AI/ML

WE’VE BEEN AUDITING AI SYSTEMS SINCE BEFORE IT WAS TRENDY
We’ve been working with ML systems since 2016, building attack tools, finding novel vulnerability classes, and competing in DARPA’s AI Cyber Challenge. When you hire us, you get engineers who’ve published research on adversarial ML, not consultants who just added “AI” to their LinkedIn skills list.

What We Do

We audit the entire AI/ML system, from the threat model through to code, the supply chain, and deployed infrastructure. We understand that AI introduces attack surfaces that traditional security assessments miss entirely: poisoned training data, malicious payloads hidden in serialized model files, prompt injection that can manipulate internal services, and autonomous agents that can go rogue. We find these problems before attackers do, whether through design reviews, code audits, supply chain analysis or red teaming.

OUR APPROACH

We combine manual expert review with custom tooling we’ve built specifically for ML security. Our threat models map both infrastructure vulnerabilities and model-specific attack paths. Our code reviews trace data flows from ingestion through inference. Our supply chain assessments verify provenance for every dependency, dataset, and pre-trained model in your pipeline. And our red team engagements test your defenses with real attacks, from prompt injection and adversarial examples to sandbox escapes.

DELIVERABLES

AI/ML Threat Model & Design Review
  • Application architecture diagram with annotated threat vectors
  • ML lifecycle risk diagram covering training, deployment, and inference
  • Prioritized threat catalog with exploitation scenarios
  • Remediation roadmap tied to your development timeline
AI/ML Code Security Assessment
  • Detailed findings report with proof-of-concept demonstrations
  • Severity-ranked vulnerabilities with exploitation scenarios
  • Code and architecture-level remediation guidance
  • Recommendations for secure development practices specific to ML
AI/ML Supply Chain Security Assessment
  • Complete supply chain map of your ML system
  • Risk assessment for each external component
  • Specific vulnerabilities in dependency management and model loading
  • Hardening recommendations with implementation guidance
AI Red Team Services
  • Detailed attack narratives documenting successful exploitation paths
  • Proof-of-concept code for demonstrated vulnerabilities
  • Prioritized remediation recommendations
  • Retest validation after fixes are implemented
FEATURED

DARPA’s AI Cyber Challenge

AIxCC was a two-year competition open to the public to see who could build the best fully automated system for securing open-source software. The scoring algorithm rewarded teams for finding vulnerabilities, proving that the vulnerabilities existed, and correctly applying patches to open-source software. Speed and accuracy were also rewarded. Human interaction was strictly prohibited. Out of a field of hundreds of participants, Trail of Bits took the $3M second-place prize.

What sets Trail of Bits apart

Cross-disciplinary experience:
Most AI security assessments are checkbox exercises run by teams that understand either ML or security, but not both. Our team includes ML engineers who became security researchers and security researchers who specialize in ML—that cross-disciplinary depth is why we find vulnerabilities that live at the intersection, the ones pure ML teams and pure security teams both miss.
Tooling:
We built Fickling to detect malicious payloads in serialized ML models and PrivacyRaven for model extraction attacks.
More than a report:
We don’t just report problems. We explain why they exist, how they’re exploited in practice, and exactly what you need to do to fix them. Our reports become engineering specifications, not shelf decorations.

Tell us about your hardest security problems

Contact us to build more secure software.

For secure communications, please use SendSafely or PGP.

Mailing Address

228 Park Ave S #80688
New York, NY 10003