TALK: Buttercup and DARPA's AI Cyber Challenge

Henrik Brodin, Ronald Eytchison

ABSTRACT

Trail of Bits' Buttercup secured $3 million in DARPA's AI Cyber Challenge, autonomously finding 28 vulnerabilities across 20 CWE categories and patching them with a high degree of accuracy. We'll show how our open-source system discovers and patches real vulnerabilities using static analysis and AI-guided fuzzing. You'll see our multi-agent architecture in action, learn the design principles that enabled Buttercup to go beyond the AIxCC competition, and discover what we learned about when AI helps versus hurts. From laptop deployments to enterprise Kubernetes environments, we'll show how Buttercup makes world-class automated vulnerability discovery and patching accessible to everyone.

Henrik Brodin

Principal Security Engineer, Trail of Bits

Henrik Brodin is a Principal Security Engineer at Trail of Bits. He brings over 15 years of cybersecurity expertise to Trail of Bits' Research & Engineering practice, where he serves as the lead orchestrator of Buttercup, the company's Cyber Reasoning System, and was part of the small team that achieved 2nd place in AIxCC. His work at Trail of Bits includes developing memory forensics systems, implementing compiler-based security extensions, and conducting comprehensive security audits. Since entering the field in 2010 from a background in embedded systems for industrial vision applications, Henrik has built a diverse foundation across government and private sectors. Notable achievements include implementing and leading a security program for over 200 engineers within a larger development organization, alongside deep technical work in malware analysis, reverse engineering, and network forensics.

Ronald Eytchison

Security Engineer, Trail of Bits

Ronald Eytchison is a Security Engineer at Trail of Bits in the Research & Engineering Practice. He was a core developer on the Trail of Bits Buttercup team and built the LLM-driven vulnerability discovery component. He is interested in applying AI to secure software. Additionally, he has worked on projects in areas spanning static analysis, fuzzing, performance benchmarking, and compilers.

MORE FROM RINGZER0 COUNTERMEASURE25
