Alum-run cybersecurity company Trail of Bits wins big in DARPA’s Artificial Intelligence Cyber Challenge

Anyone who knew Dan Guido as a bright, hardworking undergraduate will be unsurprised that his list of accomplishments keeps growing longer.

Alum Dan Guido (left) and co-founder Alexander Sotirov. Their company, Trail of Bits, was awarded a $3 million prize by the Defense Advanced Research Projects Agency (DARPA).

It was just a few years before Dan Guido ('08) arrived at the School of Engineering that pioneering computer scientist Nasir Memon introduced courses in information security and privacy — unusual academic offerings at a time when internet threats were still being thought of as the purview of bored teens coding viruses for fun, rather than for any truly nefarious purpose, and cybercrime was not yet considered a major problem.

Guido quickly established himself as a vital member of Memon’s Offensive Security, Incident Response, and Internet Security (OSIRIS) Lab, a student-run group that ultimately proved to be a training ground for generations of cyber professionals. Even after graduating, he remained deeply involved with the school, serving as OSIRIS Hacker in Residence and teaching vulnerability analysis and application security as an adjunct faculty member. As both a student and alum, he also played a key role in NYU Tandon’s CSAW (now known as Cybersecurity Games and Conference), overseeing the popular Capture the Flag challenge as the event grew over the years into the world’s most comprehensive student-led cybersecurity contest.

In 2012, Guido formed his own company, Trail of Bits, an industry-leading software security firm that helps secure some of the world's most targeted organizations and devices. (His clients have ranged from tech giants like Facebook to large financial institutions and government agencies, and the company has been named to Built In's Best Places to Work in NYC list every year, from 2021 through 2025.)

Last year, Trail of Bits entered the Defense Advanced Research Projects Agency (DARPA) Artificial Intelligence Cyber Challenge (AIxCC), which called upon competitors to design novel AI systems capable of addressing vital issues like the security of critical infrastructure and software running everything from transportation to water and wastewater systems, emergency services, and energy sources.

The scoring algorithm rewarded teams for finding vulnerabilities, proving that vulnerabilities existed, and correctly applying patches to open-source software, with speed and accuracy as additional factors. When the judging was over, Trail of Bits had been named a finalist and awarded $2 million to refine their entry, which they dubbed Buttercup, over the course of the following year.

The competition’s finals were held in early August 2025, at DEF CON, a high-profile annual event that draws hackers from around the world. In one round, finalists were met with 48 challenges across 23 open-source repositories, and Buttercup ultimately found 28 vulnerabilities and successfully applied 19 patches. In a test to find software vulnerabilities across the top 25 most dangerous Common Weakness Enumerations (CWEs), Buttercup submitted proofs of vulnerabilities (PoVs) across 20 of them. “Securing real-world software is more than just uncovering memory leaks and buffer overflows,” Guido explained. “This breadth demonstrates our system’s robust understanding of diverse vulnerability classes, from memory safety issues to injection flaws.”

Buttercup also submitted the largest software patch in the entire competition, over 300 lines of code, earning the title “LOC Ness Monster.” Among other factors that distinguished it, Buttercup scored less than 5 minutes into a task, made over 100,000 LLM requests, had greater than 90% accuracy, and found a PoV that triggered a vulnerability that was not inserted into the Challenge.

In the end, Trail of Bits was announced as the second-place winner and awarded a $3 million prize.

Guido — a member of the CyberCorps: Scholarship for Service (SFS) Hall of Fame — noted that among all its other advantages, Buttercup also achieved remarkable efficiency relative to performance, making Trail of Bits’ approach particularly valuable for the open-source community, where compute budgets are limited and cost-effectiveness is crucial for widespread adoption. That makes him especially proud. “The real victory goes beyond any numbers on a scoreboard,” he said. “All of the systems that participated in the Challenge, which collectively took thousands of hours of research and engineering to create, are open-source and available to everyone.”