AIxCC Part 3 - Buttercup's Hybrid Approach: Trail of Bits' Journey to Second Place in AIxCC
10 February 2026

What's in the SOSS? An OpenSSF Podcast

About

In the final episode of our AI Cyber Challenge (AIxCC) series, CRob sits down with Michael Brown, Principal Security Engineer at Trail of Bits, to discuss their runner-up cybersecurity reasoning system, Buttercup. Michael shares how their team took a hybrid approach - combining large language models with conventional software analysis tools like fuzzers - to create a system that exceeded even their own expectations. Learn how Trail of Bits made Buttercup fully open source and accessible to run on a laptop, their commitment to ongoing maintenance with prize winnings, and why they believe AI works best when applied to small, focused problems rather than trying to solve everything at once.

This episode is part 3 of a four-part series on AIxCC:

    AIxCC part 1: From Skepticism to Success: The AI Cyber Challenge (AIxCC) with Andrew Carney
    AIxCC part 2: From Skeptics to Believers: How Team Atlanta Won AIxCC by Combining Traditional Security with LLMs
    AIxCC part 4: Cyber Reasoning Systems: The Real-World Journey After AIxCC

Chapters:
00:04 - Introduction & Welcome
00:12 - About Trail of Bits & Open Source Commitment
03:16 - Buttercup: Second Place in AIxCC
04:20 - The Hybrid Approach Strategy
06:45 - From Skeptic to Believer
09:28 - Surprises & Vindication During Competition
11:36 - Multi-Agent Patching Success
14:46 - Post-Competition Plans
15:26 - Making Buttercup Run on a Laptop
18:22 - The Giant Check & DEF CON
18:59 - How to Access Buttercup on GitHub
21:37 - Enterprise Deployment & Community Support
22:23 - Closing Remarks

Episode links:

    Michael Brown’s LinkedIn page
    AI Cyber Challenge (AIxCC)
    Trail of Bits
    Buttercup GitHub Repo
    OpenSSF AI/ML Security Working Group
    Cyber Reasoning Systems Special Interest Group (Slack)
    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn