ExploitGym
Progress Over Time
Interactive timeline showing model performance evolution on ExploitGym
ExploitGym Leaderboard
| Context | Cost | License | ||||
|---|---|---|---|---|---|---|
| 1 | GPT-5.6 SolNew OpenAI | — | 1.1M | $5.00 / $30.00 | ||
| 2 | OpenAI | — | 1.1M | $2.50 / $15.00 | ||
| 3 | GPT-5.6 LunaNew OpenAI | — | 1.1M | $1.00 / $6.00 |
What is ExploitGym?
ExploitGym is a large-scale, realistic benchmark built from real-world vulnerabilities across userspace programs, Google's V8 engine, and the Linux kernel. Given a vulnerability and a proof-of-vulnerability input, agents must craft a working end-to-end exploit that achieves unauthorized code execution.
ExploitGym is a text benchmark evaluating models on safety, agents, and code tasks. LLM Stats tracks 3 models on this benchmark, scored on a 0–1 scale. The current average is 0.2, with the leader at 0.3.
Compare leaders on the best AI for safety, best AI for agents and best AI for code leaderboards.
Current leaders
GPT-5.6 Sol from OpenAI currently leads the ExploitGym leaderboard with a score of 0.337 across 3 evaluated AI models.
Source paper
- Title
- ExploitGym: Can AI Agents Turn Security Vulnerabilities into Real Attacks?
- Authors
- Zhun Wang, Nico Schiller, Hongwei Li, Srijiith Sesha Narayana, and 12 others
- Published
- arXiv
- 2605.11086
Abstract
AI agents are rapidly gaining capabilities that could significantly reshape cybersecurity, making rigorous evaluation urgent. A critical capability is exploitation: turning a vulnerability, which is not yet an attack, into a concrete security impact, such as unauthorized file access or code execution. Exploitation is a particularly challenging task because it requires low-level program reasoning (e.g., about memory layout), runtime adaptation, and sustained progress over long horizons. Meanwhile, it is inherently dual-use, supporting defensive workflows while lowering the barrier for offense. Despite its importance and diagnostic value, exploitation remains under-evaluated. To address this gap, we introduce ExploitGym, a large-scale, diverse, realistic benchmark on the exploitation capabilities of AI agents. Given a program input that triggers a vulnerability, ExploitGym tasks agents with progressively extending it into a working exploit. The benchmark comprises 898 instances sourced from real-world vulnerabilities across three domains, including userspace programs, Google's V8 JavaScript engine, and the Linux kernel. We vary the security protections applied to each instance, isolating their impact on agent performance. All configurations are packaged in reproducible containerized environments. Our evaluation shows that while exploitation remains challenging, frontier models can successfully exploit a non-trivial fraction of vulnerabilities. For example, the strongest configurations are Anthropic's latest model Claude Mythos Preview and OpenAI's GPT-5.5, which produce working exploits for 157 and 120 instances, respectively. Notably, even with widely used defenses enabled, models retain non-trivial success rates. These results establish ExploitGym as an effective testbed for exploitation and highlight the growing cybersecurity risks posed by increasingly capable AI agents.
FAQ
Common questions about the ExploitGym benchmark and leaderboard.