Teams chosen for the 2016 DARPA Cyber Grand Challenge final competition

and confirm the value of using a grand challenge format,” Walker said. “With no clear best approach going in, we can explore multiple approaches and improve the chances of producing groundbreaking improvements in cybersecurity technology.”

The CGC Qualifying Event from which the seven winning teams emerged:

  • was the first CTF played solely by machines
  • operated at a speed and scale at which only machines can compete. For example, most CTF events challenge experts to analyze and secure about ten pieces of software over forty-eight hours. The CGC Qualifying Event demanded that teams’ machines work on 131 pieces of software — more than any previous CTF event — over just twenty-four hours. Some teams’ systems secured single pieces of software in less than an hour.
  • resulted in participating teams together fixing all of the 590 flaws in the competition software of which the contest developers were aware.

Most CGC competitors entered on an open track available to self-funded teams, while seven teams participated on a funded track with DARPA support. The three funded-track teams heading to the CGC finals are:

  • CodeJitsu (Berkeley, California): A team affiliated with the University of California, Berkeley
  • ForAllSecure (Pittsburgh, Pennsylvania): A startup founded by a team of computer security researchers from Carnegie Mellon University
  • TECHx (Charlottesville, Virginia): Software analysis experts from GrammaTech, Inc., a developer of software assurance tools and advanced cybersecurity solutions, and the University of Virginia

The four winning open-track teams are:

  • CSDS (Moscow, Idaho): A professor and post-doctoral researcher from the University of Idaho
  • DeepRed (Arlington, Virginia): A team of engineers from the Raytheon Company
  • disekt (Athens, Georgia): Four people, working out of a technology incubator, who participate in CTF competitions around the world
  • Shellphish (Santa Barbara, California): A group of computer science graduate students at the University of California, Santa Barbara

Each qualifying team will receive $750,000 to help them prepare over the next thirteen months for the CGC final competition. They will have the opportunity to access a specialized IT infrastructure, a “digital arena” in which they can practice and refine their systems against dummy opponents that DARPA is providing. For its part, DARPA is developing custom data visualization technology to make it easy for spectators — both a live audience and anyone watching the event’s video stream worldwide — to follow the action in real time during the final contest.

DARPA says that the winning team from the CGC final competition will receive $2 million. Second place will earn $1 million and third place $750,000. More important to Walker than the prize money, however, is igniting the cybersecurity community’s belief that automated cybersecurity analysis and remediation are finally within reach.

“We want an automation revolution in computer security so machines can discover, confirm and fix software flaws within seconds, instead of waiting up to a year under the current human-centric system,” Walker said. “These capabilities are essential for protecting data and processes as more and more devices, including vehicles and homes, get networked in the ‘Internet of things.’”