Episode 02

Offensive Transformation

What frontier models actually deliver to attackers

15:00 October 20, 2026 with Cynthia, Robert, Lukas, Chris
▸ Listen to Episode 02

What this episode is about

In episode one we built the arc — from the Microsoft report in February 2024 to the Anthropic report in August 2025. Today we look more closely at the offensive side. What do frontier models actually deliver when an attacker uses them seriously? The anchors are three pieces of evidence from 2024 and 2025 that, independently of each other, give the same answer — and at the end a clear thesis: scale beats sophistication.

From Naptime to Big Sleep

In June 2024, Google’s Project Zero team publishes a research paper with the programmatic title “Evaluating Offensive Security Capabilities of Large Language Models.” The system is called Naptime. The architecture is methodologically elegant: the agent gets four tools — a code browser, a Python interpreter for fuzzing, a debugger, and a reporter — and with these imitates the hypothesis-driven workflow of a human security researcher. Chris explains that this completes the paradigm shift from question-answer machine to tool user: the model gets to execute code, test hypotheses, evaluate results — an agentic loop in the classical ReAct pattern.

The performance numbers on Meta’s CyberSecEval 2 benchmark are unambiguous. Buffer-overflow score rises from 0.05 to 1.00, a factor of twenty. Advanced memory corruption from 0.24 to 0.76. Robert brings the reality check: CTF benchmarks are synthetic, real-world code is millions of lines. That is exactly why Google did the follow-up. Naptime becomes Big Sleep — a productive pipeline, deployed in November 2024, run by Project Zero and DeepMind jointly. In July 2025 the key incident: the Google Threat Intelligence Group observes indicators that an attacker is targeting a specific SQLite version. Big Sleep is pointed at the code area and finds CVE-2025-6965 — a memory corruption vulnerability, CVSS 7.2. Detection-to-patch in 48 hours. The first documented case globally in which an AI agent prevented active zero-day exploitation.

DARPA AIxCC and Team Atlanta

At DEF CON 33 in August 2025, the DARPA AI Cyber Challenge ends. Seven finalists, 30 million dollars in prize money, 54 million lines of code to analyze. The winner is Team Atlanta — a consortium of Georgia Tech, Samsung Research, KAIST and POSTECH — with their system Atlantis. Four million dollars. Trail of Bits with Buttercup wins second place, Theori third. The results are technically remarkable: fifty-four synthetic vulnerabilities found, forty-three automatically patched, plus eighteen previously unknown zero-days in productive open-source code, now in coordinated disclosure with the projects.

Architecturally, Atlantis is explicitly hybrid — the authors call it “ensemble fuzzing everywhere.” Coverage-guided fuzzers like AFL++ run in parallel with directed fuzzers, with concolic executors, and on top with LLM agents. The central ML component is called MLLA, Multi-Language LLM Agent, part of a larger UniAFL component with six different input-generation modules. Chris highlights a methodological point from the authors: what the ML community calls hallucination is in practice diversity. For fuzzing you need inputs that deterministic heuristics don’t find — five agents with orthogonal solution paths deliver exactly that.

Autonomous offense in academic research

Lukas points to the work of Daniel Kang and colleagues at the University of Illinois Urbana-Champaign. Their HPTSA system — Hierarchical Planning and Task-Specific Agents — shows that a combination of planner agent and specialized sub-agents can exploit real zero-day vulnerabilities. On a benchmark of fourteen real CVEs, HPTSA achieves a 4.3x improvement over a single agent. The paper was published in June 2024 and updated in March 2025 with extended results. Together with Hazell 2023 and Heiding et al. 2024 in IEEE Access (LLM-generated phishing emails reach click-through rates above 50 percent in field tests), the economic thesis of the episode becomes provable.

The thesis — and what you take away

It is not about qualitatively new attack techniques. Spear phishing, pentesting, vulnerability research have existed for decades. What is new is the unit cost structure. A class of attacks that was previously economical only against high-value targets is now economical against mid-market companies. Robert formulates the practical consequence: anyone as a defender who still believes their mid-market business is uninteresting because of its size hasn’t heard the shot. Chris adds from the AI perspective: the agentic loop is the key architecture, the jump from 2024 to 2026 is tool-use — methodologically clear, not magical. Lukas rounds off from the research perspective: Big Sleep, Atlantis and HPTSA are three independent pieces of evidence for the same result. Anyone building defender architectures in 2026 without pricing in this reality is building defense against 2022. The next step in the season is the most concrete example of this scaling — social engineering at industrial scale.

Sources and references

  1. Glazunov, S., & Brand, M. (2024, June 20). Project Naptime: Evaluating offensive security capabilities of large language models. Google Project Zero. https://projectzero.google/2024/06/project-naptime.html
  2. The Hacker News. (2025, July). Google AI Big Sleep stops exploitation of critical SQLite vulnerability before hackers act. The Hacker News. https://thehackernews.com/2025/07/google-ai-big-sleep-stops-exploitation.html
  3. Defense Advanced Research Projects Agency. (2025, August). AI Cyber Challenge marks pivotal inflection point for cyber defense. DARPA. https://www.darpa.mil/news/2025/aixcc-results
  4. Trail of Bits. (2025, August 9). Buttercup wins 2nd place in AIxCC Challenge. Trail of Bits Engineering Blog. https://blog.trailofbits.com/2025/08/09/trail-of-bits-buttercup-wins-2nd-place-in-aixcc-challenge/
  5. Bhatt, M., Chennabasappa, S., Yan, Y., Nikolaidis, C., Song, D., Hyrum, A., Hyrum, V., Tay, Y., & Saxe, J. (2024). CYBERSECEVAL 2: A wide-ranging cybersecurity evaluation suite for large language models (arXiv:2404.13161). arXiv. https://arxiv.org/abs/2404.13161
  6. Kim, T., Yu, K., Lee, H., Lim, S., Park, D., & Kim, T. (Team Atlanta). (2025). ATLANTIS: AI-driven threat localization, analysis, and triage intelligence system (arXiv:2509.14589). arXiv. https://arxiv.org/abs/2509.14589
  7. Zhu, F., Wang, Z., & Kang, D. (2024). Teams of LLM agents can exploit zero-day vulnerabilities (arXiv:2406.01637, updated March 2025). arXiv. https://arxiv.org/abs/2406.01637
  8. Hazell, J. (2023). Spear phishing with large language models (arXiv:2305.06972). arXiv. https://arxiv.org/abs/2305.06972
  9. Heiding, F., Schneier, B., Vishwanath, A., Bernstein, J., & Park, P. S. (2024). Devising and detecting phishing emails using large language models. IEEE Access, 12, 42131–42146. https://doi.org/10.1109/ACCESS.2024.3375882
  10. Yao, S., Zhao, J., Yu, D., Du, N., Shafran, I., Narasimhan, K., & Cao, Y. (2023). ReAct: Synergizing reasoning and acting in language models (arXiv:2210.03629). arXiv. https://arxiv.org/abs/2210.03629
  11. MITRE Corporation. (n.d.). ATLAS: Adversarial Threat Landscape for Artificial-Intelligence Systems. https://atlas.mitre.org/
  12. OST – Ostschweizer Fachhochschule. (2026). CAS AI-Driven Cybersecurity and Strategic Defence [Programmseite, 15 ECTS, 14 Präsenztage, Campus Rapperswil-Jona]. https://www.ost.ch/de/weiterbildung/weiterbildungsangebot/informatik/cybersecurity-networks/cas-ai-driven-cybersecurity-and-strategic-defence