| Documentation | Blog | Paper |
FuzzingBrain is an AI-driven automated vulnerability detection and remediation framework built upon the OSS-Fuzz infrastructure. Developed by the team "all_you_need_is_a_fuzzing_brain" for the 2025 DARPA AIxCC (Artificial Intelligence Cyber Challenge) finals.
- LLM-Powered Analysis: Leverages multiple LLM providers (OpenAI, Anthropic, Google, xAI) for intelligent vulnerability detection
- Multi-Strategy Framework: 23+ specialized strategies for POV generation and patch synthesis
- Automated Patch Generation: Generates and validates patches automatically
- OSS-Fuzz Integration: Seamless integration with Google's fuzzing infrastructure
- Multi-Language Support: C/C++ and Java vulnerability detection
- Delta Scan: Analyze specific commits for introduced vulnerabilities
- Full Scan: Comprehensive repository-wide vulnerability analysis
- SARIF Analysis: Validate and patch vulnerabilities from static analysis reports
The easiest way to get started is using our pre-built Docker image:
# Pull the image
docker pull ghcr.io/o2lab/fuzzingbrain:latest
# Run FuzzingBrain
docker run -it --rm \
-e OPENAI_API_KEY=your-key-here \
-e ANTHROPIC_API_KEY=your-key-here \
-v $(pwd)/output:/app/output \
ghcr.io/o2lab/fuzzingbrain:latest \
<repo_url>Docker Run Options:
-e: Set API keys as environment variables (at least one required)-v: Mount a local directory to save scan results- Add
-b <base_commit> -d <delta_commit>for delta scans
git clone https://github.com/aixcc-sc/afc-crs-all-you-need-is-a-fuzzing-brain.git
cd afc-crs-all-you-need-is-a-fuzzing-braincd crs && cp .env.example .envEdit crs/.env and add your API keys (at least one required):
OPENAI_API_KEY=sk-proj-your-key-here
ANTHROPIC_API_KEY=sk-ant-your-key-here
GEMINI_API_KEY=your-key-here
XAI_API_KEY=xai-your-key-here# Delta Scan - analyze changes between commits
./FuzzingBrain.sh -b <base_commit> -d <delta_commit> <repo_url>
# Full Scan - analyze entire repository
./FuzzingBrain.sh <repo_url>Visit our documentation to learn more:
If you use FuzzingBrain for your research, please cite our papers:
@misc{sheng2025needfuzzingbrainllmpowered,
title={All You Need Is A Fuzzing Brain: An LLM-Powered System for Automated Vulnerability Detection and Patching},
author={Ze Sheng and Qingxiao Xu and Jianwei Huang and Matthew Woodcock and Heqing Huang and Alastair F. Donaldson and Guofei Gu and Jeff Huang},
year={2025},
eprint={2509.07225},
archivePrefix={arXiv},
primaryClass={cs.CR},
url={https://arxiv.org/abs/2509.07225},
}
@article{10.1145/3769082,
author = {Sheng, Ze and Chen, Zhicheng and Gu, Shuning and Huang, Heqing and Gu, Guofei and Huang, Jeff},
title = {LLMs in Software Security: A Survey of Vulnerability Detection Techniques and Insights},
year = {2025},
publisher = {Association for Computing Machinery},
volume = {58},
number = {5},
url = {https://doi.org/10.1145/3769082},
doi = {10.1145/3769082},
journal = {ACM Comput. Surv.},
}Built with determination and caffeine ☕