Application Security

Threat modeling, code review, cloud assessments

Overview

We audit the applications millions of people depend on, going past the bug list to the design and process flaws that keep producing bugs. Our work has secured open-source infrastructure the whole industry runs on, including the Linux kernel release-signing process, cURL, and PyPI, much of it through the Open Source Technology Improvement Fund and the Open Technology Fund.

We publish what we find, so you never pay to rediscover the same bug twice.

Why work with Trail of Bits

  01 Depth where it counts

     We go past the surface scan into the design, the trust boundaries, and the assumptions the code is built on. That is where the bugs that matter live, and where a checklist audit never looks.

  02 We publish everything

     Methodologies, tools, and findings end up in public reports, papers, or open-source repos. The Testing Handbook (appsec.guide), our CodeQL rules, our Semgrep packs, and our public assessment reports are free for the industry to use, and for your team to learn from.

  03 Deliverables your team can run with

     Every engagement ships fixes you can drop into CI: Semgrep and CodeQL rules tuned to your code, fuzzing harnesses, and short- and long-term SDLC recommendations your team can act on after we leave.

Services & deliverables

Design Assessment

Service

Our Design Assessment offers a focused one- to two-week security analysis of your system during the early design phase. We evaluate your security architecture to identify potential vulnerabilities and foundational weaknesses, helping you build a robust and resilient system from the ground up.

01 Proactive Vulnerability Prevention
02 Strategic Architectural Alignment
03 Early Risk Identification
04 Comprehensive Design Evaluation

A design review provides immediate feedback, minimizing project risk and saving development time and cost by reducing the need for late-stage refactoring.

Threat Modeling

Service

Our data-centric threat models provide a comprehensive risk assessment that identifies specific system risks and potential threat actors, both internal and external. We use a proven methodology to help you develop more secure applications and systems.

01 Security Control Maturity Assessment
02 Comprehensive Threat Landscape Mapping
03 Trust Zone Analysis
04 Threat Actor Profiling

Threat modeling helps you proactively identify risks, understand potential attack vectors, and develop targeted mitigation strategies.

Cloud/Infrastructure Assessment

Service

We evaluate the infrastructure used to deploy and operate cloud-hosted applications and environments. Our assessment identifies key threats and develops a comprehensive understanding of your cloud-native environment's security posture.

01 Advanced Automated Analysis
02 Container and Orchestration Security
03 Infrastructure Configuration Review
04 Cloud Deployment Risk Assessment

Our Cloud Assessment provides comprehensive security insights, helping you identify and mitigate infrastructure vulnerabilities before they become critical issues.

Comprehensive Code Assessment

Service

Our Comprehensive Code Assessment adopts a hybrid approach, combining manual review, static analysis, and dynamic testing to evaluate high-risk components across your entire project, including core code, infrastructure, front end, back end, APIs, and SDKs.

01 Strategic Security Improvement
02 Advanced Testing Methodologies
03 Multi-Language Vulnerability Analysis
04 Comprehensive Code Quality Evaluation

Our Comprehensive Code Assessment provides a holistic review of your system, delivering insights into potential vulnerabilities and architectural risks with actionable guidance for improving your project's security and integrity.

What ships with every engagement

Most pen-test firms hand you a PDF and walk away. Every Trail of Bits engagement ships a deliverable set your engineering team can plug into their workflow on day one and keep using long after we're gone.

Deliverable | Trail of Bits | Status quo

Written findings report: Severity, difficulty, and exploit scenario for every finding.

Short- and long-term SDLC recommendations: Not just bug fixes, but process changes that prevent the next class of bug.

Codebase maturity evaluation: Structured review of testing, documentation, access controls, and supply-chain hygiene.

Exploit PoCs + code artifacts: Runnable demonstrations for each finding so your engineers can reproduce and verify fixes. (Status quo: sometimes)

CI-ready Semgrep / CodeQL rules: Custom static-analysis rules tuned to the patterns we found in your code.

Fuzzing harnesses: Drop-in fuzzers your team keeps running after we leave.

LLM and Claude-skill harnesses: Agent skills and prompts to help your team triage findings and pre-flight the next review.

Live walkthrough + fix-review retest: We read out findings in person and re-test patches when they land. (Status quo: sometimes)

Open publication of generalizable findings: Novel issues turn into public research so the whole industry benefits.

Comparison based on the standard published deliverables of major application-security firms, as of 2026.

Public work

Public AppSec assessments

Public engagements: 74
Person-weeks logged: 411
Distinct groups: 2
With effort reported: 74

Recent public engagements

Date | Engagement | Client / group | Effort
Apr 2026 | PyPI Warehouse | Technology Product Reviews | 6 wks
Oct 2025 | X XChat | Technology Product Reviews | 4 wks
Oct 2025 | Edera Runtime Container | Technology Product Reviews | 4 wks
Aug 2025 | Meta WhatsApp Private Processing | Technology Product Reviews | 12 wks
Jun 2025 | Discord E2EE WebAssembly | Technology Product Reviews | 3 wks
May 2025 | libVLC | Technology Product Reviews | 5 wks
Feb 2025 | NATS Server | Technology Product Reviews | 6 wks
Dec 2024 | Istio Ztunnel | Technology Product Reviews | 2 wks
Dec 2024 | RubyGems.org | Technology Product Reviews | 5 wks
Nov 2024 | Kraken Wallet In-App Browser | Technology Product Reviews | 4 wks

Get in touch

Book a technical office hours session

Spend a free hour with one of our engineers on a specific technical problem: an architecture you're unsure about, a tool you want to stand up, a finding you can't reproduce. No pitch and no sales engineer, just a working session with someone who does this every day.