# Trail of Bits > Since 2012, Trail of Bits has helped secure some of the world's most targeted organizations and products. We combine high-end security research with a real-world attacker mentality to reduce risk and fortify code. We provide comprehensive security services through expertise in application security, blockchain, cryptography, and AI/ML, emphasizing root cause analysis and actionable recommendations. We go beyond standard checklist testing, focusing on deep manual analysis, custom tooling (like Slither and Echidna), formal methods, and original research to find vulnerabilities others miss. We believe in transparency and contribute heavily to open-source security tools and research publications. For historical publications prior to 2022, see our [GitHub repository](https://github.com/trailofbits/publications). ## Application Security Services - [Application Security Overview](https://www.trailofbits.com/services/software-assurance/appsec/): Full-spectrum services including design review, threat modeling, code assessment, cloud/infra, mobile, web/API, and penetration testing (white-box). - [Design Assessment](https://www.trailofbits.com/services/software-assurance/appsec/): Early-stage (1-2 week) architectural analysis to find flaws & verify security properties/standards. - [Threat Modeling](https://www.trailofbits.com/services/software-assurance/appsec/): Systematic design risk analysis (NIST 800-154 based) identifying structural risks, attack paths; Full & Lightweight options. - [Comprehensive Code Assessment](https://www.trailofbits.com/services/software-assurance/appsec/): Hybrid manual & automated source code review (various languages) for deep vulnerability analysis. Uses Semgrep/CodeQL + custom rules. - [Cloud/Infrastructure Assessment](https://www.trailofbits.com/services/software-assurance/appsec/): Security review of cloud-native architectures (AWS, GCP, Azure), IaC, Kubernetes, containers, and CI/CD pipelines. - [Cloud-native Reviews List](https://github.com/trailofbits/publications?tab=readme-ov-file#cloud-native-reviews): Public reports on KEDA, Terraform, Nomad, Tekton, Linkerd, CoreDNS. - [Web & API Security Assessment](https://www.trailofbits.com/services/software-assurance/appsec/): Testing for web apps, APIs (REST, SOAP), and related frameworks. - [Mobile Application Security Review](https://www.trailofbits.com/services/software-assurance/appsec/): Security testing for iOS and Android apps. - [Penetration Testing / Integrated Security Review](https://www.trailofbits.com/services/software-assurance/appsec/): White/grey-box testing combining code review with live environment analysis. ## Blockchain Security Services - [Blockchain Security Overview](https://www.trailofbits.com/services/software-assurance/blockchain/): Advanced security for smart contracts (EVM, Solana, Cosmos, Starknet, Move etc.), L1/L2 nodes, bridges, and protocols. - [Design Assessment (Blockchain)](https://www.trailofbits.com/services/software-assurance/blockchain/): Early-stage review of protocol architecture, component specs, and risk mitigation. - [Comprehensive Code Assessment (Blockchain)](https://www.trailofbits.com/services/software-assurance/blockchain/): Deep audits using Slither, Echidna, manual review for vulnerabilities & logic flaws. Includes L1/L2 nodes, bridges, off-chain components. - [Invariant Testing & Development](https://www.trailofbits.com/services/software-assurance/blockchain/): Identification, development, & integration of protocol invariants using fuzzing (Echidna). - [Invariant Testing Reports List](https://github.com/trailofbits/publications?tab=readme-ov-file#invariant-testing-and-development): Public reports for Panoptic, Curvance, ParaSpace, Lindylabs. - [Blockchain Reviews List (by Chain/Type)](https://github.com/trailofbits/publications?tab=readme-ov-file#blockchain-security-reviews): Access public reports for Wallets, Algorand, Avalanche, Bitcoin, Ethereum/EVM, NervOS, Starknet, Solana, Substrate, Tendermint/Cosmos, Tezos, TON. ## Cryptography Services - [Cryptography Overview](https://www.trailofbits.com/services/software-assurance/cryptography/): Expert cryptographic design review, code assessment, and engineering for protocols & implementations. - [Cryptographic Design Assessment](https://www.trailofbits.com/services/software-assurance/cryptography/): Analysis of crypto protocol specs (E2EE, MPC, TSS, ZKP), proofs & design using manual review & formal verification (Verifpal, etc.). - [Cryptographic Code Assessment](https://www.trailofbits.com/services/software-assurance/cryptography/): Implementation review (Rust, Go, C++) for bugs, side channels, API misuse. Covers ZKP, TSS, MPC, E2EE, PQC, Cloud/Hardware crypto. - [Cryptographic Engineering](https://www.trailofbits.com/services/software-assurance/cryptography/): Design & implementation of custom crypto protocols & libraries. - [Cryptography Reviews List](https://github.com/trailofbits/publications?tab=readme-ov-file#cryptography-reviews): Public reports for Aligned, Lit Protocol, Discord DAVE, Scroll, Iron Fish, Ockam, Aleo, Microsoft Go-COSE. ## AI/ML Security Services - [AI/ML Security Overview](https://www.trailofbits.com/services/software-assurance/ai-ml/): Security reviews covering AI models, MLOps pipelines, data provenance, risk assessment, and deployment security. - [AI Risk Assessment](https://www.trailofbits.com/services/software-assurance/ai-ml/): Threat modeling, operational design domain analysis, scenario analysis for AI systems. - [ML-Ops and Pipeline Assessment](https://www.trailofbits.com/services/software-assurance/ai-ml/): Evaluation of AI/ML pipeline components, architecture (PyTorch etc.), CI/CD, data provenance, hardware stacks. - [Model Capabilities Evaluation](https://www.trailofbits.com/services/software-assurance/ai-ml/): Testing first/third-party models, performance benchmarking, AI red teaming. - [Security & Safety Training (AI/ML)](https://www.trailofbits.com/services/software-assurance/ai-ml/): Training covering AI risks, failure modes, adversarial attacks, safety principles. - [Blog: Announcing AI/ML safety and security trainings](https://blog.trailofbits.com/2024/06/07/announcing-ai-ml-safety-and-security-trainings/) - [AI/ML Reviews List](https://github.com/trailofbits/publications?tab=readme-ov-file#aiml-reviews): Public reports for YOLOv7, SafeTensors, Gradio. ## Security Reviews (General Tech Products) - [Technology Product Reviews List](https://github.com/trailofbits/publications?tab=readme-ov-file#technology-product-reviews): Public reports for RubyGems, Kraken Wallet, Hugging Face Gradio, Eclipse Temurin, Arch Linux Pacman, cURL HTTP3, Lisk SDK, DragonFly2, Eclipse JKube. ## Research & Publications - [GitHub Publications Repository](https://github.com/trailofbits/publications): Main repository for all public reports, papers, guides, talks. - [Academic Papers List](https://github.com/trailofbits/publications?tab=readme-ov-file#academic-papers): Links to our peer-reviewed research publications (USENIX, IEEE S&P, ISSTA, EuroLLVM etc.). - [Conference Presentations List](https://github.com/trailofbits/publications?tab=readme-ov-file#conference-presentations): Slides and videos from technical talks at security conferences. - [Guides and Handbooks List](https://github.com/trailofbits/publications?tab=readme-ov-file#guides-and-handbooks): Access to guides like the CTF Field Guide, AppSec Testing Handbook, Building Secure Contracts. - [Vulnerability Disclosures List](https://github.com/trailofbits/publications?tab=readme-ov-file#disclosures): Information on vulnerabilities discovered by Trail of Bits. - [Trail of Bits Blog](https://blog.trailofbits.com/): Latest research findings, technical deep dives, tool releases, and security commentary. - [Recent Blog Post: Key Derivation Best Practices](https://blog.trailofbits.com/2025/01/28/best-practices-for-key-derivation/) - [Recent Blog Post: Auditing RubyGems.org](https://blog.trailofbits.com/2024/12/11/auditing-the-ruby-ecosystems-central-package-repository/) - [Recent Blog Post: Evaluating Solidity Support in AI Assistants](https://blog.trailofbits.com/2024/11/19/evaluating-solidity-support-in-ai-coding-assistants/) - [Recent Blog Post: Attestations on PyPI](https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/) - [Recent Blog Post: AWS Nitro Enclaves Attack Surface](https://blog.trailofbits.com/2024/09/24/notes-on-aws-nitro-enclaves-attack-surface/) - [*Note: See full blog for hundreds more posts across all security domains.*](https://blog.trailofbits.com/) ## Open Source Tools - [Tools Overview Page](https://www.trailofbits.com/tools): Summary of major open source tools. - [GitHub Organization](https://github.com/trailofbits/): Main repository for most tools. - [Crytic GitHub Organization](https://github.com/crytic/): Home of blockchain security tools like Slither and Echidna. - **Popular Blockchain Tools**: - [Slither](https://github.com/crytic/slither): Solidity/Vyper static analysis framework. - [Echidna](https://github.com/crytic/echidna): Smart contract property-based fuzzer. - [Medusa](https://github.com/crytic/medusa): General blockchain fuzzing platform. - **Popular Cryptography Tools**: - [Circomspect](https://github.com/trailofbits/circomspect): Circom static analyzer and linter. - [ZKDocs](https://www.zkdocs.com/): Zero-knowledge proof documentation resource (contribution). - **Popular AI/ML Tools**: - [PrivacyRaven](https://github.com/trailofbits/PrivacyRaven): ML privacy testing framework. - [Fickling](https://github.com/trailofbits/fickling): Python Pickle security scanner for ML models. - **Popular Application Security Tools**: - [Semgrep Rules](https://github.com/trailofbits/semgrep-rules): Curated collection for various languages. - [Ruzzy](https://github.com/trailofbits/ruzzy): Coverage-guided Ruby fuzzer. - [PolyTracker](https://github.com/trailofbits/polytracker): Whole-input dynamic information flow tracing. - [It-Depends](https://github.com/trailofbits/it-depends): Dependency graph generator. - **Binary Analysis Tools**: - [Manticore](https://github.com/trailofbits/manticore): Symbolic execution platform. - [McSema](https://github.com/lifting-bits/mcsema): Binary to LLVM lifter. - [Remill](https://github.com/lifting-bits/remill): Machine code to LLVM bitcode lifter (part of lifting-bits). - **Other Popular Tools**: - [Algo VPN](https://github.com/trailofbits/algo): Personal VPN server setup. - [Osquery Extensions](https://github.com/trailofbits/osquery-extensions): Collection of extensions for osquery. ## Optional - [About Trail of Bits](https://www.trailofbits.com/about): Our mission, team, and approach. - [Careers](https://www.trailofbits.com/careers/): Opportunities to join our team. - [Contact Us](https://www.trailofbits.com/contact/): Inquire about services or partnership. - [Resources](https://www.trailofbits.com/resources/): Access guides and other materials. - [Twitter @trailofbits](https://twitter.com/trailofbits): Follow for updates and research highlights. - [LinkedIn](https://www.linkedin.com/company/trail-of-bits): Professional network updates. - [Community Forum (Empire Hacking Slack)](https://slack.empirehacking.nyc/): Engage with the security community.