Adversarial robustness in DNA synthesis screening

How DNA synthesis screening works today, where machine learning is entering it by ~2028, the threat models driving change, and where our adversarial-robustness work fits in.

1 What changed

Synthetic DNA orders flow through a small number of commercial providers before reaching wet labs. For two decades these providers have screened orders with alignment-based bioinformatics: BLAST a customer's sequence against curated databases of pathogens and toxins; flag the matches. This worked because hazardous proteins were essentially sequence-level copies of natural templates.

Generative protein design changed the picture. Protein-sequence generative models (e.g. EvoDiff, ESM-IF, RFdiffusion) can produce functional variants of hazardous proteins (so-called synthetic homologs) that share little sequence identity with their natural ancestors. Wittmann et al. (Science 2025) generated tens of thousands of such variants and showed some deployed screeners initially missed up to 100% of variants from certain proteins; after a multistakeholder patching effort, post-patch detection averaged 97% on the more-probably-functional variants, with residual evasion remaining. Two responses are converging: an OSTP-mandated expansion of "sequence of concern" by October 13, 2026 to include function-based hazards regardless of taxonomy, and the introduction of ML-based function-of-concern classifiers as the only signal capable of catching low-homology hazardous function.

As of May 2026 no Genomic Foundation Model (GFM) is in production deployment as a screening component; the framing below is forward-looking. Our work characterizes the adversarial-robustness floor of GFM classifiers before they enter the pipeline at the function-of-concern stage.

2 The screening pipeline

Why ML enters the pipeline. Alignment is blind to AI-redesigned sequences with no homology to known hazards. The OSTP-mandated function-based SOC definition (October 13, 2026) cannot be satisfied by alignment; only ML-based functional prediction can serve it. The deployed ML today is classical (SeqScreen's hand-curated FunSoC ensemble); the forward-looking augmentation candidates are GFM-based (DNABERT-2, NTv2, Evo, Caduceus). Our work focuses on the GFM layer specifically, not on the classical-ML side. [EBRC 2025, p.9, p.16, p.26]

[Figure: the screening pipeline, with a screener overlay and a parallel track. Legend: alignment / signature (robust to small edits); ML present (mixed); ML load-bearing; decision / human review.]

3 Threats and research responses

3.1 Small-edit evasion

Flip a screening classifier with a small number of nucleotide edits while keeping visual similarity to a template. Tests the model's robustness floor; minimal-perturbation attacks bound vulnerability from below. Realism depends on whether the perturbed sequence retains biological function in vivo.

Schematic: ACGTACGT...[promoter]CTGA → ACGTACGT...[promoter]CTGT. On a promoter-classification proxy, 1-3 nucleotide edits flip a GFM classifier on 34-72% of correctly-classified sequences [Krishnan 2026]. An independent multi-attack robustness benchmark across GFM architectures: [Luo 2025].

How this matters. Single-edit attacks on homology-traceable variants are caught upstream by alignment (stages C-E are robust to small edits below their thresholds). The relevance is diagnostic: stage F is the only signal for low-homology sequences (which is precisely when alignment fails), and a classifier brittle to 1 nucleotide on a tractable proxy cannot be trusted when ML is the load-bearing signal. The threat becomes biosecurity-realistic when combined with function preservation, where small edits stay biologically functional while crossing the ML decision boundary (see extension 1).

3.2 AI-redesigned variants

Use generative protein design (EvoDiff, ESM-IF, RFdiffusion) to produce functionally-equivalent sequences with no homology to known hazards. The dominant deployed threat as of late 2025.

The Paraphrase Project generated tens of thousands of synthetic-homolog variants of hazardous proteins using protein-sequence generative models. Pre-patch, some screening tools missed up to 100% of variants from certain proteins. After a multistakeholder patching effort, average post-patch detection reached 97% on the more-probably-functional variants. Residual evasion remains. [Wittmann 2025]

3.3 Multi-order fragmentation

Split a hazardous construct across multiple orders, providers, or time windows; each fragment passes screening individually; the assembled product is the threat.

A 1200-nt hazardous gene split into 24 × 50-nt fragments, ordered from 4 different providers. Each fragment falls below signature-detection thresholds. EBRC notes split-order detection was "deprioritized given the logistical challenge of pooling all orders across companies... and the need to preserve Customer confidentiality" [EBRC 2025, p.22].
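The detection gap described above, from the screener's side, as an added example that is not code from this page or from any screening tool it cites. The reference is a constructed random string with no biological meaning, matching is exact only, and K, POOL_ALERT and all function names are assumptions made for the illustration.

```python
import random
from collections import defaultdict

K = 20            # seed length used to place a fragment on the reference (assumed)
WINDOW = 200      # per-order minimum match length (the 200 nt window cited on this page)
POOL_ALERT = 0.5  # assumed alert threshold on pooled coverage of the reference

def make_reference(n=1200, seed=7):
    """Constructed random string standing in for a sequence of concern."""
    rng = random.Random(seed)
    return "".join(rng.choice("ACGT") for _ in range(n))

def index_kmers(ref):
    return {ref[i:i + K]: i for i in range(len(ref) - K + 1)}

def place(fragment, ref, idx):
    """Return (start, end) of an exact match of fragment on ref, else None."""
    pos = idx.get(fragment[:K])
    if pos is not None and ref[pos:pos + len(fragment)] == fragment:
        return pos, pos + len(fragment)
    return None

def per_order_flags(orders, ref, idx):
    """Orders flagged when screened one at a time (match must span >= WINDOW nt)."""
    return [o for o in orders
            if (hit := place(o["seq"], ref, idx)) and hit[1] - hit[0] >= WINDOW]

def pooled_coverage(orders, ref, idx, key):
    """Fraction of ref covered by the union of fragments, grouped by key(order)."""
    covered = defaultdict(set)
    for o in orders:
        hit = place(o["seq"], ref, idx)
        if hit:
            covered[key(o)].update(range(*hit))
    return {k: len(v) / len(ref) for k, v in covered.items()}

def alerts(coverage):
    return sorted(k for k, frac in coverage.items() if frac >= POOL_ALERT)

def demo():
    ref = make_reference()
    idx = index_kmers(ref)
    # Constructed orders: 24 x 50-nt fragments, one customer, spread over 4 providers.
    orders = [{"customer": "cust-1", "provider": f"prov-{i % 4}",
               "seq": ref[i * 50:(i + 1) * 50]} for i in range(24)]
    single = per_order_flags(orders, ref, idx)
    by_provider = pooled_coverage(orders, ref, idx, key=lambda o: (o["provider"], o["customer"]))
    by_customer = pooled_coverage(orders, ref, idx, key=lambda o: o["customer"])
    return single, by_provider, by_customer
```

Per-order screening and per-provider pooling both stay below their thresholds here; only the cross-provider view reaches the alert level, which is the pooling problem EBRC describes.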

4 Our work

Adversarial robustness of GFM classifiers entering stage F

Anchored to a promoter-classification proxy. The proxy is methodologically tractable (smaller models, well-understood task, no dual-use disclosure issues) and lets us characterize the brittleness floor before GFMs enter production at stage F. Our results: 34-72% attack success with 1-3 nucleotide edits across multiple training-data regimes (DNABERT-2, NTv2); naive iterative adversarial training is counterproductive in some regimes [Krishnan 2026].

Natural extensions

Function-preserving adversarial attacks

Combine adversarial search with constraints that preserve predicted biological function (codon synonymity, motif preservation, structure preservation via AlphaFold/ESMFold). Bridges minimal-edit and AI-redesign threats.

Cross-task / cross-model transferability

Distinguish backbone-level from head-level vulnerability. If transfer is high, defenses must be applied at the foundation-model layer; if low, classifier-specific defenses suffice.

Wet-lab validation methodology

In-vitro verification of in-silico adversarial sequences via Dual-Luciferase Reporter assays for regulatory elements and expression assays for coding regions. Closes the realism gap between attack and threat.

Targets: cross-cutting.

Public adversarial benchmark for screening systems

RobustBench-style leaderboard. Matches EBRC's explicit 6-12 month recommendation for private-sector benchmarking organizations [EBRC 2025, p.26].

Targets: cross-cutting. Addresses all threats.

Adjacent directions

  • New ML function-based screeners (beyond SeqScreen's classical ensemble) leveraging protein structure prediction and generative-model embeddings.
  • LLM evaluation and red-teaming for customer / KYC screening at stage B.

5 References

  • Wittmann et al., Strengthening nucleic acid biosecurity screening against generative protein design tools, Science 390:82-87 (Oct 2, 2025). doi:10.1126/science.adu8578
  • Wittmann, Alexanian et al., Toward AI-Resilient Screening of Nucleic Acid Synthesis Orders: Process, Results, and Recommendations, bioRxiv 2024.12.02.626439.
  • Microsoft Research, The Paraphrase Project overview.
  • Nature feature, Biothreat hunters (Oct 2025).
  • IBBIS Common Mechanism (commec).
  • IGSC Harmonized Screening Protocol v3.0 (3 September 2024).
  • SecureDNA system paper, Baum et al. (63-author SecureDNA collaboration including Esvelt, Rivest, Shamir, Yao), arXiv 2403.14023 (2024).
  • SeqScreen (Balaji et al.), SeqScreen: accurate and sensitive functional screening of pathogenic sequences via ensemble learning, Genome Biology 2022. PMC9208262
  • FAST-NA Scanner (RTX BBN): fastnascanner.com
  • Aclid commercial KYC: aclid.bio
  • Acelas et al., Evaluating AI-Assisted Customer Verification for Synthetic Nucleic Acid Screening, bioRxiv 2026.02.27.708645.
  • Krishnan et al., Adversarial Genomic Sequences Could Evade Biosecurity Screening, ICLR MLGenX 2026 workshop (OpenReview).
  • Luo et al., GenoArmory: a unified multi-attack robustness benchmark for genomic foundation models, arXiv 2505.10983 (2025).
  • Sherman et al., Analysis of the Security Design, Engineering, and Implementation of the SecureDNA System, arXiv 2512.09233 (Dec 2025).
  • EBRC (Jan 2025), Strengthening a Safe and Secure Nucleic Acid Synthesis Ecosystem. The primary source for the ~2028 forecast anchors throughout this document.
  • HHS 2023 Screening Framework Guidance. 200 nt window contracts to 50 nt on October 13, 2026. SOC definition expands on the same date to include function-based hazards.
  • EU Biotech Act (proposed Dec 2025), Article 45 on built-in benchtop screening; Advisory Group on Biosecurity covers "AI models in biological applications." White and Case overview.
  • UK AISI bio team 2025 year in review. aisi.gov.uk