
Google says it has used artificial intelligence to head off the exploitation of a vulnerability in the wild, and describes the case as the first time an AI agent has directly foiled a real-world attack before it could cause damage.
The case involved Google's Big Sleep AI agent and a critical SQLite vulnerability (CVE-2025-6965). According to Google, threat intelligence indicated that the flaw was already known to threat actors and at risk of imminent exploitation; by combining that intelligence with Big Sleep's AI-driven vulnerability research, Google says it was able to "cut off" the attack before it could impact users. Because SQLite is an embedded library shipped inside a vast number of applications, the fix only reaches end users once each downstream product bundles the patched release.
"We believe this is the first time an AI agent has been used to directly foil efforts to exploit a vulnerability in the wild," Google wrote.
The Big Sleep agent, developed by Google DeepMind and Project Zero, has been hunting for previously unknown security vulnerabilities since its launch; its first real-world find, a memory-safety bug in SQLite, was disclosed in November 2024.
The AI agent operates by autonomously searching software for security flaws, effectively scaling human security researchers' capabilities. Big Sleep has now discovered multiple real-world vulnerabilities, exceeding Google's initial expectations and demonstrating AI's potential to plug security holes before they impact users.
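As a practical follow-up to the SQLite case, the following added example (written for this page; it is not Google's, Big Sleep's or the SQLite project's code) compares SQLite version strings against the release that closed CVE-2025-6965 and reports which components in an inventory still need a patch. The 3.50.2 threshold is taken from the CVE advisory rather than from this article and should be confirmed against the SQLite release notes before relying on it; the component inventory at the bottom is constructed sample input.

```python
import re
import sqlite3

# First SQLite release that closes CVE-2025-6965, per the CVE advisory.
# Assumption taken from the advisory, not from the article: confirm on sqlite.org.
FIXED_VERSION = (3, 50, 2)

# Accept "3.50.2", "3.50", "3.46.1 2024-08-13 ..." (trailing text ignored).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn a SQLite version string into a numeric tuple so comparisons are
    numeric, not lexical: "3.9.0" must sort below "3.50.2"."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SQLite version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_vulnerable(version: str, fixed: tuple[int, int, int] = FIXED_VERSION) -> bool:
    """True when the reported version predates the fixed release."""
    return parse_version(version) < fixed


def check_bundled_sqlite() -> tuple[str, bool]:
    """Report the SQLite library that this Python interpreter links against.
    Caveat: this says nothing about other copies on the host (browsers, mobile
    apps and statically linked binaries carry their own SQLite)."""
    version = sqlite3.sqlite_version
    return version, is_vulnerable(version)


def scan_versions(reported: dict[str, str]) -> list[str]:
    """Given {component: version} from an asset inventory, return the components
    whose SQLite build still needs the fix."""
    return [name for name, version in reported.items() if is_vulnerable(version)]


# Constructed sample inventory (hypothetical component names and versions).
SAMPLE_INVENTORY = {
    "backend-api": "3.50.2",
    "mobile-client": "3.46.1",
    "legacy-reporting": "3.9.0",
    "data-pipeline": "3.51.0",
}

if __name__ == "__main__":
    version, vulnerable = check_bundled_sqlite()
    print(f"interpreter SQLite {version}: {'NEEDS PATCH' if vulnerable else 'ok'}")
    for name in scan_versions(SAMPLE_INVENTORY):
        print(f"{name}: SQLite {SAMPLE_INVENTORY[name]} predates 3.50.2")
```

The numeric tuple comparison is the point of the example: a naive string compare ranks "3.9.0" above "3.50.2" and would silently pass a vulnerable build. Treat the interpreter check as one data point only and feed real version strings from each application's own SQLite into the scan.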
Google is expanding its AI security arsenal with three distinct tools that address different aspects of cybersecurity defense:
- Big Sleep Agent: An autonomous vulnerability hunter that proactively searches software for unknown security flaws, scanning code to discover vulnerabilities before malicious actors can exploit them. Google cites its role in the SQLite case as evidence of its real-world effectiveness.
- Timesketch: Google's open-source digital forensics platform now features agentic capabilities powered by Sec-Gemini. This upgraded system automatically performs initial forensic investigations, dramatically reducing the time analysts spend sifting through incident data and allowing them to focus on complex threat analysis.
- FACADE System: A sophisticated insider threat detection system that has been quietly protecting Google's infrastructure since 2018. Using contrastive learning techniques, FACADE processes billions of daily security events to identify internal threats without requiring historical attack data, making it highly adaptable to new threat patterns.
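To make the "no historical attack data" property concrete, here is an added, deliberately small example written for this page. It is not FACADE's code or model: where FACADE uses contrastive learning over billions of events, this stand-in substitutes a rarity score against an actor's role peers, so the only input it needs is a history of normal behaviour. The events, actors, roles and resources below are constructed sample input, and the threshold is an arbitrary choice.

```python
import math
from collections import Counter, defaultdict

# Constructed benign history: (actor, role, action, resource).
# Only normal behaviour is supplied; no labelled attacks appear anywhere.
BASELINE_EVENTS = [
    ("bob", "swe", "read", "repo/app"),
    ("bob", "swe", "read", "repo/app"),
    ("carol", "swe", "read", "repo/app"),
    ("carol", "swe", "read", "repo/app"),
    ("alice", "swe", "read", "repo/app"),
    ("alice", "swe", "read", "repo/app"),
    ("bob", "swe", "deploy", "staging"),
    ("carol", "swe", "deploy", "staging"),
    ("alice", "swe", "deploy", "staging"),
    ("bob", "swe", "deploy", "staging"),
    ("dave", "finance", "read", "ledger"),
    ("dave", "finance", "read", "ledger"),
    ("erin", "finance", "read", "ledger"),
    ("erin", "finance", "read", "ledger"),
    ("dave", "finance", "read", "ledger"),
    ("dave", "finance", "export", "ledger"),
    ("erin", "finance", "export", "ledger"),
    ("erin", "finance", "export", "ledger"),
]

# Constructed events to score against that history.
NEW_EVENTS = [
    ("alice", "swe", "export", "ledger"),       # engineer exporting the ledger
    ("bob", "swe", "read", "repo/app"),         # routine
    ("erin", "finance", "export", "ledger"),    # routine for finance
    ("frank", "contractor", "read", "repo/app"),  # role with no history at all
]


def build_profiles(events):
    """Per-role counts of (action, resource) pairs plus per-role event totals."""
    role_counts = defaultdict(Counter)
    role_totals = Counter()
    for _actor, role, action, resource in events:
        role_counts[role][(action, resource)] += 1
        role_totals[role] += 1
    return dict(role_counts), role_totals


def surprise(profile, role, action, resource, alpha=1.0):
    """-log of the Laplace-smoothed probability that someone in `role`
    performs (action, resource). Unseen pairs stay finite; a role with no
    history at all is treated as maximally surprising rather than scoring 0."""
    role_counts, role_totals = profile
    total = role_totals.get(role, 0)
    if total == 0:
        return math.inf
    counts = role_counts[role]
    vocab = len(counts) + 1  # one extra symbol stands in for "anything unseen"
    p = (counts[(action, resource)] + alpha) / (total + alpha * vocab)
    return -math.log(p)


def score_events(profile, events, threshold):
    """Return [(event, score)] for events at or above the threshold, in order."""
    flagged = []
    for event in events:
        _actor, role, action, resource = event
        s = surprise(profile, role, action, resource)
        if s >= threshold:
            flagged.append((event, s))
    return flagged


if __name__ == "__main__":
    profile = build_profiles(BASELINE_EVENTS)
    for (actor, role, action, resource), s in score_events(profile, NEW_EVENTS, 2.0):
        print(f"FLAG {actor} ({role}) {action} {resource}: surprise={s:.2f}")
```

Two design points carry over to any unsupervised detector of this kind: smoothing keeps a single never-seen action from producing an infinite score that drowns out everything else, and an actor whose peer group has no baseline must be handled explicitly, since a naive "probability of what we have seen" would otherwise rate their every action as perfectly normal.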
These developments represent a significant shift in cybersecurity defense strategies, with AI agents freeing security teams to focus on high-complexity threats while dramatically scaling their impact and reach.
Google emphasized that these tools are being developed according to secure-by-design principles, with human oversight and transparency safeguards.
The company is also contributing to industry-wide security improvements through the Coalition for Secure AI (CoSAI) and will donate data from its Secure AI Framework to accelerate collaborative cybersecurity efforts.
As AI-powered attacks become more sophisticated, Google's proactive approach demonstrates how artificial intelligence can give defenders the upper hand in the ongoing cybersecurity arms race.