Day 31 of 60 · Dynamic, fuzz & dynamic security
Symbolic / concolic execution
Where ordinary fuzzing can't get past a magic-number check, symbolic engines walk through the door and produce concrete inputs that hit every reachable path.
Problem
Code paths fuzzers can't reach because they require structured inputs (parsers, file formats).
How it works
Treat inputs as symbolic variables; the engine explores all feasible paths and produces concrete inputs that hit each.
What it catches
Deep parser bugs, format-string vulnerabilities, path coverage that ordinary fuzzing misses. Niche; high setup cost.
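To make the "how it works" step concrete, here is a toy concolic executor in Python. It is an added example written for this page, not code from KLEE, angr or Manticore: the target `parse` function, its "MAG" magic number and version byte are constructed, the engine only understands branches of the form `byte == const` / `byte != const`, and a brute-force solver stands in for the SMT solver a real engine would call. The target runs concretely on real bytes while every comparison against an input byte is recorded as a path condition; the engine then negates each recorded condition in turn, solves for a fresh input, and re-runs, which is exactly the generational search that gets past checks random mutation almost never guesses.

```python
"""Toy concolic executor (added example, not KLEE/angr/Manticore code).

The target program runs concretely while each comparison against an input
byte is recorded as a path condition. The engine negates the recorded
conditions one at a time, solves the resulting constraint set for a new
concrete input, and re-runs. Constraints are limited to byte == const and
byte != const, so a brute-force search over 0..255 replaces the SMT solver
a real engine uses."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cond:
    idx: int   # input byte the branch inspected
    val: int   # constant it was compared with
    eq: bool   # True if the branch actually taken required byte == val


class SymByte:
    """One input byte; comparisons record the branch taken and return the concrete result."""
    __hash__ = None  # proxies are compared, never used as dict keys

    def __init__(self, trace, data, idx):
        self.trace, self.data, self.idx = trace, data, idx

    def __eq__(self, other):
        taken = self.data[self.idx] == other
        self.trace.append(Cond(self.idx, other, taken))
        return taken

    def __ne__(self, other):
        return not self.__eq__(other)


class SymInput:
    """Wraps a concrete byte string; indexing yields tracing SymByte proxies."""
    def __init__(self, data):
        self.data, self.trace = bytes(data), []

    def __getitem__(self, i):
        return SymByte(self.trace, self.data, i)


def parse(inp):
    """Constructed target: nested checks a random fuzzer almost never passes.
    Input length is fixed to the seed's length (6 bytes)."""
    if inp[0] != 0x4D or inp[1] != 0x41 or inp[2] != 0x47:   # magic "MAG"
        return "bad-magic"
    if inp[3] != 0x02:                                        # version byte
        return "bad-version"
    if inp[4] == 0xFF and inp[5] == 0xFF:                     # the deep path we want reached
        return "overflow-path"
    return "ok"


def solve(conds, seed):
    """Return bytes satisfying every Cond, keeping seed bytes where unconstrained,
    or None when the set is contradictory (e.g. byte == 1 and byte == 2)."""
    out = bytearray(seed)
    per_index = {}
    for c in conds:
        per_index.setdefault(c.idx, []).append(c)
    for idx, cs in per_index.items():
        for v in range(256):
            if all((v == c.val) == c.eq for c in cs):
                out[idx] = v
                break
        else:
            return None
    return bytes(out)


def explore(program, seed, max_inputs=200):
    """Generational search: run, flip each recorded branch, solve, enqueue.
    Returns {outcome: first concrete input that reached it}."""
    reached, tried, worklist = {}, set(), [bytes(seed)]
    while worklist and len(tried) < max_inputs:
        data = worklist.pop(0)
        if data in tried:
            continue
        tried.add(data)
        inp = SymInput(data)
        reached.setdefault(program(inp), data)
        trace = inp.trace
        for k, c in enumerate(trace):
            flipped = Cond(c.idx, c.val, not c.eq)   # negate branch k, keep the prefix
            candidate = solve(trace[:k] + [flipped], data)
            if candidate is not None and candidate not in tried:
                worklist.append(candidate)
    return reached


if __name__ == "__main__":
    for outcome, data in explore(parse, b"\x00" * 6).items():
        print(f"{outcome:15} <- {data!r}")
```

Starting from six zero bytes, the search reaches all four outcomes in about twenty executions, including the `overflow-path` input `b"MAG\x02\xff\xff"` that a mutation fuzzer would need to guess 48 bits for. The limitations are also the lesson: the solver here only handles per-byte equality, and once a target compares hashes, checksums or arithmetic on several bytes, the constraint set needs a real SMT solver and path explosion becomes the cost the table above prices in.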
Tools
KLEE (OSS) · Manticore (OSS) · angr (OSS)
Verdict by project size
Small: Skip · Medium: Skip · Large: Optional · Extra-large: Recommended
Cost
| Project size | Setup | Maint / mo | Tool / mo | CI / run |
|---|---|---|---|---|
| Small (<10k LOC) | 5d | 2h | $0 | |
| Medium (10–100k LOC) | 15d | 10h | $0 | |
| Large (100k–1M LOC) | 50d | 40h | $0 | |
| Extra-large (>1M LOC) | 150d | 200h | $0 | |
Setup = engineer-days to first useful run · Maint = engineer-hours / month at steady state · Tool = out-of-pocket $ / month · CI = minutes added (or saved) per pipeline run
Lifecycle & ownership
When in lifecycle
Build · Test
Per merge · Runs after merge to main; nightly heavy jobs.
Who owns it
Security / AppSec
SAST, DAST, threat modelling
Collaborates with: Developer
Reference implementations
- KLEE tutorials: symbolic-execution walkthroughs that generate concrete failing inputs.
- angr examples: binary analysis and symbolic-execution examples.
- Manticore examples: symbolic execution examples for binaries and smart contracts.
Quick check
Symbolic / concolic execution shines where ordinary fuzzing struggles, namely…