When Claude reasons about code, it reasons about lists, but the questions that actually matter are graph questions.

We just open-sourced Trailmark, a library that parses source code into a call graph using tree-sitter and rustworkx across 17 languages.

8 Claude skills built on its API. On Ed448, one classified 73% of surviving mutants as equivalent. Flat lists can't see that. https://blog.trailofbits.com/2026/04/23/trailmark-turns-code-into-graphs/

If you market a machine that “cooks for you,” a chef will never buy it.

This is called identity threat, one of the four reasons why people resist adopting AI.

Reframed: The machine doesn't cook for you. It makes you a faster, more efficient chef.

Our CEO Dan Guido's full playbook on how we went from 95% resistance to 80-95% weekly Claude usage within a year: https://blog.trailofbits.com/2026/03/31/how-we-made-trail-of-bits-ai-native-so-far/

"Human plus LLM is vastly vastly better than either one alone."

Our Blockchain Engineering Director Ben Samuels explains why security auditors aren't going anywhere.

Our sales team's AI Maturity Matrix. Scored from 0-3, defining what AI-enabled work looks like at each level.

Adoption is a ladder. Every team has clear levels, clear expectations, a clear path up, and real consequences for staying stuck.

Every org's matrix should look different. Copy the system, not the specifics.
https://blog.trailofbits.com/2026/03/31/how-we-made-trail-of-bits-ai-native-so-far/

Google used a ZK proof to disclose a quantum breakthrough that cuts the cost of breaking cryptocurrency by 20x without handing attackers the circuit.

The Rust code behind the proof had memory safety bugs. We used this new attack surface to forge a proof that beats Google’s on every metric.

Google patched it within days. Their quantum claims are unaffected. https://blog.trailofbits.com/2026/04/17/we-beat-googles-zero-knowledge-proof-of-quantum-cryptanalysis/

RE: https://fosstodon.org/@pypi/116414611218430369

4 billion downloads a day run through @pypi. A missing permission check let any org member invite new owners. One of 14 findings from our second audit.

Our C/C++ code review challenge closes April 17.

The new Testing Handbook chapter covers memory safety, integer errors, type confusion, kernel modules, Windows usermode, and seccomp sandbox escapes through manual code review.

Analyze the vulnerable programs, explain how to exploit them, and submit a writeup. First 10 correct entries win swag.

https://trailofbits.com/c-whats-wrong-challenge/

Most companies use AI to do the same work slightly faster. We call that level one adoption. Companies at level three do fundamentally different work. We're somewhere between level two and level three, and it took us a year to get there.

80-95% of our team use Claude weekly. We have 94 plugins containing 201 skills, 84 specialized agents, 29 commands, 125 scripts, and 414+ reference files encoding domain expertise.

The full six-step playbook we used to get there:
https://blog.trailofbits.com/2026/03/31/how-we-made-trail-of-bits-ai-native-so-far/

We open-sourced the system we built to make Trail of Bits AI-first. A six-step playbook for embedding AI into how your team actually works, not just what tools they have access to.

In 8 weeks we went from 5% to 67% Claude Code co-authorship on merged PRs across 59 contributors and 35 repos, from security engineers to PMs to sales. All through systematized adoption any exec can copy.
https://blog.trailofbits.com/2026/03/31/how-we-made-trail-of-bits-ai-native-so-far/

C and C++ run your OS, your browser, your database, and your critical infrastructure. They're also the easiest languages to get catastrophically wrong.

We wrote down everything a security auditor should check: language-level bug classes, stdlib pitfalls, Linux and Windows issues from usermode to kernel, seccomp sandbox escapes, and ptrace handler race conditions.

One checklist, hundreds of checks. https://appsec.guide/docs/languages/c-cpp/