December 31, 2027? FILTERED

Rationale: The paper discusses hardware-enabled mechanisms (HEMs) built into AI chips as a key governance tool for detecting and disrupting autonomous cyber agents, including location verification and workload classification. The Chip Security Act (H.R. 3447), which passed the House Foreign Affairs Committee 42-0 on March 26, 2026, would require the Secretary of Commerce to issue standards for chip security mechanisms including location verification on advanced AI chips. This is a direct legislative instantiation of the HEM concept discussed in the paper. Whether this bill becomes law is a meaningful upstream indicator of whether hardware-level governance of AI compute — a key defense against HACCAs operating on stealth compute clusters — will materialize.

Paper reference: Appendix IX: 'Using Hardware-Enabled Mechanisms for HACCA Attribution and Disruption' — discusses HEMs enabling location verification, chip usage limits via cryptographic licenses, and workload classification to detect and disrupt HACCAs even on adversary-owned compute.

Quality notes

This is an excellent forecasting question. It identifies a specific legislative vehicle (H.R. 3447 / S. 1705) that directly addresses a core recommendation in AI governance (hardware-enabled mechanisms). The bill has significant bipartisan support (passing HFAC 42-0) but faces strong industry opposition from the Semiconductor Industry Association (SIA) due to security and complexity concerns. This conflict makes the outcome genuinely uncertain (neither 0% nor 100%) and provides clear milestones for forecasters to track (committee votes, floor action, Senate companion progress). The resolution criteria are objective (signed into law).

92 Will METR report a public frontier AI model achieving a task-completion time horizon of 100 hours or more (at 50% success rate) by December 31, 2027? FILTERED

Rationale: The paper cites METR's work on measuring AI task-completion ability. As of early 2026, the best public frontier model (Claude Opus 4.6) achieved approximately 14.5 hours on METR's benchmark. The trend has been roughly doubling every 7 months. Reaching 100 hours would represent roughly 3 doublings from current levels (~21 months at the current rate), placing it around late 2027 — making this a genuinely uncertain outcome. Reaching this level would have significant implications for the autonomous cyber capabilities discussed in the paper.

Paper reference: The paper directly cites METR's work: 'Measuring AI Ability to Complete Long Tasks' (Kwa, West, and Becker, March 2025) and 'How Does Time Horizon Vary Across Domains?' (METR, July 2025). Task-completion time horizons are a key upstream indicator of autonomous agent capability.

Quality notes

This is a high-quality forecasting question. It uses a specific, well-defined metric ('50%-task-completion time horizon') from a reputable and likely-to-persist source (METR). The 100-hour threshold is a significant milestone for AI autonomy, and current trends (14.5 hours as of Feb 2026 with a ~7-month doubling time) place the resolution near the end of 2027, creating high entropy and room for disagreement among forecasters. The resolution criteria are objective and rely on public reporting from a primary evaluation body.

92 Will at least three of the five leading frontier AI model API providers (OpenAI, Anthropic, Google, Meta, Mistral) require government-issued ID verification for organizational access to their most capable models by December 31, 2027? FILTERED

Rationale: The paper recommends implementing enhanced access controls for model APIs, noting that 'providers of closed-source models should require identity verification beyond payment methods.' OpenAI introduced its 'Verified Organization' requirement in April 2025, requiring government-issued ID. However, as the paper notes, 'these measures remain inconsistent across the industry.' Tracking whether this practice diffuses across the industry is a key indicator of whether the ecosystem is hardening against HACCA misuse risks. Whether 3 out of 5 adopt this is genuinely uncertain.

Paper reference: Recommendation V ('Strengthen Compute, Finance, and Model Access Controls') specifically discusses implementing enhanced access controls for model APIs and notes OpenAI's Verified Organization as an example while observing inconsistency across the industry.

Quality notes

This is a high-quality forecasting question (score: 92) with clear metrics and a strong factual basis. It leverages the April 2025 precedent set by OpenAI's 'Verified Organization' status, which mandates government ID for access to advanced models. The choice of 3 out of 5 providers creates a high-entropy scenario; while OpenAI has moved, others like Meta and Mistral have historically favored more open access models, making the '3/5' threshold a genuine point of disagreement for forecasters. Research into the specific 'safety' vs 'market share' trade-offs for each provider would significantly impact the forecast. Data issues are minimal as API providers' access requirements are typically public and well-documented.

92 Will an open-weight AI model (with publicly available weights) demonstrate autonomous capability to solve at least 80% of challenges on a recognized cybersecurity CTF benchmark, as reported in a peer-reviewed or major industry publication, by December 31, 2027? FILTERED

Rationale: The paper's proliferation timeline (Table 11) identifies a critical transition point when 'open-weight models may reach HACCA-relevant capability thresholds,' enabling broader actors to deploy autonomous cyber capabilities. Currently, Wiz Research found frontier closed models (GPT-5, Claude Sonnet 4.5) solved 90% of directed CTF challenges. Whether open-weight models can match this performance is a key indicator of how rapidly HACCA capabilities might proliferate beyond nation-states to less-resourced actors including cybercriminals.

Paper reference: The paper's Table 11 specifically identifies that during 'Proliferation begins,' 'open-weight models may reach HACCA-relevant capability thresholds, and other software components of HACCAs (e.g., scaffolding) could be leaked or stolen.' Footnote 176 also notes that 'open-weight models generally lag behind the frontier' as a constraint on proliferation.

Quality notes

This is an excellent forecasting question. It addresses a critical transition point in AI proliferation—when open-weight models catch up to frontier capabilities in offensive cyber operations. The question is high-entropy because while frontier models currently solve ~90% of some benchmarks, open-weight models have historically lagged, making the 80% threshold by 2027 a genuine point of uncertainty. The 2026 data suggests models like Llama 4 and DeepSeek V4 are narrowing the gap but still face challenges in 'real-world' or 'private' benchmarks, ensuring the question is not a 'foregone conclusion.' The resolution criteria are clear, relying on peer-reviewed or major industry publications, and the topic is of high strategic importance to the Metaculus community.

92 Will NIST publish a final (non-draft) version of the Cybersecurity Framework Profile for Artificial Intelligence (NIST IR 8596, the 'Cyber AI Profile') by December 31, 2027? FILTERED

Rationale: The paper highlights the challenge of defending against AI-powered cyber operations. NIST's Cyber AI Profile (IR 8596) is the first major U.S. government framework specifically addressing the intersection of AI and cybersecurity — both securing AI systems and using AI for cyber defense. Its finalization would signal institutional maturity in addressing the class of threats the paper describes. The preliminary draft was published December 16, 2025, with comments closing January 30, 2026. NIST frameworks sometimes take considerable time to finalize, making the timeline uncertain.

Paper reference: The paper discusses the need for institutional and regulatory responses to AI-enabled cyber threats, and references CISA's Secure-by-Design initiative. NIST's Cyber AI Profile is a natural policy milestone for the defensive side of the AI-cyber equation.

Quality notes

This is a strong, well-defined question with clear resolution criteria. NIST IR 8596 (Cyber AI Profile) is a real, high-impact document that entered the public comment phase in late 2025/early 2026. NIST timelines for moving from 'Initial Preliminary Draft' to 'Final' often span 12–24 months, making the Dec 2027 deadline a genuine 'high entropy' target—neither a certainty nor an impossibility. The resolution is binary and easily verifiable through the NIST Computer Security Resource Center (CSRC). Forecasters would need to track the progress of working sessions (such as those in April 2026) and historical NIST lag times for similar profiles to refine their estimates.

92 Will any AI system achieve first place overall in a major international Capture-the-Flag (CTF) cybersecurity competition (e.g., DEF CON CTF, PlaidCTF, or Google CTF) against human teams by December 31, 2027? FILTERED

Rationale: The paper describes HACCAs as capable of operating at 'machine speed and scale' with capabilities exceeding human operators. A key upstream indicator of this capability is AI performance in competitive cybersecurity CTF challenges. In March 2026, Tenzai's AI hacker became the first autonomous system to rank in the top 1% of global hacking competitions across six major CTF platforms, outperforming 99% of 125,000+ human participants. However, ranking top 1% is different from winning outright against elite teams. Whether an AI can win a top-tier competition would be a significant milestone indicating the autonomous offensive cyber capabilities the paper warns about.

Paper reference: The paper discusses HACCAs operating at 'machine speed and scale' and performing autonomous offensive operations. Table 22 describes how agentic implants solve common network intrusion operational issues through autonomous behavior.

Quality notes

This is an excellent forecasting question. It targets a clear, iconic milestone in AI capabilities—winning a top-tier cybersecurity competition against elite human teams. The rationale correctly identifies recent progress, such as Tenzai's AI hacker reaching the top 1% of global rankings in March 2026, while acknowledging the massive leap required to take 1st place in specialized finals like DEF CON CTF, which are currently dominated by world-class human teams (e.g., Maple Mallard Magistrates). The question has high entropy, as the outcome is genuinely uncertain and subject to intense debate about the speed of agentic AI development. Resolution sources (official CTF scoreboards) are reliable and permanent.

92 Will an autonomous AI agent achieve a top-3 finish in a major international Capture-the-Flag (CTF) cybersecurity competition (e.g., DEF CON CTF, PlaidCTF, or HITCON CTF) by December 31, 2027? FILTERED

Rationale: The paper's core concern is the emergence of 'Highly Autonomous Cyber-Capable Agents' that can autonomously find and exploit vulnerabilities. CTF competitions are the most concrete, publicly observable benchmark for offensive cybersecurity capability. As of early 2026, AI agents have already ranked in the top 1% on some CTF platforms and solved 9 of 10 challenges in web hacking scenarios. Whether an AI agent can compete at the highest level in a premier CTF event would be a strong signal that HACCA-level autonomous offensive capabilities are approaching reality.

Paper reference: The paper describes HACCAs as systems that 'autonomously find and exploit vulnerabilities, adapt to countermeasures, and make decisions in the field,' and argues these capabilities are approaching feasibility. CTF performance is a direct proxy for the offensive capabilities the paper is concerned about.

Quality notes

This is an exceptional forecasting question (score: 92) due to its high resolution clarity and alignment with major industry milestones. It uses established, authoritative benchmarks (DEF CON CTF, PlaidCTF) which have public leaderboards and a long history of human-only dominance. It avoids data issues entirely. Recent developments, such as Team Atlanta winning the all-machine DARPA AIxCC in August 2025, show significant progress in 'Cyber Reasoning Systems,' yet benchmarks from early 2026 indicate that AI agents still struggle to solve even a single challenge in 'elite' human competitions like PlaidCTF. This creates a perfect 'S-curve' uncertainty for 2027, where a breakthrough in agentic reasoning could plausibly lead to a top-3 finish, but current performance suggests it remains a major hurdle.

92 Will the capability gap between the best open-weight language model and the best closed-weight frontier model narrow to less than 1 month, as measured by the Epoch AI Capabilities Index (ECI), at any point before December 31, 2027? FILTERED

Rationale: The paper identifies that 'open-weight AI model capabilities generally lag frontier models by three months' and warns that 'wider access to these systems could rapidly follow when the first HACCA-level system becomes feasible.' If the gap narrows to under 1 month, it would significantly accelerate HACCA proliferation risk, as state and non-state actors would gain near-frontier capabilities almost immediately. Epoch AI's ECI provides a standardized measurement of this gap.

Paper reference: The paper states: 'open-weight AI model capabilities generally lag frontier models by three months. If this trend holds, wider access to these systems could rapidly follow when the first HACCA-level system becomes feasible.' This gap is a key factor in the paper's proliferation risk analysis.

Quality notes

This is an excellent forecasting question. It focuses on a genuinely uncertain and highly debated trend: the 'catch-up' speed of open-weights models relative to closed-source frontier models. The Epoch Capabilities Index (ECI) is a robust, quantitative, and well-regarded metric that provides a clear resolution path. There is significant disagreement among experts on whether open models can close the gap to such a narrow window (1 month), as it depends on factors like capital intensity of scaling vs. algorithmic efficiency gains being made public. The question has high entropy, as the gap fluctuates with new releases (e.g., DeepSeek-R1 narrowing it, while a hypothetical GPT-5 or similar might widen it again). The data source (Epoch AI) is reliable and likely to persist through 2027.

92 Will the application date for the EU AI Act's rules on high-risk AI systems listed in Annex III be officially postponed beyond August 2, 2026? FILTERED

Rationale: The HACCA paper discusses proliferation dynamics and the importance of institutional responses to AI-enabled cyber threats. The EU AI Act is the most significant global AI regulation, with high-risk system rules originally set to apply August 2, 2026. As of early 2026, there are reports that the European Parliament may vote to delay these rules to as late as December 2027. This is a pivotal regulatory milestone: delay would signal that policymakers are struggling to keep pace with AI developments, directly relevant to the paper's concern about defense lagging offense. The outcome is genuinely uncertain as of April 2026.

Paper reference: The paper's proliferation section argues that trailing-edge organizations are particularly exposed and that policymakers should urgently bolster defenses. The EU AI Act's timeline for high-risk system regulation is a key indicator of whether regulatory frameworks are keeping pace.

Quality notes

The question focuses on a highly relevant regulatory event with significant global impact. Search results confirm that as of March/April 2026, the European Parliament has voted (569-45) in favor of the 'AI Act Omnibus' which specifically proposes delaying the Annex III high-risk rules from August 2026 to December 2027. While there is a strong political consensus, the final trilogue agreement (starting April 28, 2026) and subsequent formal adoption introduce the necessary uncertainty for a forecasting question. The question is time-sensitive, non-trivial, and resolves via clear legislative records.

92 Will a peer-reviewed research paper demonstrating a deployed AI-agent-specific honeypot system that successfully distinguishes autonomous AI agents from human attackers in a real-world (non-simulated) environment be published by December 31, 2027? FILTERED

Rationale: The paper identifies 'agent honeypots' as a novel and important detection mechanism for autonomous cyber agents, noting that preliminary evidence shows LLM-based attackers spend ~90% of time on decoy resources. Multiple research efforts are underway (HoneyPrompt for ICS, HoneyTrap for LLM attackers), but as of early 2026 these are primarily lab-based demonstrations. Whether this research matures to real-world deployment and peer-reviewed validation is a key indicator of defensive readiness against autonomous cyber threats.

Paper reference: The paper dedicates a substantial section to 'Agent Honeypots,' discussing design elements including detection mechanisms (prompt injections, behavior pattern analysis), placement, interaction depth, and canary mechanisms. It cites preliminary evidence from Reworr and Volkov's 'LLM Agent Honeypot' work.

Quality notes

This question addresses a specific technical hurdle in AI defense. Research indicates that while systems like HoneyPrompt and HoneyTrap are emerging (early 2026), they are still moving from simulated or controlled environments to broader real-world deployment. The resolution via 'peer-reviewed research paper' is a high-quality, verifiable metric. It is genuinely uncertain because distinguishing AI agents from humans in the wild is a significant technical challenge (high entropy). The deadline of late 2027 allows sufficient time for current pre-prints to navigate the peer-review cycle, making the 5-95% probability range likely. Difficulty is high as forecasters must assess the maturation of specific deception techniques like prompt injection sensors.

92 Will NIST publish a final (non-draft) version of the Cybersecurity Framework Profile for Artificial Intelligence (NIST IR 8596) by December 31, 2027? FILTERED

Rationale: The paper emphasizes the need for security frameworks that address AI-related cybersecurity risks, including AI-generated code security and AI agent threats. NIST published a preliminary draft of the Cyber AI Profile in December 2025 and launched the AI Agent Standards Initiative in February 2026. Whether NIST finalizes this important guidance document is a meaningful upstream indicator of institutional readiness to govern AI-related cyber risks. NIST sometimes takes years to finalize standards, making the outcome genuinely uncertain.

Paper reference: The paper discusses the need for security-by-design approaches for AI-generated code and detection frameworks for autonomous cyber agents, both of which would benefit from standardized cybersecurity frameworks for AI systems.

Quality notes

This is an excellent forecasting question. It targets a specific, high-impact document (NIST IR 8596) that addresses a critical gap in AI cybersecurity. The preliminary draft was released in December 2025, and NIST's timeline for moving from 'preliminary draft' to 'initial public draft' to 'final' is notoriously variable, making the outcome genuinely uncertain for a 2027 deadline. The resolution is clear (publication of a non-draft version) and the source (NIST) is authoritative and transparent. It meets all criteria for high entropy and research-driven forecasting.

92 Will NIST publish a final (non-draft) standard, guideline, or special publication specifically addressing security requirements for autonomous AI agents by 31 December 2027? FILTERED

Rationale: The paper discusses how autonomous AI agents (including offensive ones) present novel security challenges due to their large attack surface and autonomous decision-making. NIST launched its AI Agent Standards Initiative in February 2026, seeking industry input on security risks unique to AI agents. However, NIST standards processes typically take 1-3 years from initiation to final publication, creating genuine uncertainty about whether a final document will emerge by end of 2027. This question tracks a key institutional response to the threats the paper identifies.

Paper reference: Section on adversarial exploitation of HACCAs and the large attack surface of autonomous agents, plus the paper's broader theme about the need for new safeguards against autonomous cyber-capable systems.

Quality notes

This is an excellent, well-calibrated forecasting question. The NIST 'AI Agent Standards Initiative' (launched February 2026) is a real-world project with a clear resolution source. The December 2027 deadline is roughly 22 months from the initiative's launch, which is a classic 'uncertain' window for NIST—standard processes often take 18–36 months, making the final publication by late 2027 a non-trivial event for forecasters to track. The resolution is binary and verifiable through official government channels, minimizing data issues. Research into NIST's current progress (e.g., the March 2026 RFI and April 2026 concept papers) will directly inform and update forecasts.

92 Will the US government issue a regulation, executive order, or binding directive that requires cloud compute providers to implement identity verification (KYC-type) requirements specifically addressing AI agent customers or workloads by December 31, 2027? FILTERED

Rationale: The paper specifically recommends strengthening 'know your customer (KYC) protocols to address AI agents' for compute access as a key countermeasure against HACCA operations (Recommendation V). Research proposals for compute-provider KYC have been published, and the Trump administration's 2025-2026 cybersecurity actions have addressed AI and compute topics. However, no binding KYC requirement for AI agent compute access has been enacted yet. This is a concrete regulatory milestone with genuine uncertainty — the political will exists but implementation faces industry resistance and regulatory complexity.

Paper reference: Section 7, Recommendation V: 'Governments should work with industry to prevent malicious actors exploiting resources for HACCA-related operations, especially compute. This includes strengthening know your customer (KYC) protocols to address AI agents.' Also Section 5 (Disrupt layer) lists 'Compute and finance access controls' as a countermeasure.

Quality notes

This is an excellent forecasting question. It targets a specific, high-impact regulatory milestone that is currently a subject of active debate (as seen in NIST initiatives and 2025/2026 AI Executive Orders). The distinction between general cloud KYC and KYC 'specifically addressing AI agent customers' is a sharp, non-trivial condition that creates high entropy; industry resistance and technical complexity make the outcome genuinely uncertain. The resolution through official government channels (EOs, Federal Register) is robust and reliable. It is difficult, research-heavy, and fits the 5-95% probability range well.

92 Will the EU AI Act's rules for high-risk AI systems (originally scheduled for August 2026) begin formal enforcement by December 31, 2027? FILTERED

Rationale: The paper emphasizes the importance of regulatory frameworks in the defense-in-depth approach against autonomous AI threats. The EU AI Act is the most significant international AI regulatory framework, but there is genuine uncertainty about its high-risk system enforcement timeline. The European Commission proposed in November 2025 delaying the high-risk AI compliance deadline from August 2026 to potentially December 2027, and the European Parliament has voted on delays. Whether enforcement actually begins by end of 2027 is a meaningful question about the pace of AI governance globally.

Paper reference: Section 5's defense-in-depth framework identifies regulatory frameworks as a key component. The paper notes that 'many of the measures discussed in this section remain largely theoretical or untested' and that governance frameworks need to be established during the window before HACCAs become widely accessible.

Quality notes

This is an excellent forecasting question with very high entropy. As of April 2026, the EU is actively debating the 'Digital Omnibus' which proposes shifting the high-risk AI enforcement deadline from August 2026 to late 2027 (specifically December 2, 2027). The question is highly sensitive to ongoing trilogue negotiations and political shifts within the EU. It is somewhat difficult because forecasters must track specific legislative amendments and 'compliance backstops.' The resolution is clear (official EU Journal/Commission announcements) and the probability is currently well within the 5-95% range given the active legislative flux.

92 Will NIST publish a final (non-draft) standard, guideline, or special publication specifically addressing security requirements for autonomous AI agents by December 31, 2027? FILTERED

Rationale: The paper emphasizes the need for policy guardrails and technical standards for autonomous AI systems. NIST launched its AI Agent Standards Initiative in February 2026, with a draft on automated benchmark evaluations closing March 31, 2026. Additionally, NIST published an RFI on security considerations for AI agents in January 2026. Whether NIST finalizes standards specifically for AI agent security is a key policy milestone. NIST's standard-setting typically takes years, creating genuine uncertainty about whether a final publication emerges by end of 2027.

Paper reference: Section 6 (Guardrails for HACCA development and deployment) discusses technical, legal, and policy guardrails. Section 7, Recommendation V calls for strengthened access controls, and the overall framework calls for establishing standards around autonomous AI systems.

Quality notes

This is an excellent forecasting question. It tracks a specific, high-stakes policy development (NIST's AI Agent Standards Initiative) with a clear binary outcome. The timing (end of 2027) is well-calibrated; NIST launched the initiative in February 2026, and since NIST publications typically take 18-24 months for finalization, the 2027 deadline sits right at the edge of typical completion windows, ensuring high entropy. The resolution source (NIST publications) is authoritative and unambiguous.

92 Will the NIST AI Agent Standards Initiative publish at least one formal guidance document or standard specifically addressing security requirements for autonomous AI agents by December 31, 2027? FILTERED

Rationale: The paper emphasizes that existing risk management frameworks like NIST's RMF 'do not yet account for continuously adaptive, scalable agentic systems' and calls for adapting them to address loss-of-control scenarios and multi-agent interactions. NIST launched its AI Agent Standards Initiative in February 2026, with RFI comments due March 2026 and listening sessions in April 2026. Whether NIST can translate this initiative into published formal guidance within the ~2-year window is uncertain — NIST processes can be slow, but the political urgency around AI agents is high. This question directly tracks a key policy milestone the paper identifies as needed.

Paper reference: Section on adapting NIST Risk Management Framework for agentic systems and secure-by-design development practices (p. 109); Recommendation VI on legal and policy guardrails

Quality notes

This is a high-quality forecasting question. It targets a specific, high-profile policy milestone (NIST AI Agent Standards Initiative) with a clear resolution source. The timeframe (Dec 2027) is approximately 22 months from the initiative's launch (Feb 2026), which aligns with typical NIST publication cycles for complex frameworks (e.g., the NIST AI 600-1 Generative AI Profile took ~18 months from initial draft to final release). The difficulty is appropriate as NIST's speed is historically variable, and the technical challenge of defining security for 'continuously adaptive' agents is high, leaving significant room for forecaster disagreement (e.g., whether NIST prioritizes speed given political urgency or adheres to its characteristically deliberate process). It avoids data issues by using an established government agency with a regular publication cadence.

90 Will at least one of the three major cloud providers (AWS, Microsoft Azure, or Google Cloud) implement identity verification requirements beyond payment verification specifically for high-compute AI workloads by December 31, 2027? FILTERED

Rationale: The paper identifies compute access controls and KYC measures as a critical disruption mechanism against autonomous cyber agents (HACCAs). It specifically notes that existing KYC measures from major cloud providers involve only basic payment verification. The NIST AI Agent Standards Initiative (launched February 2026) and various legislative proposals (e.g., H.R.3434) signal growing policy pressure for enhanced identity verification. Whether cloud providers actually implement stricter KYC for AI workloads is a meaningful upstream indicator of defensive preparedness.

Paper reference: The paper's 'Compute, Finance, and Model Access Controls' section explicitly states that 'Existing KYC measures, even from major cloud providers, involve only basic verification for billing purposes' and calls for 'better know-your-customer (KYC) measures that work on advanced agents.'

Quality notes

The question is excellent (score: 90) as it targets a critical and genuinely uncertain regulatory hurdle in AI safety. It is based on real-world policy developments like the NIST AI Agent Standards Initiative (launched Feb 2026) and H.R. 3434 (119th Congress), which suggest a shift towards stricter KYC for compute. While current cloud KYC is basic, implementing identity verification for specific workloads is a significant shift that forecasters would need to track via regulatory progress and cloud provider policy updates. The resolution source (official TOS or announcements from AWS/Azure/GCP) is highly reliable. The concept of 'high-compute AI workloads' is well-defined enough for a proto-question and offers high entropy since providers face conflicting pressures between safety and user friction.

90 Will METR report a 50%-reliability task-time horizon exceeding 48 hours for any frontier AI model on software engineering tasks by 31 December 2027? FILTERED

Rationale: The paper highlights METR's task-time horizon metric as a key proxy for tracking progress toward HACCA-capable systems, noting that GPT-5.2 (December 2025) achieved 6 hours 34 minutes at 50% reliability with a roughly 7-month doubling time. If the doubling trend holds, the 48-hour mark would be reached around mid-2027 — but the paper itself cautions that 'the sustainability of this rate remains uncertain.' This creates genuine uncertainty (perhaps 40-65% likely) and directly measures the operational capability gap the paper identifies as critical for HACCA feasibility. METR publishes these measurements publicly, making resolution straightforward.

Paper reference: Section on 'When Could HACCAs Arrive?' — METR task-time horizon doubling every ~7 months, GPT-5.2 at 6hr 34min (50% reliability), with extrapolation suggesting Q4 2028 for reaching one-month horizons on software engineering tasks.

Quality notes

This question uses a well-defined, quantitative metric (METR task-time horizon) with a clear resolution source. The target (48 hours) is significantly beyond current performance (approx. 6-15 hours in late 2025/early 2026), making the doubling trend's sustainability a perfect subject for forecasting. It directly relates to the 'HACCA' capability gap discussed in recent literature. The probability is likely in the mid-range (40-70%), ensuring high entropy.

88 Will any frontier AI model achieve an overall success rate above 50% on the RepliBench autonomous replication evaluation suite by December 31, 2027? FILTERED

Rationale: The paper specifically cites RepliBench as an evaluation suite for autonomous replication capabilities and recommends tracking capability evaluations as foundational (Recommendation I). RepliBench was introduced by the UK AI Security Institute in April 2025 and benchmarks 5 frontier models, finding they 'do not currently pose a credible threat of self-replication, but succeed on many components and are improving.' Whether models cross the 50% threshold by end of 2027 is genuinely uncertain — AI capabilities are advancing rapidly but replication tasks are challenging multi-step operations.

Paper reference: Footnote 313 references RepliBench directly; Recommendation I calls for tracking HACCA progress through capability evaluations including autonomous replication

Quality notes

The question is high quality because it targets a specific, measurable 'red line' in AI safety using an authoritative benchmark (RepliBench) recently introduced by the UK AI Security Institute (AISI). Current frontier models like Claude 3.7 Sonnet already show mixed success, with some sources indicating >50% success on specific subtasks or task families, but not necessarily a 50% 'overall' rate across the entire suite. This creates a clear, non-trivial forecasting target with significant room for disagreement and high potential for research-driven updates as new models (e.g., GPT-5, Claude 4) are released. The 2027 deadline allows for multiple scaling generations to be tested.

88 Will a peer-reviewed paper demonstrate successful application of mechanistic interpretability techniques (e.g., circuit analysis, sparse autoencoders) to identify and modify specific behavioral features in a language model with over 100 billion parameters by December 31, 2027? FILTERED

Rationale: The paper identifies mechanistic interpretability as a potentially critical pre-deployment safeguard for HACCAs but notes that 'current interpretability methods like sparse autoencoders do not scale well to the size and complexity of frontier models, and may be intractable in practice for terabyte-parameter-scale models.' Whether interpretability can scale to frontier models is a key determinant of whether the technical guardrails the paper envisions are actually feasible. MIT Technology Review named mechanistic interpretability a 2026 breakthrough technology, and Google DeepMind released Gemma Scope 2 in late 2025, but successful application at >100B parameter scale with behavioral modification remains undemonstrated.

Paper reference: The paper discusses mechanistic interpretability as a pre-deployment measure: 'precisely interpreting a HACCA's learned activations and features might allow for verification of the presence or absence of hidden malicious circuits, or the surgical modification of its weights to weed out undesirable behavior.' It then notes scaling limitations of current methods.

Quality notes

This question addresses a critical bottleneck in AI safety: the scalability of interpretability. While techniques like Sparse Autoencoders (SAEs) have been applied to large models (e.g., Llama 3.1 405B), the 'behavioral modification' component at 100B+ scale remains a frontier challenge. Gemma Scope 2 (released late 2025) covers up to 27B parameters, leaving the 100B+ threshold as a significant milestone. The criteria are specific and the December 2027 deadline allows for sufficient research progress.

88 Will the DHS AI Information Sharing and Analysis Center (AI-ISAC) be formally operational and accepting membership by December 31, 2027? FILTERED

Rationale: The paper recommends updating information-sharing mechanisms to address autonomous cyber agents (Recommendation II). The AI-ISAC is a concrete US government initiative announced in America's AI Action Plan (July 2025) and reportedly in development as of February 2026. Whether this institution becomes operational is a meaningful upstream indicator of government preparedness against AI-enabled cyber threats, including the HACCAs the paper describes. There's genuine uncertainty about whether it will be fully stood up given bureaucratic timelines and shifting administration priorities.

Paper reference: Section 7, Recommendation II: 'Governments should work with industry to establish standardized transparency requirements and incident response processes for security incidents involving autonomous systems, especially focusing on shared reporting mechanisms for anomalous agent behavior.'

Quality notes

The question is based on a real, high-profile initiative ('America's AI Action Plan' July 2025) and addresses a significant institutional milestone (DHS AI-ISAC). It is well-grounded in current developments as of early 2026, with reports confirming it is in development. The timeframe (Dec 2027) allows for genuine uncertainty regarding bureaucratic execution and funding. The resolution criteria ('formally operational and accepting membership') are concrete and likely to be publicly verifiable through DHS/CISA announcements. It meets the 'high entropy' and 'somewhat difficult' criteria well.

88 Will at least one major US government agency (e.g., CISA, NSA, or DOD) publish a formal policy or directive establishing specific incident reporting requirements for cybersecurity incidents involving autonomous AI systems by December 31, 2027? FILTERED

Rationale: The paper's Recommendation II calls for updating information-sharing mechanisms to address HACCAs, including 'transparency standards and incident response processes for significant cybersecurity incidents suspected to involve autonomous cyber capabilities' with 'reporting timelines, standardized incident taxonomies, and protected channels.' NIST's January 2026 RFI on security considerations for AI agents signals government interest. Whether this translates into formal incident reporting requirements specifically for autonomous AI-involved incidents is uncertain — it requires both technical consensus and regulatory action within ~2 years.

Paper reference: Recommendation II: 'Update information-sharing mechanisms to address HACCAs' (p. 112, 115); calls for 'reporting timelines, standardized incident taxonomies, and protected channels for sharing technical details'

Quality notes

This question is highly relevant given the regulatory momentum seen in 2025-2026. NIST's January 2026 RFI on AI Agent security and CISA's ongoing CIRCIA implementation provide a clear track for this event. However, the specific focus on 'autonomous AI systems' in incident reporting is a distinct policy leap from general cyber incident reporting. This creates a good 'room for disagreement' between forecasters on whether current mandates will be specifically updated or if new ones will emerge. The resolution source (Federal Register, agency directives) is highly reliable. It is 'somewhat difficult' as it requires monitoring legislative and executive branch outputs.

88 Will NIST publish a final (non-draft) guidance document or standard specifically addressing AI agent security by December 31, 2027? FILTERED

Rationale: The paper emphasizes the need for policy guardrails and technical standards for autonomous cyber agents. NIST launched its AI Agent Standards Initiative in February 2026, with an RFI that closed in March 2026 and workshops planned for April 2026. The initiative promises 'research, guidelines, and further deliverables' but converting these into finalized guidance documents takes time. This question tracks whether the regulatory infrastructure is keeping pace with HACCA-related risks. A published standard would be a significant milestone for the defensive ecosystem the paper recommends building.

Paper reference: Section on 'Establish Legal and Policy Guardrails for the Development and Use of HACCAs' (Recommendation VII) and the paper's overall emphasis on the need for policy and institutional frameworks to address autonomous cyber agent risks.

Quality notes

The question is well-timed and hinges on a genuinely uncertain regulatory timeline. NIST's AI Agent Standards Initiative is currently active (RFI closed March 2026), and the transition from research/drafts to a final 'non-draft' standard by late 2027 is a realistic but challenging milestone to forecast. It requires analyzing NIST's usual throughput speed and the complexity of the 'agent security' domain. The resolution source (NIST) is highly reliable. The question provides a clear binary resolution and addresses a significant policy gap identified in the source paper.

88 Will a U.S. federal agency (e.g., CISA, NSA, or DoD) publish an official advisory or technical guidance document specifically addressing the threat of autonomous AI agents in cyber operations by December 31, 2027? FILTERED

Rationale: The paper describes a threat landscape where HACCAs emerge as 'a normal feature of the cyber threat landscape' and recommends that governments prioritize early hardening. It references CISA's existing programs and the NSA as a sophisticated defender. An official advisory specifically naming autonomous AI agents as a cyber threat would represent recognition that this threat has moved from theoretical to operational. This is a key institutional response indicator. The uncertainty lies in whether the threat materializes enough to warrant a dedicated advisory versus being folded into broader AI guidance.

Paper reference: The paper's recommendations to 'Prioritize and Harden Critical Services and Infrastructure' (Recommendation IV) and discussions of government agencies like CISA, NSA, and DARPA as key actors in the defensive ecosystem.

Quality notes

This is an excellent forecasting question. It addresses a specific, emerging institutional response to a novel threat (autonomous AI agents in cyber ops). The timeline (end of 2027) is well-calibrated; while intelligence communities are already discussing these threats (e.g., reports of Iranian-affiliated actors using them in late 2025), official dedicated technical guidance typically lags behind initial threat discovery. The uncertainty lies in whether agencies will issue a standalone document or continue folding this into broader AI security guidance (like the Dec 2025 joint guide on AI in OT). The resolution source (CISA/NSA/DoD advisories) is highly reliable and public. Research into the frequency of dedicated vs. general advisories would significantly improve a forecast.

88 Will at least three distinct publicly reported incidents of AI-orchestrated or AI-automated cyberattack campaigns (beyond AI-assisted phishing/social engineering) be documented by credible cybersecurity firms or government agencies by December 31, 2027? FILTERED

Rationale: The paper describes a near-future where autonomous cyber agents conduct sophisticated operations including network intrusion, data exfiltration, and multi-point coordinated attacks. In November 2025, Anthropic disclosed disrupting the 'first reported AI-orchestrated cyber espionage campaign.' CrowdStrike's 2026 Global Threat Report noted AI-enabled adversary operations increased 89% year-over-year. Whether we see multiple confirmed AI-orchestrated (not just AI-assisted) campaigns would be a key signal of the threat trajectory the paper describes.

Paper reference: The paper's core thesis is about HACCAs conducting autonomous offensive cyber operations. Tables 22-23 describe specific tactical advantages of agentic implants and financial crime avenues. Anthropic's November 2025 disclosure of the first AI-orchestrated espionage campaign is cited in the bibliography.

Quality notes

The question is high-quality because it addresses a clear 'inflection point' in AI capabilities that is genuinely uncertain. It differentiates between low-level AI-assisted phishing (common) and 'AI-orchestrated' campaigns (rare), using a recent precedent (Anthropic's Nov 2025 report) as a baseline. The resolution criteria are robust, relying on established cybersecurity reports. With one confirmed incident as of late 2025, the requirement for three by the end of 2027 creates a high-entropy scenario where forecasters must judge the acceleration of threat actor capabilities. The distinction between 'assisted' and 'orchestrated' is somewhat technical but is being actively defined by the cited industry reports, making research impactful for the forecast.

88 Will any frontier AI model achieve an overall score above 50% on the RepliBench autonomous replication benchmark (as published by the UK AI Safety Institute / AISI) by December 31, 2027? FILTERED

Rationale: The paper extensively discusses the risk of HACCAs replicating across networks, including 'Shell HACCAs' that transport only scaffolding and later download model weights. RepliBench, introduced by the UK AISI in 2025, directly measures autonomous replication capabilities of AI models. Current frontier models do not pose a 'credible threat of self-replication' but 'succeed on many components and are improving.' Whether models cross the 50% overall score threshold would be a concrete, measurable signal of the replication risk the paper describes.

Paper reference: Appendix VIII discusses how HACCAs based on open-weight models could replicate with significantly smaller payloads (3-5 orders of magnitude smaller), and how 'Shell HACCAs' could restore themselves later. The paper's bibliography cites RepliBench (Black et al., 2025) directly.

Quality notes

This is a strong forecasting question. It targets a clear, measurable signal of AI safety risk (autonomous replication) using a specific benchmark (RepliBench) published by an authoritative body (UK AISI). The paper specifically defines an 'overall score' as the mean of domain-specific scores RepliBench: Evaluating the Autonomous Replication Capabilities of .... While current frontier models (like Claude 3.7 Sonnet) perform well on individual task families, achieving over 50% on 15 out of 20, they 'succeed on many components' but don't yet pose a 'credible threat' RepliBench: Evaluating the Autonomous Replication Capabilities of .... This suggests a 50% overall score is a significant but potentially achievable hurdle by 2027, making it a high-entropy question. Research into model improvement trajectories on agentic tasks would directly inform the forecast.

88 Will the EU AI Act's high-risk AI system obligations under Annex III formally take effect before August 2, 2027? FILTERED

Rationale: The paper addresses the governance landscape for AI systems with cyber capabilities. The EU AI Act originally set August 2, 2026 as the deadline for high-risk AI system compliance. However, in late 2025, the European Commission proposed delaying these obligations to December 2027 as part of an 'AI Omnibus' simplification package. The European Parliament voted to support this delay. Whether the delay is formally enacted or whether some obligations still take effect on the original timeline creates genuine uncertainty about the regulatory environment for AI systems.

Paper reference: The paper discusses AI governance frameworks and regulatory approaches to managing AI risks. The EU AI Act is the most significant AI-specific regulation globally and directly impacts how autonomous AI systems (including those with cyber capabilities) are governed.

Quality notes

This is a high-quality forecasting question (Score: 88) because it targets a specific, currently-debated legislative delay in the EU AI Act implementation. There is genuine uncertainty between the original August 2026 deadline and the proposed December 2027 extension, with active trilogue negotiations as of early 2026 determining the outcome. The resolution source (EU Official Journal) is definitive. Researching the 'AI Omnibus' package and EU political dynamics would significantly inform a forecast, meeting the difficulty and entropy criteria.

88 Will Google DeepMind publicly report that a frontier model has reached Critical Capability Level 1 (CCL-1) or higher for cybersecurity under its Frontier Safety Framework by December 31, 2027? FILTERED

Rationale: The paper directly cites Google DeepMind's Frontier Safety Framework 2.0. The framework defines Critical Capability Levels (CCLs) for domains including cybersecurity. As of early 2026, DeepMind has not publicly reported a model reaching CCL-1 for cybersecurity. Given rapidly improving AI cyber capabilities documented in the paper (XBOW matching human pentesters, autonomous vulnerability discovery), it is plausible but uncertain that DeepMind would trigger this threshold by end of 2027.

Paper reference: The paper cites 'Google Deepmind. Frontier Safety Framework. February 2025.' The Framework's cybersecurity CCLs directly map to the paper's concerns about AI models achieving autonomous cyber-attack capabilities.

Quality notes

This question is high-quality because it is grounded in a specific, documented corporate policy (Google DeepMind's Frontier Safety Framework) and targets a well-defined threshold (CCL-1). It is genuinely uncertain: while current models (like Claude 3.5 or GPT-4o) already show significant cyber-uplift in benchmarks like XBOW or HTB machines, reaching the specific CCL-1 threshold as defined by DeepMind requires significant autonomous capability. The 'publicly report' constraint adds a layer of difficulty and institutional transparency tracking. One minor risk is if DeepMind reports only to regulators (e.g., UK AISI) and not the general public, but their history of blog posts on framework updates suggests a high likelihood of public disclosure for major milestones.

88 Will the Frontier Model Forum publish at least three additional technical reports or guidelines specifically addressing AI-enabled cyber threats (beyond its February 2026 report on 'Managing Advanced Cyber Risks in Frontier AI Frameworks') by December 31, 2027? FILTERED

Rationale: The paper covers the landscape of AI-enabled cyber threats and the need for industry coordination. The Frontier Model Forum (FMF) published a technical report on managing advanced cyber risks in February 2026 and has an information-sharing initiative for frontier AI threats and vulnerabilities. Whether the FMF sustains meaningful output on cyber risks depends on continued industry commitment, the evolution of threats, and organizational capacity. Three additional reports is a non-trivial but achievable threshold over approximately 22 months.

Paper reference: The paper references multiple Frontier Model Forum member companies and their safety frameworks. The FMF's February 2026 report on 'Managing Advanced Cyber Risks in Frontier AI Frameworks' directly addresses the paper's core topic of AI-enabled cyber threats.

Quality notes

This is a high-quality forecasting question. It is based on a real and active industry body (Frontier Model Forum) with a documented history of technical publications, such as the February 13, 2026 report 'Managing Advanced Cyber Risks in Frontier AI Frameworks'. The threshold of 'three additional reports' over a 21-month period (April 2026 to December 2027) is well-calibrated; based on past frequency (reports in August 2025 and February 2026), this represents a sustained but challenging pace. Resolution is straightforward via the FMF official website, and forecasters can meaningfully differentiate based on their assessment of industry coordination and the shifting focus of AI safety workstreams.

88 Will any AI coding agent score at or above 65% on SWE-bench Pro by December 31, 2027? FILTERED

Rationale: The paper references SWE-bench as a key benchmark for autonomous AI coding capabilities, which directly relates to AI agents' ability to find and exploit software vulnerabilities. As of April 2026, the top SWE-bench Pro score is 57.7% (GPT-5.4), with rapid but decelerating progress. Reaching 65% requires a meaningful capability jump in real-world software engineering — a threshold that would signal AI agents capable of handling complex, multi-step code manipulation tasks relevant to cyber operations. This is neither certain nor impossible, providing good entropy.

Paper reference: The paper cites SWE-bench (Official Leaderboards, April 2025) as a relevant benchmark and discusses autonomous agents' growing software engineering capabilities as an upstream indicator of cyber offense potential.

Quality notes

The question is well-structured and focuses on a meaningful capability jump (from ~58% in April 2026 to 65% by end of 2027). SWE-bench Pro is a recognized, difficult benchmark with an active leaderboard, making it a high-quality forecasting target. There is high entropy as progress on complex 'Pro' tasks has shown signs of deceleration, and there is significant room for disagreement on whether current architectures can reach 65% without major innovations. The resolution source is reliable, though refinement should specify which leaderboard (official vs. Scale AI) takes precedence.

88 Will NIST publish the final version of NIST IR 8596 (Cybersecurity Framework Profile for Artificial Intelligence) by December 31, 2026? FILTERED

Rationale: NIST published a preliminary draft of the Cyber AI Profile (IR 8596) in December 2025, with a public comment period closing January 30, 2026. The paper references NIST's AI security work including the Adversarial Machine Learning publication. Finalization of this profile would be a major regulatory milestone for AI cybersecurity governance. Government publication timelines frequently slip, making it uncertain whether the final version will appear within 2026 despite expectations.

Paper reference: The paper cites NIST publications on AI security, including 'Vassilev, Apostol et al. Adversarial Machine Learning. NIST, March 2025' and discusses the regulatory landscape for AI cybersecurity.

Quality notes

The question addresses a significant regulatory milestone with a clear resolution source (NIST). As of April 2026, NIST has released the 'initial preliminary draft' (Dec 2025) and closed the first comment period (Jan 2026). The 'initial public draft' is slated for release later in 2026. Given NIST's typical 12-24 month cycle for finalizing IRs, a Dec 2026 deadline is genuinely uncertain and 'high entropy,' as government timelines frequently slip. The question is difficult because it requires monitoring the progression through NIST's multi-stage drafting process (iprd to ipd to final). The resolution is binary and verifiable via the NIST Computer Security Resource Center.

88 Will any publicly evaluated frontier AI model pass a majority (more than 50%) of tasks in the SOCK self-replication benchmark by December 31, 2027? FILTERED

Rationale: The paper cites research on AI self-replication risk (Zhang et al., 'Dive into the Agent Matrix: A Realistic Evaluation of Self-Replication Risk in LLM Agents'). The SOCK benchmark specifically measures LLMs' ability to self-replicate without human intervention. Studies indicate that as of 2025, some AI systems already possess partial self-replication capabilities. Whether frontier models will pass a majority of SOCK tasks by 2027 is a key upstream indicator of autonomous agent risk, directly relevant to the paper's concerns about highly autonomous cyber-capable agents.

Paper reference: The paper cites 'Zhang, Boxuan et al. Dive into the Agent Matrix: A Realistic Evaluation of Self-Replication Risk in LLM Agents. arXiv, September 2025' and discusses autonomous agent capabilities including persistence and self-propagation.

Quality notes

The question is high quality. It targets a specific, measurable technical milestone (50% on SOCK) that is directly linked to AI safety risks (self-replication). The benchmark is recently established (Alhetairshi et al., 2025 A Realistic Evaluation of Self‑Replication Risk in LLM Agents - arXiv) and recognized in literature like 'Dive into the Agent Matrix' A Realistic Evaluation of Self‑Replication Risk in LLM Agents - arXiv. The 2027 deadline provides enough time for significant progress, making the outcome uncertain and research-relevant. The resolution source (academic/public evaluation) is standard for frontier model tracking. However, 'publicly evaluated' could benefit from clearer definition in later stages (e.g., specific leaderboard or major lab report).

88 Will NIST publish a final (non-draft) standard, guideline, or special publication specifically addressing AI agent security by December 31, 2027? FILTERED

Rationale: The paper emphasizes the need for governance frameworks and institutional safeguards against autonomous AI systems. NIST launched its AI Agent Standards Initiative in February 2026 and issued an RFI on AI agent security in early 2026. Whether NIST moves from convening/drafting to publishing a final document is uncertain given NIST's historically lengthy publication timelines and the rapidly evolving nature of the technology. This question tracks a concrete institutional response directly relevant to the paper's defense framework.

Paper reference: Section 5's defense-in-depth framework highlights the need for regulatory frameworks and governance mechanisms. The paper discusses differential access, structured access frameworks, and security levels for AI systems - all areas where NIST standardization would be directly relevant.

Quality notes

The question is well-timed and addresses a high-uncertainty event. NIST launched the AI Agent Standards Initiative in February 2026, and typically, NIST Special Publications take 18-24 months to move from initial RFI/draft to a final version. A deadline of December 2027 provides a roughly 22-month window, which is a classic 'high-entropy' timeframe for NIST standards—neither guaranteed nor impossible. The resolution source (NIST CSRC) is highly reliable, and the question requires significant research into bureaucratic timelines and the complexity of AI agent security to forecast accurately.

88 Will there be a publicly reported case of unauthorized exfiltration or theft of frontier AI model weights (from a top-10 AI lab by compute spending) by December 31, 2027? FILTERED

Rationale: The paper devotes significant attention to model weight security as the primary 'Delay' mechanism against HACCA proliferation, noting that 'the most direct path to obtain HACCA-level capabilities is for a less-resourced actor to obtain HACCA-level model weights.' The RAND report on securing AI model weights identifies 38 distinct attack vectors. Whether a major weight theft actually occurs is a high-signal event for the paper's proliferation concerns. The question has genuine uncertainty - no confirmed public incident yet, but espionage attempts are widely reported, and the value of these weights as targets continues to grow.

Paper reference: Section 5 'Delay' subsection on 'Model Weight Security' extensively discusses the importance of preventing theft/leakage of model weights and references the Nevo et al. (2024) framework of security levels SL1-SL5. The paper notes that preventing weight theft would force actors to invest substantially more time and resources in independent development.

Quality notes

This is a strong forecasting question addressing a high-stakes, genuinely uncertain event. The concept of model weight theft is central to frontier AI security and AI governance. It is difficult to forecast because it requires evaluating the gap between state-actor capabilities and rapidly evolving security levels (SL1-SL5). The outcome has high entropy; while no public theft has occurred yet, the incentives for espionage are massive. The main potential data issue is the definition of 'top-10 AI lab by compute spending.' While entities like Epoch AI provide these rankings, the question would benefit from specifying a single authoritative source (e.g., 'according to the most recent Epoch AI tracker as of the resolution date') to prevent ambiguity. Despite this, the concept is excellent for a tournament.

88 Will the EU issue its first formal enforcement action or penalty under the AI Act's cybersecurity and robustness requirements (Article 15) against any provider by December 31, 2027? FILTERED

Rationale: The EU AI Act's high-risk AI system requirements, including Article 15 on accuracy, robustness, and cybersecurity, begin applying from August 2, 2026, with full high-risk obligations by August 2, 2027. The paper's discussion of AI cyber risks and regulatory responses makes this a natural policy milestone to track. Whether enforcement actions materialize within the first year of full applicability is uncertain — regulators may prioritize guidance over penalties initially, or they may act quickly to establish precedent.

Paper reference: The paper discusses policy and regulatory responses to AI cyber risks, including international frameworks. The EU AI Act represents the most concrete regulatory regime with cybersecurity-specific requirements for AI systems.

Quality notes

The question is well-timed, as Article 15 requirements for most high-risk AI systems (Annex III) become enforceable on August 2, 2026, while those embedded in regulated products (Annex I) follow on August 2, 2027. This provides a clear 12-18 month window for initial enforcement actions by the resolution date of December 31, 2027. The question is non-trivial because regulators (the EU AI Office and national authorities) may initially focus on 'soft' enforcement (guidance and warnings) rather than formal penalties. The event is genuinely uncertain (high entropy), verifiable through official EU Gazettes or AI Office announcements, and researchable via regulatory trends in GDPR enforcement which took time to ramp up. The probability is likely in the 20-70% range, making it a strong forecasting candidate.

88 Will the U.S. Department of Defense deploy at least one frontier AI model (from OpenAI, Anthropic, Google, or xAI) on a Top Secret/SCI classified network by December 31, 2027? FILTERED

Rationale: The paper discusses how U.S. intelligence agencies could establish public-private partnerships with domestic AI champions for cyber capabilities, citing the CDAO's partnerships. The Pentagon has awarded $200M contracts to each of OpenAI, Anthropic, Google, and xAI, and is actively pushing to deploy frontier AI on classified networks. However, significant technical, security, and bureaucratic hurdles remain — and the Anthropic contract was recently disrupted when DoD was given 180 days to remove Claude from its systems. Actual deployment on Top Secret networks is a higher bar than contract awards.

Paper reference: The paper specifically notes that 'U.S. or Chinese intelligence agencies could establish public-private partnerships with their own domestic champions in frontier AI, like the U.S. DoD has currently done with OpenAI, Google, Anthropic, and xAI' (citing CDAO announcements). It also discusses how such partnerships 'could let frontier AI companies give governments access to safeguard-free versions of cyber capabilities.'

Quality notes

This is an excellent forecasting question. It addresses a genuinely uncertain and high-stakes event with significant technical and bureaucratic hurdles. While $200M contracts were awarded to OpenAI, Google, and xAI in July 2025, and Anthropic was briefly deployed on classified networks, a March 2026 Pentagon memo ordered the removal of Anthropic's Claude within 180 days due to policy disagreements. This creates a high-entropy situation: will the DoD successfully transition to and deploy a different frontier model (like Grok or GPT-4) on JWICS by late 2027, or will security and policy friction cause further delays? The resolution is likely to be verifiable through CDAO announcements or defense news outlets, despite the classified nature of the networks.

88 Will the median time horizon for frontier AI models on METR's task-completion benchmark exceed 48 hours of equivalent human expert time by December 31, 2027? FILTERED

Rationale: The paper explicitly cites METR's work on measuring AI task-completion time horizons as a key indicator of progress toward HACCA-level capabilities, noting that cyber capabilities have been doubling every ~8 months. As of early 2026, METR reported time horizons were improving at ~10x/year (up from ~3x/year before 2024), and the benchmark was reportedly beginning to saturate. Whether frontier models reach 48-hour equivalent task autonomy is a direct upstream indicator of the feasibility of HACCAs, which would need to sustain operations over weeks to months. The 48-hour threshold is chosen to be non-trivial but plausible given current trends.

Paper reference: Section 2 ('When Could HACCAs Arrive?') cites METR's work on time horizons and capability doubling times, noting 'software engineering (doubling every 7 months) and cyber capabilities (doubling every 8 months)' and that 'HACCAs should be able to initiate and carry out sustained end-to-end offensive cyber operations without human supervision.'

Quality notes

The question is exceptionally well-structured, relying on a specific and measurable metric from an established source, METR, which provides regular updates on AI task horizons Time Horizon 1.1 - METR. As of early 2026, the median time horizon for leading models like Claude Opus 4.5 is approximately 5.3 hours (320 minutes) Time Horizon 1.1 - METR. The 48-hour threshold is non-trivial but plausible given reported doubling times of 4-7 months, creating high entropy Time Horizon 1.1 - METR. Research into scaling laws, hardware availability, and potential benchmark saturation would significantly improve a forecast, meeting the 'somewhat difficult' criterion. The resolution source is reliable and likely to persist through 2027.

88 Will at least three additional publicly documented cases of AI agents autonomously executing substantial portions (>50% of tactical operations) of cyber campaigns be reported by credible cybersecurity organizations by 31 December 2027? FILTERED

Rationale: The paper cites Anthropic's September 2025 disruption of the first reported AI-orchestrated cyber espionage campaign (where AI agents autonomously executed 80-90% of tactical operations) as a key early indicator. The question asks whether this was an isolated incident or the beginning of a trend. The paper argues that 'diffusion and more widespread adoption' will rise as costs decrease, but the timeline is uncertain. Three additional cases is a threshold that balances between 'almost certain' and 'very unlikely,' given that detection and public reporting of such campaigns involves significant lag and willingness to disclose.

Paper reference: Section citing Anthropic's disruption of AI-orchestrated cyber espionage campaign (September 2025), and the discussion of nation-state, non-state, and criminal adoption incentives for HACCA-like capabilities.

Quality notes

The question is high quality (Score: 88). It addresses a frontier development in cybersecurity (AI-orchestrated campaigns) with a clear, measurable threshold ('at least three additional cases'). The September 2025 Anthropic report provides a strong base rate, but the future trend remains genuinely uncertain and requires research into attacker incentives and detection capabilities. The resolution source (reports by 'credible cybersecurity organizations') is a standard and reliable criterion for such questions. It has high entropy as the outcome is not yet a certainty and reasonable forecasters could disagree on the pace of adoption.

88 Will North Korea-linked threat actors steal more than $3 billion in cryptocurrency in a single calendar year (2026 or 2027), as reported by Chainalysis or Elliptic, by 31 December 2027? FILTERED

Rationale: The paper highlights North Korea's $2 billion cryptocurrency theft in 2025 and argues that HACCA-like capabilities could enable nation-states to 'further automate and expand theft operations.' Chainalysis reported that North Korean hackers stole $2.02 billion in 2025 (a 51% year-over-year increase), pushing their all-time total to $6.75 billion. A $3 billion threshold for a single year represents roughly a 50% increase over 2025 levels — plausible if AI-enabled automation accelerates operations, but not certain as defensive measures and exchange security also improve. This tracks whether AI-augmented cyber operations translate into measurable financial impact at nation-state scale.

Paper reference: Section on nation-state incentives for HACCA development: 'North Korea, which stole over $2 billion in cryptoassets in 2025, could use such capabilities to further automate and expand theft operations.'

Quality notes

The question is well-structured and focuses on a high-uncertainty, high-impact event with clear resolution sources (Chainalysis/Elliptic). Data from 2025 indicates a record-breaking $2.02 billion stolen by North Korean actors, a 51% year-over-year increase. A $3 billion threshold for 2026 or 2027 is a challenging but plausible benchmark given the growth trajectory and the potential for AI-enabled automation (HACCA) to scale operations. The 5%-95% probability range is satisfied as defensive improvements and market volatility could just as easily lead to a plateau or decline. Research into North Korean cyber tactics and crypto market security would significantly refine a forecast.

88 Will any publicly evaluated AI model achieve a 50%-reliability task-completion time horizon of at least 100 hours on METR's time-horizon benchmark by December 31, 2027? FILTERED

Rationale: The paper identifies task-time horizon as a key metric for predicting HACCA emergence, estimating that a one-month horizon is needed for full HACCA operations, with arrival projected around Q4 2028–Q2 2030. METR's benchmark is the standard measurement tool cited in the paper. As of early 2026, Claude Opus 4.6 achieved approximately 14.5 hours. With the observed doubling time of ~7 months, reaching 100 hours (~3 doublings from 14.5h) would require roughly 21 months, placing it around late 2027—making this a non-trivial threshold that could plausibly go either way.

Paper reference: Section 3 discusses METR task-time horizon doubling times of 7-8 months, 50% reliability thresholds, and the gap between current capabilities and the one-month horizon needed for HACCA operations. The paper cites METR's 'How Does Time Horizon Vary Across Domains?' and Kwa et al., 'Measuring AI Ability to Complete Long Tasks.'

Quality notes

The question is well-structured and focuses on a key industry-standard metric (METR's time-horizon). It is genuinely difficult, requiring analysis of AI scaling laws, architectural shifts (e.g., towards reasoning models), and historical doubling times (currently ~7 months). The target of 100 hours by late 2027 is a 'high-entropy' threshold because, based on current trajectories, it is projected to be reached around late 2027, making the outcome highly uncertain. METR is a reliable and active evaluation body, though the 'publicly evaluated' condition handles potential disclosure delays. Score: 88.

88 Will the UK AI Security Institute (AISI) publish evaluation results showing that a frontier AI model can autonomously complete a multi-step cyber attack chain (comprising reconnaissance, exploitation, and privilege escalation) in a realistic test environment, by December 31, 2027? FILTERED

Rationale: The paper details how HACCAs require competence across multiple cyber operation phases. UK AISI has been systematically evaluating frontier model cyber capabilities and publishing results, including through its Frontier AI Trends Report. The NCSC has also signaled that 'cyber defenders need to be ready for frontier AI.' This question tracks whether the defensive community formally documents a model achieving end-to-end autonomous attack capability—a critical upstream indicator of HACCA feasibility.

Paper reference: The paper's Section 3 discusses the five core HACCA tactics and emphasizes that HACCAs 'would only become feasible once the slowest-progressing capability reaches the necessary threshold.' The paper cites the AISI Frontier AI Trends Report as a key source for tracking cyber capability progress.

Quality notes

This is a high-quality technical forecasting question with clear resolution criteria. The UK AI Security Institute (AISI) is a reliable and active publisher of such results, and their 'Frontier AI Trends Report' series provides a stable data source. Current research (as of early 2026) indicates that while frontier models can complete many steps of a cyber attack chain, they still struggle with complex, end-to-end autonomous execution in realistic environments (e.g., completing 22/32 steps). Tracking whether they bridge this gap (including privilege escalation) by 2027 is a critical indicator of AI safety. The question is difficult, researchable, and has high entropy given the rapid but non-linear progress in agentic capabilities.

88 Will any frontier AI model achieve a score above 50% on the full RepliBench benchmark by December 31, 2027? FILTERED

Rationale: RepliBench, introduced by the UK AI Safety Institute in April 2025, measures autonomous replication capabilities of AI agents — including compute provisioning, KYC navigation, and self-replication. The paper's Tactic 4 (Evade Detection and Shutdown) discusses replication as a core strategy for HACCA persistence. Whether models cross 50% on this benchmark is uncertain: current frontier models show partial capability on individual subtasks but struggle on the full pipeline.

Paper reference: The paper extensively discusses self-replication as a shutdown evasion tactic (pp. 43-44), including 'burst replication,' dormant backups, and model distillation for smaller deployable copies. RepliBench (footnote 92) is cited for measuring agent ability to provision compute.

Quality notes

This is a strong question focused on a critical capability (autonomous replication). RepliBench is a recognized benchmark from a high-quality source (UK AI Safety Institute). The 50% threshold on the 'full benchmark' is a meaningful hurdle, as models currently excel at subtasks but fail at integrated end-to-end replication. The timeline to late 2027 is appropriate given current progress. One minor uncertainty is the exact definition of 'full benchmark' score (e.g., mean of domains vs. success on a specific composite task), which can be clarified in stage 03 refinement, but the concept is solid and highly relevant to AI risk.

88 Will AI-based tools be credited with the autonomous discovery of more than 50 previously unknown vulnerabilities (assigned CVE IDs) across all software projects in calendar year 2027? FILTERED

Rationale: The paper discusses how HACCAs could 'overwhelm defenders by discovering and exploiting vulnerabilities faster than human teams can triage them.' A concrete upstream indicator of this capability is the rate at which AI tools autonomously discover real-world vulnerabilities. AISLE's autonomous analyzer found all 12 OpenSSL CVEs in January 2026, and Anthropic reported finding 500 zero-days in controlled testing. The transition from lab demonstrations to credited real-world CVE discovery at scale is a key inflection point for the offense-defense balance.

Paper reference: The paper states HACCAs could 'overwhelm defenders by discovering and exploiting vulnerabilities faster than human teams can triage them, breaking the current operational tempo of vulnerability management.' It also compares HACCAs to 'a system that facilitates discovery of zero-days rather than a zero-day itself' (footnote 179).

Quality notes

The question is well-timed and addresses a significant trend in AI cybersecurity. It is non-trivial, as recent benchmarks (AISLE's discovery of 12 OpenSSL CVEs in Jan 2026) suggest that 50 CVEs in a year is a challenging but plausible milestone by 2027. The resolution source (CVE IDs) is highly reliable. Uncertainty exists around the formal 'credit' process, as CVEs are typically assigned to entities, but the rationale provides a clear path for verification (autonomous discovery). It meets the criteria for high entropy and difficulty.

88 Will an AI agent or system achieve a greater than 90% success rate on the CAIBench multi-stage cyber range attack evaluation category (or equivalent standardized multi-host network penetration benchmark) by December 31, 2027? FILTERED

Rationale: The paper cites CAIBench and discusses how scaffolded AI agents significantly outperform unscaffolded versions in cyber range evaluations. Tracking performance on standardized cybersecurity benchmarks is a direct upstream indicator of HACCA-relevant capabilities. The 90% threshold on multi-stage attacks (not simple CTFs) is calibrated to be ambitious but plausible given rapid improvement trends — XBOW already showed dramatic gains with GPT-5 scaffolding in 2025.

Paper reference: The paper cites CAIBench (footnote 123) as evidence that 'models with cyber offensive scaffolding significantly outperform their unscaffolded versions' and discusses how 'even newer model versions can be outperformed by older models with improved scaffolding' (footnote 124, citing Incalmo).

Quality notes

This is a high-quality forecasting question. It uses a specific, ambitious, and measurable benchmark (CAIBench) that is actively cited in frontier AI research. Current performance on complex multi-stage 'Cyber Range' tasks is relatively low (approx. 20-40% success as of late 2025/early 2026), making a 90% target by late 2027 a genuinely uncertain and 'high entropy' event. The question is difficult, requiring forecasters to track progress in scaffolding and agentic planning. It avoids the transparency issues of internal lab reporting by using an external, verifiable benchmark.

86 Will at least 3 additional publicly documented cases of AI-orchestrated or AI-autonomous cyber intrusion campaigns (beyond the Anthropic November 2025 report) be reported by credible cybersecurity organizations or government agencies by December 31, 2027? FILTERED

Rationale: Anthropic's November 2025 report documented the first known AI-orchestrated cyber espionage campaign. The paper predicts HACCAs will intensify cyber competition and become accessible to more threat actors. Tracking the frequency of documented AI-autonomous cyber campaigns is a direct upstream indicator of HACCA-like capabilities emerging in the wild. The threshold of 3 additional cases is calibrated to be non-trivial — the trend is concerning but we don't yet know the pace of escalation.

Paper reference: Section 4 states 'HACCAs almost certainly will intensify cyber competition, improving intelligence collection and making degradation and destruction more technically achievable, as well as more widespread.' The paper also references Anthropic's report on 'Disrupting the first reported AI-orchestrated cyber espionage campaign.'

Quality notes

The question addresses a high-difficulty, high-entropy topic with clear real-world stakes. The existence of the Anthropic November 2025 report (GTG-1002) provides a concrete baseline for what 'AI-orchestrated' entails, reducing the risk of purely semantic disputes. Researching the 'first' case shows it involved autonomous agentic behaviors rather than just simple LLM-assisted coding, making the '3 additional cases' threshold a non-trivial and challenging forecast. The resolution source (credible cybersecurity reports) is reliable, though refinement will need to define 'credible' and 'AI-orchestrated' precisely to avoid ambiguity. The 2027 deadline allows enough time for a trend to emerge or stall.

85 Will the United Nations Convention against Cybercrime receive at least 10 ratifications (not just signatures) by December 31, 2027? FILTERED

Rationale: The paper discusses the UN Cybercrime Convention as a potential mechanism for cross-border prosecution of HACCA-related crimes, noting it 'may facilitate cross-border prosecution of HACCA-related crimes through enhanced procedural cooperation' when it enters into force. As of March 2026, 74 countries have signed but only Qatar has ratified. The convention needs 40 ratifications to enter into force. Reaching even 10 ratifications by end of 2027 is non-trivial — ratification requires domestic legislative processes that vary widely. This question tracks an important legal governance milestone relevant to autonomous cyber capability regulation.

Paper reference: Section on the UN Cybercrime Convention (p. 107-108): 'The U.N. Cybercrime Convention, when it enters into force, may facilitate cross-border prosecution of HACCA-related crimes through enhanced procedural cooperation'

Quality notes

The question is well-defined and identifies a non-trivial milestone for a major international treaty. As of April 2026, the convention has 74 signatories but only 2 ratifications (Qatar and Vietnam), making the threshold of 10 by end-2027 a meaningful and uncertain target. The resolution source (UN Treaty Collection) is highly reliable. The timeline is appropriate for domestic legislative processes.

85 Will at least three major AI labs (out of OpenAI, Anthropic, Google DeepMind, Meta, and xAI) publicly commit to conducting and publishing results of pre-deployment offensive cyber capability evaluations for their frontier models by December 31, 2027? FILTERED

Rationale: The paper's first recommendation is to 'track and forecast real-world HACCA progress and proliferation' through capability evaluations. The Frontier Model Forum has been developing cyber capability assessment frameworks. As of 2025-2026, some labs conduct internal evaluations, but standardized public reporting of offensive cyber capability evaluations remains inconsistent. Whether a critical mass of labs commits to transparent pre-deployment cyber evaluations is a key indicator of industry self-governance in the HACCA risk space. There is real uncertainty given competitive pressures and varying approaches to transparency.

Paper reference: Section 7, Recommendation I: 'Policymakers should monitor capability evaluations across operational and offensive cyber domains to get snapshots of current AI system capabilities.' Also Section 6 on pre-deployment testing to 'detect alignment and robustness issues.'

Quality notes

The question addresses a critical governance uncertainty in the AI industry. While some labs (like Anthropic with its Claude 4.6 System Card) are already beginning to publish cyber-specific evaluations, there is no industry-wide standard for 'publicly committing to publishing' these results for all future frontier models. Significant disagreement exists among labs regarding transparency (e.g., Anthropic's 'Mythos' and the Frontier Model Forum's internal intelligence sharing versus public disclosure). The 'three out of five' threshold creates a high-entropy scenario where the outcome is not guaranteed, and the December 2027 deadline allows for sufficient time for policy shifts or competitive pressures to manifest. The resolution depends on public announcements, which are verifiable but require careful monitoring.

85 Will NIST publish a final (non-draft, non-preliminary) version of the Cybersecurity Framework Profile for Artificial Intelligence (NIST IR 8596) by December 31, 2027? FILTERED

Rationale: The paper emphasizes that HACCA deployment depends partly on the regulatory and defensive landscape. NIST published a preliminary draft of the Cyber AI Profile in December 2025, with public comments closing January 30, 2026. This framework is significant because it would establish official US cybersecurity guidelines for AI systems—directly relevant to defenses against autonomous cyber agents. NIST finalization timelines are notoriously variable, and the novel complexity of AI cybersecurity could cause delays, making the timeline uncertain.

Paper reference: The paper discusses the importance of defensive measures, detection capabilities, and the role of infrastructure providers in controlling HACCA deployments. The NIST Cyber AI Profile directly addresses the regulatory/defensive ecosystem the paper identifies as crucial to HACCA feasibility.

Quality notes

This is a strong forecasting question because it targets a specific, measurable milestone in AI policy. NIST timelines for finalization are often long and subject to administrative delays, creating genuine uncertainty (high entropy). The draft was released in late 2025, and a final version by late 2027 is a plausible but non-guaranteed window. It is objectively resolvable via NIST's public publication record. Research into NIST's typical 'Initial Preliminary Draft' to 'Final' cycle (often 18-24 months) would directly inform and refine a forecast.

85 Will the open-source cyber reasoning systems (CRSs) released from the DARPA AIxCC competition be integrated into or formally adopted by at least one major open-source software project or Linux distribution's security toolchain by December 31, 2027? FILTERED

Rationale: The paper emphasizes automated vulnerability discovery and patching as a critical defensive measure against HACCAs, and specifically references DARPA's AI Cyber Challenge. The AIxCC concluded in August 2025 with Team Atlanta winning, and the 7 finalist teams committed to releasing their CRSs as open source. The real-world impact of these systems depends on whether they get adopted into production security workflows. This question tracks a concrete downstream effect of a specific initiative the paper highlights, measuring whether defensive AI tools actually diffuse to 'under-resourced defenders' as the paper recommends.

Paper reference: The paper's Recommendation III discusses automated vulnerability discovery and patching and specifically references DARPA's AI Cyber Challenge (footnote 321) as a funded R&D program for AI-assisted cyber defense.

Quality notes

This question tracks the real-world impact of a major DARPA initiative. It is timely, as the AIxCC competition concluded in August 2025 and the 'OSS-CRS' framework (incorporating competition tech) officially joined the Open Source Security Foundation (OpenSSF) in April 2026. This move toward formal industry stewardship provides a clear pathway for adoption. The criteria (integration into a major project or Linux toolchain) are specific and measurable through public GitHub repositories, mailing lists, and distribution manifests. The question is difficult because it involves tracking a technical diffusion process that is not guaranteed to succeed, thus maintaining high entropy. Disagreement is possible regarding what constitutes 'formal adoption' vs. 'experimental use,' though refinement can clarify this.

85 Will a frontier AI model achieve a greater than 80% success rate on an expert-level offensive cybersecurity Capture-the-Flag (CTF) benchmark by December 31, 2027? FILTERED

Rationale: The HACCA paper extensively discusses the advancing autonomous cyber capabilities of AI systems and the transition toward highly autonomous cyber-capable agents. Tracking capability benchmarks is a key upstream indicator. Reports indicate that frontier models scored near-zero on expert-level offensive security challenges until mid-2025 but reached approximately 60% by late 2025, showing rapid improvement. An 80% threshold creates meaningful uncertainty about whether this trajectory continues or plateaus, making it a non-trivial forecasting question that directly informs the paper's core concern about when HACCA-level capabilities become feasible.

Paper reference: Section 5 ('Defense-in-Depth Against HACCA Operations') discusses the need to delay proliferation of HACCA capabilities, implying that the timeline for when AI reaches autonomous offensive cyber competence is a crucial variable. The paper's framing of HACCAs as systems capable of conducting multi-step cyber operations autonomously makes offensive CTF performance a directly relevant capability benchmark.

Quality notes

The question addresses a critical and rapidly evolving capability in AI. Current data from April 2026 indicates that 'frontier' models like Claude Mythos Preview have already reached an 83.1% success rate on the CyberGym benchmark (vulnerability reproduction). This suggests the 80% threshold may be reached sooner than late 2027, potentially reducing entropy if not refined to a more difficult benchmark (e.g., expert-level multi-step CTFs like Cybench where current performance is lower). However, as a proto-question, the concept is strong, difficult to forecast precisely without deep technical research, and targets a genuinely uncertain capability frontier. The resolution source (academic or industry benchmarks) is generally reliable.

85 Will any frontier AI lab (OpenAI, Anthropic, Google DeepMind, or Meta) publicly claim or receive independent verification of meeting Security Level 4 (SL4) or higher standards for protecting AI model weights by December 31, 2027? FILTERED

Rationale: The paper specifically recommends that HACCA systems 'should be deployed and tested in SL4 or SL5 facilities' and describes detailed security requirements at these levels including 'isolated weight storage with TEMPEST protection, cluster-level confidential computing, zero-trust architecture.' The RAND report on securing AI model weights defined these security levels, and the IFP has proposed a 'national AI security sprint' toward SL5. Whether any lab actually achieves and verifies SL4 is a crucial indicator of the AI industry's security posture against state-level adversaries.

Paper reference: The paper states that 'robust security of the HACCA's model weights and infrastructure is essential to prevent theft or unauthorized modification, and such systems should be deployed and tested in SL4 or SL5 facilities,' citing Nevo et al.'s RAND report 'A Playbook for Securing AI Model Weights.'

Quality notes

This is a strong question focused on the implementation of advanced security standards in the AI industry. It is highly non-trivial because current reports (as of 2025/2026) suggest that no major lab has yet met SL3, let alone SL4, which requires 'maximum safeguards' against state-level adversaries. The 2027 deadline provides a meaningful timeframe for labs to attempt compliance with frameworks like RAND's 'Securing AI Model Weights.' One minor concern is the 'independent verification' mechanism; while the question identifies labs and the RAND standard, there is currently no formal, universally recognized 'SL4 certification body.' This adds a layer of complexity to resolution, though 'public claims' or 'independent verification' (e.g., by METR or safety institutes) are plausible resolution events.

85 Will NIST publish a final (non-draft) version of the Cybersecurity Framework Profile for Artificial Intelligence (IR 8596) by December 31, 2026? FILTERED

Rationale: The paper emphasizes the need for defenders to integrate AI tools and for policymakers to support trailing-edge organizations. NIST's Cyber AI Profile is the most significant U.S. government framework guiding organizations on managing AI-related cybersecurity risks. The preliminary draft was published December 16, 2025, with public comments closing January 30, 2026. Whether NIST can finalize this within 2026 — given its typical multi-year publication cycles and the complexity of the AI-cyber intersection — is genuinely uncertain and would signal institutional readiness for AI-era cybersecurity governance.

Paper reference: The paper argues that 'companies and policymakers need to make a concerted effort to support under-resourced defenders' and that defensive adoption 'will likely unfold unevenly across sectors.' NIST frameworks are a key mechanism through which such support is operationalized, as they set standards that cascade through federal procurement and industry adoption.

Quality notes

This is a high-quality forecasting question. The resolution is unambiguous and depends on a reliable source (NIST publication). It is genuinely uncertain: while NIST plans to release an 'initial public draft' in 2026 following the preliminary draft (December 2025), their publication cycles for Interagency Reports (IRs) often span multiple years from draft to final version. The question addresses 'institutional readiness' for AI governance, a key theme in the paper's discussion on supporting under-resourced defenders. Forecasters would need to weigh NIST's historical timelines against the political and technical urgency of AI cybersecurity.

85 Will at least three of the four Frontier Model Forum member companies (Google DeepMind, OpenAI, Anthropic, Microsoft) publish dedicated cyber capability evaluations as part of their model release processes for all new frontier models released after July 1, 2026? FILTERED

Rationale: The HACCA paper emphasizes proliferation risks and the need for better evaluation of AI cyber capabilities. The Frontier Model Forum published a report on 'Managing Advanced Cyber Risks in Frontier AI Frameworks' in February 2026, identifying advanced cyber threats as a key risk. Anthropic has already demonstrated detailed offensive cyber evaluations in its Mythos Preview release [f53e8c], using tiered severity assessments. This question tracks whether the industry norm shifts toward mandatory cyber capability disclosure during model releases—a critical mitigation the paper implicitly calls for. Whether three of four firms consistently publish such evaluations for all frontier models is genuinely uncertain.

Paper reference: The paper discusses how early HACCAs would require frontier AI capabilities and notes that 'leading intelligence agencies cannot build best-in-class foundation models on their own.' The proliferation section calls for more research into HACCA capabilities. Whether frontier AI labs systematically evaluate and disclose cyber capabilities is a key upstream indicator of responsible development.

Quality notes

The question addresses a critical and uncertain policy shift in the AI industry. With the recent release of Claude Mythos Preview (April 2026) and its accompanying cyber evals, there is a clear precedent, but it is uncertain if other Frontier Model Forum members will follow suit for all future models. The criteria (3 of 4 companies) and the deadline (July 2026 onwards) provide high entropy and significant room for research-based disagreement. The resolution source (official company releases/FMF reports) is reliable.

84 Will NIST publish a final (non-draft) version of the Cybersecurity Framework Profile for Artificial Intelligence (NIST IR 8596) by December 31, 2027? FILTERED

Rationale: The paper references NIST and cybersecurity frameworks extensively. NIST published a preliminary draft of IR 8596 (the 'Cyber AI Profile') in December 2025, with public comments closing January 30, 2026. Whether NIST finalizes and publishes this profile is a key regulatory milestone for AI cybersecurity governance. The timeline for finalization is uncertain — NIST frameworks sometimes take years to finalize, but the urgency of AI cybersecurity could accelerate this. This question has a plausible range of outcomes.

Paper reference: The paper references NIST (e.g., CVE details) and multiple cybersecurity governance frameworks. NIST IR 8596 directly addresses the intersection of AI and cybersecurity that is central to the paper's concerns about autonomous cyber-capable agents.

Quality notes

This is a strong policy/governance question with a clear, binary resolution condition. NIST is an extremely reliable source, and the timeline (late 2027) provides a balanced window for a draft published in late 2025. The question has good entropy: while AI is a priority for the US government, NIST processes can be notoriously slow, creating a genuine 5-95% probability range. It requires forecasters to track regulatory signals and agency-specific historical timelines.

84 Will NIST publish a formal standard, guideline, or special publication specifically addressing AI agent identity and authorization by December 31, 2027? FILTERED

Rationale: The paper emphasizes that KYC verification and identity controls are key barriers preventing autonomous AI agents from acquiring compute and financial resources. NIST launched its AI Agent Standards Initiative in February 2026, with an RFI process that closed in March 2026. Whether NIST moves from concept paper to a published standard/guideline by end of 2027 is genuinely uncertain — NIST standards processes often take years, but the urgency of the AI agent security problem may accelerate timelines.

Paper reference: The paper discusses how HACCAs could circumvent KYC measures to acquire compute (Table 6) and financial resources, and how current identity verification frameworks are key defensive barriers against autonomous agent operations.

Quality notes

This is a strong forecasting question. It focuses on a concrete regulatory output (NIST standard) with a clear trigger event (the AI Agent Standards Initiative launched in February 2026). The timeline (end of 2027) is well-calibrated; NIST processes are notoriously slow but can be accelerated by high-priority mandates, creating genuine uncertainty (high entropy). The resolution source (NIST publications) is authoritative and reliable. The direct link to identity/authorization (KYA) maps well to the paper's focus on circumventing KYC/identity barriers.

82 Will NIST publish a formal standard or guidelines document (not just a concept paper or RFI) under its AI Agent Standards Initiative specifically addressing security of autonomous AI agents by December 31, 2027? FILTERED

Rationale: The paper highlights the strategic importance of securing against autonomous AI agents capable of independent action in cyber operations. NIST launched its AI Agent Standards Initiative in February 2026 and issued an RFI on AI agent security that closed in March 2026. Whether this initiative produces formal, published standards within the next ~20 months is a meaningful upstream indicator of institutional response to the risks the paper describes. The outcome is uncertain because standards processes can be slow, but there is clear momentum.

Paper reference: The paper discusses the need for security levels (e.g., SL4 from RAND's 'Securing AI Model Weights') to protect against autonomous cyber-capable agents and references the importance of institutional frameworks for managing risks from HACCAs.

Quality notes

This is a strong institutional-response question. It leverages a real-world initiative (NIST's AI Agent Standards Initiative) and a specific recent milestone (March 2026 RFI). The timeline (Dec 2027) is well-calibrated; standards usually take 18-36 months, making a 22-month window for a formal guideline a challenging but plausible outcome. It avoids data issues as NIST publications are public and authoritative. The distinction between 'concept paper' and 'formal guidelines' provides necessary resolution clarity. Score: 82.

82 Will any country or multilateral body (e.g., EU, G7, UN) adopt a binding regulation or treaty provision that specifically restricts or mandates oversight of autonomous AI agents used in offensive cyber operations by December 31, 2027? FILTERED

Rationale: The paper argues that 'early action by policymakers can steer this mainline trajectory of intensified cyber operations in a more stable direction' and calls for 'novel governance mechanisms.' California's SB-53 (effective January 2026) regulates frontier AI but does not specifically target autonomous cyber agents. The question is whether international or national regulatory bodies will take the more specific step of regulating autonomous offensive cyber AI. This is plausible given growing concern but faces significant coordination challenges.

Paper reference: Section 4 states 'policymakers should prepare for two potential strategic surprises: inadvertent cyber-nuclear escalation, and sustained loss of control over rogue HACCA deployments' and calls for 'novel governance mechanisms and response capabilities for scenarios that may lack clear historical precedents.'

Quality notes

This is a strong forecasting question (score: 82) that addresses a critical and uncertain policy gap. It is difficult because it requires tracking slow-moving international negotiations where 'national security' exemptions are common. For instance, the Council of Europe's 2024 AI Treaty and the EU AI Act both contain significant carve-outs for military and national security uses, making a 'binding' restriction on offensive cyber agents a high-bar event. The question has high entropy as there is a genuine debate between 'early steering' for stability and the 'arms race' pressure to avoid regulation. The main risk is linguistic ambiguity: determining if a regulation is 'specific' enough to meet the criteria may require careful resolution wording. Current status: The UN Convention against Cybercrime (adopted Dec 2024) focuses on cybercrime generally rather than autonomous offensive agent oversight.

82 Will a major cloud provider (AWS, Microsoft Azure, or Google Cloud) announce a dedicated policy or product feature specifically designed to detect and prevent unauthorized AI agent workloads (such as LLMjacking or autonomous agent compute theft) by December 31, 2027? FILTERED

Rationale: The paper identifies credential theft and compute siphoning as primary avenues for HACCAs to acquire compute, noting existing LLMjacking and cryptojacking cases. Cloud providers are the key defensive actors. As of early 2026, cloud security focuses on general anomaly detection, but no major provider has announced a product specifically targeting unauthorized AI agent workloads. Given the rapid growth of LLMjacking incidents and the NIST AI agent standards initiative, a dedicated response from at least one major provider is plausible but not certain by end of 2027.

Paper reference: The paper discusses how HACCAs would steal compute from cloud providers via credential theft (pp. 37-38), references LLMjacking (footnote 97), cryptojacking (footnote 96), and notes that 'HACCAs may expose themselves to detection and shutdown by triggering cloud provider anomaly detection systems' (footnote 98).

Quality notes

The question addresses a specific emerging threat ('LLMjacking') already recognized by security researchers and cloud providers. While major providers like AWS (via GuardDuty) and Microsoft (via Defender/Foundry) have already begun rolling out 'AI workload' or 'AI agent' security features, the question specifically asks for a 'dedicated policy or product feature' designed to prevent 'unauthorized AI agent workloads.' Current products often frame this under broader 'AI Security Posture Management' (AI-SPM) or 'Shadow AI' detection. The NIST AI Agent Standards Initiative (launched Feb 2026) provides a credible catalyst for such products to be formalized by late 2027. There is high entropy because providers might stick to general anomaly detection rather than a named 'LLMjacking' feature. It is researchable by monitoring cloud release notes (e.g., AWS What's New) and industry standards development.

82 Will the Hack The Box AI Range (or a comparable standardized AI cyber-agent evaluation platform) be formally adopted as part of pre-deployment safety evaluations by at least two frontier AI labs by 31 December 2027? FILTERED

Rationale: The paper emphasizes the difficulty of evaluating AI cyber capabilities and notes that 'a major evidence gap stems from the difficulty of reliably assessing AI cyber capabilities.' Hack The Box launched its AI Range in 2026 as the first controlled environment for benchmarking autonomous security agents, and the UK AISI has released cyber agent evaluation ranges. This question tracks whether the ecosystem moves from ad hoc evaluation to standardized pre-deployment testing — a critical institutional response to the risks the paper describes. Adoption by frontier labs is plausible given regulatory pressure but uncertain given competitive incentives.

Paper reference: The paper's discussion of evaluation approaches for HACCA-relevant capabilities (Appendix II reference), the UK AISI's cyber task-time horizon measurements, and the broader emphasis on measuring offensive cyber capabilities of AI systems.

Quality notes

This is a strong question that tracks the professionalization of AI safety. Hack The Box launched its 'AI Range' in early 2026, and labs like Anthropic and OpenAI have already begun using HTB environments for research evaluations. The term 'formally adopted' is the main point of uncertainty; it requires labs to move beyond ad-hoc research use to standardized, recurring pre-deployment checks. The inclusion of 'comparable standardized platform' (like UK AISI's Inspect Cyber) prevents the question from being too narrow while maintaining the core concept. Forecasters will need to research lab safety frameworks (e.g., RSPs and FSFs) to see if these specific tools are integrated into their 'if-then' commitments.

82 Will XBOW's autonomous penetration testing platform achieve a contract or formal deployment agreement with a US federal government agency by December 31, 2027? FILTERED

Rationale: The paper highlights autonomous AI-powered penetration testing as a key defensive capability that could make security testing affordable for under-resourced organizations. XBOW raised $120M in Series C funding in March 2026 at a $1B+ valuation, demonstrating significant commercial momentum. Whether this technology transitions from private-sector use to government adoption is a meaningful indicator of how quickly AI-enabled offensive security testing scales to protect critical infrastructure, a key concern in the paper.

Paper reference: The paper discusses XBOW's autonomous AI-powered penetration testing system, noting it matched a principal pentester's performance in 28 minutes versus 40 hours, and highlights the potential for such systems to make red teaming affordable to under-resourced organizations.

Quality notes

This is a high-quality forecasting question because it tracks the transition of a cutting-edge autonomous technology from the private sector to highly regulated government environments. XBOW (the AI penetration testing startup founded by Oege de Moor) reached unicorn status with a $120M Series C in March 2026, showing significant momentum. While they are integrated with Microsoft's ecosystem, a formal federal contract represents a major milestone with high uncertainty due to FedRAMP and security clearance requirements. The question is non-trivial, as government adoption of autonomous offensive tools is controversial and complex. Potential confusion with 'X-Bow Systems' (a rocket motor company with existing DoD contracts) must be clarified in the final question text to avoid resolution issues.

82 Will the UN Global Mechanism on ICT Security (the permanent successor to the OEWG) produce a formal output document that explicitly addresses risks from autonomous AI systems in cyberspace by December 31, 2027? FILTERED

Rationale: The paper calls for states to identify and agree on redlines for HACCA development through multilateral fora like the UN GGE and OEWG. The OEWG ended in 2025 and has been succeeded by a new permanent 'Global Mechanism' that launched its organizational session in March 2026 with first substantive plenary in July 2026. Whether this body will specifically address autonomous AI cyber capabilities in its outputs is uncertain — cybersecurity negotiations are slow, but AI is an increasingly prominent topic. This tracks the paper's call for international governance of autonomous cyber operations.

Paper reference: Section on Global Governance Mechanisms (p. 110-111): calls for states to agree on redlines 'consistent with existing laws and norms on responsible state behavior in cyberspace, developed through the United Nations Group of Governmental Experts (UN GGE) and Open-Ended Working Group'

Quality notes

The question is well-timed and targets a significant development in international cyber governance. The transition from the OEWG to the permanent 'Global Mechanism' (starting in 2026) is a matter of record, but the specific inclusion of 'autonomous AI' risks in consensus-based UN output documents is genuinely uncertain and subject to intense diplomatic negotiation. The question has high entropy as consensus is difficult to reach, and it avoids data issues by relying on publicly available UN General Assembly/Global Mechanism reports. The 2027 deadline allows for multiple annual reporting cycles, making research into member state submissions (e.g., from the G77, EU, or BRICS) highly relevant for forecasting.

82 Will the percentage of organizations reporting air-gapped OT/ICS safety systems exceed 25% in the SANS Institute's next State of ICS/OT Cybersecurity survey published after January 1, 2026? FILTERED

Rationale: The HACCA paper specifically notes that 'only 16% of organizations in a recent survey had air-gapped OT/safety systems,' citing the SANS 2024 survey. This is directly relevant to the paper's argument that cyber-physical attacks on industrial systems are feasible because air-gapping is inconsistently applied. Tracking whether this percentage increases is a concrete upstream indicator of industrial cybersecurity hardening against the autonomous cyber-physical attack scenarios the paper describes. The 25% threshold represents meaningful improvement from the 16% baseline without being unrealistically high.

Paper reference: The paper states 'only 16% of organizations in a recent survey had air-gapped OT/safety systems (SANS Institute, SANS 2024 State of ICS/OT Cybersecurity)' and argues that inconsistent air-gapping creates exploitable attack surfaces for HACCAs targeting cyber-physical systems.

Quality notes

This is a solid forecasting question based on a specific, reputable industry benchmark (SANS Institute). The 16% baseline from 2024 is documented, and the 25% threshold represents a meaningful shift in industry practice. The question targets the 'next' survey after January 2026, likely the late 2026 or 2027 edition, providing a good lead time for trends to develop. While the topic is somewhat niche, it is genuinely uncertain due to the tension between increasing security (favoring air-gapping) and the push for IT/OT convergence (which reduces air-gapping). The data source is reliable and has a consistent annual publication schedule.

78 Will at least one frontier AI developer implement a formal differential access program that provides privileged AI-powered cybersecurity capabilities to vetted critical infrastructure defenders by December 31, 2027? FILTERED

Rationale: The paper discusses differential access as a key strategy for tilting the offense-defense balance toward defenders. IAPS has published research on differential access, and the White House AI Action Plan encourages critical infrastructure to adopt AI-enabled cyber defense tools. However, no formal differential access program has been publicly launched yet. This question tracks whether the concept moves from research proposal to implementation, which has genuine uncertainty given commercial incentives, liability concerns, and the complexity of vetting mechanisms.

Paper reference: Section 5 'Delay' subsection on 'Differential Access' describes a tiered framework (Promote Access / Manage Access / Deny by Default) from Ee et al. (2025) for governing availability of AI-enabled cyber capabilities, and notes that differential access 'must clearly tackle specific risks' to succeed.

Quality notes

This question addresses a high-impact policy development with strong grounding in recent strategic documents like the 'America's AI Action Plan' (2025) and IAPS research Policy Actions for Enabling Cyber Defense Through Differential Access. It captures a non-trivial shift from theoretical safety frameworks to practical implementation. It has high entropy because it involves complex multi-stakeholder decisions between frontier labs, critical infrastructure operators, and government vetted programs Policy Actions for Enabling Cyber Defense Through Differential Access. The score is slightly lower than the METR question only because 'formal program' may require more specific operational definitions during refinement to avoid resolution disputes regarding private or ad-hoc partnerships. However, the core concept is excellent for forecasting.

78 Will NIST publish a finalized (non-draft) version of its Cybersecurity Framework Profile for Artificial Intelligence (NIST IR 8596) by December 31, 2027? FILTERED

Rationale: The HACCA paper emphasizes that 'companies and policymakers should conduct more research into HACCA proliferation speed and pathways to better calibrate the urgency of bolstering their defenses.' NIST published a preliminary draft of its Cyber AI Profile (IR 8596) in December 2025, providing guidelines for managing cybersecurity risks related to AI systems. Whether this framework gets finalized is an important institutional indicator of how quickly the U.S. government is formalizing standards for AI cybersecurity risk management. NIST frameworks often take 1-3 years from draft to final, making a 2027 resolution date uncertain enough to be interesting.

Paper reference: The paper's proliferation dynamics section argues for more research and better calibration of defenses. NIST's Cyber AI Profile directly addresses the institutional response to AI-enabled cyber risks that the paper describes.

Quality notes

This is a good, acceptable question (Score: 78). It targets a specific institutional milestone (NIST final publication) following the release of the initial preliminary draft in December 2025. The two-year window for finalization is appropriate for NIST's typical 1-3 year cycle, creating reasonable uncertainty. While less 'high-stakes' or politically contested than the EU AI Act delay, it provides a useful indicator for AI governance formalization. Resolution is straightforward via NIST's public database.

78 Will NIST publish a finalized (non-draft) guideline or standard specifically addressing AI agent security by December 31, 2027? FILTERED

Rationale: The paper emphasizes that 'enhanced governance mechanisms will be critical for ensuring responsible development and use' of autonomous AI agents, and that technical guardrails must be complemented by policy frameworks. NIST launched its AI Agent Standards Initiative in February 2026, soliciting industry input on AI agent security threats and vulnerabilities. Whether NIST moves from initial RFIs and drafts to finalized guidelines is a key indicator of the pace of institutional response to autonomous AI agent risks—directly relevant to the paper's call for governance standards before HACCAs become operational.

Paper reference: Section 6 states that 'technical, legal, policy, and global governance standards... should be met before HACCAs are fully operational' and emphasizes the need for governance mechanisms that 'build on and go beyond existing cybersecurity norms and laws.'

Quality notes

This question is acceptable but slightly weaker than the first due to potential ambiguity in what constitutes a 'guideline or standard specifically addressing AI agent security.' While the AI Agent Standards Initiative was launched in February 2026, it is an initiative that may produce multiple outputs (research reports, workshop summaries, etc.) rather than a single flagship 'standard.' However, the rationale correctly identifies it as a key indicator of institutional response. To improve, it should specify a document series (e.g., NIST SP or NISTIR) or a specific title if one is announced. As a proto-question, its potential is high because the topic is at the frontier of AI safety.

78 Will any AI agent framework achieve a success rate of 40% or higher on the CVE-Bench benchmark (on its original 40-CVE test set) by December 31, 2027? FILTERED

Rationale: The paper identifies CVE-Bench as a key benchmark for evaluating HACCA-level capabilities, specifically for testing 'whether agents can exploit known vulnerabilities by providing real-world CVE descriptions and requiring autonomous exploitation without human guidance.' As of early 2025, state-of-the-art agents could exploit only ~13% of CVE-Bench vulnerabilities. The CVE-Bench leaderboard was launched and a v2.0 was released with more rigorous evaluation. Reaching 40% would represent a roughly 3x improvement, signaling a meaningful step toward the autonomous exploitation capabilities described in the paper's HACCA threat model. This is a direct upstream capability indicator.

Paper reference: Appendix Section II ('Evaluating HACCA Cyber Capabilities') explicitly discusses CVE-Bench as a relevant benchmark, and the paper's Table 17 maps CVE-Bench to OC3+ attack capabilities including exploiting reported but incompletely patched vulnerabilities.

Quality notes

This is an acceptable forecasting question, though it risks low entropy if current SOTA trajectories continue. As of early 2025, SOTA was ~13%; however, 2026 reports suggest frontier models like GPT-5.2 and GPT-5.4 are being evaluated on CVE-Bench with significantly higher performance in related cybersecurity tasks (e.g., one-day exploits). While some sources still cite the 13% figure for the rigorous 'zero-day' scenarios in CVE-Bench, others indicate rapid progress towards the 40% mark. The question is 'good' because research into specific agentic reasoning improvements (like 'thinking' models) would lead to different forecasts, and the 40% threshold represents a meaningful capability jump. However, there is a risk that this threshold may be hit sooner than 2027, potentially pushing the probability above 90% and reducing entropy. Data issues are minimal as the CVE-Bench leaderboard is a recognized academic and industry benchmark.

74 Will Google's CodeMender AI agent have contributed at least 250 accepted security fixes to open-source projects by December 31, 2027? FILTERED

Rationale: The paper highlights automated vulnerability discovery and patching as a critical defensive capability, noting that Google's CodeMender contributed 72 fixes to open-source projects in its first six months (launched October 2025). Whether this AI-driven patching tool scales significantly is a key indicator of whether automated vulnerability remediation can meaningfully reduce the attack surface that the paper warns HACCAs could exploit. The threshold of 250 is calibrated to represent meaningful scaling (~3.5x the initial 6-month output over roughly 2 additional years) without being a foregone conclusion.

Paper reference: The paper specifically discusses Google's CodeMender (introduced October 2025) as an example of AI agents that find vulnerabilities and generate validated patches, contributing 72 fixes to open-source projects in its first six months.

Quality notes

This is an acceptable to good forecasting question (Score: 74). It tracks a meaningful real-world impact of AI defense. The target of 250 fixes is well-calibrated; given the initial rate of 12 fixes/month (72 in the first 6 months), the project is on track to hit ~310 by the deadline, making 250 a non-trivial but plausible floor that allows for disagreement regarding the difficulty of scaling AI-generated PR acceptance in open source. The main drawback is potential resolution data issues: unless Google DeepMind maintains a public dashboard or commits to a final report, verifying the exact count of 'accepted security fixes' across disparate open-source projects may be difficult for forecasters to track independently.

68 Will the top score on the SWE-bench Verified leaderboard exceed 90% by December 31, 2027? FILTERED

Rationale: The paper discusses AI agents' growing capability in software engineering and offensive cyber operations, referencing SWE-bench as a key benchmark. As of early 2026, the top SWE-bench Verified score is approximately 85% (GPT-5.3 Codex). Crossing 90% would signal a meaningful capability jump in autonomous code generation and bug-fixing — directly relevant to the paper's concerns about HACCA systems exploiting vulnerabilities. This threshold is uncertain: progress has been rapid but diminishing returns may set in on this benchmark.

Paper reference: The paper references SWE-bench leaderboards (footnote 83) as a measure of AI agent capability in software engineering tasks, which is foundational to the offensive cyber capabilities discussed throughout.

Quality notes

The question is acceptable but has lower entropy than ideal (Score: 68). While the benchmark (SWE-bench Verified) is excellent and reliable SWE-bench Leaderboards, recent developments suggest the 90% threshold might be reached sooner than the late 2027 deadline. As of April 2026, GPT-5.3 Codex has reached 85% and the unreleased Claude Mythos Preview has reportedly hit 93.9%. If 'Mythos' or similar models are added to the official leaderboard, the question could resolve very early. For a late-2027 question, a higher threshold (e.g., 95% or 98%) or a move to a more difficult benchmark like SWE-bench Pro would better capture long-term uncertainty. However, it remains a valid, researchable question with a clear resolution source.

68 Will a publicly available frontier AI model achieve a success rate above 60% on the CVE-Bench leaderboard (exploiting real-world critical web vulnerabilities) by December 31, 2027? FILTERED

Rationale: The HACCA paper highlights that autonomous cyber agents could 'automate reconnaissance and more flexibly research and exploit vulnerabilities.' CVE-Bench is a concrete, real-world benchmark measuring AI agents' ability to autonomously exploit critical-severity CVEs. As of early 2026, leading foundation models score around 50% or below on existing cybersecurity benchmarks such as CVE-Bench. Anthropic's Claude Mythos Preview (April 2026) demonstrated significant offensive capabilities including autonomous zero-day discovery and exploit chaining [f53e8c]. This question tracks whether the rapid capability gains translate into measurably higher autonomous exploitation rates on a standardized benchmark, which is a direct upstream indicator of HACCA feasibility. The 60% threshold is calibrated to be non-trivial given current performance levels but plausible given the rapid trajectory observed.

Paper reference: The paper discusses how HACCAs could 'automate reconnaissance and more flexibly research and exploit vulnerabilities, rather than relying on pre-loaded exploits' and reduce labor costs during infiltration. This question operationalizes that claim via a concrete benchmark.

Quality notes

This question is of acceptable quality as it focuses on 'publicly available frontier models' and sets a higher threshold (60%) than Item 1. It directly addresses the feasibility of Highly Autonomous Cyber-Capable Agents (HACCA). However, it faces a significant 'high-entropy' risk: the recent announcement of Claude Mythos Preview (April 2026) suggests that frontier capabilities are already jumping past these levels (reports of 100% on Cybench and massive gains in zero-day discovery). If 'frontier' models already hit this by the time the question is published, the entropy vanishes. The term 'publicly available' adds a good layer of difficulty for forecasters to track deployment and safety filters. The resolution source (CVE-Bench leaderboard) is reliable, but the 'outcome validity' fixes in late 2025/2026 indicate the benchmark itself is evolving, which can cause 'data issues' for long-term forecasting.

65 Will any frontier AI model achieve a score above 50% (passing more than half of all tasks) on the UK AISI's RepliBench evaluation suite by December 31, 2027? FILTERED

Rationale: The paper identifies autonomous infrastructure establishment and compute acquisition as critical HACCA tactics (Tactic 1), and explicitly cites RepliBench as showing that current agents 'fail completely at passing KYC checks and struggle to bypass even moderately realistic security measures.' RepliBench, published by UK AISI in April 2025, is purpose-built to track autonomous replication capabilities. Rapid capability gains could push scores above 50%, but the benchmark includes deliberately challenging real-world tasks like identity verification and financial transactions that may resist improvement.

Paper reference: The paper cites Black et al., 'RepliBench: Evaluating the Autonomous Replication Capabilities of Language Model Agents' in the context of Tactic 1 (infrastructure establishment), noting current agents' inability to pass KYC checks or bypass security measures for compute acquisition.

Quality notes

The question identifies a high-quality, relevant metric (RepliBench) for tracking autonomous agent capabilities, which is a key area of uncertainty and risk in AI development. However, current data suggests that the '50%' threshold may already be trivial or already surpassed. According to the UK AISI Frontier AI Trends Report (2025), two frontier models had already achieved a success rate of over 60% on RepliBench by summer 2025. Given that the current date is April 2026, a question asking if models will hit 50% by 2027 lacks 'high entropy' and is likely already resolved. If the threshold were adjusted significantly higher (e.g., 80-90%), it would be a very strong forecasting question. As it stands, the concept is excellent but the specific parameterization is currently poor for a future-looking tournament.

55 Will any frontier AI lab (OpenAI, Anthropic, Google DeepMind, Meta, xAI, or Mistral) publicly report triggering a 'critical' or highest-tier risk threshold in their safety framework evaluations specifically for autonomous cyber capabilities or self-replication/shutdown-evasion behaviors by December 31, 2027? FILTERED

Rationale: Google DeepMind updated its Frontier Safety Framework in September 2025 to include Critical Capability Levels for shutdown resistance. The paper extensively discusses shutdown evasion and capability improvement risks. Whether any lab actually triggers these thresholds is a key observable signal — it would indicate that model capabilities are approaching the dangerous levels the paper warns about. This is uncertain because we don't know how fast capabilities will develop or how conservative the thresholds are set.

Paper reference: The paper discusses shutdown evasion strategies (Table 7), capability improvement (Tactic 5), and references Google DeepMind's Frontier Safety Framework (footnote 133) as a risk framework addressing these concerns.

Quality notes

This question relies on a highly uncertain disclosure mechanism. While labs like Google DeepMind and OpenAI have 'Critical' thresholds, their frameworks (e.g., DeepMind's Sept 2025 update) focus on internal 'safety case reviews' rather than mandatory public announcements of threshold breaches Strengthening our Frontier Safety Framework - Google DeepMind. Anthropic commits to 'publicly maintaining a summary of current evaluations,' but not necessarily immediate alerts for specific triggers. This creates a significant 'data issue': a 'No' resolution could mean either the threshold wasn't hit or it was hit but not publicly reported, leading to low entropy and potential unresolvability.

45 Will the x402 Foundation have more than 20 formally listed member organizations by December 31, 2027? FILTERED

Rationale: The paper specifically identifies Coinbase's x402 protocol as enabling AI agents to autonomously purchase compute using stablecoins, which is a key enabling infrastructure for HACCA operations. The x402 Foundation was launched under the Linux Foundation on April 2, 2026, with backing from Google, Stripe, AWS, Cloudflare, and others. Whether this protocol achieves broad institutional adoption (>20 members) is uncertain — it has strong initial backing but agentic payment protocols are nascent and could stall.

Paper reference: The paper explicitly names x402 as enabling AI agents to purchase compute for their own inference using stablecoins (footnote 90), identifying it as 'likely one of the easiest avenues for HACCAs to purchase compute resources.'

Quality notes

The question suffers from low entropy and lack of difficulty because the target threshold appears to have been met or nearly met at the time of the foundation's launch. The x402 Foundation launched on April 2, 2026, with reports already indicating 'over 20 companies' or '20+ industry leaders' as founding members, including major entities like Google, Microsoft, AWS, Visa, and Mastercard. Consequently, a forecast for 'more than 20' by the end of 2027 is likely to have a probability near 100%, making it a poor forecasting question. Increasing the threshold (e.g., to 50 or 100 members) or focusing on a specific adoption metric (e.g., transaction volume) would improve it.