Axios Future of Cybersecurity Thought Bubble

August 08, 2025
🌇 Hello again, everyone! Back to you this afternoon with a readout on the conclusion of the Defense Advanced Research Projects Agency's two-year competition to develop autonomous bug patching tools for critical infrastructure. Let's get to it.
- 📲 Need to reach me securely? Find me on Signal: @SamSabin.01.
Today's newsletter is 750 words, a 3-minute read.
1 big thing: New competition spawns a lifeline for critical infrastructure security
One of the biggest AI advancements in securing open-source code and protecting critical infrastructure just happened at the DEF CON hacker conference in Las Vegas — and many of the tools coming out of it are already freely available for companies to deploy.
Why it matters: Critical infrastructure organizations — including water systems, rural hospitals and local governments — often don't have the time, resources or manpower needed to beef up their digital defenses.
- The open-source projects developed in the two-year, DARPA-led AI Cyber Challenge (AIxCC), which concluded today, could help them catch up.
Driving the news: Team Atlanta — a group of researchers from Georgia Tech, Samsung Research, the Korea Advanced Institute of Science & Technology, and the Pohang University of Science and Technology — won the $4 million first prize award.
- Seven teams, including researchers and private companies, participated in the last round of the competition, run by DARPA and its health care counterpart at the Department of Health and Human Services, ARPA-H.
- Four of those teams' projects are now available publicly — allowing critical infrastructure organizations to use the tools as a launching pad to bolster their digital defenses. The remaining finalists will release their tools in the coming weeks, organizers said.
How it works: The competition challenged teams from the private sector and research community to build AI-enabled tools that could autonomously detect and patch bugs in open-source code.
- The final round, which happened over the last year, required teams to run their systems in a sandboxed, manufactured environment riddled with bugs injected by the organizers.
- Google, Microsoft, Anthropic and OpenAI each provided participants with more than $1 million in credits for their AI models to offset the costs.
Zoom in: AIxCC finalist teams were able to patch bugs in the challenge in an average of 45 minutes.
- In total, the finalists found 77% of the 70 injected bugs and patched 61% of them.
- The final seven teams also discovered a total of 18 real-world vulnerabilities in the code that the organizers didn't inject.
What they're saying: "Today, the world is different," Kathleen Fisher, director of DARPA's Information Innovation Office, told reporters at the conference.
- "AIxCC has fundamentally changed our understanding of what is possible in terms of automatically finding, but really more importantly fixing, vulnerabilities in software," she said.
Between the lines: Finding and patching bugs requires a lot of time and visibility into what tools are running on an organization's systems.
- These tools have the promise to minimize those resource constraints. On average, each competition task cost only $152 for teams — a sharp discount compared with the current costs that security teams face.
The intrigue: Organizers noted that teams' performances in the final round far exceeded their performances in the semifinals — underscoring just how rapidly AI advancements are coming.
- During last year's semifinal round, teams discovered only 37% of the known vulnerabilities.
- "This is the new floor," said Andrew Carney, program manager for the AIxCC. "It will rapidly improve."
Yes, but: Companies have to actually buy into the promise of these new tools for the tools to be successful.
- Carney told reporters that the AIxCC organizers have hosted regular meetings with more than 40 government agencies, including HHS, the Department of Transportation and a mix of smaller agencies, about how to leverage these new technologies in their respective sectors now that they're available.
What's next: The top three finalists now have to work on preparing their tools for commercialization, and many of them are using the prize funds to further research their new tools' capabilities.
- DARPA and ARPA-H added $1.4 million in prizes to help the finalists prepare their new tools for real-world use.
- Those funds will only be distributed incrementally as the winning teams demonstrate that critical infrastructure organizations are actually using those tools.
- ARPA-H has also contributed $20 million to build on the teams' technologies and get them deployed into the medical device, health IT and biotech fields.
☀️ See y'all Tuesday!
Thanks to Dave Lawler for editing and Khalid Adad for copy editing this newsletter.


