The AI That Found A Bug In The World’s Most Audited Code

Matt Knight spent five years as OpenAI’s CISO. Now he runs what colleagues call “the most interesting job at the company”: leading Aardvark, an AI agent that finds security vulnerabilities the way a human researcher would—by reading code, writing tests, and proposing patches. It recently found a memory corruption bug in OpenSSH, one of the most heavily audited codebases in existence.

In this conversation with a16z’s Joel de la Garza, Matt traces the evolution from GPT-3 (which couldn’t analyze security logs at all) to GPT-4 (which could parse Russian cybercriminal chat logs written in slang) to today’s models that discover bugs humans have missed for decades. They also discussed the XZ Utils backdoor that nearly compromised half the internet and why 3.5 million unfilled security jobs might finally get some relief, and how Aardvark could give open source maintainers a fighting chance against nation-state attackers.

If you enjoyed this episode, please be sure to like, subscribe, and share with your friends.

Follow Matt Knight on X: https://x.com/embeddedsec

Follow Joel de la Garza on LinkedIn: https://www.linkedin.com/in/3448827723723234/

Check out everything a16z is doing with artificial intelligence here, including articles, projects, and more podcasts.

Please note that the content here is for informational purposes only; should NOT be taken as legal, business, tax, or investment advice or be used to evaluate any investment or security; and is not directed at any investors or potential investors in any a16z fund. a16z and its affiliates may maintain investments in the companies discussed. For more details please see a16z.com/disclosures.

Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.