
At the RSAC 2025 Conference in San Francisco, federal research leaders proposed a bold future for critical infrastructure cybersecurity, suggesting that artificial intelligence could nearly eliminate software vulnerabilities.
“We’ve all been trained to accept vulnerabilities as a reality,” McHenry said. “But with advances in large language models (LLMs) and formal methods, this no longer has to be the case.” He suggested that AI systems could proactively identify and patch vulnerabilities, replacing the traditional reactive cycle of exploits and software updates.
LLMs + Formal Methods: A New Era for Secure Code
DARPA’s vision centers on the combination of formal software development methods with the power of large language models. Traditionally, formal methods (mathematical techniques for verifying software correctness) have been seen as expensive, labor-intensive, and limited to mission-critical systems like aerospace or nuclear operations.
However, McHenry explained that when paired with LLMs, these formal methods become more scalable and affordable. AI can now automate the generation and validation of correctness proofs, dramatically reducing the time and cost needed to build secure systems.
AI Cyber Challenge Shows Real-World Potential
The optimism stems from promising results in the AI Cyber Challenge, a collaboration involving major tech players like Google, Microsoft, Anthropic, and OpenAI. In the semifinals held at DEF CON, participating teams used AI to identify and patch synthetic vulnerabilities across open-source software—including high-impact systems like the Linux kernel and SQLite.
Why Critical Infrastructure Needs Faster Patching
Panelists from healthcare and transportation sectors emphasized the urgency of faster software patching. Jennifer Roberts of ARPA-H highlighted that hospitals often take over 490 days to apply available patches—a window that leaves life-critical systems dangerously exposed.
Challenges Ahead, But AI Offers a Transformative Path
Despite the immense opportunity, the panelists acknowledged the barriers that remain, including regulatory red tape, liability risks, and the challenges inherent in updating a vast array of hardware systems.
Nevertheless, federal experts overwhelmingly agreed that AI could produce resilient systems and close vulnerabilities before they can be weaponized. “We’re not just dreaming of better cybersecurity, we’re building it,” said McHenry.
Conclusion
The AI Cyber Challenge reflects a broader effort to use cutting-edge technology to secure the foundational infrastructure of modern life. With LLMs and formal methods working hand in hand, DARPA believes we may soon enter an era where software vulnerabilities are not the norm, but the exception.