QED Audit’s DARPA AIxCC Winning Team is Proving Blockchain Can Be Trusted
Starting a company had been an ongoing goal of Woonsun Song’s, including when he was previously working at a cryptocurrency startup. “This startup had a young founder, and I wondered how this founder was able to have this opportunity to launch a business. And the DARPA AIxCC competition was my opportunity to start a company and contribute to cybersecurity,” said Song.
Song’s journey to founding QED Audit started in 2023 as a computer science graduate student at Georgia Tech. He was conducting research with Taesoo Kim, of the Systems Software Lab, who was preparing to compete in DARPA's Artificial Intelligence Cyber Challenge (AIxCC), a nationwide AI-cybersecurity competition.
Humans do not compete directly in DARPA AIxCC. When the contest begins, they step back, and the AI agents they developed start looking for software bugs on their own. “It’s a completely isolated environment for AI,” said Song. The team’s submission paired advanced AI with foundational methods to find and patch software vulnerabilities.
The result? Being part of the winning team of DARPA AIxCC in August 2025 gave Song the opportunity to pursue his goal of founding a startup focused on making critical software more secure.
To protect software against threats, QED focuses on blockchain security by delivering AI-powered audits for clients using continuous, automated analysis without sacrificing the depth of human review.
Blockchain creates secure, unchangeable, and verifiable records and has been used for cryptocurrencies like Bitcoin and Ethereum. Song and the QED founding team are working out of the Biltmore Innovation Center, with the mission to “turn software security into infrastructure: always on, reliable, and effortless.”
Establishing the Conditions: Preparing for DARPA AIxCC
At Georgia Tech, Song joined Kim’s international and multi-organizational team of 46 researchers, called Team Atlanta, who were preparing for DARPA AIxCC. The goal of the DARPA AIxCC, which is a two-year competition, is for teams to find as many planted, synthetic bugs as possible in a set of programs using developed and deployed AI agents.
The goal is for teams competing in DARPA AIxCC to build and test autonomous, scalable AI technologies that can advance cybersecurity and protect against malicious hackers who seek to exploit vulnerabilities in critical software, including software whose compromise could cause major financial damage, interruptions in daily operations, or safety risks.
When describing DARPA AIxCC, Song said, “It’s similar to a ‘capture the flag’ competitive or educational hacking exercise used in cybersecurity.” He added, “There are a lot of programs that companies use that are open source, meaning anyone can access and review their source code. DARPA collects around 150 of these important, open-source programs, and plants synthetic bugs.” He continued, “It’s using a real problem, but with synthetic bugs.”
Song added that many open-source programs have zero-day vulnerabilities, meaning flaws that have existed since the code was developed and were unknown to the developers, and that these can also be identified in the DARPA AIxCC competition.
Song’s contribution to Team Atlanta, which developed ATLANTIS for the competition, focused on multilanguage programming and hybrid fuzzing, which pairs the rigor of foundational fuzzing methods for finding bugs with advanced AI to find patches. Team Atlanta included researchers from Georgia Tech, Samsung Research, the Korea Advanced Institute of Science & Technology (KAIST), and the Pohang University of Science and Technology (POSTECH).
Song shared that the cybersecurity world is small and competitive and that established companies have internal teams who participate. “In a competition like DARPA AIxCC, we know many of the people who are competing. They are highly skilled in what they do.”
Proof of Concept at DARPA AIxCC
At the final round of DARPA AIxCC in June 2025, it was time for the team to lift their hands off the keyboard and let the autonomous AI agent run its program. “We rolled out our developed program on DARPA servers, and that was it as we waited for the duration of the 48-hour-long competition when programs were running,” said Song.
As the autonomous AI agents look for vulnerabilities in the open-source and synthetic software, several metrics, or cyber reasoning system (CRS) performance elements, are tallied. These include the number of vulnerabilities found, the number of successful patches, and the total score.
Song and Team Atlanta earned top scores in all metrics of vulnerabilities found and successful patches with a total score of 393. The second- and third-place teams had total scores of 219 and 211, respectively. Team Atlanta was awarded $4 million.
“In addition to the number of bugs found by the autonomous AI agent being an important metric, the AI also must provide a fix for the bug, and to find the bug, and to assess the root cause. And when you do this, you get bonus points. That’s why I think we did well was the bug patching,” said Song.
Automated bug patching predates the application of AI and LLMs to autonomous cybersecurity. One approach is called fuzzing. “Fuzzing is a way of doing random things to a program to make sure it breaks. It was a really good way to find bugs before AI,” said Song, adding, “What our submission to the DARPA AIxCC competition did was combine fuzzing with AI. So the program can crash in a more efficient way.”
With this approach, Team Atlanta earned the achievements for finding the most scoring bundles, the most real-world vulnerabilities patched, and for having a positively scoring proof of vulnerability (PoV) percentage higher than 95%.
Building a Cybersecurity Startup in an Age When AI Both Secures and Breaks Code
Preparing for and winning the DARPA AIxCC competition provided Song with the foundation and momentum to launch QED, taking the next step to close the gap between the vision of cryptocurrency as a reliable and secure form of payment and the trust people have in adopting this new technology.
On a technical level, the experience and perspective Song gained from DARPA AIxCC laid the foundation for QED’s research-driven approach to building AI agents to find and fix bugs and to ensure automated workflows are supported by human review.
In the transition from having an idea to founding a startup, Song is balancing the needs of the present, such as sales, and the future, related to technology tasks and to how AI is rapidly evolving, with both positive and negative impacts on the field of cybersecurity.
As a new founder, Song finds inspiration from talking to QED customers, who provide insights into their problems and the next things to work on, as well as to venture capital organizations. “They like to play devil’s advocate,” said Song. “They ask really good questions, which really make me think about the work we are doing and what else we need to consider.”
Regarding the use of AI in cybersecurity, Song also highlights that the speed at which the technology field is changing poses challenges and adds complexity. Song’s advisor at Georgia Tech, Professor Kim, remains not only an advisor to QED, but also a mentor. “He has been in this space for around 20 years. Due to this, he can provide perspective about these times of extreme volatility, including how to keep focusing on what we are good at no matter what the external perspective,” said Song.
Move Fast, Without Breaking Trust
Quod erat demonstrandum is a Latin phrase meaning “that which has been demonstrated”. And proving that cryptocurrency can be reliable, secure, and trustworthy for financial institutions, companies, and consumers is exactly what QED is working to do.
As cryptocurrency is becoming more integrated into the economy, such as with stablecoins being used in fintech payments and fintech companies using blockchain rails for efficiency, it must become something that people can trust.
QED is supporting clients, including the Ethereum Foundation, while also continuing its research. QED’s technical work explores how to expand on the DARPA AIxCC-winning autonomous vulnerability discovery, paired with the team’s human review of protocol security across blockchain infrastructure.
“In cryptocurrency hacks, your balance can become zero in a matter of seconds. And this has happened over the past five years,” said Song. “At QED, we allow people to move fast, but not break things.”
