Mechanical Phish: Resilient Autonomous Hacking

Yan Shoshitaishvili, Antonio Bianchi, Kevin Borgolte, Amat Cama, Jacopo Corbetta, Francesco Disperati, Audrey Dutcher, John Grosen, Paul Grosen, Aravind Machiry, Chris Salls, Nick Stephens, Ruoyu Wang, Giovanni Vigna

Research output: Contribution to journalArticlepeer-review

17 Scopus citations


The size and complexity of software is increasing, and security flaws are becoming more numerous, sophisticated, and impactful. While the vulnerability identification process (especially in hard-to-analyze binary programs) has traditionally been driven by highly skilled human analysts, this approach does not scale, given the vast amount of deployed software. Recently, the vulnerability analysis process has started to shift toward automated approaches. The DARPA Cyber Grand Challenge has played a key role in transforming disconnected research ideas into fully autonomous cyber reasoning systems that analyze code to find vulnerabilities, generate exploits to prove the existence of these vulnerabilities, and patch the vulnerable software. In this article, we discuss our cyber reasoning system, Mechanical Phish, which we have open-sourced; the lessons we learned in participating in this ground-breaking competition; and our system's performance as a tool in assisting humans during the DEF CON Capture-the-Flag competition, which followed the DARPA Cyber Grand Challenge.

Original languageEnglish (US)
Pages (from-to)12-22
Number of pages11
JournalIEEE Security and Privacy
Issue number2
StatePublished - Mar 1 2018


  • Cyber Grand Challenge
  • Hacking without Humans
  • autonomous systems
  • computer aided analysis
  • computer security
  • knowledge based systems
  • reasoning about programs
  • security

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Electrical and Electronic Engineering
  • Law


Dive into the research topics of 'Mechanical Phish: Resilient Autonomous Hacking'. Together they form a unique fingerprint.

Cite this