The 2001 anthrax letter attacks in the United States, the 2007 United Kingdom foot-and-mouth outbreak, and the COVID-19 pandemic have something in common: Investigators have struggled to determine their origins despite extensive efforts. This highlights a critical gap in biosecurity capabilities—the limitations of modern forensics in reliably tracing biological threats back to their sources.
When a novel pathogen emerges, investigators face a cascade of urgent questions: What is it, something familiar or entirely new? Did it come from a natural spillover event, a laboratory accident, or a deliberate attack? And if evidence points to non-natural origins, who created it?
This final question is becoming increasingly important as biotechnology advances. The risks are growing along two dimensions. First, as more laboratories conduct high-risk pathogen research, the likelihood of accidents involving dangerous engineered organisms increases. Second, advancing biotechnology may enable bad actors to design pathogens that spread more efficiently or prove more deadly than anything nature has produced. In either scenario—deliberate attack or accidental release—the ability to trace threats to their source is crucial.
Genetic engineering detection and attribution capabilities can determine whether a pathogen has been modified—and if it has, attribution can help experts trace the modifications back to their source.
Fortunately, recent advances in machine learning and genomics offer promising paths forward. We have five recommendations for improving genetic engineering detection and attribution.
Why genetic attribution matters. Reliable detection and attribution technologies would significantly strengthen biosecurity in several ways. They would act as a deterrent against bad actors whose designs could be traced back to them; enable accountability through diplomatic or legal action; and potentially inform rapid response by revealing crucial characteristics about a pathogen’s design and the creator’s objectives.
Here’s why attribution is possible: Genetic engineering techniques can leave traces—characteristic patterns ranging from obvious insertions of foreign genes to subtle replacements of individual bases that make up genetic codes. There’s a plethora of techniques and choices involved in engineering a genetic sequence. These design choices leave behind genetic fingerprints that could identify the designer.
Over the past few years, various papers have shown that artificial intelligence techniques are remarkably effective for finding these fingerprints. Most of this research has used plasmids to train attribution systems. Plasmids are small bacterial DNA molecules that are frequently used in genetic engineering. AI systems are trained on thousands of plasmid sequences along with information about host species and other characteristics, enabling AI to automatically identify lab-specific patterns in the engineered sequences. In a 2021 genetic engineering attribution challenge, the best system trained through this process identified the correct laboratory among over 1,300 possibilities in 81.9 percent of cases.
While these results are promising, genetic engineering attribution is far from a solved problem. Real-world attribution faces far greater challenges than identifying plasmids in a controlled academic repository. During an actual biological incident, investigators may have to work with degraded samples, incomplete sequences, and adversaries actively trying to obscure their tracks. Here are our recommendations for improved detection and attribution:
Build comprehensive detection datasets. Unlike academic studies that analyze sequences already known to be engineered, real-life forensic investigations must first determine whether genetic engineering occurred at all. Current engineering detection systems for pathogens typically specialize in a particular form of engineering, such as large insertions of foreign gene content, and struggle to detect a wider range of engineering practices.
A critical first step toward a more generalized detection system is building comprehensive datasets of both natural and engineered genetic sequences (DNA or RNA) of pathogens. These datasets should include both complete genomes and short genetic fragments. Fragment-based testing is particularly important for environmental monitoring applications like wastewater surveillance, where sequencing produces many small genetic fragments rather than complete genomes. Another major challenge is that existing databases of natural sequences are often contaminated with incorrectly labeled engineered material and require careful curation.
Building robust detection capabilities would provide a crucial foundation for genetic engineering attribution. Developing comprehensive datasets represents the essential first step toward making both detection and attribution operationally viable.
Train reliable attribution systems for pathogens. Attribution systems for pathogens face a similar data bottleneck: Publicly available engineered pathogen genomes are scarce and insufficient for training robust machine-learning models. Attribution systems that are predominantly trained on plasmids will, at best, have limited accuracy for pathogen genomes.
Viral vectors offer a promising starting point. These engineered viral particles, widely used in research and medicine to deliver genetic materials, are modified to prevent replication, thus making them safer to use. The global plasmid repository Addgene currently hosts over 1,000 viral vectors. We estimate that developing a highly capable genetic engineering attribution system for viral vectors would require Addgene or a similar initiative to scale this dataset by one or two orders of magnitude, covering at least 10 data points from each of several thousand laboratories.
Expand laboratory coverage to Biosafety Level 3 and higher. Any system trained on publicly available data faces a fundamental limitation: It can only identify laboratories that contribute training sequences—typically academic repositories. The laboratories that pose the greatest biosecurity and biosafety risks—those working with dangerous pathogens at Biosafety Level 3 and higher—are notably absent from repositories like Addgene.
We therefore recommend collecting engineered sequences from laboratories at Biosafety Level 3 and higher. Creating such datasets poses a significant biosecurity risk in itself, requiring strict access control and monitoring to prevent misuse. The security risk associated with publishing research on these datasets means academics may no longer be best suited to develop new attribution systems for them. At this point, government agencies may have to take over and carry this work forward outside the public domain.
Develop attribution for covert laboratories. It may be impossible to collect data from secret laboratories of state or non-state actors. To address risks from covert operations, we recommend expanding attribution beyond individual labs to target countries or regions. Investigators might be able to leverage training data from registered laboratories in the same region, as these facilities likely share methodological practices with nearby covert laboratories.
An early proof of concept comes from a 2020 study by MIT researchers who predicted the nation of origin for engineered plasmids with over 75 percent accuracy across 33 countries. We recommend further developing systems that can attribute sequences to nations, regions, and potentially even individual scientists.
Prioritize transparency. Attribution systems that can trace sequences back to covert laboratories are vital for deterring bad actors from using biological weapons. However, using attribution evidence after an incident—for example, to prosecute a terrorist group or state actor—presents additional challenges. Would governments trust the result enough to issue diplomatic sanctions or press criminal charges?
For genetic engineering attribution to be credible, it is important to understand how these systems make predictions. Current AI systems for genetic engineering attribution operate mostly as “black boxes”—they are accurate but arrive at their predictions in ways humans cannot verify. Transparent systems would allow investigators to examine why a system reached a particular conclusion, verifying whether it relied on genuinely distinctive features. This matters because opaque systems can produce confident but flawed attributions—for instance, identifying a laboratory based on a DNA sequence that appears unique but is actually common in contamination found across many labs.
There are signs that transparent attribution is feasible: Researchers from Rice University developed PlasmidHawk, an attribution system achieving near state-of-the-art performance while also identifying the specific DNA fragments that supported its laboratory predictions.
While systems like PlasmidHawk are inherently interpretable, another possible approach is to build better interpretability into black-box models. Both approaches are worth pursuing. Interpretability should be a core goal for attribution systems, ensuring they provide defensible reasoning alongside their predictions.
Limitations of genetic engineering attribution. Genetic engineering attribution systems face constraints that limit their effectiveness as a standalone biosecurity tool. Some engineering techniques leave no detectable signatures: Modern methods can join DNA fragments without leaving scars, while traditional approaches like serial passage could evolve pathogens toward desired traits through selective pressure alone, without directly modifying genetic sequences.
Even when engineering is detected, genomic evidence alone is unlikely to definitively identify perpetrators. Reliable attribution will likely require multiple lines of evidence, such as geographic emergence patterns, epidemiological data, and intelligence sources. Sophisticated adversaries may also deliberately employ evasion techniques or plant false signatures to mislead investigators.
These limitations mean attribution should be viewed as one component of a broader forensic approach rather than a complete solution. Significant as they are, they represent challenges to overcome rather than reasons to abandon attribution.
A critical capability. The persistent uncertainties surrounding past outbreaks—the COVID-19 pandemic being a particularly salient example—have eroded public trust, strained international relations, and left critical security questions unanswered. To avoid repeating these failures as genetic engineering becomes more accessible, the United States needs forensic capabilities that can trace engineered threats back to their sources—providing evidence for accountability, intelligence for response efforts, and deterrence against future attacks.
The technologies needed are advancing rapidly, and the recommendations outlined here chart a path toward operational attribution systems. While genetic engineering attribution won’t solve every biosecurity challenge, it represents a critical capability that shouldn’t be neglected. In an era of heightened biological risk, the ability to reliably identify the origins of engineered pathogens could make the difference between uncertainty and accountability when the next crisis strikes.