🚧 FuzzForge is under active development

AI-powered workflow automation and AI Agents for AppSec, Fuzzing & Offensive Security

_{Overview • Features • Installation • Quickstart • AI Demo • Contributing • Roadmap}

---

🚀 Overview

FuzzForge helps security researchers and engineers automate application security and offensive security workflows with the power of AI and fuzzing frameworks.

• Orchestrate static & dynamic analysis
• Automate vulnerability research
• Scale AppSec testing with AI agents
• Build, share & reuse workflows across teams

FuzzForge is open source, built to empower security teams, researchers, and the community.

🚧 FuzzForge is under active development. Expect breaking changes.

Note: Fuzzing workflows (atheris_fuzzing, cargo_fuzzing, ossfuzz_campaign) are in early development. OSS-Fuzz integration is under heavy active development. For stable workflows, use: security_assessment, gitleaks_detection, trufflehog_detection, or llm_secret_detection.

---

Demo - Manual Workflow Setup

Setting up and running security workflows through the interface

👉 More installation options in the Documentation.

---

✨ Key Features

• 🤖 AI Agents for Security – Specialized agents for AppSec, reversing, and fuzzing
• 🛠 Workflow Automation – Define & execute AppSec workflows as code
• 📈 Vulnerability Research at Scale – Rediscover 1-days & find 0-days with automation
• 🔗 Fuzzer Integration – Atheris (Python), cargo-fuzz (Rust), OSS-Fuzz campaigns
• 🌐 Community Marketplace – Share workflows, corpora, PoCs, and modules
• 🔒 Enterprise Ready – Team/Corp cloud tiers for scaling offensive security

---

⭐ Support the Project

If you find FuzzForge useful, please star the repo to support development 🚀

---

🔍 Secret Detection Benchmarks

FuzzForge includes three secret detection workflows benchmarked on a controlled dataset of 32 documented secrets (12 Easy, 10 Medium, 10 Hard):

Tool	Recall	Secrets Found	Speed
LLM (gpt-5-mini)	84.4%	41	618s
LLM (gpt-4o-mini)	56.2%	30	297s
Gitleaks	37.5%	12	5s
TruffleHog	0.0%	1	5s

📊 Full benchmark results and analysis

The LLM-based detector excels at finding obfuscated and hidden secrets through semantic analysis, while pattern-based tools (Gitleaks) offer speed for standard secret formats.

---

📦 Installation

Requirements

Python 3.11+ Python 3.11 or higher is required.

uv Package Manager

curl -LsSf https://astral.sh/uv/install.sh | sh

Docker For containerized workflows, see the Docker Installation Guide.

Configure AI Agent API Keys (Optional)

For AI-powered workflows, configure your LLM API keys:

cp volumes/env/.env.example volumes/env/.env
# Edit volumes/env/.env and add your API keys (OpenAI, Anthropic, Google, etc.)

This is required for:

• llm_secret_detection workflow
• AI agent features (ff ai agent)

Basic security workflows (gitleaks, trufflehog, security_assessment) work without this configuration.

CLI Installation

After installing the requirements, install the FuzzForge CLI:

# Clone the repository
git clone https://github.com/fuzzinglabs/fuzzforge_ai.git
cd fuzzforge_ai

# Install CLI with uv (from the root directory)
uv tool install --python python3.12 .

---

⚡ Quickstart

Run your first workflow with Temporal orchestration and automatic file upload:

# 1. Clone the repo
git clone https://github.com/fuzzinglabs/fuzzforge_ai.git
cd fuzzforge_ai

# 2. Copy the default LLM env config
cp volumes/env/.env.example volumes/env/.env

# 3. Start FuzzForge with Temporal
docker compose up -d

# 4. Start the Python worker (needed for security_assessment workflow)
docker compose up -d worker-python

The first launch can take 2-3 minutes for services to initialize ☕

Workers don't auto-start by default (saves RAM). Start the worker you need before running workflows.

# 5. Run your first workflow (files are automatically uploaded)
cd test_projects/vulnerable_app/
fuzzforge init                           # Initialize FuzzForge project
ff workflow run security_assessment .    # Start workflow - CLI uploads files automatically!

# The CLI will:
# - Detect the local directory
# - Create a compressed tarball
# - Upload to backend (via MinIO)
# - Start the workflow on vertical worker

What's running:

• Temporal: Workflow orchestration (UI at http://localhost:8080)
• MinIO: File storage for targets (Console at http://localhost:9001)
• Vertical Workers: Pre-built workers with security toolchains
• Backend API: FuzzForge REST API (http://localhost:8000)

AI-Powered Workflow Execution

AI agents automatically analyzing code and providing security insights

📚 Resources

• 🌐 Website
• 📖 Documentation
• 💬 Community Discord
• 🎓 FuzzingLabs Academy

---

🤝 Contributing

We welcome contributions from the community!
There are many ways to help:

• Report bugs by opening an issue
• Suggest new features or improvements
• Submit pull requests with fixes or enhancements
• Share workflows, corpora, or modules with the community

See our Contributing Guide for details.

---

🗺️ Roadmap

Planned features and improvements:

• 📦 Public workflow & module marketplace
• 🤖 New specialized AI agents (Rust, Go, Android, Automotive)
• 🔗 Expanded fuzzer integrations (LibFuzzer, Jazzer, more network fuzzers)
• ☁️ Multi-tenant SaaS platform with team collaboration
• 📊 Advanced reporting & analytics

👉 Follow updates in the GitHub issues and Discord

---

📜 License

FuzzForge is released under the Business Source License (BSL) 1.1, with an automatic fallback to Apache 2.0 after 4 years.
See LICENSE and LICENSE-APACHE for details.