The Paraphrase Project: Designing defense for an era of synthetic biology

Inside synthetic biology

Here is an example of how synthetic biology works in practice: A scientist in Boston—or one in Bangalore, Berlin or Buenos Aires—wants to study a protein that could help treat a rare neurological disorder. To do that, they need a strand of DNA that encodes the protein. They send a request to a DNA synthesis company, one of many labs around the world that print custom DNA on demand. Within days, the company ships back a vial of genetic material, ready to be inserted into cells for exploration in a wet lab.

Before that DNA reaches the lab bench, it passes through a digital checkpoint. Biosecurity screening software scans every order for sequences of concern, typically those linked to toxins or pathogens. These tools compare incoming DNA against regulated databases, often maintained by government agencies.

The challenge is that these government databases aren’t curated by sequence. Part of the mission of the International Gene Synthesis Consortium (IGSC) is to curate a sequence database as a shared resource. In 2025 the IGSC spun out the Sequence Biosecurity Risk Consortium (SBRC), which is working with a broad community of experts to create a curated list of sequences that should be caught by screening systems.

As AI tools become more powerful and accessible, the risk grows that someone could design a protein that slips past the screeners. It might look harmless to the software but behave like a toxin once inside a cell. The consequences could range from accidental lab mishaps to deliberate misuse. The safeguards we rely on may no longer be enough.

Testing the system

To explore this, Horvitz teamed up with Bruce Wittmann, a senior applied scientist at Microsoft with deep expertise in protein engineering and open-source biology tools. Together, they built a pipeline using models like EvoDiff (opens in new tab), which allowed them to generate thousands of synthetic variants of the highly potent toxin ricin. These variants weren’t designed to be more dangerous, but to test the limits of current biosecurity screening systems. 

The process was akin to paraphrasing a sentence: the meaning stays the same, but the words change. In this case, the structure and active sites of the protein were preserved, while the amino acid sequence was rewritten.  

To test their designs, Horvitz and Wittmann enlisted the help of two leading DNA providers: Twist Bioscience and Integrated DNA Technologies (IDT). They worked directly with the companies’ top leadership, including CEOs and chief scientists, to evaluate how well existing screening systems could detect the AI-generated variants.

What they found was sobering. The reformulated sequences made their way through existing filters undetected.  

“I don’t think we were necessarily surprised that it sailed right through,” Wittmann told Microsoft Research blog. “Anything that can be used for good can be used for bad. But providing a solution helps avoid a knee-jerk reaction that prevents the use of these tools for good.”

Protecting the next leap in biology

The discovery underscored the urgency of expanding the initial study to address a critical question: is a solution possible? Horvitz and Wittmann sought to organize a cross-sector team to take on the challenge, with confidentiality and careful management of information hazards key to their success.

That’s where Jake Beal enters the story. A scientist at RTX BBN Technologies, Beal was tasked with developing the digital safeguards that could catch reformulated toxins before they slipped through. BBN—the research arm of RTX Corporation—has a long history of technological firsts, from helping build the internet precursor ARPANET to sending the first email and pioneering secure communications through quantum-based encryption systems.

As one of the companies that makes biosecurity screening software. BBN’s mission was to bring that same spirit of innovation to the Paraphrase Project.

Beal teamed up with Horvitz, Wittmann, and a tight-knit group of colleagues to shape a response that felt both urgent and deliberate. In the early days of their collaboration, Beal and Horvitz found themselves circling a familiar idea. The threat they were facing didn’t just resemble a biological risk—it felt like a cybersecurity flaw. Horvitz leaned into the analogy. Maybe biosecurity tools needed to be treated like software, constantly updated to stay ahead of evolving threats. He imagined a future where AI safety followed the rhythm of a Windows Update, with patches rolling out in the background, keeping systems resilient without disrupting the flow.

Among the questions Beal asked the coalescing Paraphrase team were: Who can we safely tell? How dangerous is this information? On one hand, the risks needed to be communicated. Transparency was essential for the broader scientific and security communities to understand what was possible and what was vulnerable. On the other hand, too much openness could inadvertently empower bad actors.

But, they reasoned, if someone had the tools and expertise to replicate the experiment within a few hours, they were already close enough to the problem to warrant inclusion.

“If someone is already in the room, there’s no point in trying to erect a door behind them,” Beal said. “But there’s also no reason to offer an open door to people on the outside.”

To further refine the response effort, Horvitz turned to Microsoft’s top cybersecurity minds. He consulted with Executive Vice President for Microsoft Security Charlie Bell and team to explore best practices for handling zero-day vulnerabilities. The input from these experts helped steer the team toward a framework borrowed from the cybersecurity playbook—a protocol known as the Computer Emergency Response Team, or CERT.

Horvitz appreciated having experienced cybersecurity voices in the room. Their involvement gave the work a sense of grounding and made it easier to move forward with confidence.

By developing updated detection algorithms trained to catch new variants, they showed the screening systems could be adapted to detect reformulated threats. It was a proof of concept that underscored both the vulnerability and an approach to updating the existing biosecurity screening software.

The path forward

For the DNA synthesis companies involved, the outcome brought a sense of relief. While access to DNA sits at the far end of a long chain of events in any hypothetical biosecurity breach, knowing the vulnerabilities have been identified and patched is reassuring. 

“The public at large wants to be able to trust that companies using these amazing technologies to build new products and services are safe and effective, and have their best interest in mind,” said James Diggans (opens in new tab), vice president of policy and biosecurity at Twist Bioscience and chair for the IGSC. “A big piece of this is making sure you’re a responsible steward of the technology you’re developing.”

What began as a curiosity and concern raised by Eric Horvitz has culminated in a Science paper marking firsts in AI and biosecurity. The study demonstrates how artificial intelligence can “paraphrase” proteins—reworking amino acid sequences with the aim of preserving structure and, potentially, biological function, while altering form. It’s a concept that feels almost linguistic, but the implications are deeply molecular. Alongside this, the study establishes a protocol for red-teaming biosecurity screening tools, reports a global response to an AI-enabled biosecurity zero-day, and presents a framework for managing information hazards—now recognized by Science as a model for publishing sensitive research in a way that balances openness with caution.

But researchers are clear that this is only the beginning. As technologies continue to advance, protective measures must evolve with them. The work will need to be revisited, refined, and reinforced to ensure that innovation does not outpace safety.

It also represents a budding community of scientists committed to working on the defensive tools and models necessary to keep these technologies safe at scale.  And it’s a reminder that in the age of intelligent design, understanding function is just as vital as recognizing form.

“This is about what the sequence does, not just how it looks,” Horvitz said. “Even if two sequences look different, they might still do the same thing—like cause illness or perform the same job in a cell.”

---