Gespeichert in:
Bibliographische Detailangaben
Hauptverfasser: Wang, Zhun, Schiller, Nico, Li, Hongwei, Narayana, Srijiith Sesha, Nasr, Milad, Carlini, Nicholas, Qi, Xiangyu, Wallace, Eric, Bursztein, Elie, Invernizzi, Luca, Thomas, Kurt, Shoshitaishvili, Yan, Guo, Wenbo, He, Jingxuan, Holz, Thorsten, Song, Dawn
Format: Preprint
Veröffentlicht: 2026
Schlagworte:
Online-Zugang:https://arxiv.org/abs/2605.11086
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
_version_ 1866918494906351616
author Wang, Zhun
Schiller, Nico
Li, Hongwei
Narayana, Srijiith Sesha
Nasr, Milad
Carlini, Nicholas
Qi, Xiangyu
Wallace, Eric
Bursztein, Elie
Invernizzi, Luca
Thomas, Kurt
Shoshitaishvili, Yan
Guo, Wenbo
He, Jingxuan
Holz, Thorsten
Song, Dawn
author_facet Wang, Zhun
Schiller, Nico
Li, Hongwei
Narayana, Srijiith Sesha
Nasr, Milad
Carlini, Nicholas
Qi, Xiangyu
Wallace, Eric
Bursztein, Elie
Invernizzi, Luca
Thomas, Kurt
Shoshitaishvili, Yan
Guo, Wenbo
He, Jingxuan
Holz, Thorsten
Song, Dawn
contents AI agents are rapidly gaining capabilities that could significantly reshape cybersecurity, making rigorous evaluation urgent. A critical capability is exploitation: turning a vulnerability, which is not yet an attack, into a concrete security impact, such as unauthorized file access or code execution. Exploitation is a particularly challenging task because it requires low-level program reasoning (e.g., about memory layout), runtime adaptation, and sustained progress over long horizons. Meanwhile, it is inherently dual-use, supporting defensive workflows while lowering the barrier for offense. Despite its importance and diagnostic value, exploitation remains under-evaluated. To address this gap, we introduce ExploitGym, a large-scale, diverse, realistic benchmark on the exploitation capabilities of AI agents. Given a program input that triggers a vulnerability, ExploitGym tasks agents with progressively extending it into a working exploit. The benchmark comprises 898 instances sourced from real-world vulnerabilities across three domains, including userspace programs, Google's V8 JavaScript engine, and the Linux kernel. We vary the security protections applied to each instance, isolating their impact on agent performance. All configurations are packaged in reproducible containerized environments. Our evaluation shows that while exploitation remains challenging, frontier models can successfully exploit a non-trivial fraction of vulnerabilities. For example, the strongest configurations are Anthropic's latest model Claude Mythos Preview and OpenAI's GPT-5.5, which produce working exploits for 157 and 120 instances, respectively. Notably, even with widely used defenses enabled, models retain non-trivial success rates. These results establish ExploitGym as an effective testbed for exploitation and highlight the growing cybersecurity risks posed by increasingly capable AI agents.
format Preprint
id arxiv_https___arxiv_org_abs_2605_11086
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle ExploitGym: Can AI Agents Turn Security Vulnerabilities into Real Attacks?
Wang, Zhun
Schiller, Nico
Li, Hongwei
Narayana, Srijiith Sesha
Nasr, Milad
Carlini, Nicholas
Qi, Xiangyu
Wallace, Eric
Bursztein, Elie
Invernizzi, Luca
Thomas, Kurt
Shoshitaishvili, Yan
Guo, Wenbo
He, Jingxuan
Holz, Thorsten
Song, Dawn
Cryptography and Security
Artificial Intelligence
Machine Learning
AI agents are rapidly gaining capabilities that could significantly reshape cybersecurity, making rigorous evaluation urgent. A critical capability is exploitation: turning a vulnerability, which is not yet an attack, into a concrete security impact, such as unauthorized file access or code execution. Exploitation is a particularly challenging task because it requires low-level program reasoning (e.g., about memory layout), runtime adaptation, and sustained progress over long horizons. Meanwhile, it is inherently dual-use, supporting defensive workflows while lowering the barrier for offense. Despite its importance and diagnostic value, exploitation remains under-evaluated. To address this gap, we introduce ExploitGym, a large-scale, diverse, realistic benchmark on the exploitation capabilities of AI agents. Given a program input that triggers a vulnerability, ExploitGym tasks agents with progressively extending it into a working exploit. The benchmark comprises 898 instances sourced from real-world vulnerabilities across three domains, including userspace programs, Google's V8 JavaScript engine, and the Linux kernel. We vary the security protections applied to each instance, isolating their impact on agent performance. All configurations are packaged in reproducible containerized environments. Our evaluation shows that while exploitation remains challenging, frontier models can successfully exploit a non-trivial fraction of vulnerabilities. For example, the strongest configurations are Anthropic's latest model Claude Mythos Preview and OpenAI's GPT-5.5, which produce working exploits for 157 and 120 instances, respectively. Notably, even with widely used defenses enabled, models retain non-trivial success rates. These results establish ExploitGym as an effective testbed for exploitation and highlight the growing cybersecurity risks posed by increasingly capable AI agents.
title ExploitGym: Can AI Agents Turn Security Vulnerabilities into Real Attacks?
topic Cryptography and Security
Artificial Intelligence
Machine Learning
url https://arxiv.org/abs/2605.11086