Federal-Need Application · Autonomous Cyber-Defense

AUTHREX-AGENT-CYBER

Autonomous cyber-defense authority governance.

After DARPA's AI Cyber Challenge, autonomous cyber-reasoning systems can find and patch software flaws at machine speed. That is a defensive breakthrough, and a new risk: may an autonomous system patch a live water-treatment or power-grid controller on its own? AUTHREX-AGENT-CYBER governs that question, treating the cyber-reasoning system as a black box and governing only the action. Governance only, no offensive function.

4 traced scenarios · 4 authority tiers · 0 offensive functions · 2025 AIxCC anchor event

The Concept

What AUTHREX-AGENT-CYBER actually does.

DARPA's AI Cyber Challenge (DEF CON 33, 2025) proved that autonomous cyber-reasoning systems can find and fix vulnerabilities in real software with no human in the loop. Those systems are now being pointed at critical infrastructure to patch it defensively at machine speed. The unanswered question is one of authority, not capability: a system that can autonomously rewrite the code running a power grid can also autonomously break it.

AUTHREX-AGENT-CYBER governs the patch. When an autonomous cyber-reasoning system proposes "I found flaw X, here is patch Y," the pipeline checks the patch's provenance (SATA), screens whether the proposed action is actually consistent with the stated finding, since inconsistency is the signature of a poisoned or manipulated system (ADARA), and then sets authority by the criticality of the target (HMAA). The same patch gets a different outcome depending on what it touches: applied to an isolated test target it may execute autonomously; applied to a live operational-technology controller it drops to a lower tier and hands off to a human with rollback pre-armed; if the proposed action is inconsistent with the finding (evidence of manipulation), it is aborted before any target is touched.

The cyber-reasoning system itself is never modified, inspected, or trusted; it is a black box. AUTHREX governs only whether its proposed action is authorized to execute, where, and with what recovery path. There is no offensive function anywhere in this application.
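The decision logic described above, as an added illustrative example that is not AUTHREX's own code: a provenance check (SATA), a finding/action consistency screen (ADARA), and an authority tier set by target criticality (HMAA), producing execute / handoff / abort. The criticality scale, the tier numbering, the consistency rule (patch may only touch the component the finding names) and the proposal fields are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import IntEnum

class Criticality(IntEnum):
    """Assumed criticality scale for this example; live OT is the top band."""
    ISOLATED_TEST = 0
    STAGING = 1
    ENTERPRISE_PROD = 2
    LIVE_OT_CONTROLLER = 3

# HMAA authority tier by target criticality (assumed mapping for this example):
# the more critical the target, the lower the tier the same patch is granted.
TIER_FOR = {Criticality.ISOLATED_TEST: 4, Criticality.STAGING: 3,
            Criticality.ENTERPRISE_PROD: 2, Criticality.LIVE_OT_CONTROLLER: 1}
AUTONOMOUS_TIER_MIN = 3   # assumed: tiers 3 and 4 may execute without a human

@dataclass(frozen=True)
class Proposal:
    finding_component: str        # component the finding says is flawed
    patched_paths: frozenset      # paths the proposed patch actually touches
    provenance_attested: bool     # SATA: patch signed by the expected CRS identity
    target: Criticality

def action_matches_finding(p: Proposal) -> bool:
    """ADARA screen: a patch that touches anything outside the component named in
    the finding is inconsistent with that finding, the poisoned-system signature."""
    return bool(p.patched_paths) and all(
        path.startswith(p.finding_component + "/") for path in p.patched_paths)

def authorize(p: Proposal) -> dict:
    """Gate decision: EXECUTE, HANDOFF (human confirms, rollback pre-armed) or ABORT."""
    if not p.provenance_attested:
        return {"decision": "ABORT", "reason": "SATA: provenance not attested"}
    if not action_matches_finding(p):
        return {"decision": "ABORT", "reason": "ADARA: action inconsistent with finding"}
    tier = TIER_FOR[p.target]
    if tier >= AUTONOMOUS_TIER_MIN:
        return {"decision": "EXECUTE", "tier": tier, "rollback_armed": False}
    return {"decision": "HANDOFF", "tier": tier, "rollback_armed": True}

# Constructed scenarios mirroring the three outcomes described on the page.
SAME_PATCH = frozenset({"modbus-gateway/parser.c"})
SCENARIOS = {
    "isolated test target": Proposal("modbus-gateway", SAME_PATCH, True, Criticality.ISOLATED_TEST),
    "live OT controller": Proposal("modbus-gateway", SAME_PATCH, True, Criticality.LIVE_OT_CONTROLLER),
    "poisoned finding": Proposal("modbus-gateway", frozenset({"modbus-gateway/parser.c", "auth/pam.c"}), True, Criticality.ISOLATED_TEST),
}
def run_scenarios() -> dict:
    return {name: authorize(p)["decision"] for name, p in SCENARIOS.items()}
```

The same patch bytes yield EXECUTE on the test target and HANDOFF on the live controller; only the target and the finding's integrity change the outcome.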

The Benefit, and Who It Serves

Who needs this, and why.

Defensive Cyber Teams

A blue team can deploy autonomous patching against fast-moving threats without granting the autonomous system unmediated authority to rewrite production systems. High-criticality patches slow down for human confirmation; everything is logged.

Infrastructure Defenders

Defenders of power, water, and pipeline systems get the speed of autonomous patching with a guarantee that a patch to a live controller cannot execute without a human in the loop and a pre-armed rollback.

IC & Defense

Intelligence and defense organizations get an authority layer that is compatible with the Five Eyes guidance on agentic AI, expressed as an enforceable decision (execute / handoff / abort) rather than a policy aspiration.

How It Benefits the U.S. Government

The national-importance case.

Autonomous cyber-defense is a stated U.S. priority, and the AIxCC result made the authority question urgent and concrete.

It answers a question AIxCC opened

DARPA proved autonomous cyber-reasoning works. The immediate follow-on question, who authorizes an autonomous patch to a live system, is exactly what AGENT-CYBER governs. It is the missing authority layer above a capability the government just demonstrated.

It aligns with Five Eyes guidance

The Five Eyes "Careful Adoption of Agentic AI Services" (1 May 2026) calls for careful, bounded adoption of autonomous agents. AGENT-CYBER is a concrete bounding mechanism: tiered authority, human handoff, pre-armed rollback, signed audit.

It is defensive by construction

The application has zero offensive function. It governs whether a defensive patch may execute. That makes it adoptable under defensive-cyber authorities without raising offensive-capability concerns.

It maps to supply-chain law

NDAA §1513 addresses AI-specific threats and supply-chain risk. An autonomous patching agent is itself a supply-chain actor; AGENT-CYBER provides the provenance attestation and audit trail that §1513 concerns call for.

The DARPA Questions · Heilmeier Catechism

Answered, plainly.

1 · What are you trying to do?
Govern whether an autonomous cyber-reasoning system is allowed to apply a patch to a given target, scaled by how critical that target is. No jargon: decide if the robot defender is allowed to touch the real thing, or only the test copy.

2 · How is it done today, and what are the limits?
Today, autonomous patching is either gated by blanket human review (slow, defeating the speed advantage) or ungated (dangerous on critical systems). There is no criticality-aware authority layer that keeps the speed where it is safe and inserts a human where it is not.

3 · What is new in your approach?
Treating the cyber-reasoning system as a black box and governing only its action, plus screening for finding/action inconsistency (the signature of a poisoned system) and setting authority by target criticality. The defender's speed is preserved on low-criticality targets and bounded on high-criticality ones.

4 · Who cares? If you succeed, what difference does it make?
Defensive cyber teams, infrastructure defenders, and the IC care. If it works, autonomous defenders can operate at machine speed where it is safe, while a live grid controller is never patched without a human and a rollback.

5 · What are the risks?
The main risks are mis-classifying target criticality and an adversary crafting a finding/action pair that passes the consistency screen. The simulation exposes the decision logic for exactly these challenges; the consistency screen is a research surface, not a solved problem.

6 · How much will it cost?
The governance logic is software; the signing root is the commodity BLADE-AGENT-HSM (about $199 in parts). The cyber-reasoning system is whatever the operator already runs; AGENT-CYBER does not build or replace it.

7 · How long will it take?
The reference architecture, four traced scenarios, and simulation exist now (TRL 3-4) and are live on the AUTHREX-AGENT page. Independent validation against a real cyber-reasoning system is the next milestone.

8 · What are the midterm and final exams?
Midterm: the gate correctly aborts a poisoned finding and hands off a live-OT patch in simulation. Final: the gate runs in-line with a real autonomous cyber-reasoning system, correctly tiering patches by target criticality.

9 · What is explicitly out of scope?
No offensive function of any kind. AGENT-CYBER does not find vulnerabilities, does not write patches, and does not attack anything. It governs whether a defensive patch may execute. Independent research, no agency adoption implied.

Try It · Interactive Simulation

Authorize the defender.

An autonomous cyber-reasoning system proposes a patch. Pick the scenario and run it: the same proposed action gets a different outcome depending on the target and the integrity of the finding. Illustrative simulation of the authority logic, governance only, no offensive function, not operational validation.

Simulator stages, applied in order to the autonomous patch proposal:

  1. SATA: patch provenance attested
  2. ADARA: finding / action consistency screened
  3. MAIVA: multi-system integrity confirmed
  4. HMAA: authority tier set by target criticality

Illustrative simulation of the cyber-defense authority logic. Synthetic scenarios; no real system is patched. Governance only, no offensive function. Every decision would be committed to the signed ledger.
Formal-Methods Foundation

The authority logic is model-checked, not just described.

Every AUTHREX application shares one verified core. The HMAA authority state machine is specified in TLA+ and exhaustively model-checked: 48,751 reachable states verified, with 8 of 9 safety properties holding (among them no skip-ahead, monotonic downgrade, and no zombie tier). The ninth, the MAIVA CriticalSafe invariant, is flagged as a known violation in the issue register rather than hidden, which is the honest state of the work. The model checker also caught a real S5 view-change regression during development, which is evidence that the method finds defects rather than rubber-stamping them.

48,751 reachable states · 8 / 9 safety properties hold · 1 known violation, logged · TLA+ formal spec

Anchors & Honest Limitations

What this rests on, and what it is not.

Federal anchors: Five Eyes "Careful Adoption of Agentic AI Services" (1 May 2026); DARPA AI Cyber Challenge (DEF CON 33, 2025); NDAA §1513; NIST AI 600-1 Generative AI Profile. Folds in AUTHREX-ZTAGENT and AUTHREX-MCPGOV as cited variants.

  • This is a reference architecture at TRL 3-4. It is specified and simulated, not fielded with a real autonomous cyber-reasoning system.
  • The finding/action consistency screen is an open research surface; a sufficiently crafted adversarial pair is a real risk, stated openly.
  • The criticality-to-tier mapping is one researcher's analytical judgment, released for independent review.
  • Governance only. No offensive function. All scenarios are synthetic; no real system is patched. No agency adoption or endorsement implied.