Tooling

Binary & Protocol Fuzzing

AFL++, libFuzzer, Honggfuzz, Boofuzz — finding bugs by feeding garbage in.

Fuzzing is the highest-leverage way to find memory-safety and logic bugs in code you don't want to read. Coverage-guided fuzzing (AFL family) revolutionised the field; differential / structure-aware fuzzers are now mainstream. For web / HTTP-shaped fuzzing see Web Fuzzing & Content Discovery. For SAST see Security Scanning.

Coverage-guided fuzzers (the core)

  • AFL++ — community fork that rolled together every AFL improvement (LLVM mode, QEMU-mode, frida-mode, persistent-mode, redqueen, lafintel). The 2024–26 default. Free.
  • libFuzzer — in-process fuzzer that ships with Clang / LLVM; trivial to integrate into a C/C++ codebase via LLVMFuzzerTestOneInput. Pairs with sanitizers. Free.
  • Honggfuzz (Google) — coverage-guided; software / hardware (Intel PT) feedback; multi-process; fast at process-spawn workloads. Free.
  • AFL.rs / cargo-fuzz — Rust integration over libFuzzer / honggfuzz.
  • go-fuzz / native Go fuzz (1.18+)go test -fuzz=; built into the Go toolchain.
  • jazzer — Java / JVM coverage-guided fuzzer; libFuzzer-compatible.
  • Atheris — Python libFuzzer port (Google).
  • fuzzilli — JavaScript-engine fuzzer (V8, JSC, SpiderMonkey).
  • OSS-Fuzz (Google) — free continuous fuzzing for OSS projects; runs your harnesses against AFL++ / libFuzzer / honggfuzz / centipede.

Structure-aware / grammar-based

  • Centipede (Google) — distributed coverage-guided; OSS-Fuzz uses it.
  • Nautilus / Grimoire — grammar-aware mutators on top of AFL.
  • libprotobuf-mutator — protobuf-aware mutations; pairs with libFuzzer.
  • Domato (Google) — DOM / HTML grammar fuzzer.
  • Peach Fuzzer Community — protocol fuzzer; legacy.

Network / protocol fuzzers

  • Boofuzz — Python network protocol fuzzer; spike / sulley successor. Free.
  • AFLNet — AFL extension for stateful network protocols.
  • mutiny-fuzzer (Cisco Talos) — replay-and-mutate from .pcap.
  • Frida-fuzzer — instrument any binary, fuzz with Frida hooks.
  • See Web Fuzzing & Content Discovery — ffuf, feroxbuster, Gobuster, dirsearch, wfuzz.
  • RESTler (Microsoft) — stateful REST API fuzzer.
  • Schemathesis — property-based OpenAPI fuzzer; finds security issues incidentally. See OpenAPI Tooling.

Symbolic execution / hybrid

  • angr — Python symbolic execution; pair with AFL via driller.
  • KLEE — academic symbolic exec for LLVM bitcode.
  • Manticore (Trail of Bits) — symbolic / concolic for x86, ARM, EVM.
  • fuzzgen / SymCC / SymQEMU — concolic add-ons to coverage fuzzers.

Sanitizers (the multiplier)

  • AddressSanitizer (ASan) — heap / stack out-of-bounds; turn on for every fuzz harness.
  • UndefinedBehaviorSanitizer (UBSan) — undefined behaviour.
  • MemorySanitizer (MSan) — uninit reads.
  • ThreadSanitizer (TSan) — data races.
  • HWASan — ARM hardware-tagged ASan; cheaper.
  • libcheck / Valgrind — older equivalents.

Corpus & seed handling

  • AFL_TMIN / afl-tmin — minimise crashing inputs.
  • afl-cmin — minimise corpus to coverage-equivalent set.
  • fuzzbench (Google) — benchmark fuzzers against each other.
  • -x dictionaries/ — token dictionaries for AFL/libFuzzer dramatically improve discovery.
  • Magic value strings — ship dicts for PNG / JPEG / PDF / HTML / SQL / your protocol.

Continuous fuzzing in CI

  • OSS-Fuzz (Google) — free, continuous, for OSS projects — open an issue if you maintain a C / C++ / Rust / Go / Java / Python library.
  • ClusterFuzzLite — self-hosted; sit beside your CI for closed-source / private code.
  • Mayhem (ForAllSecure) — paid commercial fuzzing platform.
  • Code Intelligence CI Sense — paid; CI-native fuzzing.

Pick this if…

  • C / C++ library, default modern fuzzer: AFL++ + libFuzzer harnesses + ASan.
  • Continuous OSS fuzzing, free: OSS-Fuzz.
  • Network protocol black-box: Boofuzz or AFLNet.
  • Rust / Go: built-in fuzz support (cargo-fuzz / go test -fuzz).
  • REST API: Schemathesis or RESTler.
  • Closed source binary: AFL++ qemu-mode or frida-mode.
  • Burn extra coverage: add Centipede + structure-aware mutators.

On this page