Researchers teach AI to find software vulnerabilities before attackers do

When Ying Zhang was a doctoral student at Virginia Tech, she spent years learni…
When Ying Zhang was a doctoral student at Virginia Tech, she spent years learning to think like an attacker—probing sof…

At the intersection of offense and defense, researchers from Wake Forest and Virginia Tech are teaching artificial intelligence to think like an attacker — not to cause harm, but to make harm harder. By automating the generation of proof-of-concept exploits, they are transforming abstract vulnerability warnings into concrete demonstrations that compel developers to act. In an age when software is woven from countless layers of third-party code, this work reflects a deeper truth: that understanding how something breaks is often the first step toward making it whole.

  • Software vulnerabilities pile up unaddressed because developers treat them as theoretical risks — AI-generated exploits make the danger impossible to ignore.
  • Modern applications are built on stacked layers of third-party code, creating supply chain complexity that no human team can monitor manually.
  • Researchers are deploying large language models to automatically map vulnerable APIs and demonstrate exactly how an attacker would move through a system.
  • The approach shifts security culture from reactive patching to proactive proof — showing the wound before it is opened.
  • OpenAI has taken notice, signaling that automated defensive security is moving from academic experiment toward industry adoption.

Ying Zhang spent her doctoral years at Virginia Tech learning to see software the way an attacker does — hunting the hidden flaws that developers overlook and adversaries exploit. Now an assistant professor at Wake Forest, she is channeling that adversarial instinct into something constructive: training AI to break software so that humans can better defend it.

The core insight driving her work is deceptively simple. When a vulnerability is described only in abstract terms, developers often deprioritize it. But when an AI system can automatically generate a working proof-of-concept exploit — a concrete demonstration of how an attacker would move through the flaw — the urgency becomes undeniable.

The challenge is scale. Contemporary applications don't stand alone; they are assembled from layers of third-party libraries and dependencies, each introducing its own potential weaknesses. Tracking vulnerable APIs across these sprawling software supply chains is beyond what any manual process can achieve. Automated tools, guided by large language models, are now being developed to navigate this complexity and surface risks before malicious actors do.

The research has drawn the attention of OpenAI, a signal that the field is maturing beyond the laboratory. As software grows ever more interconnected, the ability to automate security — to teach machines to find the cracks before others do — may become as fundamental as the code itself. The story is still unfolding, but its direction is clear: in the arms race between vulnerability and defense, AI is becoming a weapon for both sides, and researchers like Zhang are working to ensure defenders hold the sharper edge.

A story is developing around To defend your software, first teach AI to break it. When Ying Zhang was a doctoral student at Virginia Tech, she spent years learning to think like an attacker—probing software for the hidden weaknesses that developers miss and malicious actors exploit.

When Ying Zhang was a doctoral student at Virginia Tech, she spent years learning to think like an attacker—probing software for the hidden weaknesses that developers miss and malicious actors exploit. Now an assistant professor at Wake Fo…

This account is still unfolding. More context will surface as other outlets pick up the thread and add their own reporting.

A Conversa do Hearth Outra perspectiva sobre a história
Inventor

What happened here?

Model

To defend your software, first teach AI to break it.

Inventor

Give me the shape of it.

Model

When Ying Zhang was a doctoral student at Virginia Tech, she spent years learning to think like an attacker—probing software for the hidden weaknesses that developers miss and malicious actors exploi…

Inventor

What should we watch for?

Model

Follow this story as developments unfold across multiple outlets.

Quer a matéria completa? Leia o original em Tech Xplore ↗
Fale Conosco FAQ