In cybersecurity, the most dangerous threats are invisible. A silent vulnerability. A hidden bug. A flaw in the logic of a program written years ago that’s waiting to be found by the wrong person at the worst time. An attack takes minutes. Finding and fixing the weakness that let it happen? That could take months, assuming anyone ever finds it at all.
According to the FBI, the agency receives more than 2,000 cybercrime complaints each day, with reported financial damages topping $16 billion annually. The professionals needed to stop these crimes are in short supply. There are nearly 750,000 open cybersecurity jobs in the U.S. alone and 3.5 million worldwide.
That crisis is exactly what Tiffany Bao is working to address. Bao is an assistant professor of computer science and engineering in the School of Computing and Augmented Intelligence, part of the Ira A. Fulton Schools of Engineering at Arizona State University.
As a member of ASU’s cybersecurity faculty team, Bao is working hard to train students to fill the workforce pipeline. But while the shortage endures, she says we’ll have to address security threats not by hiring more humans, but by teaching computers to think like them.
For this work, Bao has received a prestigious 2025 National Science Foundation Faculty Early Career Development Program (CAREER) Award to support her bold research. Over the next five years, she and her team will develop a tool called SE-bot, a system designed to emulate the decision-making of elite cybersecurity experts.
Her goal? Make one of the most powerful and underused tools in software security accessible to anyone who needs it.
Maze running for machines
“Symbolic execution is incredibly useful,” Bao says. “But it’s complicated. You need a lot of experience and intuition to make it work. My research is about teaching computers to develop something like that kind of intuition on their own.”
Symbolic execution is at the heart of Bao’s innovative new work. At its core, it is a way to look inside a program and ask: What could make this go wrong?
It works by treating inputs, things like usernames, commands or data files, as symbols. Then, it explores all the possible paths the software could take depending on those inputs, tracing every decision point along the way.
“It’s like a logic puzzle,” Bao explains. “Imagine a program is a maze. Symbolic execution tries every path through the maze to find the one that leads to a trap.”
But in the real world, software programs are enormous. Even a small application might contain thousands of branching points. Exploring every possibility becomes painfully slow. To manage that complexity, experts rely on instinct to make educated guesses about which paths to explore and which to skip.
“Human experts know where to look first,” Bao says. “We want to build a machine that can do the same thing, one day perhaps even better.”
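The path exploration described above, as an added example that is not from the article or from the SE-bot project: a toy symbolic executor that walks every feasible branch of a constructed three-branch program, records each path's conditions, and produces a concrete input that reaches the trap. A brute-force search over a small integer range stands in for the constraint solver a real engine would use, and all names (PROGRAM, solve, explore, chain) are assumptions made for illustration.

```python
from itertools import product

DOMAIN = range(0, 32)  # assumption: tiny search space standing in for an SMT solver

def solve(constraints, names):
    """Return one assignment satisfying every (text, predicate, wanted) triple, or None."""
    for values in product(DOMAIN, repeat=len(names)):
        env = dict(zip(names, values))
        if all(pred(env) == wanted for _, pred, wanted in constraints):
            return env
    return None

def explore(node, names, constraints=()):
    """Depth-first walk of every feasible path; yields (outcome, path condition, witness)."""
    if isinstance(node, str):  # leaf: "ok" or "trap"
        cond = [f"{'' if wanted else 'not '}({text})" for text, _, wanted in constraints]
        yield node, cond, solve(constraints, names)
        return
    text, pred, then_node, else_node = node
    for wanted, child in ((True, then_node), (False, else_node)):
        path = constraints + ((text, pred, wanted),)
        if solve(path, names) is not None:  # prune branches no input can reach
            yield from explore(child, names, path)

# Constructed toy program:  if x > 10: if y == x + 5: if x < 13: trap
PROGRAM = ("x > 10", lambda e: e["x"] > 10,
           ("y == x + 5", lambda e: e["y"] == e["x"] + 5,
            ("x < 13", lambda e: e["x"] < 13, "trap", "ok"),
            "ok"),
           "ok")

def find_traps(program, names):
    """Path conditions and concrete witness inputs for every path ending in a trap."""
    return [(cond, wit) for outcome, cond, wit in explore(program, names) if outcome == "trap"]

def chain(n):
    """n independent branches on the bits of x: the path count doubles per branch."""
    node = "ok"
    for i in range(n):
        node = (f"bit {i} of x set", lambda e, i=i: (e["x"] >> i) & 1 == 1, node, node)
    return node

def count_paths(program, names):
    return sum(1 for _ in explore(program, names))

if __name__ == "__main__":
    print(find_traps(PROGRAM, ["x", "y"]))
    print([count_paths(chain(n), ["x"]) for n in range(1, 6)])
```

The second printed list shows the path count doubling with each added independent branch, which is the slowdown that pushes experts to guess which paths to explore first.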
Read the full story on Full Circle.