fuzzforge_ai by FuzzingLabs

AI platform for automated AppSec, fuzzing, and offensive security workflows

Created 1 month ago
448 stars

Top 67.0% on SourcePulse

Project Summary

FuzzForge AI is an open-source platform designed to automate application security (AppSec), fuzzing, and offensive security workflows using AI agents and orchestration. It empowers security researchers and engineers to scale vulnerability discovery, build reusable security testing pipelines, and share security tools and knowledge through a community marketplace.

How It Works

FuzzForge orchestrates security workflows as code, integrating static and dynamic analysis tools with AI agents specialized for tasks like AppSec, reversing, and fuzzing. It leverages Temporal for workflow orchestration and MinIO for artifact storage. The platform's novel approach includes AI-driven secret detection, where LLMs provide superior recall for obfuscated secrets through semantic analysis, complementing traditional pattern-based tools like Gitleaks and TruffleHog.

Quick Start & Requirements

  • Installation: Requires Python 3.11+ and the uv package manager. After cloning the repository, install the CLI with the command uv tool install --python python3.12 . (the trailing dot is part of the command). Docker installation is also supported.
  • Prerequisites: API keys for LLMs (OpenAI, Anthropic, Google) are optional but necessary for AI-powered features like llm_secret_detection.
  • Setup: Initial Docker Compose setup takes 2-3 minutes for services to initialize.
  • Resources: Documentation, Website, Discord.

Highlighted Details

  • AI Agents: Specialized agents for AppSec, reversing, and fuzzing tasks.
  • Workflow Automation: Define and execute complex AppSec workflows programmatically.
  • Vulnerability Research: Aims to automate the discovery of 1-day and 0-day vulnerabilities.
  • Fuzzer Integration: Supports Atheris (Python), cargo-fuzz (Rust), and OSS-Fuzz campaigns (early development).
  • Secret Detection Benchmarks: LLM (gpt-5-mini) achieved 84.4% recall, significantly outperforming Gitleaks (37.5%) and TruffleHog (0.0%) on a controlled dataset.

Maintenance & Community

FuzzForge is under active development, with a roadmap including a public marketplace, new specialized AI agents, expanded fuzzer integrations, and a SaaS platform. Contributions are welcomed via issues, pull requests, and sharing community assets. A Discord server is available for community interaction.

Licensing & Compatibility

The project is licensed under the Business Source License (BSL) 1.1, which converts to Apache 2.0 after four years. BSL 1.1 may impose restrictions on usage, particularly for commercial offerings that compete with the core service, requiring careful review of the LICENSE file for compatibility with closed-source or commercial applications.

Limitations & Caveats

The project is in active development, and users should expect breaking changes. Specific fuzzing workflows (e.g., atheris_fuzzing, cargo_fuzzing, ossfuzz_campaign) are in early development stages, and OSS-Fuzz integration is under heavy active development.

Health Check

  • Last Commit: 5 days ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 14
  • Issues (30d): 4
  • Star History: 269 stars in the last 30 days
