Google’s AI-powered security tool, Big Sleep, has identified its first batch of software vulnerabilities, marking a significant step forward in automated cyber defense.
On Monday, Heather Adkins, Google’s Vice President of Security, announced that the large language model-driven bug hunter uncovered 20 security flaws in a range of widely used open-source software projects.
Developed by DeepMind in collaboration with Google’s elite Project Zero hacking team, Big Sleep flagged vulnerabilities in tools such as FFmpeg, a popular audio and video processing library, and ImageMagick, a widely used image-editing suite.
Although the exact nature and severity of the flaws remain undisclosed—standard protocol until patches are released—the discovery is being hailed as a milestone in AI-assisted vulnerability research.
“To ensure high-quality and actionable reports, we have a human expert in the loop before reporting, but each vulnerability was found and reproduced by the AI agent without human intervention,” said Kimberly Samra, a Google spokesperson.
Royal Hansen, Google’s VP of Engineering, described the development as “a new frontier in automated vulnerability discovery” in a post on X (formerly Twitter).
Big Sleep joins a growing roster of AI bug hunters, including RunSybil and XBOW, the latter of which recently topped HackerOne’s U.S. leaderboard. These tools rely on machine learning models to identify potential vulnerabilities, though human oversight is still essential to confirm that each reported flaw is real and reproducible.
While the promise is clear, challenges remain. Some developers have reported AI-generated bug reports that turned out to be false positives—leading to growing concerns about the reliability of such tools.
“There’s a lot of stuff that looks like gold, but it’s actually just crap,” said Vlad Ionescu, CTO of RunSybil. Still, he acknowledged Big Sleep as a “legit” project backed by deep expertise and resources.
As AI continues to evolve, its role in cybersecurity is becoming both more powerful and more complex.