Cybersecurity AI: Evaluating Agentic Cybersecurity in Attack/Defense CTFs
By: Francesco Balassone , Víctor Mayoral-Vilches , Stefan Rass and more
Potential Business Impact:
AI is better at defending computers than attacking.
We empirically evaluate whether AI systems are more effective at attacking or defending in cybersecurity. Using CAI (Cybersecurity AI)'s parallel execution framework, we deployed autonomous agents in 23 Attack/Defense CTF battlegrounds. Statistical analysis reveals defensive agents achieve 54.3% unconstrained patching success versus 28.3% offensive initial access (p=0.0193), but this advantage disappears under operational constraints: when defense requires maintaining availability (23.9%) and preventing all intrusions (15.2%), no significant difference exists (p>0.05). Exploratory taxonomy analysis suggests potential patterns in vulnerability exploitation, though limited sample sizes preclude definitive conclusions. This study provides the first controlled empirical evidence challenging claims of AI attacker advantage, demonstrating that defensive effectiveness critically depends on success criteria, a nuance absent from conceptual analyses but essential for deployment. These findings underscore the urgency for defenders to adopt open-source Cybersecurity AI frameworks to maintain security equilibrium against accelerating offensive automation.
Similar Papers
CAI: An Open, Bug Bounty-Ready Cybersecurity AI
Cryptography and Security
AI finds computer security flaws much faster.
Uplifted Attackers, Human Defenders: The Cyber Offense-Defense Balance for Trailing-Edge Organizations
Cryptography and Security
AI helps hackers attack weak companies more often.
Cybersecurity AI: The World's Top AI Agent for Security Capture-the-Flag (CTF)
Cryptography and Security
AI now wins all computer hacking contests easily.