After a great response on Twitter I’ve scheduled another offering of Fuzzing For Vulnerabilities! This public offering is not part of a conference which means we can offer it at a significant discount. After talking with a number of interested folks we decided on a location in Columbia, Maryland. Hopefully this location works for most everyone. If you would like us to host the training in your area or at your company please contact us.


This is the same course we taught at Black Hat USA 2016, where we received great feedback. We’ve added a number of exercises, including fuzzing with AFL (American Fuzzy Lop) and Radamsa.

For a complete list of topics, prerequisites, and trainer biographies, check out the course details page.

Day 1

Students start the course by learning fuzzing fundamentals. We find it’s best if everyone understands all the parts of a successful and scalable fuzzing framework. Once all of those parts have been discussed and set up, the students will write their first fuzzer (dumbfuzz). After running this fuzzer against the most recent release of VLC Media Player, students will find a 0-day vulnerability! All this on the first day.

Day 2

Day 2 picks up where we left off and continues to build upon what’s already been taught as we dive into format-aware (smart) fuzzers. The remainder of day 2 is where we cover a number of advanced topics to get students on the path to mastery. We will discuss AddressSanitizer: how it works, how it can help find additional vulnerabilities, and how to set it up. We also cover a number of other topics, including code coverage, corpus distillation, in-memory fuzzing, and differential fuzzing. Finally, we will discuss crash analysis and how to automate it across thousands of crashes to determine unique vulnerabilities.


  • Location: ANRC Training Center, 6716 Alexander Bell Dr #100, Columbia, MD 21046
  • Dates: October 20th-21st
  • Seats: 20/20
  • Cost: $1950 (until 10/14); $2150 (after 10/14)
  • Schedule:
    • 0800 - Start
    • 1030 - Break
    • 1200 - Lunch (provided)
    • 1430 - Break
    • 1700 - End


To register or for additional information, please contact me at or through Twitter @chrisbisnett.