SEC-bench

📣 News

• [Dec 2025]: OSS-Fuzz instances are now integrated into SEC-bench!
• [Sep 2025]: SEC-bench has been accepted to NeurIPS 2025!
• [June 2025]: We release the SEC-bench benchmark with PoC Generation and Vulnerability Patching tasks
• [June 2025]: SEC-bench dataset is now available on HuggingFace!

SEC-bench Overview

SEC-bench is the first fully automated benchmarking framework for evaluating LLM agents on authentic security engineering tasks.

SEC-bench employs a novel multi-agent scaffold that automatically:

• 1 Constructs code repositories with harnesses from CVE reports
• 2 Reproduces vulnerabilities in isolated Docker environments
• 3 Generates gold patches for reliable evaluation

The benchmark includes two main tasks: PoC Generation (generating proof-of-concept exploits) and Vulnerability Patching (fixing security vulnerabilities).

PoC Generation Task

PoC Generation evaluates the ability of LLM agents to craft proof-of-concept (PoC) artifacts that trigger specified vulnerabilities. A submission is considered successful only if it creates a working PoC artifact that triggers a valid sanitizer error.

Evaluation Modes:

SEC-bench supports three evaluation modes with varying levels of information provided to agents:

Note: Current leaderboard results are evaluated using the poc-san mode. Read more about evaluation modes in our blog post.

Vulnerability Patching Task

Vulnerability Patching evaluates the ability of LLM agents to generate patches that fix security vulnerabilities in real-world software projects.

Given a CVE description and the vulnerable code repository, LLM agents must:

• Understand the root cause of the vulnerability
• Locate the vulnerable code in the repository
• Generate a correct patch that fixes the vulnerability without breaking functionality