Modern Mechanics 24

Air Force and DARPA Partner to Speed Up Cyber Defense Innovation

The U.S. Air Force plans to integrate formal methods-based tools into the MQ-9 Reaper as part of DARPA’s Resilient Software Systems Capstone program.

A strong and effective military relies on advanced, resilient software to power the weapons and support systems that U.S. service members count on. But much of the Department of Defense’s current IT infrastructure is outdated, built on decades-old security policies and legacy systems that leave critical technologies—ranging from support tools to cutting-edge weapons—exposed to serious cyber threats.

Adversaries are taking advantage of these weaknesses, targeting key infrastructure, stealing sensitive military software, and reverse-engineering systems to undermine national security.

To address these risks, DARPA is developing advanced tools based on formal methods—a mathematically precise approach to software design that helps eliminate vulnerabilities before the code is ever deployed. In collaboration with DARPA, the U.S. Air Force is now applying this method to the MQ-9 Reaper program, aiming to build stronger, more secure software from the ground up.

Formal Methods: Building Security from the Ground Up

 Instead of waiting until after software is built to test for weaknesses, formal methods take a different approach—they use mathematical proofs during development to verify that the software behaves exactly as intended. This proactive strategy helps create software that’s secure by design.

Several of DARPA’s formal methods tools have already been adopted by the military for further development and use in real-world operations. However, achieving strong, lasting cyber resilience will require a faster and wider rollout of these tools across defense systems.

Resilient Software Systems Capstone Program: Strengthening Defense Through Smarter Software

To meet the urgent need for more secure military software, DARPA is working closely with all branches of the armed forces through its Resilient Software Systems Capstone program. This initiative supports joint projects that are funded and tested on real operational platforms, with the goal of evaluating how effective formal methods are in terms of resilience, cost, time investment, and required expertise.

Each project will run for about two years and focuses on four key goals:

  • Creating software that is secure by design
  • Speeding up the Authority to Operate (ATO) approval process
  • Simplifying software testing during development
  • Producing a comprehensive “Best Practices Guide” to help scale the use of formal methods across the Department of Defense

The current “patch-and-pray” approach to software development in Department of Defense (DOD) systems is no longer acceptable—especially when lives are on the line, says Stephen Kuhn, program manager for DARPA’s Capstone initiative. Instead, DARPA’s Capstone program is offering a more reliable path forward by delivering resilient software tools to both military services and industry partners. The goal is to create secure, dependable systems from the ground up—what Kuhn calls “correct by construction.” This approach not only helps improve software quality but also serves as a blueprint for others to begin integrating these advanced tools into their own systems and development processes.

Leading the way, the U.S. Air Force has chosen the MQ-9 Reaper—developed by General Atomics-Aeronautical Systems Inc. (GA-ASI)—as its pilot platform for implementing these tools.

Traditionally, companies like GA-ASI and DOD program offices have followed standardized industry guidelines when developing secure cyber-physical systems. They typically rely on static code analysis tools to catch manual coding errors that could compromise software stability or open the door to cyberattacks.

However, the reality of working with legacy weapon systems is that even small software updates can be extremely complex, often triggering lengthy rounds of development and cybersecurity testing. In many cases, these processes can stretch out over 12 to 18 months for a single software upgrade—highlighting the need for a faster, more secure, and more efficient development model.

Formal methods are proving effective in reducing the lengthy testing and evaluation phases typically seen in software development. DARPA’s advanced suite of software assurance and cyber resilience tools allows for more verification to happen earlier in the development process—before the software is finalized—rather than waiting until traditional testing stages.

These tools are specifically designed to work with existing legacy source code. They can create validated models of how the software behaves, evaluate those behaviors for stability, safety, and resilience, and even generate documentation needed for certifications like Authority to Operate (ATO) and airworthiness approvals.

In short, Program Offices and OEMs now have access to powerful tools that can speed up software development and certification using existing code, supporting broader modernization efforts like the Software Acquisition Pathway.

Air Force Selects MQ-9 Reaper for DARPA Capstone Initiative

 The U.S. Air Force has selected the MQ-9 Reaper as the lead platform for its collaboration with DARPA under the Capstone program. The decision was based on the system’s relatively low technical complexity and a more adaptable organizational culture, making it an ideal candidate for testing and implementing new software assurance tools.

“The MQ-9 Capstone program will significantly enhance DARPA’s support by giving us a major boost in delivering robust and resilient weapon system software to the field,” said Oren Edwards, Chief Engineer at the Air Force Life Cycle Management Center’s Medium Altitude UAS Division.

Edwards also addressed a common challenge in digital modernization efforts—the belief that significant time and money must be spent before any progress is visible. “That perception, often tied to the so-called ‘valley of death,’ simply isn’t accurate,” he explained. “While investment is necessary, there’s already a growing ecosystem of government and commercial tools proving otherwise. Our work with DARPA is a clear example of that. By applying DARPA’s assurance acceleration tools earlier in the software development process, we’re not only increasing agility for the MQ-9 but also paving the way for similar improvements in future Air Force and DOD programs.”

In addition to its partnership with the Air Force, DARPA is also conducting Capstone platform experiments in collaboration with the U.S. Navy, Army, and NASA.
