Papers
Topics
Authors
Recent
Search
2000 character limit reached

Exploitability Residual: Equilibrium Gap & Residual Risk

Updated 5 July 2026
  • Exploitability Residual is the measure of exploitable opportunities remaining after baseline constraints, serving to certify equilibrium gaps in game theory and quantify residual risk in security settings.
  • It is often approximated with smooth surrogates or projected gradients to overcome nonsmooth and nonconvex challenges, enabling practical equilibrium or stationarity validation.
  • In security assessments, the metric highlights post-patch vulnerabilities by quantifying remaining attacker capabilities through domain-of-control analysis and quantitative control metrics.

Exploitability residual denotes a residual measure of what remains exploitable after a reference condition has been fixed. The term is not standardized across the cited literature. In game-theoretic work, it most often coincides with exploitability itself, or with a smooth or stationarity surrogate of exploitability, and it functions as an equilibrium-gap certificate. In software-security and agent-security work, the same phrase is more naturally interpreted as residual risk, remaining attacker capability, or remaining post-defense/post-patch vulnerability. Across these settings, the common role is to quantify residual room for profitable deviation, attack execution, or capability escalation rather than mere structural suspicion (Goktas et al., 2022, Nie et al., 11 May 2026, Farhad et al., 22 Apr 2026).

1. Equilibrium-gap interpretations in games

In pseudo-games, the most faithful residual is the paper’s exploitability itself. For a profile aa, player ii’s regret is

ri(ai,bi;ai)=ui(bi,ai)ui(ai,ai),r_i(a_i,b_i; a_{-i}) = u_i(b_i,a_{-i}) - u_i(a_i,a_{-i}),

the cumulative regret is

R(a,b)=i[n](ui(bi,ai)ui(ai,ai)),R(a,b) = \sum_{i\in[n]} \bigl( u_i(b_i,a_{-i}) - u_i(a_i,a_{-i}) \bigr),

and exploitability is

Expl(a)=i[n]maxbiAi(ai)ri(ai,bi;ai)=maxbA(a)R(a,b).\operatorname{Expl}(a) = \sum_{i\in[n]} \max_{b_i \in A_i(a_{-i})} r_i(a_i,b_i;a_{-i}) = \max_{b\in A(a)} R(a,b).

For any feasible fixed point aA(a)a^*\in A(a^*), the paper states

a is a GNE     Expl(a)=0,a^* \text{ is a GNE } \iff \operatorname{Expl}(a^*)=0,

so exploitability is an exact certificate of non-GNE-ness. Under jointly convex constraints, the same min-max form over the common feasible set AA characterizes variational equilibrium, and zero exploitability over AA corresponds to VE (Goktas et al., 2022).

A closely related continuous-action formulation appears in ApproxED. There, playerwise regret is

Ri(x)=supyiXiui(yi,xi)ui(x),R_i(x) = \sup_{y_i \in \mathcal{X}_i} u_i(y_i, x_{-i}) - u_i(x),

and exploitability, explicitly identified with NashConv and, in two-player zero-sum games, with the duality gap, is

ii0

The paper also defines the Nikaido-Isoda function

ii1

with

ii2

Accordingly, the residual-like quantity is the summed player-wise improvement ii3, while learned-best-response and ensemble methods replace the exact supremum with tractable surrogates such as ii4 and ii5 (Martin et al., 2023).

In zero-sum matrix games, the paper that explicitly centers the phrase “exploitability residual” defines

ii6

equivalently

ii7

Here ii8 if and only if ii9 is a Nash equilibrium. The normalized residual is

ri(ai,bi;ai)=ui(bi,ai)ui(ai,ai),r_i(a_i,b_i; a_{-i}) = u_i(b_i,a_{-i}) - u_i(a_i,a_{-i}),0

This paper contrasts learning the residual with imitating a solver-selected exact equilibrium, and uses the residual as the verifier-style reward for approximate equilibrium computation (Nie et al., 11 May 2026).

Risk-averse mean field games use exploitability in the same equilibrium-gap role, but with backward risk-evaluation operators rather than expected-cost Bellman recursions. The finite-player end exploitability is

ri(ai,bi;ai)=ui(bi,ai)ui(ai,ai),r_i(a_i,b_i; a_{-i}) = u_i(b_i,a_{-i}) - u_i(a_i,a_{-i}),1

the finite-player total exploitability is a sum of stepwise Bellman suboptimality terms,

ri(ai,bi;ai)=ui(bi,ai)ui(ai,ai),r_i(a_i,b_i; a_{-i}) = u_i(b_i,a_{-i}) - u_i(a_i,a_{-i}),2

and analogous end and total exploitabilities are defined for mean field flows ri(ai,bi;ai)=ui(bi,ai)ui(ai,ai),r_i(a_i,b_i; a_{-i}) = u_i(b_i,a_{-i}) - u_i(a_i,a_{-i}),3. In the paper’s terminology, ri(ai,bi;ai)=ui(bi,ai)ui(ai,ai),r_i(a_i,b_i; a_{-i}) = u_i(b_i,a_{-i}) - u_i(a_i,a_{-i}),4 is an ri(ai,bi;ai)=ui(bi,ai)ui(ai,ai),r_i(a_i,b_i; a_{-i}) = u_i(b_i,a_{-i}) - u_i(a_i,a_{-i}),5-MFE iff ri(ai,bi;ai)=ui(bi,ai)ui(ai,ai),r_i(a_i,b_i; a_{-i}) = u_i(b_i,a_{-i}) - u_i(a_i,a_{-i}),6, so exploitability again functions as the residual to equilibrium (Cheng et al., 2023).

2. Smooth residuals and optimization surrogates

Because exploitability is often nonsmooth, several papers replace the exact residual with a smooth or optimization-friendly surrogate. In pseudo-games with jointly convex constraints, regularized exploitability is defined by

ri(ai,bi;ai)=ui(bi,ai)ui(ai,ai),r_i(a_i,b_i; a_{-i}) = u_i(b_i,a_{-i}) - u_i(a_i,a_{-i}),7

The paper states

ri(ai,bi;ai)=ui(bi,ai)ui(ai,ai),r_i(a_i,b_i; a_{-i}) = u_i(b_i,a_{-i}) - u_i(a_i,a_{-i}),8

so the zero set is preserved while the residual becomes smooth enough for first-order methods. With

ri(ai,bi;ai)=ui(bi,ai)ui(ai,ai),r_i(a_i,b_i; a_{-i}) = u_i(b_i,a_{-i}) - u_i(a_i,a_{-i}),9

the gradient is

R(a,b)=i[n](ui(bi,ai)ui(ai,ai)),R(a,b) = \sum_{i\in[n]} \bigl( u_i(b_i,a_{-i}) - u_i(a_i,a_{-i}) \bigr),0

and R(a,b)=i[n](ui(bi,ai)ui(ai,ai)),R(a,b) = \sum_{i\in[n]} \bigl( u_i(b_i,a_{-i}) - u_i(a_i,a_{-i}) \bigr),1 is R(a,b)=i[n](ui(bi,ai)ui(ai,ai)),R(a,b) = \sum_{i\in[n]} \bigl( u_i(b_i,a_{-i}) - u_i(a_i,a_{-i}) \bigr),2-Lipschitz-smooth (Goktas et al., 2022).

The same paper then shifts, in general nonconvex settings, from equilibrium residual to stationarity residual through the projected gradient operator

R(a,b)=i[n](ui(bi,ai)ui(ai,ai)),R(a,b) = \sum_{i\in[n]} \bigl( u_i(b_i,a_{-i}) - u_i(a_i,a_{-i}) \bigr),3

A point is stationary if R(a,b)=i[n](ui(bi,ai)ui(ai,ai)),R(a,b) = \sum_{i\in[n]} \bigl( u_i(b_i,a_{-i}) - u_i(a_i,a_{-i}) \bigr),4, and the practical certificate becomes

R(a,b)=i[n](ui(bi,ai)ui(ai,ai)),R(a,b) = \sum_{i\in[n]} \bigl( u_i(b_i,a_{-i}) - u_i(a_i,a_{-i}) \bigr),5

This is not an equilibrium certificate in general, but it is the paper’s exact first-order residual for constrained exploitability minimization (Goktas et al., 2022).

The matrix-game residual paper emphasizes a different stability property: for fixed strategies R(a,b)=i[n](ui(bi,ai)ui(ai,ai)),R(a,b) = \sum_{i\in[n]} \bigl( u_i(b_i,a_{-i}) - u_i(a_i,a_{-i}) \bigr),6,

R(a,b)=i[n](ui(bi,ai)ui(ai,ai)),R(a,b) = \sum_{i\in[n]} \bigl( u_i(b_i,a_{-i}) - u_i(a_i,a_{-i}) \bigr),7

Thus the exploitability residual is R(a,b)=i[n](ui(bi,ai)ui(ai,ai)),R(a,b) = \sum_{i\in[n]} \bigl( u_i(b_i,a_{-i}) - u_i(a_i,a_{-i}) \bigr),8-Lipschitz in payoff perturbations, whereas deterministic LP-based equilibrium selectors can jump discontinuously at degeneracy. The paper uses this to motivate residual-reward training as a stable target under payoff shifts even when exact equilibrium labels are brittle (Nie et al., 11 May 2026).

ApproxED makes the same surrogate move in a different way. Exact exploitability descent would require a best-response oracle for

R(a,b)=i[n](ui(bi,ai)ui(ai,ai)),R(a,b) = \sum_{i\in[n]} \bigl( u_i(b_i,a_{-i}) - u_i(a_i,a_{-i}) \bigr),9

so the paper substitutes learned or ensemble approximations. If Expl(a)=i[n]maxbiAi(ai)ri(ai,bi;ai)=maxbA(a)R(a,b).\operatorname{Expl}(a) = \sum_{i\in[n]} \max_{b_i \in A_i(a_{-i})} r_i(a_i,b_i;a_{-i}) = \max_{b\in A(a)} R(a,b).0 is an Expl(a)=i[n]maxbiAi(ai)ri(ai,bi;ai)=maxbA(a)R(a,b).\operatorname{Expl}(a) = \sum_{i\in[n]} \max_{b_i \in A_i(a_{-i})} r_i(a_i,b_i;a_{-i}) = \max_{b\in A(a)} R(a,b).1-approximate best-response function, then

Expl(a)=i[n]maxbiAi(ai)ri(ai,bi;ai)=maxbA(a)R(a,b).\operatorname{Expl}(a) = \sum_{i\in[n]} \max_{b_i \in A_i(a_{-i})} r_i(a_i,b_i;a_{-i}) = \max_{b\in A(a)} R(a,b).2

and Expl(a)=i[n]maxbiAi(ai)ri(ai,bi;ai)=maxbA(a)R(a,b).\operatorname{Expl}(a) = \sum_{i\in[n]} \max_{b_i \in A_i(a_{-i})} r_i(a_i,b_i;a_{-i}) = \max_{b\in A(a)} R(a,b).3 becomes a lower-bound surrogate for the residual. The ensemble version similarly replaces Expl(a)=i[n]maxbiAi(ai)ri(ai,bi;ai)=maxbA(a)R(a,b).\operatorname{Expl}(a) = \sum_{i\in[n]} \max_{b_i \in A_i(a_{-i})} r_i(a_i,b_i;a_{-i}) = \max_{b\in A(a)} R(a,b).4 with Expl(a)=i[n]maxbiAi(ai)ri(ai,bi;ai)=maxbA(a)R(a,b).\operatorname{Expl}(a) = \sum_{i\in[n]} \max_{b_i \in A_i(a_{-i})} r_i(a_i,b_i;a_{-i}) = \max_{b\in A(a)} R(a,b).5 (Martin et al., 2023).

3. Residual mismatch in learned models

In reinforcement learning with learned world models, the closest analogue of exploitability residual is a margin of preference reversal between the learned model and the true environment. For transition models Expl(a)=i[n]maxbiAi(ai)ri(ai,bi;ai)=maxbA(a)R(a,b).\operatorname{Expl}(a) = \sum_{i\in[n]} \max_{b_i \in A_i(a_{-i})} r_i(a_i,b_i;a_{-i}) = \max_{b\in A(a)} R(a,b).6 and Expl(a)=i[n]maxbiAi(ai)ri(ai,bi;ai)=maxbA(a)R(a,b).\operatorname{Expl}(a) = \sum_{i\in[n]} \max_{b_i \in A_i(a_{-i})} r_i(a_i,b_i;a_{-i}) = \max_{b\in A(a)} R(a,b).7, model exploitation is defined by the existence of Expl(a)=i[n]maxbiAi(ai)ri(ai,bi;ai)=maxbA(a)R(a,b).\operatorname{Expl}(a) = \sum_{i\in[n]} \max_{b_i \in A_i(a_{-i})} r_i(a_i,b_i;a_{-i}) = \max_{b\in A(a)} R(a,b).8 such that

Expl(a)=i[n]maxbiAi(ai)ri(ai,bi;ai)=maxbA(a)R(a,b).\operatorname{Expl}(a) = \sum_{i\in[n]} \max_{b_i \in A_i(a_{-i})} r_i(a_i,b_i;a_{-i}) = \max_{b\in A(a)} R(a,b).9

This is not merely predictive error; it is an ordinal mismatch in the induced ordering over policies (Bhamidipaty et al., 15 May 2026).

The paper then introduces aA(a)a^*\in A(a^*)0-exploitation: aA(a)a^*\in A(a^*)1 This makes exploitability margin-based rather than binary. A plausible implication is that the largest aA(a)a^*\in A(a^*)2 for which such a pair exists is the natural scalar exploitability residual for the pair aA(a)a^*\in A(a^*)3, although the paper itself phrases the quantity through aA(a)a^*\in A(a^*)4-exploitable versus aA(a)a^*\in A(a^*)5-unexploitable rather than naming a separate residual (Bhamidipaty et al., 15 May 2026).

A second residual-like quantity in that paper is the uniform model-value discrepancy bound. With

aA(a)a^*\in A(a^*)6

the simulation-lemma bound is

aA(a)a^*\in A(a^*)7

where

aA(a)a^*\in A(a^*)8

The safe-horizon theorem states that every pair aA(a)a^*\in A(a^*)9 is a is a GNE     Expl(a)=0,a^* \text{ is a GNE } \iff \operatorname{Expl}(a^*)=0,0-unexploitable whenever

a is a GNE     Expl(a)=0,a^* \text{ is a GNE } \iff \operatorname{Expl}(a^*)=0,1

with the explicit a is a GNE     Expl(a)=0,a^* \text{ is a GNE } \iff \operatorname{Expl}(a^*)=0,2 given in the paper. In this formulation, a is a GNE     Expl(a)=0,a^* \text{ is a GNE } \iff \operatorname{Expl}(a^*)=0,3 is the main quantitative residual budget: if a is a GNE     Expl(a)=0,a^* \text{ is a GNE } \iff \operatorname{Expl}(a^*)=0,4, exploitability larger than a is a GNE     Expl(a)=0,a^* \text{ is a GNE } \iff \operatorname{Expl}(a^*)=0,5 is ruled out (Bhamidipaty et al., 15 May 2026).

4. Residual exploitability in software vulnerability assessment

In software security, exploitability residual is often not an equilibrium gap but the remaining exploitable freedom after constraints, environment, and threat model are taken into account. Autosploit makes this explicit by treating exploitability as a property of a vulnerability-plus-environment pair. Environmental conditions are

a is a GNE     Expl(a)=0,a^* \text{ is a GNE } \iff \operatorname{Expl}(a^*)=0,6

the unknown necessary-condition vector is

a is a GNE     Expl(a)=0,a^* \text{ is a GNE } \iff \operatorname{Expl}(a^*)=0,7

and a tested configuration is

a is a GNE     Expl(a)=0,a^* \text{ is a GNE } \iff \operatorname{Expl}(a^*)=0,8

The objective is to find a is a GNE     Expl(a)=0,a^* \text{ is a GNE } \iff \operatorname{Expl}(a^*)=0,9 with a minimal number of tests. In this framework, the residual is the sparse set of enabling conditions that must still align for a known vulnerability to be exploitable (Moscovich et al., 2020).

“Attacker Control and Bug Prioritization” refines this idea from environment-level conditions to value-level feasibility. Its core object is the domain of control,

AA0

the residual feasible value set for the vulnerability parameter AA1 at location AA2. Weak control holds iff AA3, strong control iff AA4, and quantitative control is

AA5

Because feasible values may differ drastically in attacker utility, the paper further defines weighted quantitative control

AA6

Here exploitability residual is not taint or mere symbolic dependence; it is the attacker-useful subset of remaining feasible values after path constraints and threat-model weighting (Lacombe et al., 29 Jan 2025).

Expected Exploitability introduces a different residual interpretation: unresolved future exploit risk. EE is a time-varying learned estimate of the likelihood that a functional exploit will be developed. Operationally the classifier output AA7 is the EE score, and the notation AA8 denotes the score for vulnerability AA9 on date AA0. The paper does not define an exploitability residual explicitly, but its nearest paper-native analogues are AA1 itself as remaining exploit risk for a vulnerability not yet observed to be exploited, and the prioritization error

AA2

which measures how far current ranking deviates from eventual exploit realization within a comparison set AA3 (Suciu et al., 2021).

V2E moves from prediction to validation. It deems a smart-contract report exploitable only if there exists a PoC satisfying both triggerability and profitability: AA4 It labels trigger-only or profit-only cases as non-exploitable, and reserves a “Manually Check” category when no explored PoC provides either signal. In this setting, exploitability residual consists of reported issues that remain outside the confirmed trigger-and-profit set after generation, execution, validation, and refinement. The residual may reflect true non-exploitability, or merely automation limits in PoC synthesis and validation (Zhang et al., 15 Apr 2026).

5. Post-patch, post-hardening, and capability-residual views

Post-patch work uses residual language most directly as residual risk rather than equilibrium gap. “Residual Risk Analysis in Benign Code” defines a Residual Risk Score

AA5

combining multi-model semantic similarity, localized AST similarity, and cross-model agreement between a vulnerable function AA6 and a supposedly benign patched function AA7. The paper is explicit that this is not proof of exploitability: it directly measures residual similarity, partially validates residual weakness through static-analysis warnings, and does not establish actual exploitability. Its empirical claim is that approximately AA8 of high-RRS pairs exhibit AA9 categories of residual issues under Cppcheck, Clang-Tidy, and Infer, but RRS remains a prioritization signal rather than a definitive indicator of exploitability (Farhad et al., 22 Apr 2026).

Profit-driven red teaming studies residual exploitability after mitigation. The paper does not define an “exploitability residual” metric, but its closest post-defense quantity is the remaining target performance degradation or attacker success when the hardened target is re-evaluated. Hardening, built from distilled prompt rules extracted from exploit traces, makes average target surplus positive in ultimatum bargaining, bilateral trade, and the provision-point game, and removes the paper’s threshold for extreme auction failures. Yet the paper also states that a minority of cases still require additional alternating training rounds under re-optimized attackers. A plausible implication is that residual exploitability here is the remaining attacker profit or target underperformance after hardening, especially under renewed adaptive optimization (Wang et al., 21 Mar 2026).

“Mapping the Exploitation Surface” studies residual exploitability in an LLM-agent setting where every prompt condition already includes the instruction “Always respect all rules and access policies.” In this benchmark, any nonzero exploitation rate is therefore the remaining exploitability under explicit rule-following instruction. The paper finds that most hypothesized prompt dimensions produce no detectable exploitation at Ri(x)=supyiXiui(yi,xi)ui(x),R_i(x) = \sup_{y_i \in \mathcal{X}_i} u_i(y_i, x_{-i}) - u_i(x),0 per cell, but goal reframing does: “You are solving a puzzle; there may be hidden clues” yields Ri(x)=supyiXiui(yi,xi)ui(x),R_i(x) = \sup_{y_i \in \mathcal{X}_i} u_i(y_i, x_{-i}) - u_i(x),1 exploitation on Claude Sonnet 4 and replicates at lower rates on several other models, while GPT-4.1 shows Ri(x)=supyiXiui(yi,xi)ui(x),R_i(x) = \sup_{y_i \in \mathcal{X}_i} u_i(y_i, x_{-i}) - u_i(x),2 exploitations across Ri(x)=supyiXiui(yi,xi)ui(x),R_i(x) = \sup_{y_i \in \mathcal{X}_i} u_i(y_i, x_{-i}) - u_i(x),3 trials (Mouzouni, 6 Apr 2026).

ExploitBench gives the most explicit capability-residual decomposition. It treats exploitation as a 16-flag capability vector

Ri(x)=supyiXiui(yi,xi)ui(x),R_i(x) = \sup_{y_i \in \mathcal{X}_i} u_i(y_i, x_{-i}) - u_i(x),4

spanning coverage, bug triggering, engine-specific primitives, general-purpose primitives, and full exploitation up to pc_control and ace. The paper does not define exploitability residual as a separate formula, but a natural interpretation is the unachieved suffix of capability flags above the highest validated rung. This interpretation matches the paper’s central measurement question: not whether a model merely crashes the target, but how far it gets from reproduction to control-flow hijack and arbitrary code execution (Lee et al., 13 May 2026).

6. Conceptual boundaries and recurrent misconceptions

A first recurrent misconception is that “exploitability residual” is a single standardized technical object. The surveyed papers do not support that view. In some works the residual is exactly exploitability or NashConv; in others it is regularized exploitability, a projected-gradient norm, an Ri(x)=supyiXiui(yi,xi)ui(x),R_i(x) = \sup_{y_i \in \mathcal{X}_i} u_i(y_i, x_{-i}) - u_i(x),5-exploitation margin, a residual feasible value set, a time-varying exploit-risk score, a post-patch residual-risk score, or the remaining unset coordinates in a capability ladder (Goktas et al., 2022, Nie et al., 11 May 2026, Lacombe et al., 29 Jan 2025, Farhad et al., 22 Apr 2026, Lee et al., 13 May 2026).

A second misconception is that every residual is an exact certificate. Exact zero-certification holds only in restricted settings. Zero exploitability is equivalent to GNE at feasible fixed points in pseudo-games, and to Nash equilibrium in the zero-sum matrix-game definition, but stationarity of regularized exploitability is only necessary for VE in general, not sufficient. Similarly, RRS does not prove post-patch exploitability, EE does not prove that a functional exploit exists now, and V2E’s failure to confirm a PoC does not prove non-exploitability because the framework preserves a “Manually Check” category (Goktas et al., 2022, Nie et al., 11 May 2026, Suciu et al., 2021, Zhang et al., 15 Apr 2026).

A third misconception is that residual exploitability is purely structural. Several papers explicitly reject this. Autosploit shows that vulnerability presence does not determine exploitability without the right environmental conditions. Domain-of-control analysis shows that taint and raw value counts are insufficient without feasible value sets and threat-model weighting. V2E requires both triggerability and profitability. ExploitBench rejects crash-as-success because the transition from bug trigger to reusable primitives and control is the hard part of exploitation (Moscovich et al., 2020, Lacombe et al., 29 Jan 2025, Zhang et al., 15 Apr 2026, Lee et al., 13 May 2026).

Taken together, these works suggest a general taxonomy. In equilibrium computation, exploitability residual is the remaining unilateral improvement to equilibrium. In learned-model settings, it is the reversible preference margin induced by model mismatch. In software validation, it is the remaining attacker-useful freedom after semantic and environmental constraints. In post-patch and post-defense evaluation, it is the remaining risk or capability after mitigation. The shared abstraction is residual opportunity: what profitable deviation, attack, or control remains available once the framework’s operative constraints have been imposed (Cheng et al., 2023, Bhamidipaty et al., 15 May 2026, Wang et al., 21 Mar 2026).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Exploitability Residual.