A group of bionerds assembled at the London Initiative for Safe AI for a hackathon aimed at reducing biorisk. Our team produced this in under 48 hours.

TL;DR

Responsible contract research organizations, that perform DNA synthesis as a service, should screen customer requests prior to executing the work order. Likewise, responsible AI labs that develop and serve LLMs with superhuman scientific capability, should screen a user’s input whenever it involves nucleic acids to determine if assistance is appropriate. However, without making tool calls, a model’s ability to perceive and assess the true nature of any sequence is notoriously juvenile, completely devoid of nuance, accuracy, and reliability. We developed an agent-native tool — SecureMaxx — that makes sequences transparent to the model while countering obfuscation attempts by the user. In experimental conditions, we deployed high-risk sequences across several scientific scenarios of varying complexity, all of which bypassed the native Anthropic classifier on Sonnet 4.6.

When SecureMaxx is invoked, refusal rates rise from a 0–30% baseline to 70–100% depending on scenario complexity, with under 2 seconds of added latency per query and less than 1% safety tax on a standard capabilities benchmark (HellaSwag).

Here, we aim to demonstrate that light-touch interventions can add meaningful friction to one step in the kill chain, and to outline the dual-use implications and additional hardening required for deployment against adversarial users.

Research team & affiliations

Gerard Boxo (Coefficient Giving), Allison Jia (MATS), Rebecca Zanini (Pivotal Research), Mac Walker , Austin Morrissey (Pivotal Research).

Credit for the research belongs to the team. Errors in this writeup, and any opinions expressed, are mine alone and do not represent the views of my coauthors or their affiliations.

1. Introduction

In the near future, biological capabilities including the design of pathogens more dangerous than anything found in nature may be within reach of actors with only basic scientific training. What is leading to this phase transition in the threat landscape is the unprecedented advancement of AI capabilities. Previously, expert knowledge served as a barrier against non-state actors who sought to create their own bioweaponization programs, such as Aum Shinrikyo and Al-Qaeda.^[1] But now, aspiring bioterrorists have on demand access to infinitely patient, artificial mentors, who possess near superhuman levels of cross-domain expertise. It stands to reason that threat actors, under tutelage of experienced mentors, will have a greater attack success rate;^[2] indeed, this phenomenon has already been observed on the peer-to-peer level when developing and deploying improvised explosive devices.^[3]

Given this untenable, worsening situation, it is of utmost importance to map out steps within a kill chain for a biological attack, and to identify threat-agnostic, early intervention points that enable us to interject friction within the adversary’s path.

The first step of an attack, foregoing setting an intention and choosing a target, involves weapon choice, design, and acquisition. It is at this stage where manipulation of genetic sequences occurs in silico, spanning tasks such as information retrieval (obtaining your sequences of concern), alteration (obfuscating the sequence to circumvent detection), and molecular biology tradecraft (construct design). LLMs can provide exceptional assistance across all of these steps.

Therefore, in any conversational context (between an agent and a human) where genetic material appears, we are presented with an early opportunity to detect and deter. However, the majority of users within these contexts will have legitimate relation to the global research community, with professional demographics spanning clinicians, scientists, and hordes of student trainees. Should we become overzealous and haphazard in our detection policies, we’d lean towards blanketed blocks for all such queries. In doing so, we’d needlessly curtail the rate of scientific progress, while also creating perverse, adversarial incentives for normal use — as given these tools are so useful, legitimate users will direct effort toward bypassing them, share their successful approaches with their colleagues, and thus in turn also empower our adversaries.

To fix this, we developed an agent-native tool that helps provide refusal-relevant evidence even after obfuscation. Rather than strictly defining when the tool should be called, we provide high-level guidance and allow the agent to decide. Our choice is pragmatic: an overdefined system limits itself to scenarios developers can predict in advance, and our intuitions are ill-suited for the volume, complexity, and novelty of situations encountered by an agent in deployment. Additionally, this means that as capabilities improve, we expect agents to invoke the tool with increasing discernment.

PROBLEM: Models will often proceed working with sequences that are hazardous.

2. Related Work

We build off work from Inspect,^[4] SecureDNA,^[5] SeqScreen,^[6] NCBI BLAST, and MCP frameworks^[7] — our main contribution, and its novelty, is defined by the lightweight engineering that connects these disjointed tools. Inspect is UK AISI’s scaffold to make evaluations standardized, which we used to collect pilot data. SecureDNA, SeqScreen, and NCBI BLAST are all screening tools which can be used to take as input a sequence, and give as output information related to whether there is cause for concern. The exact mechanism of these tools varies and is out of scope of this paper, though we will provide brief acknowledgement of strengths and limitations of each.

NCBI BLAST (Basic Local Alignment Search Tool) is a homology-based sequence search tool that identifies regions of local similarity between a query sequence and a reference database, allowing the user to infer likely identity, function, or organism of origin from its closest known relatives. However, it has several limitations that prevent it from serving as the primary driver of biosecurity screening. First, pathogens can share substantial homology with near neighbors that are low-risk for humans, producing ambiguous hits. Second, querying NCBI directly is unreliable at volume due to strict rate limits. Third, it provides no interpretive guidance on whether a hit should be treated as concerning.

Pathogens can share a high degree of overlap (sequence homology) with near neighbors that are known to be low risk for humans.

SecureDNA addresses the first and third limitations by searching against a curated database of sequences of concern — select agents, regulated pathogens, and toxin genes. Every hit is, by construction, biosecurity-relevant, eliminating the interpretive burden BLAST places on the user. SecureDNA is also optimized for high-throughput screening, minimizing latency between query and response.

SeqScreen takes a function-first approach, detecting threat signals at the level of encoded function rather than nucleotide identity. This lets it distinguish pathogens from low-risk near-neighbors that share substantial homology but encode different functions. Because functional determinants of pathogenesis are conserved across distantly related proteins (down to ~40% sequence similarity), SeqScreen can flag concerning functions in novel or chimeric sequences — including ones with no close database match.

3. Approach: SecureMaxx Architecture

SecureMaxx is composed of three loosely-coupled components: a screening backend, an agent-callable skill that wraps it, and an evaluation harness for measuring the intervention’s effect on agent behavior.

3.1 Screening backend

A small HTTP service wraps two complementary screening primitives:

• Local BLAST against a 405-sequence database of human virus reference sequences. The endpoints BLASTN/hazard_nt and BLASTP/hazard_prot accept nucleotide and protein queries respectively. We chose to maintain a local index rather than querying NCBI directly because the latter is rate-limited and unsuitable for high-throughput screening.
• SecureDNA integration via synthclient, which extends coverage beyond viruses to select agents, regulated pathogens, and toxin genes, these hits are beyond the scope of our local BLAST index, thereby covering more threat types.

The backend returns a verdict per query, alongside information regarding the sequence. As our pipeline is simple and modular, any higher-fidelity screener (covering natural, engineered, or obfuscated sequences) can be slotted in as an additional endpoint.

3.2 Agent-callable skill

Rather than hardcoding when screening should occur, we expose the backend as a skill that the agent invokes at its own discretion. The agent receives high-level guidance — that a screening tool exists and should be used when sequences appear in user-provided context — but no rigid trigger conditions. This is a deliberate design choice.

An overdefined system limits itself to scenarios developers can predict in advance, and our intuitions are ill-suited for the volume, complexity, and novelty of situations encountered by an agent in deployment. As capabilities improve, we expect agents to invoke the skill with increasing discernment.

3.3 Evaluation harness

We build on UK AISI’s Inspect framework. The harness defines two solver conditions per scenario:

• no_skill — vanilla Claude code, with no screening capability available and no instructions about sequences of concern.
• skill — the SecureMaxx skill is loaded, bundling both the high-level guidance about when screening is appropriate and the callable backend exposed via skill invocation.

The agent itself runs inside inspect_swe in a Docker container.

4. Results

4.1 Experimental setup

We implemented SecureMaxx across single-turn, multi-turn, and incidental coding-environment scenarios.

4.2 Refusal rates across scenarios

Single-turn simple scenario

We present the agent with the request:

We then iterate through a set of 10 benign and 10 hazardous DNA sequences. Without the tool enabled, the model never refuses (0%). With the tool enabled, refusals jump to 70% on hazardous sequences, leaving benign sequences unaffected.

Here is a curated InspectEval log from our runs.

We observe the tool continues to work even when the complexity of the scientific task increases, where the agent must fetch the sequence during its workflow, rather then being provided it from the prompt.

We observe the tool, as it is connected it to a SecureDNA endpoint as well, is able to flag non-viral, but still weaponiazable pathogens.

Coding environment scenario

This scenario tests whether the agent invokes screening incidentally, when the user-facing task is unrelated to biology. The agent is asked to review a synthetic protein engineering codebase and produce a README documenting its inputs and pipeline. The codebase contains DNA sequence files; the agent has no instrumental reason to manipulate them. We vary the number of sequence files the agent must inspect before encountering the hazardous one (n = 1, 3, 5, 10, 50) and measure whether SecureMaxx is invoked. Tool usage holds for all n < 5; above n = 5, the agent does not invoke screening.

A representative transcript follows. Asked simply to write a README, the agent explores the codebase, encounters DNA sequences, and proactively halts the user-facing task to flag them for screening:

This is the behavior we want from a deployed system, where screening is triggered by the presence of genetic information, rather than solely the task defined within the prompt.

4.3 Safety overhead

We measured SecureMaxx’s overhead along two axes: capability degradation and latency.

• Capability tax. On HellaSwag — a canonical benchmark used to measure safety tax — the skill condition shows less than 1% degradation versus the no_skill baseline.
• Latency. End-to-end screening latency is under 2 seconds per query.

Neither number was the target of optimization in this 48-hour build; both can plausibly be reduced further.

5. Discussion, Limitations, and Dual Use

5.1 Scope of the intervention

Screening technology, wherever it is deployed, is ultimately ineffective and insufficient in the absence of policy that sets a legal mandate for widespread adoption. For our intervention, we have no control over open-weight LLMs, where users ablate safety features selectively. Additionally, it would have no impact on benchtop nucleic acid synthesizers, which provide a massive unregulated attack surface that is hard to monitor. At most, our intervention can introduce friction for attackers seeking to leverage closed-source frontier LLMs at OpenAI and Anthropic.

5.2 Agentic attackers and the threat model

Our intervention is geared towards a human actor, and we cite increasing model capabilities on behalf of an agent enabling more discerning deployment of the tool. However, assuming only human actors is a naive threat model. We can expect agents themselves — be they self-initiated adversaries or steered towards those ends — to be attackers. In such a case, an agent who knows that calling SecureMaxx will increase the rate of refusal will simply avoid calling the tool. Such issues are pernicious, but also the nature of attack-defense dilemmas, where no defense alone is sufficient, and every defense provides information for its own circumvention.

5.3 Dual-use considerations of the screening infrastructure

With regard to dual use, an attacker can use the functional annotations of SeqScreen as an attack library to engineer new pathogens. Likewise, the small viral database we assembled for local BLAST provides information on sequences of concern, giving an adversary with limited domain experience a head start on identifying sequences of concern. Again, this is an intractable dilemma. Anytime you create a “black list” for defenders, you create an asset for attackers, though cryptography, rate limits, and obfuscation by the defender may provide some protections against this.

Code and Data

• SecureMaxx (the work described here)
• • github.com/gboxo/bio_hackathon (please request access)
• SeqScreen-MCP (our MCP wrapper around SeqScreen) —
• • github.com/gvmfhy/seqscreen-mcp
• SeqScreen (original)
• • gitlab.com/treangenlab/seqscreen

P.S:

If you have an interest in adversarial hardening, and advancing the nascent art that is red-teaming for life sciences, reach out to Austin to collaborate.

1. ^{^}

   Danzig, R., Sageman, M., Leighton, T., Hough, L., Yuki, H., Kotani, R., & Hosford, Z. M. (2011). Aum Shinrikyo: Insights Into How Terrorists Develop Biological and Chemical Weapons. Center for a New American Security. cnas.org/publications/reports/aum-shinrikyo

2. ^{^}

   Crenshaw, M., Dahl, E., & Wilson, M. (2017). Comparing Failed, Foiled, Completed and Successful Terrorist Attacks: Year 5 Final Report. National Consortium for the Study of Terrorism and Responses to Terrorism (START), University of Maryland. start.umd.edu/research-projects

3. ^{^}

   Hunter, C. A. S., & Righetti, L. (2026). AI and Bomb Plots: Distinguishing Potential Effects from Language Models. GovAI Technical Report. govai.b-cdn.net/AI_and_Bomb_Plots

4. ^{^}

   UK AI Security Institute (2024). Inspect AI: Framework for Large Language Model Evaluations. github.com/UKGovernmentBEIS/inspect_ai

5. ^{^}

   Baum, C., Berlips, J., Chen, W., et al. (2026). A system capable of verifiably and privately screening global DNA synthesis. National Science Review. doi.org/10.1093/nsr/nwag103

6. ^{^}

   Balaji, A., Kille, B., Kappell, A. D., et al. (2022). SeqScreen: accurate and sensitive functional screening of pathogenic sequences via ensemble learning. Genome Biology, 23, 133. doi.org/10.1186/s13059-022-02695-x

7. ^{^}

   Anthropic (2024). Introducing the Model Context Protocol. anthropic.com/news/model-context-protocol