ForAllSecure, a startup in Pittsburgh founded by a team of computer security researchers from Carnegie Mellon University, won first prize and $2 million at the 2016 DARPA Cyber Grand Challenge (CGC).

The finals of CGC, an international tournament the U.S. Defense Advanced Research Projects Agency's (DARPA) called the "world's first automated network defense tournament," involved seven U.S. teams that pitted their algorithms against each other to uncover vulnerabilities that might exist in the Internet of Things (IoT).

Like Us on Facebook

DARPA also billed CGC as "The World's First All-Machine Hacking Tournament" whose participants were "cyber reasoning bots."

Second place to ForAllSecure and its artificial intelligence algorithm, "Mayhem," was TECHx of Ithaca, New York, and Charlottesville, Virginia and its bot "Xandra." TechX will receive $1 million. Third place went to Shellphish of Santa Barbara, California and its bot, "Mechanical Phish." Shellphish will receive $750,000.

ForAllSecure, which was founded by David Brumley, Thanassis Avgerinos and Alex Robert, said their technology was the result of more than a decade of program analysis research at Carnegie Mellon University.

The finals played Aug. 4 in Las Vegas was a 96-round game of "Capture the Flag." In this time-limited competitive hacking game, teams were assigned servers that must perform certain tasks while constantly being fed new code packed with bugs, security flaws and inefficiencies. Teams strove to protect their own data while attempting to access the data of others.

The difference in this game is the players, in this case the cyber reasoning bots, were completely autonomous. Normally a human looked at and corrected code or chose whether and whom to attack. All these decisions were made by their bots.

The goal of CGC was to produce systems that can repair themselves and watch for intrusions with minimal human interaction, among many other goals.

In over eight hours of computation and 96 rounds of about 270 seconds each, the bots authored 421 replacement binaries (or new native code) that was more secure than the original. They also authored 650 unique proofs of vulnerability (or attempts to navigate the maze of inputs accepted by the software) and proved the software under analysis was vulnerable.

"Tonight, completely autonomous systems played in an expert contest. In 2013 no such system existed and tonight seven of them played at a very high level," said DARPA CGC Program Manager Mike Walker.

"There's a saying in the hacker community that 'zero day can happen to anybody.' What that means is that unknown flaws in software are a universal lock-pick for intruders. Tonight we showed that machines can exist that can detect those lock-picks and respond immediately."

"We have redefined what is possible and we did it in the course of hours with autonomous systems that we challenged the world to build."

CGC was co-located this year with DEF CON, the world's largest hacker convention.

TagsForAllSecure, Carnegie Mellon University, Cyber Grand Challenge, Defense Advanced Research Projects Agency