FuzzForge OSS

AI-Powered Security Research Orchestration via MCP

Let AI agents orchestrate your security research workflows locally

_{Overview • Features • Installation • Usage Guide • Modules • Contributing}

---

🚧 FuzzForge OSS is under active development. Expect breaking changes and new features!

---

🚀 Overview

FuzzForge OSS is an open-source runtime that enables AI agents (GitHub Copilot, Claude, etc.) to orchestrate security research workflows through the Model Context Protocol (MCP).

The Core: Modules

At the heart of FuzzForge are modules - containerized security tools that AI agents can discover, configure, and orchestrate. Each module encapsulates a specific security capability (static analysis, fuzzing, crash analysis, etc.) and runs in an isolated container.

• 🔌 Plug & Play: Modules are self-contained - just pull and run
• 🤖 AI-Native: Designed for AI agent orchestration via MCP
• 🔗 Composable: Chain modules together into automated workflows
• 📦 Extensible: Build custom modules with the Python SDK

The OSS runtime handles module discovery, execution, and result collection. Security modules (developed separately) provide the actual security tooling - from static analyzers to fuzzers to crash triagers.

Instead of manually running security tools, describe what you want and let your AI assistant handle it.

🎬 Use Case: Rust Fuzzing Pipeline

Scenario: Fuzz a Rust crate to discover vulnerabilities using AI-assisted harness generation and parallel fuzzing.

1️⃣ Analyze, Generate & Validate Harnesses	2️⃣ Run Parallel Continuous Fuzzing
AI agent analyzes code, generates harnesses, and validates they compile	Multiple fuzzing sessions run in parallel with live metrics

---

⭐ Support the Project

If you find FuzzForge useful, please star the repo to support development! 🚀

---

✨ Features

Feature	Description
🤖 AI-Native	Built for MCP - works with GitHub Copilot, Claude, and any MCP-compatible agent
📦 Containerized	Each module runs in isolation via Docker or Podman
🔄 Continuous Mode	Long-running tasks (fuzzing) with real-time metrics streaming
🔗 Workflows	Chain multiple modules together in automated pipelines
🛠️ Extensible	Create custom modules with the Python SDK
🏠 Local First	All execution happens on your machine - no cloud required
🔒 Secure	Sandboxed containers with no network access by default

---

🏗️ Architecture

┌─────────────────────────────────────────────────────────────────┐
│                     AI Agent (Copilot/Claude)                   │
└───────────────────────────┬─────────────────────────────────────┘
                            │ MCP Protocol (stdio)
                            ▼
┌─────────────────────────────────────────────────────────────────┐
│                     FuzzForge MCP Server                        │
│  ┌─────────────┐  ┌──────────────┐  ┌────────────────────────┐  │
│  │list_modules │  │execute_module│  │start_continuous_module │  │
│  └─────────────┘  └──────────────┘  └────────────────────────┘  │
└───────────────────────────┬─────────────────────────────────────┘
                            │
                            ▼
┌─────────────────────────────────────────────────────────────────┐
│                     FuzzForge Runner                            │
│                  Container Engine (Docker/Podman)               │
└───────────────────────────┬─────────────────────────────────────┘
                            │
        ┌───────────────────┼───────────────────┐
        ▼                   ▼                   ▼
┌───────────────┐   ┌───────────────┐   ┌───────────────┐
│  Module A     │   │  Module B     │   │  Module C     │
│  (Container)  │   │  (Container)  │   │  (Container)  │
└───────────────┘   └───────────────┘   └───────────────┘

---

📦 Installation

Prerequisites

• Python 3.12+
• uv package manager
• Docker (Install Docker) or Podman

Quick Install

# Clone the repository
git clone https://github.com/FuzzingLabs/fuzzforge_ai.git
cd fuzzforge_ai

# Install dependencies
uv sync

# Build module images
make build-modules

Configure MCP for Your AI Agent

# For GitHub Copilot
uv run fuzzforge mcp install copilot

# For Claude Code (CLI)
uv run fuzzforge mcp install claude-code

# For Claude Desktop (standalone app)
uv run fuzzforge mcp install claude-desktop

# Verify installation
uv run fuzzforge mcp status

Restart your editor and your AI agent will have access to FuzzForge tools!

---

📦 Modules

FuzzForge modules are containerized security tools that AI agents can orchestrate. The module ecosystem is designed around a simple principle: the OSS runtime orchestrates, enterprise modules execute.

Module Ecosystem

	FuzzForge OSS	FuzzForge Enterprise Modules
What	Runtime & MCP server	Security research modules
License	Apache 2.0	BSL 1.1 (Business Source License)
Compatibility	✅ Runs any compatible module	✅ Works with OSS runtime

Enterprise modules are developed separately and provide production-ready security tooling:

Category	Modules	Description
🔍 Static Analysis	Rust Analyzer, Solidity Analyzer, Cairo Analyzer	Code analysis and fuzzable function detection
🎯 Fuzzing	Cargo Fuzzer, Honggfuzz, AFL++	Coverage-guided fuzz testing
💥 Crash Analysis	Crash Triager, Root Cause Analyzer	Automated crash deduplication and analysis
🔐 Vulnerability Detection	Pattern Matcher, Taint Analyzer	Security vulnerability scanning
📝 Reporting	Report Generator, SARIF Exporter	Automated security report generation

💡 Build your own modules! The FuzzForge SDK allows you to create custom modules that integrate seamlessly with the OSS runtime. See Creating Custom Modules.

Execution Modes

Modules run in two execution modes:

One-shot Execution

Run a module once and get results:

result = execute_module("my-analyzer", assets_path="/path/to/project")

Continuous Execution

For long-running tasks like fuzzing, with real-time metrics:

# Start continuous execution
session = start_continuous_module("my-fuzzer", 
    assets_path="/path/to/project",
    configuration={"target": "my_target"})

# Check status with live metrics
status = get_continuous_status(session["session_id"])

# Stop and collect results
stop_continuous_module(session["session_id"])

---

🛠️ Creating Custom Modules

Build your own security modules with the FuzzForge SDK:

from fuzzforge_modules_sdk import FuzzForgeModule, FuzzForgeModuleResults

class MySecurityModule(FuzzForgeModule):
    def _run(self, resources):
        self.emit_event("started", target=resources[0].path)
        
        # Your analysis logic here
        results = self.analyze(resources)
        
        self.emit_progress(100, status="completed", 
            message=f"Analysis complete")
        return FuzzForgeModuleResults.SUCCESS

📖 See the Module SDK Guide for details.

---

📁 Project Structure

fuzzforge_ai/
├── fuzzforge-cli/           # Command-line interface
├── fuzzforge-common/        # Shared abstractions (containers, storage)
├── fuzzforge-mcp/           # MCP server for AI agents
├── fuzzforge-modules/       # Security modules
│   └── fuzzforge-modules-sdk/   # Module development SDK
├── fuzzforge-runner/        # Local execution engine
├── fuzzforge-types/         # Type definitions & schemas
└── demo/                    # Demo projects for testing

---

🤝 Contributing

We welcome contributions from the community!

• 🐛 Report bugs via GitHub Issues
• 💡 Suggest features or improvements
• 🔧 Submit pull requests
• 📦 Share your custom modules

See CONTRIBUTING.md for guidelines.

---

📄 License

Apache 2.0 - See LICENSE for details.

---

Built with ❤️ by FuzzingLabs