Thank you for your feedback.

On the point that the paper is unsuitable as a benchmark, we respectfully disagree, as there are no other papers taking a systematic, literature-grounded approach to the challenge curation process – our incorporation of the ATT&CK categories. These categories are used in cybersecurity literature and practical applications and from what we can see, a structure for evaluation such as this is not currently represented in the literature. As an addendum, a recent literature review of cyber capabilities evaluation literature, whose authors we recently spoke with, identified the lack of systematic evaluation as a key limitation to the existing literature. After we spoke with them, they mentioned that we indeed captured one of their biggest points of critique.

On experiments, we feel that the range of models and tasks used was wide, representing most state-of-the-art models, including open source models, as well as focusing on representativeness of the challenges as we have mentioned above. Could you share some experiments that you would be interesting for us to run?

A sincere thank you for engaging with our work so thoroughly. We address your comments on the weaknesses below:

On Weaknesses

1. For understanding the challenges in greater detail, please take a look at our run visualizer website: https://copper-autonomy-deteriorate.github.io/ To see details of each run, click into each run (i.e. Run 15388). You may have to wait for some time for the results to load. Afterwards, the runs are visible in the pane that appears to the side. To address your point on the disparity in the perceived difficulty of the challenges, you make a great point about how what is easy to a human may not be easy to an agent. Although nmap is an easy tool for a human to use, it is brittle in that the challenge requires adherence to the communication protocol to invoke the tool and parse its outputs successfully, which is a big hurdle for smaller models. Please see the answer to question 3 for more discussion.

2. Concretely, each run is fully specified by a configuration file that contains the docker container(s) needed, setup files, starting prompt for the LM agent, etc. For instance, for the nmap challenge, the spec may be found here: https://github.com/copper-autonomy-deteriorate/outline-chord-transmission/blob/main/task_configs/nmap.toml Additionally, the full specifications of each challenge are in this folder of our Github Repository: https://github.com/copper-autonomy-deteriorate/outline-chord-transmission/blob/main/task_configs/ This is with the exception of our 4 excluded challenges: dfbit, bashhistory, sshhijack, cnc.

3. We have updated the README with more detailed instructions of how to run some sample challenges. (link)

On Questions

1. For every challenge, together with the definition itself (environment, goal, max number of turns, etc), a range of prompts is created manually. This set of prompts is intended to cover a range of conceptual framings (offensive agent, security competition, abstract problem) and communication protocols (as some models are very sensitive to formatting). For some challenges, the prompts also include hints, in order to extract a more meaningful signal from run logs. All in all, coming up with the set of different prompts+protocols is intended to represent a good-faith attempt at crossing the elicitation gap of prompt engineering. Future work could include automated prompt optimization a-la https://arxiv.org/pdf/2305.03495.
2. Specific environment requirements are encoded in the challenge definition TOML files. A challenge is assumed to need 1 or more docker containers joined in a network, with each container having their own files (including the Dockerfile from which the image is built), and container-level metadata, such as its network IP address or the necessary RAM size.
3. We think there’s several non-trivial factors at play here:
   1. The question of definitions of “success” and “fail”. On the level of individual runs, stochasticity of LLMs has significant influence. While a weaker model is unlikely to solve a hard challenge end-to-end by rolling a lucky token, a stronger model can definitely go into unhelpful rabbit holes. The bashhist challenge is basically a sanity check, with the answer hidden in a sea of red herrings, necessitating a degree of perspective from the model. Still, from the logs we can see that many strong models get misled and run out of tokens.
   2. In our view, for a given model and a challenge, the most meaningful problem framing is “Can the challenge be solved at all even once, given strong elicitation and many runs?”. It is only bottlenecks on challenge creation and token budgets that force us to rely on measures like Average Success Rate, which is more likely to exhibit the behavior you point out.
   3. But most importantly, what is easy or hard for a human cybersecurity practitioner is not necessarily the same for LLMs. While there’s a slew of trivial failings that some LLMs display (failure to follow the protocol, messing up the environment state, not being able to use TUI elements like “press c to continue”, etc.), the issue is much deeper. The text format, communication protocols, turn limitations, and inherent differences between how humans and LLMs interact with the environment make direct comparisons of challenge difficulty hard. We conjecture that any motivated human practitioner will be able to solve all challenges in our set, given time and tools, but even the strongest model will struggle to solve all of them, all the time, in the message budget allotted.

Dear reviewer,

We appreciate your positive perspective on our work's future potential and our experiments. Regarding your concerns:

You mention that our paper does not introduce new approaches within the topic of “alignment, fairness, safety, privacy, and societal considerations”. We respectfully disagree, as there are no other papers taking a systematic, literature-grounded approach to the challenge curation process – our incorporation of the ATT&CK categories. These categories are used in cybersecurity literature and practical applications and from what we can see, a structure for evaluation such as this is not currently represented in the literature. As an addendum, a recent literature review of cyber capabilities evaluation literature, whose authors we recently spoke with, identified the lack of systematic evaluation as a key limitation to the existing literature. After we spoke with them, they mentioned that we indeed captured one of their biggest points of critique.

Weaknesses

1. We reference these benchmarks in the Related Works section, but you are correct that we can make it clearer in the methodology section as well. The evidence for this claim is in the scaffolding we have built. Whereas existing benchmarks often use a question-answering structure (e.g. the WMDP benchmark), we use a realistic simulation of a network of multiple computers that the AI agent interacts with. Whereas we cannot be confident that an agent who answers a question about extracting passwords from the bash history correctly can actually extract said information in a real-world setting, I can be confident that the same agent can extract passwords from the bash history if they're able to do it in a realistic multi-step interactive simulation, such as what the 3cb harness provides.

2. We do not construct the challenges from existing material. Whereas similar work copy existing challenges from the web (see e.g. SWE-bench, CyBench, and others), we create our own original challenges guided by the spirit of the tactic categories. I.e., they are novel in design and avoid being in the training dataset of any models.

3. Yes, the challenges are publicly released on both Github: https://github.com/copper-autonomy-deteriorate/outline-chord-transmission/ and in an interactive format (demonstration) on our website https://copper-autonomy-deteriorate.github.io/.

4. There’s a long list of next steps one can take from our work in this paper. However, we will argue that we adequately cover the novelty of introducing a proper systematic design to the challenge creation process and that the validation of said approach is represented in the paper through the results we present. While it would be very interesting to dive deeper into the results, our further explorations (e.g. clustering of the challenge runs and visualization of these, manual investigations of the runs, etc.) are not included due to the page limit. Additionally, it's not crucial to the arguments we present. To expand on the next steps you propose:

Can specialized LLMs/Agents do better than e.g. vanilla gpt-4o? They probably would! However, what we also show is that despite the differences in training approaches for the models (some more on code than others), the best ones are still the largest ones (GPT-4o and Claude).

Why do some models succeed and some don't? We include analyses of the elicitation gaps in our research to try to extract the most capable versions of each model. As mentioned in the paper, the best-performing combinations for each model is included in the results and we have these results, though we prioritized other parts of our experiments in the main paper.

Dear Reviewer,

Thank you for your continued engagement with our work.

I do not see much advance in ML or AI here

Benchmarks, by design, do not typically advance ML/AI capabilities directly, giving "no new technique in safety, alignment, privacy, or social considerations". Rather, they serve the crucial scientific function of measuring and understanding current capabilities. Just as GLUE and SuperGLUE didn't advance language model capabilities directly but provided essential insights into model performance, our benchmark provides systematic understanding of where current AI systems stand regarding multi-step reasoning in practical scenarios about highly relevant and impactful cyber-offense scenarios, and should be judged on this basis.

Our benchmark makes several key contributions to ML/AI research by:

1. Providing the first systematic evaluation framework for complex, multi-step reasoning in interactive scenarios with our outlined taxonomy, providing a roadmap to comprehensive coverage of cyber attacks by AIs.
2. Revealing important insights about current model capabilities and limitations
3. Establishing reproducible metrics for tracking progress in this domain

We would welcome specific suggestions for better communicating these contributions in the paper.

Best regards, The Authors