Big Sleep: From Research Lab to Front-Line Defender
In October 2024, Google DeepMind and Project Zero unveiled Big Sleep, an agentic AI framework designed to hunt zero-day vulnerabilities. After discovering a specific kind of coding error (a “stack buffer underflow”) in SQLite that could create a security hole (patched before release), Big Sleep set its sights on active threats.
October 2024 – First real-world flaw found by Big Sleep: a stack buffer underflow in SQLite missed by OSS-Fuzz.
November 2024 – Google publishes a white paper on securing AI agents with a “hybrid defense-in-depth” strategy, which means mixing smart AI defenses with traditional, rule-based security.
July 15 2025 – Big Sleep isolated and blocked CVE-2025-6965, a critical bug in SQLite where a number calculation goes wrong (“integer-overflow”), potentially crashing the system or letting hackers in. This was known only to threat actors, and the block happened before any exploit reached production.
How It Worked
Threat-Intelligence Fusion Google Threat Intelligence noticed unusual chatter and scanning activity targeting SQLite. Indicators alone couldn’t pinpoint the flaw.
Automated Code Probing Big Sleep fed the SQLite software code into an LLM that was specially trained on billions of lines of code, autonomously generating and testing malicious payloads.
Precision Isolation Within minutes, the agent flagged the exact function causing the overflow and assessed real-world exploitability.
Human-In-The-Loop Verification Project Zero analysts reproduced the bug, verified Big Sleep’s findings, and issued a patch—neutralizing the threat in under 48 hours.
Why This Is a Game-Changer
Cybersecurity has long suffered the “patch gap”—the interval between discovery and mitigation when hackers strike. Big Sleep flips the script: it predicts imminent exploitation and blocks attacks at machine speed. This breakthrough signals the end of alert fatigue and the dawn of autonomous protection.
EU’s GPAI Guidelines: Setting the Guardrails
Just three days after Big Sleep’s victory, on July 18 2025, the European Commission published Guidelines for providers of General-Purpose AI (GPAI) under the AI Act. These clarify obligations that take effect on August 2, 2025:
Defining GPAI: Models powerful enough to perform an enormous number of calculations (surpassing 1023 FLOPs, or floating-point operations) are presumed GPAI. Extremely powerful models that can perform 100 times that amount (above 1025 FLOPs) are considered a systemic risk and require stricter controls.
Documentation & Transparency: Providers must maintain life-cycle technical documentation, publish training-data summaries, and clarify copyright compliance.
Risk Mitigation & Reporting: Systemic-risk models must undergo evaluations, incident reporting, and robust cybersecurity measures.
Phased Compliance: New models must comply immediately upon market entry (Aug 2 2025); enforcement powers kick in Aug 2 2026. Pre-existing models have until Aug 2 2027 to meet standards.
What You Need to Know
Enterprises adopting GPAI must audit model FLOPs (floating-point operations per second), update documentation, and implement copyright policies now.
Developers of open-source models should verify exemptions but remain ready for transparency requirements.
Security Teams should explore integrating agentic AI—Big Sleep’s success shows defenders gain asymmetric advantages when machines take the lead.
Key milestones of Big Sleep and EU GPAI guidelines
Ahead of the Curve
Whether you’re writing your first “Hello, World!” or safeguarding a global SaaS platform, these developments matter. The shift from reactive to predictive defense demands new skills and governance:
Build layered security systems that use both smart AI agents and traditional, rule-based protections.
Train analysts to oversee and audit AI-driven mitigation.
Align AI governance with evolving EU rules, ensuring compliance and transparency.
You heard it here first: AI is not just a tool for analysis—it’s a cyber sentry. Big Sleep’s interception of CVE-2025-6965 and the EU’s GPAI framework in the same week marks a watershed in digital defense.
This means that autonomous protection is here to stay.