The Defense Advanced Research projects Agency (DARPA) announced on Thursday the winner of the agency’s Cyber Grand Challenge (CGC), an automated cyber defense exercise.

The presumptive winning computer system, Mayhem, was created by the ForAllSecure team. This was one of seven competitors participating for a first-place cash prize of $2 million, second-place award of $1 million, and third-place award of $750,000. The results were announced at the DEF CON hacker convention held annually in Las Vegas, Nev. Each team in the competition’s final event was made up of white-hat hackers, academics, and private sector cyber systems experts.

DARPA Cyber Grand Challenge finalists at DEF CON. Photo: DARPA.
DARPA Cyber Grand Challenge finalists at DEF CON. Photo: DARPA.

DARPA created the challenge to accelerate the development of advanced autonomous systems that can detect, evaluate, and patch software vulnerabilities before adversaries could exploit them.

The seven teams competed against each other head-to-head on Thursday for nearly 10 hours, playing a classic cybersecurity version of Capture the Flag in a specially created computer testbed. Inside the testbed was an array of bugs hidden inside custom software that had not been analyzed before. Each team’s computer system was challenged to find and patch flawed code that was vulnerable to being hacked within seconds rather than the normal months. They also had to find opponents’ weaknesses before the defending systems did.

The presumptive second-place winner, Xandra, was designed by the TECHx team from Ithaca, N.Y., and Charlottesville,Va. The presumptive third-place system, Mechanical Phish was designed by the Shellphish team based out of Santa Barbara, Calif.

DARPA said judges would spend Thursday night verifying the preliminary results before crowning the winners at a ceremony early Friday. Following the final awards DEF CON organizers were set to formally invite the Mayhem system to participate as the first machine in the conference’s all-human Capture the Flag competition.

“I’m enormously gratified that we achieved CGC’s primary goal, which was to provide clear proof of principle that machine-speed, scalable cyber defense is indeed possible. The effort by the teams, the DARPA leadership and staff, and all the hundreds of people who helped make this unique, open-to-the-public test happen was enormous,” Mike Walker, the DARPA program manager who launched the challenge in 2013, said in a statement.

“This may be the end of DARPA’s Cyber Grand Challenge, but it’s just the beginning of a revolution in software security. In the same way that the Wright brothers’ first flight—although it didn’t go very far—launched a chain of events that quickly made the world a much smaller place, we now have seen for the first time autonomy involving the kind of reasoning that’s required for cyber defense. That is a huge advance compared to where the cyber defense world was yesterday,” Walker added.

DARPA touted this advance as important in detecting and patching software vulnerabilities as more systems and products get connected to the internet. Automated processes emanating from this competition’s results can reinforce or replace the efforts of professional “bug hunters” who spend hours searching many millions of lines of code to find and fix vulnerabilities that can be exploited for cyberattacks.

“Today, the process of finding and countering bugs, hacks, and other cyber infection vectors is still effectively artisanal,” DARPA said in an explanation of the program’s importance.