Vulnerability Analysis Tools

During the process of producing software products, vendors unintentionally create vulnerabilities that are later discovered and mitigated. By paying greater attention to the early phases of the development lifecycle, we can change the nature of the engineering process to detect and eliminate-and later avoid-vulnerabilities before products ship.

We help you understand how vulnerabilities are created and discovered. Our open source tools help you find vulnerabilities so that you can eliminate them from your software before you release it. Contact us if you want to discuss these tools or if you need more information about our tools or work.

Basic Fuzzing Framework (BFF)

Basic Fuzzing Framework (BFF) is a mutational file fuzz testing tool that consists of a Debian Linux virtual machine, the zzuf fuzzer, and a few associated scripts. A version of the BFF that runs natively on Mac OS X is also available. Learn more about this tool, and download a copy to begin fuzzing on your own.

Failure Observation Engine (FOE)

Failure Observation Engine (FOE) is a mutational file-based fuzz testing tool for finding defects in applications that run on the Windows platform.

CERT Triage Tools

CERT Triage Tools consist of a triage script and a GNU Debugger (GDB) extension named 'exploitable' that classify Linux application defects by severity. We originally developed the CERT Triage Tools in order to assist software vendors and analysts in identifying the impact of defects discovered through techniques such as fuzz testing. As of May 2014, the CERT Triage Tools project has been transitioned to the  GDB 'exploitable' plugin project on GitHub.

CERT Tapioca

CERT Tapioca is a virtual machine appliance (OVA) for performing man-in-the-middle network traffic analysis of software and devices.


Dranzer discovers certain classes of vulnerabilities in Microsoft Windows ActiveX controls. Several prominent information technology vendors are already using Dranzer to help discover vulnerabilities in the ActiveX controls they produce before the products are shipped. We are applying and expanding what we learned from developing that tool to develop tools and techniques that address other technologies.

Explore Our Knowledgebase

The CERT Knowledgebase houses the Vulnerability Notes Database, which includes summaries, technical details, coordination information, and lists of affected vendors.