Researchers make the case for a cybersecurity AI scientist
Autonomous AI agents have started doing real security work. Language-model agents probe software for flaws, run penetration tests, and chain together attack steps that once needed a human operator. Research about security has stayed slower and more manual, built around expert scarcity and hand-designed experiments.

A team at the Chinese Academy of Sciences wants to close that gap. In a recent paper, they define what they term the Cybersecurity AI Scientist. They describe a research system that moves from a question to experimental design, tool building, controlled execution, evaluation, and a written result on its own.
The authors offer Hephaestus, a modular, multi-agent system, with role-specialized agents for problem framing, threat modeling, tool generation, and reporting, as one workable realization. The name comes from the Homeric smith who forged both spear and shield, marking a system meant to produce offensive and defensive work under one design.
The limits of a straight domain transfer
Automated research systems are already a thing. The AI Scientist and its follow-up can run the whole loop from idea to draft paper in machine learning subfields, and tools like Co-Scientist and Robin pull off something similar in biology and biomedicine.
Cybersecurity, the authors argue, breaks the assumptions all of them lean on. The object of study adapts to being studied. Model platforms, guardrails, and tool access drift faster than a single research loop can run. And whether you believe a finding depends on digital twins, cyber ranges, and evidence chains that are part of the method itself.
Four kinds of failure to bound
The authors hang all of this on something they call a four-zeros frame, and it comes down to four things the system should worry about: risk, trust, incident, and energy.
Risk is about the hidden defects lurking in software. Trust is about assistance that stays calibrated, so a human operator keeps the wheel. Incident is about operational slip-ups and the test environments you need to catch them. Energy is the long game, the organizational and ethical outcomes that play out over years. Each one names a kind of failure the system is supposed to study and shrink.
Hidden defects and frontier models
Recent capability jumps sit behind the risk axis. Anthropic’s Claude Mythos Preview, released under Project Glasswing, was held back from general access because its offensive cyber ability was strong enough to require a vetted partner program, and reporting has tied large-scale defect discovery in widely used software, including some long-lived flaws, to that model. CyberGym, a benchmark the paper cites, tests agents against more than a thousand real-world vulnerabilities drawn from a large set of open-source projects, with frontier models reporting single-trial success in the tens of percent and surfacing fresh zero-days on their own.
From terminals to agent legions
The paper’s most vivid idea is something the authors call resilient agent legions. Most defenses today lean on a few steady assumptions: the perimeter holds, each team owns its lane, and repairs happen at human speed. Those assumptions start to buckle once both sides of a fight run on autonomous agents and the attack surface shifts faster than anyone can push patches.
So the authors flip the model. Picture a large, deliberately redundant crowd of defensive agents scattered across network edges, monitoring layers, coordination channels, and recovery jobs. Each one hauls around an “event-and-defense capsule,” a tidy bundle that ties a category of security events to the routines meant to handle them. In this telling, the old idea of terminal security comes apart and turns into agent security. The job stops being about guarding a single endpoint and starts being about running a whole population of agents whose collective behavior does the protecting.
Measuring the work over time
Lidong Zhai, a co-author, addressed how such a system should be judged. He treats long-term benchmarking as a longitudinal protocol that holds the goal fixed and perturbs the model stack, tools, guardrails, and threat environment over time.
The output he describes is a profile matrix reporting research yield, evidence quality, calibration burden, resilience to model and tool turnover, governance compliance, and consequence handling. He puts weight on which events count most. “The benchmark should be consequence-weighted: high-propagation, high-loss events should count more than nuisance events, because prioritization is part of the scientific capability being measured,” Zhai told Help Net Security.
Keeping dual-use in check
Zhai described containment as part of the architecture, with control at four levels: capability, role, environment, and artifact. Offensive exploration, defensive analysis, evaluation, and release decisions each follow separate authorization paths, and sensitive work stays inside isolated digital twins and cyber ranges. The key question, he said, is “who invoked it, for what purpose, in what environment, under what authority, and with what release boundary.”
The paper stops short of a built system. It is a framework with open challenges, among them heterogeneous defense targets and the difficulty of separating offensive and defensive uses of a capability at the level of code. For Zhai, the measure of success runs past speed. “A Cybersecurity AI Scientist should ultimately be judged not only by whether it accelerates research, but by whether it improves strategic composure, sharper prioritization, and more durable defensive design,” he said.

Guide: What automated pentesting alone cannot see