Shellphish, the hacker collective that began in the Cyber Security Group (SecLab), led by UC Santa Barbara computer science professors Giovanni Vigna, Christopher Kruegel, and Wenbo Guo, and now includes UCSB alumni who are professors at Arizona State University and Purdue University, has qualified for the finals of the AI Cyber Challenge (AIxCC), sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Advanced Research Projects Agency for Health (ARPA-H). The competition unfolded at DEF CON 32 Hacking Conference, one of the world’s largest cybersecurity conferences, which was held in Las Vegas from August 9-11.

The AIxCC competition “brings together the brightest minds in artificial intelligence and cybersecurity to develop novel AI-driven systems that can find and repair the software components supporting the nation's critical infrastructure,” according to a press release issued after the Las Vegas event, where the field of remaining teams was reduced from forty-two in the semifinals to just seven that will compete in the finals, to be held in August 2025. The team’s  remarkable achievement, earned by the performance of its cutting-edge Cyber Reasoning System (CRS), brings not only prestige to the group, but also a $2 million cash award.

"We are thrilled to see ARTIPHISHELL make it to the final round," said Adam Doupe, who earned his PhD at UCSB and is now CEO at Shellphish Support Syndicate, the company supporting Shellphish's effort, and director of the Center for Cybersecurity and Trusted Foundations at Arizona State University, where he is an associate professor. "This accomplishment reflects the team's hard work and collaborative spirit. We are eager to compete in the finals and to continue pushing the boundaries of what AI and LLMs [large language models] can achieve in cybersecurity." 

The ARTIPHISHELL AI system succeeded in the semifinal round by demonstrating exceptional capabilities in autonomously identifying, analyzing, and patching complex vulnerabilities found in real-world software. Most impressive perhaps is that fact it was the only CRS in the competition to patch one of the identified vulnerabilities in the nginx target, nginx being a widely used web browser.

"This is a natural evolution of Mechanical Phish, the system that Shellphish developed to participate in the DARPA [Defense Advanced Research Projects Agency] Cyber Grand Challenge in 2016," said Vigna, who directs the NSF ACTION Institute, a recently funded $20-million multi-university collaborative effort, with UCSB as the lead institution, to pursue new approaches to cybersecurity linking humans to AI agents, and multiple agents to each other. “Many ideas that were developed as part of other cutting-edge DARPA programs have contributed to defining the ideas that form the basis of ARTIPHISHELL,” said Antonio Bianchi, an assistant professor at Purdue University who also earned his PhD at UCSB.

Enabled by their $2 million award as a winning semi-finalist, the team will spend the coming year refining and enhancing ARTIPHISHELL in preparation for the final phase of the competition, scheduled for August 2025. There, the seven finalist teams will compete not only for bragging rights, but also for a portion of the $8.5 million in prize money reserved for the top three teams.

Shellphish, whose members have worked together for years, “is a team with a proven record of collaboration and innovation", said Fish Wang, an associate professor at Arizona State University who also earned his PhD at UCSB, "and the success of ARTIPHISHELL shows the effectiveness of multi-university cooperation.”

As the finals approach, Vigna notes, “The team remains focused on advancing their technology, and contributing to the broader goal of strengthening global cybersecurity.”