Open Source
Most security findings repeat across the industry. Rather than rediscover them one engagement at a time, we build the tooling, publish the methodology, and let everyone reuse the work.
Featured projects
Slither
Static analysis for Solidity and Vyper with built-in detectors and an API for custom checks.
View toolEchidna
Property-based fuzzing for Ethereum smart contracts driven by contract ABI grammars.
View toolMedusa
Parallel smart-contract fuzzing built on go-ethereum and designed for large-scale test campaigns.
View toolManticore
Symbolic execution engine for binaries, smart contracts, and WebAssembly programs.
View toolDeepState
Common interface for C and C++ tests across multiple fuzzing and symbolic-execution backends.
View toolCircomspect
Static analysis and linting for Circom circuits, aimed at catching risky patterns in zero-knowledge code.
View toolFull catalog
Every tool is grouped by what it's used for, not what language it's written in. Pick a group to narrow the catalog; clear it to see everything we maintain in the open.
Slither
Solidity / Vyper
Static analysis for Solidity and Vyper with built-in detectors and an API for custom checks.
Best for · Fast pre-audit triage and continuous contract scanning.
Echidna
EVM testing
Property-based fuzzing for Ethereum smart contracts driven by contract ABI grammars.
Best for · Invariant testing when the question is whether a contract can be pushed into a bad state.
Medusa
EVM / Go
Parallel smart-contract fuzzing built on go-ethereum and designed for large-scale test campaigns.
Best for · Teams that want higher-throughput fuzzing than a single local harness.
Etheno
Ethereum testing
JSON-RPC multiplexer and test-integration layer for contract analysis tools.
Best for · Large multi-contract systems where tool orchestration becomes the problem.
Tealer
Algorand / TEAL
Static analysis for Algorand TEAL programs with CFG construction and vulnerability detectors.
Best for · Reviewing contracts outside the Ethereum stack without giving up automation.
Circomspect
Circom circuits
Static analysis and linting for Circom circuits, aimed at catching risky patterns in zero-knowledge code.
Best for · Protocol teams building zk systems that need early circuit review feedback.
Remill
x86 / ARM / SPARC
Machine-code lifter that translates instructions into LLVM bitcode for later analysis and transformation.
Best for · Recovering analyzable program structure from raw instructions.
Anvill
Machine code to LLVM
Lifting primitives that aim for Clang-like bitcode quality so decompiled output is easier to reason about.
Best for · When downstream decompilation quality matters as much as correctness.
VMill
Execution snapshots
Snapshot-based process emulator for executing lifted binaries and instrumenting them in LLVM form.
Best for · Reproducing binary behavior from captured process state.
Manticore
Binaries / EVM / Wasm
Symbolic execution engine for binaries, smart contracts, and WebAssembly programs.
Best for · Custom analyses where you need path exploration rather than point tooling.
Maat
Binary analysis
Dynamic symbolic execution and binary-analysis framework with taint analysis, environment simulation, and constraint solving.
Best for · Research-heavy workflows that need more control than a single-purpose UI.
Codex Decompiler
Ghidra plugin
Ghidra plugin that uses language models to improve decompilation and reverse-engineering workflows.
Best for · Analysts experimenting with assisted lifting and vulnerability-oriented code explanation.
DeepState
C / C++
Common interface for C and C++ tests across multiple fuzzing and symbolic-execution backends.
Best for · Teams that want one harness to travel across several testing engines.
gosentry
Go fuzzing
Security-focused Go toolchain fork that adds LibAFL fuzzing, structured inputs, grammar mode, and fuzz-time bug detectors.
Best for · Running stronger Go fuzzing campaigns through the familiar go test -fuzz workflow.
zfuzz
Snapshots / memory dumps
Emulation-based snapshot fuzzer that can load arbitrary memory dumps and attack them directly.
Best for · Firmware or embedded targets where standing up a normal harness is too expensive.
KRF
Kernel testing
Kernel fault-injection tool for Linux and FreeBSD designed to force error paths and expose weak handling.
Best for · Assessing whether system software fails safely under stress.
ProtoFuzz
Protocol Buffers
Grammar-aware fuzzer for Protocol Buffers that derives inputs from format definitions rather than hand-written generators.
Best for · Message-based systems where structure matters more than raw byte mutation.
test-fuzz
Rust
Rust macros and Cargo tooling that automate corpus creation and harness setup for fuzzing.
Best for · Lowering the setup cost enough that fuzzing becomes a normal part of development.
Necessist
Rust test suites
Mutation-style tool that removes statements and calls to uncover tests that look healthy but are actually weak.
Best for · Finding false confidence in existing tests rather than just adding more coverage.
rekor-monitor
Sigstore / provenance
Transparency-log monitoring for Sigstore's Rekor so maintainers can watch for suspicious signing events.
Best for · Alerting on compromised release identities instead of discovering problems after distribution.
It-Depends
SBOM / dependencies
Dependency-graph and SBOM builder for packages and arbitrary source repositories.
Best for · Understanding third-party exposure before software ships.
cargo-unmaintained
Cargo
Identifies unmaintained packages in Rust projects before they quietly become inherited risk.
Best for · Catching dependency drift during review instead of after abandonment is obvious.
Dylint
Rust policy
Runs custom Rust lints from dynamic libraries rather than a single fixed lint set.
Best for · Encoding organization-specific security rules directly into the toolchain.
semgrep-rules
Static analysis
Public Semgrep queries developed during audits, research, and internal engineering work.
Best for · Fast pattern-based checks you can drop into CI with minimal scaffolding.
codeql-queries
CodeQL
Public CodeQL query packs used to express deeper code and data-flow policies.
Best for · Teams that need richer semantic checks than regex-shaped rules can offer.
Linuxevents
Linux / eBPF
eBPF-based monitoring without shipping kernel headers or a stack of environment-specific bytecode artifacts.
Best for · Collecting process and network telemetry with fewer deployment assumptions.
ebpfpub
Linux / eBPF
Monitors system and library calls across multiple kernel versions with minimal runtime dependencies.
Best for · Users who need compatibility with older kernels as well as newer ones.
ebpf-verifier
Kernel CI
Research prototype for running the eBPF verifier outside the live kernel to make cross-version testing practical.
Best for · Reducing verifier-specific surprises before deployment.
winchecksec
PE security
Static inspection of Windows binaries for mitigations like DEP, ASLR, and code integrity.
Best for · Quickly checking whether release artifacts actually picked up the hardening you expect.
pe-parse
Portable Executable
Minimal, security-focused parser for Portable Executable files built to survive malicious or malformed inputs.
Best for · Toolchains that need reliable PE introspection as a foundation.
osquery-extensions
Endpoint telemetry
Collection of Trail of Bits extensions that expand what osquery can inspect and expose.
Best for · Teams already invested in osquery who want deeper endpoint coverage.
Graphtage
Structured data
Semantic diff and merge tooling for tree-shaped data such as JSON, YAML, HTML, plist, and CSS.
Best for · Cases where text diffs hide the actual meaning of a change.
Polyfile
File formats
Maps the semantic structure of files, including polyglots and other intentionally confusing inputs.
Best for · Investigating weird files before trusting a parser chain.
PolyTracker
Data provenance
LLVM-based data-flow and control-flow analysis that records how program logic touches specific input bytes.
Best for · Understanding how parsers and binary-processing code actually consume untrusted inputs.
Umberto
Grammar-based mutation
Structured-data mutator for JSON, XML, X.509, and other grammar-shaped inputs.
Best for · Fuzzing scenarios where preserving structure is more valuable than raw noise.
mishegos
Instruction decoders
Differential fuzzer for x86 decoders built to expose disagreements between analysis tools.
Best for · Finding gaps in the binary-analysis stack itself.
Honeybee
Trace decoding
Intel Processor Trace capture and decoding suite tuned for high-throughput source and blackbox fuzzing.
Best for · Research-grade tracing workflows where normal instrumentation is too slow.
Fickling
Python pickle
Decompiler, static analyzer, and bytecode rewriter for Python pickle serializations.
Best for · Reviewing model and package artifacts that move through unsafe serialization channels.
PrivacyRaven
ML privacy
Privacy-testing library for deep-learning systems and privacy-preserving ML techniques.
Best for · Measuring whether a model leaks more than a team expects.
MPC-learning
ML / cryptography
Multi-party computation library for machine-learning workflows built around a three-party protocol.
Best for · Research contexts where privacy-preserving model computation matters.
abi3audit
Python packaging
Scans Python extensions and wheels for abi3 compatibility violations across package histories.
Best for · Catching binary-compatibility mistakes before they become user breakage.
CVEdb
Vulnerability lookup
Library and CLI for consuming NVD data directly without leaning on third-party APIs.
Best for · Offline-friendly triage and local enrichment workflows.
No tools match the current filter.
Blockchain
Trail of Bits maintains a dense set of blockchain and protocol-security tools for static analysis, fuzzing, test orchestration, compilation, and secure development guidance.
Systems
Trail of Bits publishes lifting, decompilation, symbolic-execution, and binary-analysis infrastructure for researchers who need to recover behavior from compiled artifacts.
Year in review
2025
375+ merged PRs · 90+ projects
Celebrating our 2025 open-source contributions
Upstream work across Sigstore, Rust tooling, PyPI, cryptography libraries, and debugging infrastructure.
Read Recap2024
750+ merged PRs · 80+ projects
Celebrating our 2024 open-source contributions
Broad ecosystem maintenance across package infrastructure, language tooling, and security engineering workflows.
Read Recap2023
450+ merged PRs
Celebrating our 2023 open-source contributions
Survey of Trail of Bits work across first-party tools and upstream security projects.
Read Recap2022
Year-end roundup
Another prolific year of open-source contributions
Year-end roundup of tooling, audits-adjacent research, and ecosystem contributions.
Read Recap2021
Earlier annual archive
Celebrating our 2021 Open Source Contributions
Earlier archive for long-term context on Trail of Bits' open-source practice.
Read RecapRecent upstream highlights
Release provenance
Rekor / rekor-monitor
Trail of Bits used its 2025 contribution recap to spotlight custom-CA support, Rekor v2 readiness, and identity monitoring for Sigstore's transparency log.
Impact · Strengthens supply-chain defense by making suspicious signing activity easier to detect.
Language tooling
Rust compiler and rust-clippy
The 2025 post highlights lint fixes, replacement suggestions, configuration validation, and nondeterminism-related improvements in the compiler pipeline.
Impact · Improves the tools developers already rely on for day-to-day review and build workflows.
Cryptography library
pyca/cryptography
Work on the new ASN.1 API and related follow-on changes made Python's most-used cryptography library easier to express complex structures with.
Impact · Reduces brittle byte-level work in a widely used cryptography dependency.
Blockchain execution
hevm
Performance work and compatibility updates in 2025 improved the execution engine underneath Echidna's contract fuzzing workflows.
Impact · Improves the execution layer underneath Echidna and related contract-analysis workflows.
Package ecosystem
PyPI Warehouse
Trail of Bits' long-running work with PyPI and Alpha-Omega shipped project archival support and aggressively reduced test-suite runtime.
Impact · Delivers direct operator value in one of the software ecosystem's most important package indexes.
Debugger workflows
pwndbg and adjacent reversing tools
The 2025 recap highlights distribution support, decompiler integration, and related work in pwntools, angr, and Binary Ninja APIs.
Impact · Shows how Trail of Bits' reversing work extends across both first-party and upstream tooling.
Guides & datasets
Guide
CTF Field Guide
Walkthroughs, toolkit advice, and case studies for offensive security learning.
When · Use it to turn the catalog into hands-on practice rather than passive reading.
Guide
Building Secure Contracts
Best practices, patterns, and reference material for secure smart-contract development.
When · Start here before you drop a team directly into Slither or Echidna.
Guide
ZKDocs
Detailed documentation on zero-knowledge proof systems and related primitives.
When · Pair with Circomspect when the project needs both concept grounding and tooling.
Tutorial
LLVM Sanitizer Tutorial
Step-by-step reference on building an LLVM sanitizer such as ASAN.
When · Useful when the question is not only how to fuzz, but how to instrument a codebase correctly.
Training ground
Not Go-ing Anywhere
Intentionally vulnerable Go programs for finding, fixing, and demonstrating common issues.
When · Good for teams that need realistic practice material before they aim tools at production code.
Challenge set
ctf-challenges
Collection of CTF problems with explanations and supporting material.
When · Use it when learning has to stay interactive and skill-based.
Dataset
Trail of Bits fork of AnghaBench
Large corpus of C programs, plus tooling to build and retrieve precompiled benchmarks.
When · Best when you need scale for analysis, benchmarking, or training experiments.
Test corpus
pegoat
Windows binaries with a mix of effective and ineffective mitigations for security-tool validation.
When · Use it to exercise mitigation-checking workflows before trusting them in the field.