A research initiative led by Microsoft, known as the Paraphrase Project, has demonstrated that artificial intelligence can be used to redesign biological toxins in ways that evade current biosecurity screening software. The project, detailed in a paper published in the journal Science, identified a “biological zero-day”—a previously unknown vulnerability—and developed a defense for it by applying principles from cybersecurity.
The initial concern, raised by Microsoft’s Eric Horvitz, was that open-source AI tools could theoretically be used to reengineer toxins that would be invisible to existing biosecurity systems.
How synthetic biology and its safeguards work
The field of synthetic biology allows scientists to order custom-printed strands of DNA from synthesis companies. Before a company ships the genetic material, it runs the requested DNA sequence through biosecurity screening software. This software compares the sequence against regulated databases of known threats, such as toxins or pathogens, to prevent misuse.
The International Gene Synthesis Consortium (IGSC) helps curate these databases. However, as AI tools become more powerful, the risk increases that someone could design a novel protein that looks harmless to the software but behaves like a toxin once created.
Testing the system with a biological zero-day
To investigate this risk, Horvitz teamed up with Microsoft senior applied scientist Bruce Wittmann. They used an AI model called EvoDiff to generate thousands of synthetic variants of the potent toxin ricin. The goal was not to make the toxin more dangerous, but to test the limits of current screening systems.
The process was akin to paraphrasing a sentence: the meaning (the protein’s function and active sites) remains the same, but the words (the amino acid sequence) change.
When these reformulated sequences were tested against the screening systems of two leading DNA synthesis companies, Twist Bioscience and Integrated DNA Technologies, they passed through undetected.
“I don’t think we were necessarily surprised that it sailed right through. Anything that can be used for good can be used for bad. But providing a solution helps avoid a knee-jerk reaction that prevents the use of these tools for good.”
Wittmann told the Microsoft Research blog.
Developing a defense using a cybersecurity framework
After proving the vulnerability, the team worked to create a solution. Jake Beal, a scientist at RTX BBN Technologies, was tasked with developing digital safeguards that could catch these reformulated toxins. The project adopted a framework from the cybersecurity playbook, treating the biological vulnerability like a software zero-day and organizing a response similar to a Computer Emergency Response Team (CERT).
The solution was to develop updated detection algorithms. The key shift was to move beyond simply checking what a DNA sequence looks like and toward a deeper, semantic understanding of what the protein it codes for actually does. By training the screening systems to recognize the functional characteristics of a threat, they were able to detect the AI-generated variants.
The path forward and responsible disclosure
The project successfully demonstrated both the existence of the vulnerability and a viable path to patching it. The outcome was a relief for the DNA synthesis companies involved.
“The public at large wants to be able to trust that companies using these amazing technologies to build new products and services are safe and effective, and have their best interest in mind. A big piece of this is making sure you’re a responsible steward of the technology you’re developing.”
said James Diggans, vice president of policy and biosecurity at Twist Bioscience.
The Paraphrase Project established a protocol for red-teaming biosecurity tools and managed a global response to an AI-enabled biosecurity threat. It also serves as a model for how to publish sensitive research in a way that balances openness with caution.
Researchers are clear that this is only the beginning. As technology advances, protective measures must evolve with it. The project highlights the need for a continuous, adaptive approach to biosecurity.
“This is about what the sequence does, not just how it looks. Even if two sequences look different, they might still do the same thing—like cause illness or perform the same job in a cell.”
said Horvitz.
