Security work that outlasts the engagement

Every engagement leaves something behind on purpose: open-source tools, published research, and defenses that keep working long after the work is done. We are here to raise the security bar for the whole field, not just the client in front of us.

What sets us apart

Three things together that almost no one else does.

Plenty of firms do one of these well. We do all three at once: we run original research, we build the tools that research produces, and we share what we find. Each one feeds the others, and it is the combination that shapes where the field goes next.

The engineer

You grow security engineers; you don't train them.

Security engineering is compositional. It draws on systems, cryptography, compilers, and program analysis at once, and that depth takes years to build. So we hire for a desire for mastery and low-level curiosity rather than a resume, and we give people the time and the mentors to get there.

A rare density of seniority
We concentrate senior security engineers on small teams, staffed by technical need rather than billable headcount.
Hiring for curiosity, not credentials
The process runs in under three weeks: a take-home reviewed by a practice lead, with no whiteboard puzzles or algorithm trivia.
An apprenticeship that compresses years
Our apprenticeship pairs new engineers one-on-one with a senior mentor on real audits, packing roughly two years of experience into three months.
Time to stay sharp
We run lower utilization than the industry so engineers get dedicated time to build tools and research, with bi-weekly lunch-and-learns and a paper reading group.

The report

A report should tell you a story, not hand you a bug dump.

An engagement is not a scan with a PDF stapled to it. We scope the work, review the code, explain every finding in context, and come back to verify the fixes. If we do not understand a finding, we do not ship it.

Every finding is human-validated
We do not forward tool output. A person reproduces and explains each issue, with the root cause and the path to a fix.
Public by default
Most of our reports are published in the open at github.com/trailofbits/publications, so the work stands up to scrutiny.
Leave-behind tooling
Engagements ship custom CI guardrails (Semgrep and CodeQL rules, fuzzers) so the same class of bug is caught automatically next time.
Multi-disciplinary teams
We pull cryptographers, compiler people, and systems engineers onto the same review, and we take work that teaches us something new.

The reach

We work across every domain a secure foundation depends on.

Application security, cryptography, blockchain, AI/ML, low-level systems, and software supply chain. We run one of the largest consulting cryptography teams in the world, and the people who maintain our open-source tools are the same people who show up on your engagement.

Six security domains
From smart contracts to post-quantum cryptography to AI/ML evaluation, under one roof.
Tools the field standardized on
We maintain Slither, Echidna, and Manticore alongside the Building Secure Contracts guide.
Public-good products
iVerify and Algo VPN started as Trail of Bits projects and went out to everyone.
Continuity from research to delivery
There is no junior bench. The researchers publishing the work are the ones doing yours.

The record

A decade of work you can verify.

Almost everything here is public: the programs we have run for the government, the research we have put through peer review, and where the work has been recognized. The full evidence lives in our library and on GitHub.

Government & research

6 entries

  • DARPA · Cyber Grand Challenge

    Ranked 2nd among Cyber Reasoning Systems in 2016.

    We built one of the autonomous systems that found, proved, and patched vulnerabilities with no human in the loop, finishing second among the competing Cyber Reasoning Systems.

  • DARPA · AI Cyber Challenge

    Selected for AIxCC with a $1M semifinal award.

    Chosen as one of seven small-business-track teams to build an AI-powered Cyber Reasoning System, and awarded $1M at the AIxCC semifinal.

  • DARPA · Cyber Fast Track

    Three funded proposals at founding in 2012.

    Within our first year we won three DARPA Cyber Fast Track proposals, and have carried multi-year DARPA subcontract work since.

  • ARPA-H

    Advising on security for health research.

    We work with ARPA-H on the security challenges that come with advancing health research infrastructure.

  • UK · Frontier AI Taskforce

    Assessed frontier-model offensive capability.

    We evaluated how far a frontier large language model could go in offensive security tasks for the UK's Frontier AI Taskforce.

  • US RFIs · OSTP / CISA / ONCD

    Public responses on national security policy.

    We file public comments on US government requests for information, from secure-by-design to open-source software security.

Academic & standards

3 entries

  • USENIX Security

    Published VulChecker.

    Peer-reviewed research on locating vulnerabilities in source code, presented at USENIX Security.

  • Cryptography

    Guidance the field cites.

    One of the largest consulting cryptography teams in the world, publishing reviews and guidance on the primitives modern systems depend on.

  • Open standards

    Moving osquery to the Linux Foundation.

    We ported osquery to Windows for Facebook and helped move the project under the Linux Foundation so the whole ecosystem could steward it.

Recognition

3 entries

  • Forrester

    Cybersecurity Consulting Services Wave, Q1 2024.

    Included as a participating vendor in Forrester's evaluation of cybersecurity consulting services.

  • Forrester

    Cybersecurity Consulting Landscape, 2025.

    Featured in Forrester's 2025 landscape report for the cybersecurity consulting market.

  • DARPA

    Top finish in the Cyber Grand Challenge.

    A second-place result among Cyber Reasoning Systems against the strongest autonomous-security teams assembled.

Timeline

A decade of building in the open.

The milestones that shaped how we work, from a three-person founding to autonomous-security research at national scale.

  1. 2012

    Trail of Bits founded

    We set out to publish security research and tooling to raise the bar for everyone.

  2. 2015

    Qualified for DARPA's Cyber Grand Challenge

    Competed to build autonomous vulnerability discovery systems as part of DARPA's Cyber Grand Challenge.

  3. 2016

    Partnered with Facebook to port osquery to Windows

    Expanded osquery to support cross-platform endpoint security monitoring.

  4. 2017

    Open-sourced Manticore

    Open-sourced Manticore, a symbolic execution framework used in DARPA research.

  5. 2018

    Released Slither and Echidna

    Released Slither and Echidna, now industry-standard tools for smart contract security.

  6. 2019

    Launched iVerify for iPhone

    Launched iVerify and co-founded the osquery Foundation with the Linux Foundation.

  7. 2024

    Selected for DARPA's AI Cyber Challenge (AIxCC)

    Selected for AIxCC and awarded $1M to build an AI-powered Cyber Reasoning System.

  8. 2025

    Won $3M second-place prize at DARPA AIxCC finals

    Won second place at DEF CON 33 and open-sourced Buttercup.

Meet the people, the roles, and the work.

Everything here comes back to the team. See who does the work, where we are hiring, and how to bring a problem to us.