National labs are quietly making breakthroughs in AI-powered cyber defense
Add Axios as your preferred source to
see more of our stories on Google.

Illustration: Sarah Grillo/Axios
The secretive national laboratories scattered across the country are now making public breakthroughs in AI-enabled cyber defense.
Why it matters: National laboratories — including Los Alamos, Sandia and Lawrence Livermore — are behind some of the biggest advancements you've never heard of in cyberspace.
- Even hearing about a new project likely indicates that the U.S. government is making more headway in the race to fend off adversarial AI attacks than it's showing.
Driving the news: Scientists at the Pacific Northwest National Laboratory (PNNL) in Washington state built a generative AI-powered system that allows defenders to quickly simulate the cyberattacks targeting their organizations.
- Reconstructing a cyberattack is a key part of investigating and remediating the threat. Defenders need to retrace their adversaries' footsteps to understand how they got in and what vulnerabilities must be addressed.
How it works: Researchers used both Anthropic's Claude and MITRE's open-source Caldera simulation tool to build the new system, known as Aloha.
- A security analyst starts by inputting a plain-language description of a specific attack on their network or a hypothetical attack they want to test, including what happened across their systems.
- The AI system, powered by Claude, then generates a detailed representation of the attack's sequences based on its own knowledge base — expanding the plain-language sequence into an executable play-by-play.
- Caldera takes those steps and runs a simulation in a contained environment against a test network, effectively emulating how the attack would play out under different conditions.
- Aloha then observes the simulation in real time, evaluating each step as it runs and determining whether it achieved its intended effect.
- If the simulation hits a wall, Aloha can automatically adjust the next action and keep the simulation moving forward.
- The security analyst can then tweak the conditions — such as what defensive cyber tools are in place — and keep replaying the simulation until they're satisfied with the outcome.
The intrigue: Traditionally, rebuilding an attack chain requires weeks of manual scripting and expert labor. Aloha compresses that timeline dramatically.
- "The technology speeds up the defender's response so that the cybersecurity expert doesn't need to carry out quite as many operations themselves," Loc Truong, who led the PNNL team behind Aloha, said in a statement. "It's click and go."
- Aloha also lowers the barrier for organizations that lack the budget and staff expertise required to run traditional attack-emulation tools.
The big picture: Aloha is arriving as both well-intentioned and malicious hackers embrace AI in their work.
- Anthropic uncovered evidence late last year of Chinese state-sponsored actors using Claude to break into about 30 global organizations. Ransomware gangs are slowly but surely automating their entire kill chain.
- Even at last year's DEF CON hacker convention, nearly every team that competed in the conference's Capture the Flag competition was using AI to assist in their attacks, PNNL cybersecurity researcher Kristopher Willis said in a statement.
Between the lines: The national labs' cyber teams have been at the heart of AI cyber research for decades — and the same goes for the wave of generative AI advancements.
- Researchers across several national laboratories, including those that participate in the country's nuclear program, have been using OpenAI's models in their work for years.
- OpenAI and Los Alamos National Laboratory have also been working together to evaluate the safety of multimodal AI systems.
- Anthropic has been working with the National Nuclear Security Administration to determine the difference between those using its models for legit research and those abusing it to uncover nuclear secrets.
What to watch: The PNNL team is now building on DARPA findings in a recent DEF CON competition to expand Aloha to automatically test newly discovered vulnerabilities on a system and see how severe it is, Willis told Axios.
- "We want to take Aloha to understand proof of vulnerabilities and make them into proof of concepts," Willis said. "That way we can also either create a remediation or even test the remediation."
Go deeper: The age of AI-powered cyberattacks is here
