Hi, I'm Andrew Fasano — a senior cyber researcher working at the intersection of AI and cyber, figuring out how capable leading models are and what to do about it.

My research is less about running benchmarks and more about figuring out what to measure in the first place. That can mean designing new benchmarks grounded in realistic threat models, or spending weeks with a single model deployed as a coding agent, pushing past automated scores to find real vulnerabilities and to build working exploits.

My work today remains focused on the same question I've worked on for over a decade: how do you rigorously evaluate cyber capability when ground truth is hard to come by? Most recently, I led the cyber workstream at NIST's Center for AI Standards and Innovation (CAISI), assessing the hacking capabilities of frontier AI models — briefing senior USG stakeholders including the White House, and convening the TRAINS interagency taskforce to debate methodology and the significance of results with experts across government. Before that, at MIT Lincoln Laboratory's Cyber System Assessments Group, I built benchmarks for vulnerability discovery, helped define the field of firmware rehosting, and developed dynamic-analysis platforms used across the security research community. My roots in the cyber community go back to RPISEC, and I later led a joint RPISEC + MIT-LL team to a top-10 finish at DEF CON CTF finals.

Recently

2026.05
Found and disclosed vulnerabilities in the Linux kernel, Windows kernel, Exim, and Dnsmasq.
2025.09
OpenAI publicly described my finding in ChatGPT Agent as a "sophisticated exploit chain combining traditional software vulnerabilities with AI vulnerabilities."
2024.08
Presented "A Reverse Engineer's Guide to Mechanistic Interpretability" at DEF CON, on understanding the internals of large language models.

Projects

Talks

Awards

R&D100 Award
2020.09
LAVA was awarded an R&D100 award for its impact advancing the state of the art in vulnerability discovery and enabling rigorous, large-scale evaluation of automated security tools.
MIT Lincoln Scholar Award
2019.09
Selected to receive special funding through a competitive process to pursue advanced research in cybersecurity and dynamic program analysis.
MIT Lincoln Laboratory Team Award
2017.06
Recognized for outstanding technical achievement in advancing cybersecurity research and tooling development.

Disclaimer

This is a personal website. The views expressed here are my own and do not represent the views of my employer or any other organization.