Security Engineering

WE BUILD THE SECURITY CAPABILITIES YOUR TEAM CAN'T BUY OFF THE SHELF.
Most security tools assume your problem looks like everyone else’s. When it doesn’t, when you need custom tooling, hardened infrastructure, or fixes that actually stick, you need engineers who write secure code, not consultants who write reports about it.

What We Do

Trail of Bits Security Engineering exists because assessments alone don’t ship secure software. Our engineers embed with your team to build custom security tools, fix vulnerabilities at their source, harden your infrastructure, and contribute to the open source projects your stack depends on.
We’re not a staff augmentation firm. Our engineers have built security features used by millions (PyPI’s two-factor authentication, pip-audit, sigstore-python) and created internal tools that became industry standards. When we write code for you, it reflects that same standard: peer-reviewed, documented, and designed to solve the problem permanently rather than patch over symptoms.
This service is for organizations that have already identified a security gap and need someone to close it. If you’re looking for an assessment to find problems, start with our Software Assurance practice. If you already know what’s broken and need it built or fixed, we’re your team.

HOW WE WORK

Regardless of whether we’re building new tools, fixing vulnerabilities, or hardening your infrastructure, every Security Engineering engagement follows the same core approach.

01 Understand the problem and environment.

We start by learning your systems, constraints, and threat model. Security engineering that ignores context produces solutions that don’t fit. If you don’t have a documented threat model, we help you build one.

02 Identify root causes, not just symptoms.

Before we write any code or configuration, we dig into why the problem exists. A vulnerability might indicate a missing pattern across your codebase. A DevOps gap might reflect unclear ownership. Solving the surface issue without addressing the underlying cause means you’ll see the same problem again.

03 Design before building.

We document our approach, architecture decisions, and acceptance criteria before implementation begins. You review and approve the plan. No surprises.

04 Build with an adversarial mindset.

Our engineers have spent years finding vulnerabilities in systems like yours. When we write code or configure infrastructure, we assume someone hostile will eventually examine every line. Peer review by a second Trail of Bits engineer is standard.

05 Validate that it works.

We test our work through fuzzing, static analysis, manual review, or retesting, depending on the engagement. Security controls that look good on paper but fail in practice aren’t security controls.

06 Hand off knowledge, not just deliverables.

You receive documentation, training, and the rationale behind our decisions. Our goal is for your team to maintain and extend what we’ve built without needing us. If a solution requires Trail of Bits to stick around forever, it’s not a good solution.

OUR APPROACH

We write code, not just reports.
Most security consultancies stop at findings. We have a dedicated engineering team that builds production software, contributes to major open source projects, and has shipped security features used by millions of developers. When you need something built, we build it.
Our engineers find bugs in the systems they build.
The same team that develops custom tools and fixes vulnerabilities also conducts security assessments. That means our engineers know what attackers look for, because they’ve spent years looking for it themselves. Code we write reflects that adversarial mindset.
We've built the tools the industry uses.
PyPI’s two-factor authentication. pip-audit. sigstore-python. winchecksec. Slither. Echidna. Our open source contributions aren’t side projects. They’re core to how we work, and they demonstrate what we can build for you.
We solve problems permanently.
We’re not interested in fixes that break in six months or security controls that get disabled because nobody understood them. Every engagement focuses on root causes and sustainable solutions your team can maintain after we’re gone.


Tell us about your hardest security problems

Contact us to build more secure software.

For secure communications, please use SendSafely or PGP.

Mailing Address

228 Park Ave S #80688

New York, NY 10003
