DARPA Taps Hackers to Develop Machine-speed Cyber Defense
Engineering360 News Desk | August 18, 2016
The Defense Advanced Research Projects Agency (DARPA) has named a team of Pittsburgh-based researchers as the winners of its Cyber Grand Challenge (CGC), an all-hacking tournament. The event was one of the first head-to-head competitions among developers of some of the most sophisticated automated bug-hunting systems ever developed.
For almost 10 hours, competitors played the cybersecurity exercise Capture the Flag in a specially created computer testbed that came equipped with an array of bugs hidden inside custom, never-before-analyzed software. The machines were challenged to find and patch within seconds—not the usual months—flawed code that was vulnerable to being hacked. They also had to find their opponents’ weaknesses before the defending systems did.
DARPA’s CGC was designed to accelerate development of advanced, autonomous systems that can detect, evaluate and patch software vulnerabilities before adversaries have a chance to exploit them. The seven teams competing in the daylong competition were made up of white-hat hackers, academics and private-sector cyber systems experts.
"We now have seen for the first time autonomy involving the kind of reasoning that’s required for cyber defense," says Mike Walker, the DARPA program manager who launched the challenge in 2013. "That is a huge advance compared to where the cyber defense world was yesterday."
The need for automated vulnerability detection and patching is large and growing as more systems—from household appliances to major military platforms—are connected to and become dependent upon the internet. According to DARPA, the process of finding and countering bugs, hacks and other cyber infection vectors is still effectively "artisanal"—relying on professional bug hunters, security coders and others to search millions of lines of code to find and fix vulnerabilities.
For example, the Heartbleed security bug existed in many of the world’s computer systems for nearly two and a half years before it was discovered and a fix circulated in spring 2014, DARPA says. By that time, the bug had rendered an estimated 500,000 of the internet’s secure servers vulnerable to theft and other mischief. Analysts estimate that, on average, such flaws go unremediated for 10 months before being discovered and patched.