Pith. sign in

REVIEW 2 major objections 4 minor 41 references

Defender welfare depends on the AI capability gap, not the shared level: a timed pre-release is the lab's optimal release policy.

Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →

T0 review · grok-4.5

2026-07-12 01:31 UTC pith:YAGHXH5I

load-bearing objection Clean formalization of release sequencing as a lab-led Stackelberg game; the gap-vs-level insight is solid, the headline windows are not. the 2 major comments →

arxiv 2607.05442 v1 pith:YAGHXH5I submitted 2026-07-03 cs.GT

The Oracle's Gambit: A Game-Theoretic Framework for Responsible AI Release

classification cs.GT
keywords responsible AI releaseStackelberg security gamesvulnerability disclosurestochastic gamesfrontier AI safetycapability gapdual-use models
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

When both defenders and adversaries draw power from the same frontier AI model, releasing that model simultaneously to both sides fails to help the defender and can intensify attacks. The paper recasts the lab's release decision as a bilevel Stackelberg game: the lab first commits to a window of exclusive defender access, which sets time-varying capabilities for a downstream zero-sum race over discovering, patching, and exploiting vulnerabilities. Because the defender's pipeline (detect, build, test, ship, wait for adoption) is longer than the adversary's (detect, weaponize, strike), equal capability gains leave the structural head-start of the attacker intact—a Red Queen's race. A pre-release window opens a temporary protective gap that restores defender welfare, and the lab's optimal window trades that welfare gain against the opportunity cost of delay. Calibrated to successive real model transitions via elicited per-round rates, a pre-release remains the equilibrium choice across most of the uncertainty range. For dual-use models that already clear binary deploy-or-withhold thresholds, the protective lever is therefore the sequencing of access, not whether to release at all.

Core claim

Defender welfare turns on the capability gap between defender and adversary, not on the shared absolute level of AI capability. Symmetric release of one model to both sides traps the defender in a Red Queen's race driven by pipeline asymmetry, whereas a pre-release that hands the new model to the defender alone creates a protective gap; the lab's Stackelberg-optimal policy is an interior pre-release window that balances that welfare gain against delay cost, and this choice is robust across calibrated model transitions.

What carries the argument

A bilevel three-player Stackelberg game: the lab commits to a release window W that induces time-varying capability schedules for a fully observable, zero-sum, finite-horizon stochastic game between defender and adversary, solved to its unique value by backward induction; the lab then maximises defender welfare net of delay cost over admissible windows.

Load-bearing premise

The five per-round success rates that drive the race can be reliably read off end-to-end benchmark pass rates by an expert-panel elicitation procedure, and those rates correctly capture how each new model moves both sides.

What would settle it

Re-solve the same game with independently measured per-round rates from real agent runs (or human baselines) on the same model ladder; if public simultaneous release then yields higher defender welfare than any pre-release window, or if pre-release ceases to be modal under the elicited uncertainty, the central claim fails.

Watch this falsifier — get emailed when new claim-graph text bears on it.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

2 major / 4 minor

Summary. The paper models frontier AI release for dual-use cyber capabilities as a bilevel three-player Stackelberg game: a lab commits to a release window W (public, pre-release of length W, or embargo) that induces time-varying capability schedules κ_Def(t) and κ_Adv(t) for a downstream finite-horizon zero-sum stochastic game between defender and adversary over n vulnerabilities. The inner game tracks asymmetric pipelines (defender: detect-build-test-ship plus exogenous coverage ρ; adversary: detect-weaponize or reverse-engineer a shipped patch) with Bernoulli success rates drawn from a capability vector κ; its unique value is obtained by backward induction. Defender welfare depends on the capability gap rather than the shared level, so simultaneous public release produces a Red Queen’s race while a temporary pre-release opens a protective gap. The lab maximizes welfare net of linear delay cost. Calibrated via LLM-Delphi elicitation of κ on successive frontier models and Monte Carlo over elicitation uncertainty, pre-release is the Stackelberg optimum in 80–95% of draws, with a headline interior window of 24 rounds for the Opus 4.6→Mythos transition.

Significance. If the qualitative gap-versus-level result holds, the paper supplies a clean, policy-relevant formalization that moves frontier-AI safety frameworks beyond binary deploy-or-withhold thresholds to the sequencing of access—an issue already visible in real programs such as Anthropic’s Project Glasswing. The bilevel construction is technically sound: the inner game is a standard finite-horizon zero-sum stochastic game with a unique value via Shapley-style backward induction, the outer problem is finite enumeration, and the Red Queen insight follows directly from pipeline-length asymmetry plus capability-independent coverage ρ. Strengths include the Morris elementary-effects screening of κ components, the explicit Monte Carlo robustness check over the LLM-Delphi posterior, and the transparent mapping of the model onto a concrete recent release. These elements make the framework a useful starting point for mechanism-design extensions that align private delay costs with social welfare.

major comments (2)
  1. [§3.3 Eq. (15), §4.1, Fig. 2, Fig. 6b, Table 3] Section 3.3 Eq. (15) and Section 4.1 (Class B, Fig. 2, Fig. 6b): Lab payoff is defined as U_Lab = u_Def − c_delay · ℓ(π_Lab). The interior optimum W⋆ (and therefore the claim that pre-release is Stackelberg-optimal) exists only inside a band of the hand-chosen operating point c_delay = c_Def = 0.05. Outside that band the solution collapses to PUBLIC or EMBARGO. Table 3’s 80–95% frequencies and the headline W⋆ = 24 for Mythos are therefore conditional on an uncalibrated cost, not on the elicited capabilities. The qualitative gap-versus-level result (Fig. 5) is robust; the quantitative optimality claim needs either external grounding of c_delay or explicit reframing as holding only inside the interior band.
  2. [§4.1, Table 2, Fig. 3] Section 4.1 Class C and Table 2: The five per-round Bernoulli rates that drive the entire inner game are obtained by mapping end-to-end benchmark pass rates through an LLM-Delphi panel of five GPT-5.1 personas (the same authors’ concurrent method). While Morris screening (Fig. 3) and the Monte Carlo (Table 3) show that the sign of the gap effect is insensitive to exact values, the magnitude of welfare gains Δu_Def and the precise location of W⋆ still depend on those absolute levels. Absent human-expert validation or an alternative calibration path, the quantitative welfare numbers remain soft.
minor comments (4)
  1. [§3.3] Section 3.3: The selection of the minimal-action-count strategy among value-optimal policies (to make u_Def unique) is described as the limit c_Def → 0+, yet the numerical experiments set c_Def = 0.05. A short clarifying sentence would remove the minor inconsistency.
  2. [Fig. 5] Figure 5a caption and surrounding text: “symmetric scaling (Δκ ≡ 0)” is clear, but the vertical axis label “welfare U_def” should be u_Def for consistency with Eq. (14).
  3. [§5] Section 5: The discussion correctly flags that the reported windows are conditional on the operating point; elevating that caveat into the abstract or the contributions list would better match the strength of the quantitative claims.
  4. [References] References: Several 2026-dated system cards and blog posts (AISI Mythos evaluation, Project Glasswing, Zero Day Clock) are cited; if any remain non-archival, a note on accessibility would help reproducibility.

Circularity Check

1 steps flagged

Mild self-citation for the LLM-Delphi capability elicitation; core Stackelberg derivation and gap-vs-level claim are independent of that method and not tautological.

specific steps
  1. self citation load bearing [Section 4.1 (Eliciting Class C), Table 2, citation [24]]
    "Our elicitation follows the Scalable Delphi method of Lorenz and Fritz [24], which has three parts: the target variables to estimate (here the five components of κ), a board of LLM experts, and a shared evidence base. ... Table 2 reports the consensus vectors (panel mean ± inter-expert standard deviation)."

    The five per-round rates that parameterize the inner-game transitions (and therefore the Monte-Carlo frequencies of pre-release optimality) are produced by a method paper whose authors overlap with the present paper. While the structural gap-vs-level claim survives variation of those rates, the reported quantitative posterior shares (80–95%) and headline windows rest on this self-cited elicitation pipeline rather than on independently measured transition probabilities.

full rationale

The bilevel game (Eqs. 1–16), inner value by finite-horizon Shapley backward induction (Eqs. 10–11), and welfare/payoff definitions (Eqs. 14–15) are self-contained mathematical constructions. The qualitative result that defender welfare depends on the capability gap Δκ rather than the shared level follows directly from the asymmetric pipeline lengths (adversary: two Bernoulli stages to READY; defender: four stages to SHIPPED plus exogenous coverage ρ) and is demonstrated by comparing symmetric scaling (Figure 5a) against an opened gap (Figure 5b); it does not reduce to any fitted parameter or self-definition. Cost levers are swept (Figure 2, Figure 6b) and the operating point c_delay = c_Def = 0.05 is explicitly chosen inside the non-trivial band rather than reverse-engineered from a target W*. The sole mild circularity risk is that the Class C rates (Table 2) that set the quantitative size of gains and the 80–95% Monte-Carlo frequencies are obtained via the authors’ own prior LLM-Delphi procedure; this is ordinary methodological self-citation, not a load-bearing uniqueness claim or a prediction forced by construction. No self-definitional loop, no fitted-input-called-prediction, and no ansatz smuggled via citation appear in the derivation chain.

Axiom & Free-Parameter Ledger

6 free parameters · 6 axioms · 2 invented entities

The central qualitative claim (gap, not level) rests on pipeline asymmetry and AI-independent coverage growth; the quantitative optimality claim rests on elicited rates, swept costs, and several game abstractions chosen for tractability. Free parameters and domain assumptions dominate; invented entities are modeling constructs rather than new physical objects.

free parameters (6)
  • c_delay (per-round hold cost) = 0.05 (operating point)
    Swept; operating point fixed at 0.05 so that the committed window is interior (Section 4.1, Figure 2).
  • c_Def (defender per-action cost) = 0.05
    Swept jointly with c_delay; set equal to 0.05 at the reported operating point.
  • ρ (post-ship fleet coverage rate) = 0.11
    Calibrated from Edgescan mean time to remediate (~63 days) with 7-day rounds to ρ ≈ 0.11.
  • T (horizon in rounds) = 48
    Modeling choice set to 48 for a single release window.
  • n (number of co-disclosed vulnerabilities) = 1-3 (headline n=2)
    Restricted to {1,2,3} for tractability of the exponential state space; headline uses n=2.
  • Five κ components (disc, egen, rev, pgen, ptest) per model = panel means in Table 2
    Not measured; elicited as panel means ± std via LLM-Delphi and used as Bernoulli rates (Table 2).
axioms (6)
  • domain assumption Inner game is fully observable, zero-sum, finite-horizon, simultaneous-move stochastic game admitting unique value by backward induction.
    Stated in Section 3.1-3.2 as design choices that guarantee uniqueness and provide conservative baselines.
  • domain assumption Defender pipeline is longer (detect-build-test-ship + adoption) than adversary pipeline (detect-weaponize or reverse-engineer).
    Premise of the analysis (Introduction and Section 3.1); drives the Red Queen result under symmetric scaling.
  • domain assumption Coverage after ship grows at exogenous rate ρ independent of AI capability.
    Equation (8); makes earlier adversary readiness strictly more damaging under equal capability gains.
  • ad hoc to paper LLM-Delphi panel of five GPT-5.1 security personas can convert benchmark pass rates into valid per-round Bernoulli rates.
    Section 4.1 Class C; the quantitative case study stands or falls on this mapping.
  • ad hoc to paper Lab payoff is defender welfare minus linear delay cost; lab internalizes defender welfare.
    Equation (15); acknowledged in Discussion as potentially misaligned with pure private profit.
  • standard math Standard finite-horizon zero-sum stochastic game value (Shapley recursion).
    Cited Shapley 1953; used for V* in Section 3.2.
invented entities (2)
  • Release window W as the lab's sole strategic lever inducing time-varying capability schedules κ_Def(t), κ_Adv(t) no independent evidence
    purpose: Turns the dual-use release decision into a finite action set for the Stackelberg leader.
    Defined in Section 3.3; modeling construct, not an empirical object with independent measurement.
  • Capability vector κ = (κ_disc, κ_egen, κ_rev, κ_pgen, κ_ptest) no independent evidence
    purpose: Couples the outer release policy to the inner transition kernel.
    Equation (3); rates are postulated as the right granularity for pipeline stages.

pith-pipeline@v1.1.0-grok45 · 21009 in / 3812 out tokens · 26070 ms · 2026-07-12T01:31:57.845110+00:00 · methodology

0 comments
read the original abstract

Responsible vulnerability disclosure can secure the defender's head start by controlling when a vulnerability becomes public. However, this status quo is now challenged by increases in capability of AI models, which benefits both defenders and adversaries. When both sides draw their capability from the same AI model, the defender's head start depends on the lab's decision to release the model, and the question becomes not whether to release but how. Existing safety frameworks govern only the deploy-or-withhold threshold and leave the timing of release unmodeled. We cast this decision as a bilevel Stackelberg game in which a lab commits to a window that sets each side's capability over time in a downstream contest between defender and adversary. Defender welfare turns on the capability gap, not the shared level. Handing one model to both sides can trap the defender in a Red Queen's race, whereas a pre-release to the defender alone creates a protective gap, and the lab's optimal window balances this welfare gain against the opportunity cost of delaying release. For dual-use models, the lever is the sequencing of access, not the deployment threshold.

Figures

Figures reproduced from arXiv: 2607.05442 by Christoph R. Landolt, Mario Fritz, Marta Kwiatkowska, Tobias Lorenz.

Figure 1
Figure 1. Figure 1: Overview of the bilevel game. The lab Lab (leader) commits to a release policy πLab that sets both players’ capabilities (➀), inducing an inner zero-sum stochastic game between the defender Def and adversary Adv (➁). Backward induction solves this game to its value (➂), and the resulting defender welfare, net of the opportunity cost of delaying the release, forms the lab’s payoff (➃), whose maximization ov… view at source ↗
Figure 2
Figure 2. Figure 2: Committed window under the two cost levers. (a) Optimal window W ⋆ versus delay cost cdelay for several capability jumps ∆κ. As delay costs increase, W ⋆ decreases in discrete steps, while larger capability jumps widen the optimal window. (b) Opti￾mized lab payoff U ⋆ Lab as a function of cdelay and the per-action cost cDef. Although cDef does not affect the inner equilibrium, it enters the outer optimizat… view at source ↗
Figure 3
Figure 3. Figure 3: Global capability sensitivity (Morris elementary effects). For each component of κ, the mean absolute effect µ ∗ against its spread σ, on (a) attack success, (b) defender welfare, and (c) the patch-diffing share. Defensive rates κ ptest , κ pgen lead on attack success and welfare; offensive κ disc , κ egen on the patch-diffing share; κ rev weakest throughout. Spreads σ≈µ ∗ indicate interaction-heavy effect… view at source ↗
Figure 4
Figure 4. Figure 4: Patch-diffing share over ρ and κ egen, for (a) n = 1 and (b) n = 2. Governed by coverage (peaking at low ρ, gone by ρ ≳ 0.45); its κ egen-dependence flips with the surface, and the peak rises from 21% to 54%. Dotted line: calibrated ρ. For a single vulnerability, the expected time to traverse a pipeline is P i 1/κi , with one geometric wait for each Bernoulli stage, and the adversary reaches READY sooner t… view at source ↗
Figure 5
Figure 5. Figure 5: Welfare turns on the capability gap, not the level. (a) Symmetric scaling (∆κ ≡ 0): raising the shared level yields no net welfare gain up the ladder, while attacks rise. (b) Asymmetric gap: defender fixed at the Mythos frontier, adversary swept back toward Opus 4.6 [PITH_FULL_IMAGE:figures/full_fig_p016_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Calibrated decision for Opus 4.6 → Mythos (n = 2, cdelay = 0.05). (a) Lab payoff ULab and welfare uDef over the window W, peaking at the interior W ⋆=24, above public release and embargo. (b) Optimal window W ⋆ over the hold cost cdelay, a pre￾release beneficial for both n=1 and n=2. for offense-weighted releases, and converts the qualitative case for early access into a model-implied window. The round-to-… view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

41 extracted references · 6 linked inside Pith

  1. [1]

    AI Security Institute: Our evaluation of claude mythos pre- view’s cyber capabilities (2026),https://www.aisi.gov.uk/blog/ our-evaluation-of-claude-mythos-previews-cyber-capabilities

  2. [2]

    Anthropic: Project Glasswing: Securing critical software for the AI era (Apr 2026)

  3. [3]

    Anthropic: Responsible scaling policy, version 3.3 (2026)

  4. [4]

    Management Science54(4), 642–656 (2008)

    Arora, A., Telang, R., Xu, H.: Optimal policy for software vulnerability disclosure. Management Science54(4), 642–656 (2008)

  5. [5]

    Proceedings of the National Academy of Sciences111(4), 1298–1303 (2014)

    Axelrod, R., Iliev, R.: Timing of cyber conflict. Proceedings of the National Academy of Sciences111(4), 1298–1303 (2014)

  6. [6]

    Game Theory and Machine Learning for Cyber Security pp

    Bao, T., Shoshitaishvili, Y.: Cyber autonomy in software security: Techniques and tactics. Game Theory and Machine Learning for Cyber Security pp. 204–229 (2021)

  7. [7]

    arXiv preprint arXiv:2512.08864 (2025)

    Barrett, S., Murray, M., Quarks, O., Smith, M., Kryś, J., Campos, S., Boria, A.T., Touzet, C., Hayrapet, S., Heiding, F., et al.: Toward quantitative modeling of cybersecurity risks due to ai misuse. arXiv preprint arXiv:2512.08864 (2025)

  8. [8]

    Brumley, D., Poosankam, P., Song, D., Zheng, J.: Automatic patch-based exploit generation is possible: Techniques and implications (2008)

  9. [9]

    In: International Conference on Decision and Game Theory for Security

    Canann, T.J.: Toward a theory of vulnerability disclosure policy: a hacker’s game. In: International Conference on Decision and Game Theory for Security. pp. 118–

  10. [10]

    Charrier, C., Weiner, R.: How low can you go? an analysis of 2023 time-to-exploit trends. Tech. rep., Mandiant (2024)

  11. [11]

    The Journal of Industrial Economics58(4), 868–894 (2010)

    Choi, J.P., Fershtman, C., Gandal, N.: Network security: Vulnerabilities and dis- closure policy. The Journal of Industrial Economics58(4), 868–894 (2010)

  12. [12]

    arXiv preprint arXiv:2504.06939 (2025)

    Dai, D., Liu, M., Li, A., Cao, J., Wang, Y., Wang, C., Peng, X., Zheng, Z.: Feed- backeval: A benchmark for evaluating large language models in feedback-driven code repair tasks. arXiv preprint arXiv:2504.06939 (2025)

  13. [13]

    Management science9(3), 458–467 (1963)

    Dalkey, N., Helmer, O.: An experimental application of the delphi method to the use of experts. Management science9(3), 458–467 (1963)

  14. [14]

    DeepMind, G.: Frontier safety framework, version 3.1 (2026)

  15. [15]

    Edgescan: 2025 vulnerability statistics report. Tech. rep., Edgescan (2025)

  16. [16]

    Epp, S.: Zero day clock (2026),https://zerodayclock.com/

  17. [17]

    arXiv preprint arXiv:2404.08144 (2024)

    Fang, R., Bindu, R., Gupta, A., Kang, D.: Llm agents can autonomously exploit one-day vulnerabilities. arXiv preprint arXiv:2404.08144 (2024)

  18. [18]

    In: Detection of intrusions and malware & vulnerability assessment, GI SIG SIDAR workshop, DIMVA 2004

    Flake, H.: Structural comparison of executable objects. In: Detection of intrusions and malware & vulnerability assessment, GI SIG SIDAR workshop, DIMVA 2004. pp. 161–173. Gesellschaft für Informatik eV (2004)

  19. [19]

    Advances in Neural Information Processing Systems 37, 50426–50468 (2024)

    Halawi,D.,Zhang,F.,Yueh-Han,C.,Steinhardt,J.:Approachinghuman-levelfore- casting with language models. Advances in Neural Information Processing Systems 37, 50426–50468 (2024)

  20. [20]

    Holley, B.: The zero-days are numbered (2026),https://blog.mozilla.org/en/ privacy-security/ai-security-zero-day-vulnerabilities/

  21. [21]

    rep., Lockheed Martin Corporation (2011), white paper

    Hutchins, E.M., Cloppert, M.J., Amin, R.M.: Intelligence-driven computer network defenseinformedbyanalysisofadversarycampaignsandintrusionkillchains.Tech. rep., Lockheed Martin Corporation (2011), white paper

  22. [22]

    Jimenez, C.E., Yang, J., Wettig, A., Yao, S., Pei, K., Press, O., Narasimhan, K.R.: SWE-bench:Canlanguagemodelsresolvereal-worldgithubissues?In:TheTwelfth International Conference on Learning Representations (2024) 20 C. R. Landolt et al

  23. [23]

    John Wiley & Sons (2021)

    Kamhoua, C.A., Kiekintveld, C.D., Fang, F., Zhu, Q.: Game theory and machine learning for cyber security. John Wiley & Sons (2021)

  24. [24]

    arXiv preprint arXiv:2602.08889 (2026)

    Lorenz, T., Fritz, M.: Scalable delphi: Large language models for structured risk estimation. arXiv preprint arXiv:2602.08889 (2026)

  25. [25]

    In: Proceed- ings of the 2010 New Security Paradigms Workshop

    Moore, T., Friedman, A., Procaccia, A.D.: Would a’cyber warrior’protect us: ex- ploring trade-offs between attack and defense of information systems. In: Proceed- ings of the 2010 New Security Paradigms Workshop. pp. 85–94 (2010)

  26. [26]

    In: Globerson, A., Mackey, L., Belgrave, D., Fan, A., Paquet, U., Tomczak, J., Zhang, C

    Mündler, N., Müller, M.N., He, J., Vechev, M.: Swt-bench: Testing and validating real-world bug-fixes with code agents. In: Globerson, A., Mackey, L., Belgrave, D., Fan, A., Paquet, U., Tomczak, J., Zhang, C. (eds.) Advances in Neural Information Processing Systems. vol. 37, pp. 81857–81887. Curran Associates, Inc. (2024)

  27. [27]

    arXiv preprint arXiv:2503.04299 (2025)

    Murray, M., Papadatos, H., Quarks, O., Gimenez, P.F., Campos, S.: Mapping ai benchmark data to quantitative risk estimates through expert elicitation. arXiv preprint arXiv:2503.04299 (2025)

  28. [28]

    OpenAI: Preparedness framework, version 2 (2025)

  29. [29]

    arXiv preprint arXiv:2403.13793 (2024)

    Phuong, M., Aitchison, M., Catt, E., Cogan, S., Kaskasoli, A., Krakovna, V., Lind- ner, D., Rahtz, M., Assael, Y., Hodkinson, S., et al.: Evaluating frontier models for dangerous capabilities. arXiv preprint arXiv:2403.13793 (2024)

  30. [30]

    Rescorla, E.: Is finding security holes a good idea? IEEE Security & Privacy (2005)

  31. [31]

    Science Advances10(45), eadp1528 (2024)

    Schoenegger, P., Tuminauskaite, I., Park, P.S., Bastos, R.V.S., Tetlock, P.E.: Wis- dom of the silicon crowd: Llm ensemble prediction capabilities rival human crowd accuracy. Science Advances10(45), eadp1528 (2024)

  32. [32]

    Proceedings of the national academy of sciences 39(10), 1095–1100 (1953)

    Shapley, L.S.: Stochastic games. Proceedings of the national academy of sciences 39(10), 1095–1100 (1953)

  33. [33]

    arXiv preprint arXiv:2201.05159 (2022)

    Shevlane, T.: Structured access: an emerging paradigm for safe ai deployment. arXiv preprint arXiv:2201.05159 (2022)

  34. [34]

    In: Proceedings of the 2023 ACM conference on fairness, accountability, and trans- parency

    Solaiman, I.: The gradient of generative ai release: Methods and considerations. In: Proceedings of the 2023 ACM conference on fairness, accountability, and trans- parency. pp. 111–122 (2023)

  35. [35]

    arXiv preprint arXiv:1908.09203 (2019)

    Solaiman, I., Brundage, M., Clark, J., Askell, A., Herbert-Voss, A., Wu, J., Rad- ford, A., Krueger, G., Kim, J.W., Kreps, S., et al.: Release strategies and the social impacts of language models. arXiv preprint arXiv:1908.09203 (2019)

  36. [36]

    NIST Special Publication 800-40 Rev

    Souppaya, M., Scarfone, K.: Guide to enterprise patch management planning: Pre- ventive maintenance for technology. NIST Special Publication 800-40 Rev. 4, Na- tional Institute of Standards and Technology (Apr 2022)

  37. [37]

    Cambridge university press (2011)

    Tambe, M.: Security and game theory: algorithms, deployed systems, lessons learned. Cambridge university press (2011)

  38. [38]

    Wang, Z., Schiller, N., Li, H., Narayana, S.S., Nasr, M., Carlini, N., Qi, X., Wallace, E., Bursztein, E., Invernizzi, L., et al.: Exploitgym: Can ai agents turn security vulnerabilities into real attacks? arXiv preprint arXiv:2605.11086 (2026)

  39. [39]

    arXiv preprint arXiv:2506.02548 (2025)

    Wang, Z., Shi, T., He, J., Cai, M., Zhang, J., Song, D.: Cybergym: Evalu- ating ai agents’ real-world cybersecurity capabilities at scale. arXiv preprint arXiv:2506.02548 (2025)

  40. [40]

    Advances in Neural Information Processing Systems38(2026)

    Zhang, A., Ji, J., Menders, C., Dulepet, R., Qin, T., Wang, R., Wu, J., Liao, K., Li, J., Hu, J., et al.: Bountybench: Dollar impact of ai agent attackers and defenders on real-world cybersecurity systems. Advances in Neural Information Processing Systems38(2026)

  41. [41]

    In: International Conference on Learning Representations

    Zhang, A.K., Perry, N., Dulepet, R., Ji, J., Menders, C., Lin, J., Jones, E., Hussein, G., Liu, S., Jasper, D., et al.: Cybench: A framework for evaluating cybersecurity capabilities and risks of language models. In: International Conference on Learning Representations. vol. 2025, pp. 25094–25243 (2025)