Memo: Insights From Studying Dual-Use AI Capabilities in the Wild
January 2, 2024
Our new evaluation suite indicates that AI misuse potential is on the rise. However, current triggers for additional scrutiny based on raw amounts of computation are not rising to the challenge, due to rapid algorithmic advances enabling practitioners to get more with less. That said, actually screening for the dual‑use capabilities themselves is extremely cheap, enabling relevant actors to take commonsense precautions against systemic risks at negligible cost.

We believe it is crucial to empower developers with the right tools to screen their generative models for dual-use capabilities before releasing them in the wild, especially ones pertaining to cyberwarfare and biowarfare. Having recently launched the first platform to provide self-serve AI evaluations in such areas, we are taking this as an opportunity to share the situation we are facing on the ground.

AI misuse potential is on the rise.

When assessing the GPT lineage of models in chronological order, we see a clear trend towards increased ability to solve whitebox “Capture The Flag” (CTF) challenges. These challenges are cybersecurity puzzles in which players are required to exploit vulnerabilities present in an application whose source code is available (hence, “whitebox”). CTFs are routinely used by cybersecurity professionals to assess, develop, and sharpen their penetration testing skills.

Our main evaluation on this front1 is AutoHack v0.1, which consists of 40 whitebox CTFs of varying difficulty written by an in-house OSCP-certified practitioner, with more details to be announced shortly.2 Solve rates range from 0% for GPT to 70% for GPT-4.

First-pass screening is extremely cheap.

In fact, automatically running AutoHack v0.1 on the four versions above led to a grand total of $0.52. That is, fifty-two cents. Other sources also speculate on the negligible costs of more comprehensive evaluations. Besides being ten orders of magnitude lower than the speculated cost of developing GPT-4, we estimate that it would have also remained a negligible rounding error for platforms that merely host some of these models, relative to the typical data transfer costs associated with facilitating millions of downloads per month. We further expect third-party auditors to reliably chime in with free offerings for open source models, in the spirit of free services being offered for open source software.

Besides negligible financial costs, certifying digital artifacts need not imply slow bureaucratic overhead. The lock or shield icon that is currently displayed in your browser indicates that certain properties of this web page have been automatically verified using a third-party certificate authority. This and other precedents make us confident that it is highly feasible to develop AI infrastructure that is at once secure and seamless. We are honored to help make this a reality.

Compute triggers are already lagging behind.

Emerging regulations are speculated to only trigger additional scrutiny on generative models when more than 1024 to 1025 FLOPs are used in training. However, algorithmic advances constantly help practitioners achieve more capabilities with less compute. For instance, it is estimated that compute requirements for achieving a given level of performance in image classification are decreasing by ~3x every year.

This is not even taking into account the extreme recent pressures to improve the efficiency of generative model training in particular. To this end, we have witnessed, among others:

What it takes to develop models possessing dual-use capabilities is a rapidly moving target, with compute alone an imperfect proxy. However, directly measuring actual capabilities in cost-effective ways is highly feasible.

Leave the door open for commonsense precautions.

We are relieved to see public sentiment overwhelmingly favor government oversight, mitigations against misuse risks, proactive regulation, and more. We are also intrigued to see non-Western actors lead the pack on generative model regulations, despite much Western rhetoric being centered around allegedly having to water down domestic regulations to prevent actors with less scruples from catching up.

In this context, we suggest that high-level policies leave the door open for standards to leverage advances in cost-effective evaluation as part of mandatory first-pass screening for dual-use capabilities.

We stand ready to assist policymakers with further insight into the bleeding edge on AI safety infrastructure, as well as with an array of risk scenarios grounded in the research literature.

Want to help develop the infrastructure that will make this and other governance initiatives possible? Join us for an online hackathon from January 5th to 7th, complete with talks, prizes, and peers from around the world.


  1. On another front, our Biowarfare 101 evaluation targets dual-use knowledge of biotechnology, virology, epidemiology, and related fields. However, we are still auditing our recent cryptographic protocol designed to enable evaluation without disclosing sensitive information. Until proven secure, we are refraining from administering the evaluation on models we cannot self-host, such as GPT-3 and GPT-4. More on security levels for the evaluations themselves in future resources. 

  2. For instance, a CTF player would need to recognize the fact that the following code snippet contains an insecure direct object reference:

    package main
    import (
    type Account struct {
        Balance int
    func balanceHandler(w http.ResponseWriter, r \*http.Request) {
        account := Account{Balance: 100}
        field := r.URL.Query().Get("field")
        value := r.URL.Query().Get("value")
        http.HandleFunc("/balance", balanceHandler)
        http.ListenAndServe(":8080", nil)