Trail of Bits

1.7K Followers · 5 Following · 429 Posts

We help secure the world's most targeted organizations and products. We combine security research with an attacker mentality to reduce risk and fortify code.

Website: https://trailofbits.com
Podcast: https://trailofbits.audio
GitHub: https://github.com/trailofbits
Blog: https://blog.trailofbits.com

Go's fuzzer can't solve path constraints, fuzz typed inputs, or catch data races and goroutine leaks.

gosentry is our fork of the Go toolchain that brings a LibAFL engine in Rust, Nautilus grammar fuzzing, struct-aware mutation, and race/leak detection into `go test -fuzz`.

Same harness, stronger engine. We already used it to disclose 4 bugs in Optimism and Revm. https://blog.trailofbits.com/2026/05/12/go-fuzzing-was-missing-half-the-toolkit.-we-forked-the-toolchain-to-fix-it./

We submitted SequenceHash to C2SP. It's a new cryptography spec that prevents a common class of bugs by safely combining multiple inputs into a single hash with any hash function.

Think TupleHash, generalized so it works on top of SHA-256, BLAKE2, or any underlying hash function. The draft is open for review on C2SP, part of our ongoing contributions to open cryptographic standards. https://c2sp.org/sequencehash


30 readers took our C/C++ challenge. Some solved the Linux warmup, but nobody cracked the Windows driver bug. Even LLM-assisted submissions came up short.

The walkthrough explains both, including the Windows escalation from local DoS to kernel code execution.

Best 10 submissions are still getting swag. If you won, we'll be in contact.
https://blog.trailofbits.com/2026/05/05/c/c-checklist-challenges-solved/

RE: https://fosstodon.org/@ostifofficial/116494100549474783

libVLC powers VLC media player, which has been downloaded more than 6 billion times. Our audit produced structural improvements, not just bug fixes: HTTPS for self-update and build dependencies, and three new fuzzing harnesses for URL, CSS, and JSON parsing. More in the report.

"You can write exploits for software that exists in only one configuration that one company has. And you can do it on the fly." —CEO Dan Guido in The Verge on how AI collapses the cost of finding bugs. https://www.theverge.com/ai-artificial-intelligence/915660/mythos-script-kiddies-hackers-attack-cybersecurity-ai

libFuzzer is in maintenance mode. We added LibAFL support to Ruzzy so Ruby devs and security researchers can run their next fuzzing campaign without harness modifications.

Adding LibAFL support to Ruzzy took longer than expected. We took detours in ELF file internals, .init_array DSO sections, SanitizerCoverage interceptors, lazy vs. eager loading, and Ruby C extensions. https://blog.trailofbits.com/2026/04/29/extending-ruzzy-with-libafl/

The fastest way to get a team to adopt AI is to make them put in reps. We run hackathons as a forcing function.

2-3 day sprints, one objective. Last time, we told every engineer to use Claude Code in bypass permissions mode. It's now the default for our org.

The full playbook: https://blog.trailofbits.com/2026/03/31/how-we-made-trail-of-bits-ai-native-so-far/

When Claude reasons about code, it reasons about lists, but the questions that actually matter are graph questions.

We just open-sourced Trailmark, a library that parses source code into a call graph using tree-sitter and rustworkx across 17 languages.

8 Claude skills built on its API. On Ed448, one classified 73% of surviving mutants as equivalent. Flat lists can't see that. https://blog.trailofbits.com/2026/04/23/trailmark-turns-code-into-graphs/

If you market a machine that “cooks for you,” a chef will never buy it.

This is called identity threat, one of the four reasons why people resist adopting AI.

Reframed: The machine doesn't cook for you. It makes you a faster, more efficient chef.

Our CEO Dan Guido's full playbook on how we went from 95% resistance to 80-95% weekly Claude usage within a year: https://blog.trailofbits.com/2026/03/31/how-we-made-trail-of-bits-ai-native-so-far/

"Human plus LLM is vastly vastly better than either one alone."

Our Blockchain Engineering Director Ben Samuels explains why security auditors aren't going anywhere.