Without Human Input, Google’s Big Sleep Finds 20 Open Source Vulnerabilities


Google’s AI tool ‘Big Sleep’ flags 20 security flaws in open source software without human input.

Developed by DeepMind in collaboration with the company’s elite Project Zero team, the AI tool marks a significant step in automating security research. The newly identified vulnerabilities were found in tools such as FFmpeg and ImageMagick, widely used for processing multimedia files. Google has not yet disclosed the technical specifics of the issues but confirmed that the flaws were both identified and reproduced by the AI itself. A human analyst later reviewed and verified the reports before submission.

“This is not about replacing human security researchers, but about augmenting their capabilities,” a Google spokesperson said. “Our AI bug hunter can perform thousands of tests in the time it takes a human to run a few. This allows our security teams to focus on the more intricate and strategic aspects of cybersecurity, while the AI handles the repetitive and time-consuming work.”

AI-led discovery, human-reviewed process

Big Sleep’s findings were publicly shared by Heather Adkins, Google’s Vice President of Security, in a post on X (formerly Twitter). “Today as part of our commitment to transparency in this space, we are proud to announce that we have reported the first 20 vulnerabilities discovered using our AI-based ‘Big Sleep’ system powered by Gemini,” wrote Adkins.

The vulnerabilities span a range of open source libraries as well as components used internally by Google. Although still early in deployment, the system is being positioned as a scalable tool that can consistently assist in surfacing previously overlooked issues.

Unlike traditional vulnerability scanning tools, Big Sleep simulates the behaviour of malicious users. It analyses codebases and network services to probe for weaknesses, adaptively learning from its environment and evolving its methods to expose more complex, layered issues.

Big Sleep joins a growing list of AI-based bug-hunting tools such as RunSybil and XBOW, the latter of which recently topped the HackerOne bug bounty leaderboard in the United States. Experts remain optimistic but cautious about AI’s growing involvement in vulnerability research.

Even so, industry figures are backing Big Sleep’s credibility. Vlad Ionescu, co-founder of RunSybil, described it as “a serious project backed by the right expertise and infrastructure.”
