Coldron

Leonardo Párraga, Angie Giraldo, Víctor Gelves

En Colombia, los grupos armados ilegales ya atacan con drones comerciales modificados y ya han herido y matado a civiles. Una pregunta decide cómo gobernar esta amenaza: ¿quién elige el blanco y aprieta el gatillo? Hoy, siempre un humano: con ColDron, un dataset abierto de 42 ataques documentados, mostramos que el 100% son drones operados por control remoto, sin autonomía. Pero esa situación está por cambiar, y no sólo por los grupos ilegales sino por la respuesta del Estado: un sistema antidrones de ~US$1.668 millones capaz de neutralizar blancos de forma automática, y la posible adquisición de targeting con IA. La experiencia de Ucrania, Rusia e Irán muestra que la autonomía llega al conflicto armado mucho más rápido de lo que los marcos de gobernanza anticipan. Esa es la ventana de prevención: hay que fijar las reglas antes de que el salto ocurra. Aportamos tres herramientas, todas creaciones originales de este trabajo: ColDron (el dataset que documenta el daño y prueba la ausencia de autonomía); LIMAA (Lista Integral de Materiales de Autonomía del Arma; en inglés Weapon-Autonomy Bill of Materials, WABOM), una “ficha técnica” legible por máquina del control humano de un arma, que un diagrama de flujo clasifica en un nivel de riesgo mediante el esquema NRCH (Niveles de Riesgo por Control Humano; en inglés Human-Control Risk Tiering, HCRT); y un protocolo de control humano significativo para las operaciones militares colombianas, anclado en obligaciones vigentes (DIH, revisión del Artículo 36, Comunicado de Belén). El aporte transversal: llevar las herramientas técnicas de la seguridad de la IA al dominio de las armas autónomas letales (SAAL), desde un país donde el daño no es hipotético.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

Very good and relevant article in an area that is extremely understudied from the perspective of AI Safety. Excellent evidence base of current drone use in Colombia, while linking to important contextual elements such as the "false positives" case and the current political context which demonstrate the urgency of adopting governance frameworks for the use of AI in weaponry in Colombia, and elsewhere.

Good to see the authors recognize the difference in impact between global South/global North countries, with examples from Latin America and other regions around the world. The policy proposals for the Colombian contexts address specific stakeholders and legal and international frameworks, making the article actionable, which is very valuable. While some stakeholders stay away from this issue considering it too "polemic", you take a brave and well-researched stance with this article, I sincerely congratulate all the authors for your effort.

To take your forward, I would suggest:

* Incorporating the notion of "decision support systems" which are also problematic while not being fully autonomous weapons

* Adding concrete examples from Gaza, which have been extremely well documented included by various UN Special Rapporteurs. Every article on these issues should acknowledge this is which is the widest use of AI in weaponry so far.

* Reformulate or explain what is meant by saying that "the problem is not AI but its use"; AI carries its own well known challenges and bias, and its use in the critical functions of weapons is in itself against the dignity of human beings.

* Include IHL experts in your work to fine-tune the link to current international debates on AI in the military domain and some concepts. For instance, while impact to civilians is the main concern, war crimes can also be committed against military objectives if not in accordance with IHL, these should be regulated too.

* Mention the humanitarian impact and perspectives from victims and currently affected communities, whose voice should be centered .

* It would also be interesting for you to at least mention how some tech companies and heavily militarized countries are hijacking the international processes thus resulting in no negotiating mandate on the issue of autonomy in weapons systems in spite of the call of a majority of countries.

Thank you so much for this article, I truly enjoyed reading it. I look forward to following your research, sharing the final article with colleagues, and sincerely encourage you to continue and disseminate your work in this area.

ColDron's most important next step is connecting it to a structured data source (like ACLED) for coverage expansion and temporal validation, which the team already identifies. But there is a methodological issue worth addressing directly: the 100% T3 result, while correctly interpreted as evidence that the prevention window remains open, also means that LIMAA's tiering capability is demonstrated only on constructed examples.

The eight-clause operational protocol is the contribution that is hardest for an outsider to evaluate, because it is not tested against any real operational scenario. This would transform the protocol from a normative proposal into an empirically grounded one.

On the political analysis: the discussion of the incoming administration and the JEP is appropriately framed as a risk analysis based on declared positions. However, this section is also the one most likely to affect whether the Colombian Ministry of Defense engages with the paper or dismisses it. A brief note on how LIMAA/NRCH creates incentives for States even when political will is limited — for example, through procurement conditionality from arms exporters who require Article 36 reviews — would make the argument more durable against political changes.

Finally, the conclusion appears to be cut off mid-sentence. Please review the final page before publication.

Cite this work

@misc {

title={

(HckPrj) Coldron

},

author={

Leonardo Párraga, Angie Giraldo, Víctor Gelves

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.