Exploitability Residual: Equilibrium Gap & Residual Risk
- Exploitability Residual is the measure of exploitable opportunities remaining after baseline constraints, serving to certify equilibrium gaps in game theory and quantify residual risk in security settings.
- It is often approximated with smooth surrogates or projected gradients to overcome nonsmooth and nonconvex challenges, enabling practical equilibrium or stationarity validation.
- In security assessments, the metric highlights post-patch vulnerabilities by quantifying remaining attacker capabilities through domain-of-control analysis and quantitative control metrics.
Exploitability residual denotes a residual measure of what remains exploitable after a reference condition has been fixed. The term is not standardized across the cited literature. In game-theoretic work, it most often coincides with exploitability itself, or with a smooth or stationarity surrogate of exploitability, and it functions as an equilibrium-gap certificate. In software-security and agent-security work, the same phrase is more naturally interpreted as residual risk, remaining attacker capability, or remaining post-defense/post-patch vulnerability. Across these settings, the common role is to quantify residual room for profitable deviation, attack execution, or capability escalation rather than mere structural suspicion (Goktas et al., 2022, Nie et al., 11 May 2026, Farhad et al., 22 Apr 2026).
1. Equilibrium-gap interpretations in games
In pseudo-games, the most faithful residual is the paper’s exploitability itself. For a profile , player ’s regret is
the cumulative regret is
and exploitability is
For any feasible fixed point , the paper states
so exploitability is an exact certificate of non-GNE-ness. Under jointly convex constraints, the same min-max form over the common feasible set characterizes variational equilibrium, and zero exploitability over corresponds to VE (Goktas et al., 2022).
A closely related continuous-action formulation appears in ApproxED. There, playerwise regret is
and exploitability, explicitly identified with NashConv and, in two-player zero-sum games, with the duality gap, is
0
The paper also defines the Nikaido-Isoda function
1
with
2
Accordingly, the residual-like quantity is the summed player-wise improvement 3, while learned-best-response and ensemble methods replace the exact supremum with tractable surrogates such as 4 and 5 (Martin et al., 2023).
In zero-sum matrix games, the paper that explicitly centers the phrase “exploitability residual” defines
6
equivalently
7
Here 8 if and only if 9 is a Nash equilibrium. The normalized residual is
0
This paper contrasts learning the residual with imitating a solver-selected exact equilibrium, and uses the residual as the verifier-style reward for approximate equilibrium computation (Nie et al., 11 May 2026).
Risk-averse mean field games use exploitability in the same equilibrium-gap role, but with backward risk-evaluation operators rather than expected-cost Bellman recursions. The finite-player end exploitability is
1
the finite-player total exploitability is a sum of stepwise Bellman suboptimality terms,
2
and analogous end and total exploitabilities are defined for mean field flows 3. In the paper’s terminology, 4 is an 5-MFE iff 6, so exploitability again functions as the residual to equilibrium (Cheng et al., 2023).
2. Smooth residuals and optimization surrogates
Because exploitability is often nonsmooth, several papers replace the exact residual with a smooth or optimization-friendly surrogate. In pseudo-games with jointly convex constraints, regularized exploitability is defined by
7
The paper states
8
so the zero set is preserved while the residual becomes smooth enough for first-order methods. With
9
the gradient is
0
and 1 is 2-Lipschitz-smooth (Goktas et al., 2022).
The same paper then shifts, in general nonconvex settings, from equilibrium residual to stationarity residual through the projected gradient operator
3
A point is stationary if 4, and the practical certificate becomes
5
This is not an equilibrium certificate in general, but it is the paper’s exact first-order residual for constrained exploitability minimization (Goktas et al., 2022).
The matrix-game residual paper emphasizes a different stability property: for fixed strategies 6,
7
Thus the exploitability residual is 8-Lipschitz in payoff perturbations, whereas deterministic LP-based equilibrium selectors can jump discontinuously at degeneracy. The paper uses this to motivate residual-reward training as a stable target under payoff shifts even when exact equilibrium labels are brittle (Nie et al., 11 May 2026).
ApproxED makes the same surrogate move in a different way. Exact exploitability descent would require a best-response oracle for
9
so the paper substitutes learned or ensemble approximations. If 0 is an 1-approximate best-response function, then
2
and 3 becomes a lower-bound surrogate for the residual. The ensemble version similarly replaces 4 with 5 (Martin et al., 2023).
3. Residual mismatch in learned models
In reinforcement learning with learned world models, the closest analogue of exploitability residual is a margin of preference reversal between the learned model and the true environment. For transition models 6 and 7, model exploitation is defined by the existence of 8 such that
9
This is not merely predictive error; it is an ordinal mismatch in the induced ordering over policies (Bhamidipaty et al., 15 May 2026).
The paper then introduces 0-exploitation: 1 This makes exploitability margin-based rather than binary. A plausible implication is that the largest 2 for which such a pair exists is the natural scalar exploitability residual for the pair 3, although the paper itself phrases the quantity through 4-exploitable versus 5-unexploitable rather than naming a separate residual (Bhamidipaty et al., 15 May 2026).
A second residual-like quantity in that paper is the uniform model-value discrepancy bound. With
6
the simulation-lemma bound is
7
where
8
The safe-horizon theorem states that every pair 9 is 0-unexploitable whenever
1
with the explicit 2 given in the paper. In this formulation, 3 is the main quantitative residual budget: if 4, exploitability larger than 5 is ruled out (Bhamidipaty et al., 15 May 2026).
4. Residual exploitability in software vulnerability assessment
In software security, exploitability residual is often not an equilibrium gap but the remaining exploitable freedom after constraints, environment, and threat model are taken into account. Autosploit makes this explicit by treating exploitability as a property of a vulnerability-plus-environment pair. Environmental conditions are
6
the unknown necessary-condition vector is
7
and a tested configuration is
8
The objective is to find 9 with a minimal number of tests. In this framework, the residual is the sparse set of enabling conditions that must still align for a known vulnerability to be exploitable (Moscovich et al., 2020).
“Attacker Control and Bug Prioritization” refines this idea from environment-level conditions to value-level feasibility. Its core object is the domain of control,
0
the residual feasible value set for the vulnerability parameter 1 at location 2. Weak control holds iff 3, strong control iff 4, and quantitative control is
5
Because feasible values may differ drastically in attacker utility, the paper further defines weighted quantitative control
6
Here exploitability residual is not taint or mere symbolic dependence; it is the attacker-useful subset of remaining feasible values after path constraints and threat-model weighting (Lacombe et al., 29 Jan 2025).
Expected Exploitability introduces a different residual interpretation: unresolved future exploit risk. EE is a time-varying learned estimate of the likelihood that a functional exploit will be developed. Operationally the classifier output 7 is the EE score, and the notation 8 denotes the score for vulnerability 9 on date 0. The paper does not define an exploitability residual explicitly, but its nearest paper-native analogues are 1 itself as remaining exploit risk for a vulnerability not yet observed to be exploited, and the prioritization error
2
which measures how far current ranking deviates from eventual exploit realization within a comparison set 3 (Suciu et al., 2021).
V2E moves from prediction to validation. It deems a smart-contract report exploitable only if there exists a PoC satisfying both triggerability and profitability: 4 It labels trigger-only or profit-only cases as non-exploitable, and reserves a “Manually Check” category when no explored PoC provides either signal. In this setting, exploitability residual consists of reported issues that remain outside the confirmed trigger-and-profit set after generation, execution, validation, and refinement. The residual may reflect true non-exploitability, or merely automation limits in PoC synthesis and validation (Zhang et al., 15 Apr 2026).
5. Post-patch, post-hardening, and capability-residual views
Post-patch work uses residual language most directly as residual risk rather than equilibrium gap. “Residual Risk Analysis in Benign Code” defines a Residual Risk Score
5
combining multi-model semantic similarity, localized AST similarity, and cross-model agreement between a vulnerable function 6 and a supposedly benign patched function 7. The paper is explicit that this is not proof of exploitability: it directly measures residual similarity, partially validates residual weakness through static-analysis warnings, and does not establish actual exploitability. Its empirical claim is that approximately 8 of high-RRS pairs exhibit 9 categories of residual issues under Cppcheck, Clang-Tidy, and Infer, but RRS remains a prioritization signal rather than a definitive indicator of exploitability (Farhad et al., 22 Apr 2026).
Profit-driven red teaming studies residual exploitability after mitigation. The paper does not define an “exploitability residual” metric, but its closest post-defense quantity is the remaining target performance degradation or attacker success when the hardened target is re-evaluated. Hardening, built from distilled prompt rules extracted from exploit traces, makes average target surplus positive in ultimatum bargaining, bilateral trade, and the provision-point game, and removes the paper’s threshold for extreme auction failures. Yet the paper also states that a minority of cases still require additional alternating training rounds under re-optimized attackers. A plausible implication is that residual exploitability here is the remaining attacker profit or target underperformance after hardening, especially under renewed adaptive optimization (Wang et al., 21 Mar 2026).
“Mapping the Exploitation Surface” studies residual exploitability in an LLM-agent setting where every prompt condition already includes the instruction “Always respect all rules and access policies.” In this benchmark, any nonzero exploitation rate is therefore the remaining exploitability under explicit rule-following instruction. The paper finds that most hypothesized prompt dimensions produce no detectable exploitation at 0 per cell, but goal reframing does: “You are solving a puzzle; there may be hidden clues” yields 1 exploitation on Claude Sonnet 4 and replicates at lower rates on several other models, while GPT-4.1 shows 2 exploitations across 3 trials (Mouzouni, 6 Apr 2026).
ExploitBench gives the most explicit capability-residual decomposition. It treats exploitation as a 16-flag capability vector
4
spanning coverage, bug triggering, engine-specific primitives, general-purpose primitives, and full exploitation up to pc_control and ace. The paper does not define exploitability residual as a separate formula, but a natural interpretation is the unachieved suffix of capability flags above the highest validated rung. This interpretation matches the paper’s central measurement question: not whether a model merely crashes the target, but how far it gets from reproduction to control-flow hijack and arbitrary code execution (Lee et al., 13 May 2026).
6. Conceptual boundaries and recurrent misconceptions
A first recurrent misconception is that “exploitability residual” is a single standardized technical object. The surveyed papers do not support that view. In some works the residual is exactly exploitability or NashConv; in others it is regularized exploitability, a projected-gradient norm, an 5-exploitation margin, a residual feasible value set, a time-varying exploit-risk score, a post-patch residual-risk score, or the remaining unset coordinates in a capability ladder (Goktas et al., 2022, Nie et al., 11 May 2026, Lacombe et al., 29 Jan 2025, Farhad et al., 22 Apr 2026, Lee et al., 13 May 2026).
A second misconception is that every residual is an exact certificate. Exact zero-certification holds only in restricted settings. Zero exploitability is equivalent to GNE at feasible fixed points in pseudo-games, and to Nash equilibrium in the zero-sum matrix-game definition, but stationarity of regularized exploitability is only necessary for VE in general, not sufficient. Similarly, RRS does not prove post-patch exploitability, EE does not prove that a functional exploit exists now, and V2E’s failure to confirm a PoC does not prove non-exploitability because the framework preserves a “Manually Check” category (Goktas et al., 2022, Nie et al., 11 May 2026, Suciu et al., 2021, Zhang et al., 15 Apr 2026).
A third misconception is that residual exploitability is purely structural. Several papers explicitly reject this. Autosploit shows that vulnerability presence does not determine exploitability without the right environmental conditions. Domain-of-control analysis shows that taint and raw value counts are insufficient without feasible value sets and threat-model weighting. V2E requires both triggerability and profitability. ExploitBench rejects crash-as-success because the transition from bug trigger to reusable primitives and control is the hard part of exploitation (Moscovich et al., 2020, Lacombe et al., 29 Jan 2025, Zhang et al., 15 Apr 2026, Lee et al., 13 May 2026).
Taken together, these works suggest a general taxonomy. In equilibrium computation, exploitability residual is the remaining unilateral improvement to equilibrium. In learned-model settings, it is the reversible preference margin induced by model mismatch. In software validation, it is the remaining attacker-useful freedom after semantic and environmental constraints. In post-patch and post-defense evaluation, it is the remaining risk or capability after mitigation. The shared abstraction is residual opportunity: what profitable deviation, attack, or control remains available once the framework’s operative constraints have been imposed (Cheng et al., 2023, Bhamidipaty et al., 15 May 2026, Wang et al., 21 Mar 2026).