Are you fuzzing?

CyTAL experts outline how finding your own vulnerabilities is a strength, not a weakness.

Cyber attackers are using ever more sophisticated methods to exploit software and system design weaknesses and vulnerabilities, inflicting reputational damage and causing severe customer disruption. Every day, millions of assets are targeted by attackers to extort, destabilise, or steal from companies, leaving them with crippling costs to resolve.

In this modern connected world, more and more systems communicate with each other over the internet and corporate networks, requiring increasingly advanced security designs to protect assets from attack.


Fuzzing, or fuzz testing, is an automated testing technique that finds vulnerabilities by feeding invalid, malformed and random data into a test system with the aim of causing faults, system crashes and unexpected responses forcing the system into an unstable state.

When systems can be forced into an unstable state, it presents an opportunity for attackers to take control or extract information, making fuzzing one of the key methods used by hackers to find unknown software vulnerabilities and weaknesses.

Cyber security requirements are continually being enhanced based on best practice, and fuzzing is increasingly recommended (or mandated) in a plethora of regulations and standards. It can be applied to any system with a communication interface, and should be a key component of any developer’s cyber security toolkit. Fuzzing communicates with both external interfaces, exposing systems to users and systems such as the internet or messaging channels, and internal interfaces that are components of the system itself, enabling much higher levels of coverage than other testing solutions. Tell me more.

How it works

Fuzzed messages containing random, malformed or invalid data are sent to communications interfaces with the aim of causing faults and system crashes. This forces the system into an unstable state allowing any vulnerabilities, which would not have otherwise been exposed using traditional testing methods, to be discovered and resolved. By finding and fixing these vulnerabilities early in the  lifecycle, it minimises the disruption and costs that would be involved in fixing them post deployment.

Fuzzing is primarily focused on discovering the causes of previously unidentified vulnerabilities that could lead to cyber-attacks and is complimentary to conventional functional testing and vulnerability scanning tools that focus on searching for known issues.

Fuzzing is an inherently complex and computationally intensive process requiring the systematic generation of large numbers of test cases and analysis of their outcomes. To execute this process of testing manually would be impossibly difficult and prohibitively costly.

The solution

ProtoCrawler, a unique vulnerability testing solution from CyTAL, uses advanced fuzzing techniques to discover and identify unknown weaknesses by generating automated and highly structured intelligence-based tests. Ready-to-fuzz straight out of the box, ProtoCrawler produces results immediately, with minimal knowledge or training.

ProtoCrawler can be applied at any stage of system implementation, irrespective of the development methodology, meaning it can be easily integrated into a developer’s existing workflow and test environment without impacting their system architecture or testing approach.

The core activity of ProtoCrawler is the automatic generation, execution and analysis of test cases. The challenge ProtoCrawler confronts is how to build anticipation of attacks into development and deployment lifecycles, allowing developers to improve the robustness of their system against the more sophisticated attacker methods it might encounter.

Remember, cyber attackers will find vulnerabilities in your systems. Don’t make it easy for them, improve your security and resilience against attacks today!