Microsoft researchers discovered that AI protein design tools can generate thousands of toxin variants that evade commercial DNA synthesis screening systems, according to a study published in Science in October 2024.
The team used red-teaming methods borrowed from cybersecurity to test whether open-source AI models could redesign harmful proteins in ways that preserve their dangerous functions while dodging sequence-based detection filters. They succeeded. Using tools like RFdiffusion and ProteinMPNN, developed partly by Nobel laureate David Baker’s lab, the researchers produced over 75,000 synthetic variants of toxic proteins. Most slipped through undetected.
Current biosecurity screening relies on matching DNA orders against databases of known hazardous sequences. The AI models exploited this by generating proteins with novel sequences that fold into similar three-dimensional structures. The shape matters more than the sequence for biological function, and the screening tools were blind to this structural similarity.
Microsoft disclosed the vulnerability to DNA synthesis companies and biosecurity software providers, then spent 10 months working with them to patch the systems. The collaboration involved multiple firms and was conducted quietly to prevent exploitation during the fix window. The updated screening now catches roughly 97% of the most dangerous AI-generated variants.
That still leaves about 3% undetected. The gap reflects a fundamental challenge: AI can iterate through protein design space faster than databases can catalogue threats. As generative models improve, the window for evading detection may widen again unless screening evolves from sequence matching to structure and function prediction.
The research sits at the intersection of two accelerating trends. Synthetic biology has made custom DNA synthesis cheap and accessible, with dozens of companies offering mail-order gene fragments. Meanwhile, AI tools for protein engineering have become powerful enough to redesign enzymes, antibodies, and yes, toxins with minimal expertise required.
Microsoft’s red team approach treated biosecurity software like any other system worth probing for weaknesses. The method proved effective but also exposed how reactive current defenses remain. The researchers found the exploit, reported it responsibly, and helped deploy fixes across the industry. The next group to discover similar vulnerabilities may not do the same.
The Science paper recommends ongoing collaboration between AI developers, synthetic biology companies, and biosecurity experts. It also suggests regulatory frameworks may need updating to account for AI-assisted design techniques that outpace existing safeguards. Several countries already require DNA synthesis firms to screen orders, but enforcement varies and AI-generated sequences add new complexity.