Day 24 of 60
·
Dynamic, fuzz & dynamic security
Formal verification & model checking
Reserved for the bugs no other technique can find, distributed protocols, cryptographic correctness, the parts of your system where being wrong is unrecoverable. AWS, Microsoft, and Cloudflare run it on their riskiest cores.
ProblemFor safety-critical systems, "extensive testing" isn't enough; you need a proof.
How it works
TLA+ / Alloy for protocol design; Coq / Lean / F* for proven implementations; Liquid Haskell for refinement types. Used at AWS, Microsoft, Cloudflare for the riskiest cores.
What it catches
Concurrency bugs, distributed-protocol violations, cryptographic correctness. Bugs discoverable no other way.
Tools
TLA+ · OSS Alloy · OSS Coq · OSS Lean · OSS
Verdict by project size
Small
Skip
Medium
Skip
Large
Opt
Extra-large
Rec
Cost
| Project size | Setup | Maint / mo | Tool / mo | CI / run |
|---|---|---|---|---|
| Small <10k LOC | 0h | 0h | $0 | , |
| Medium 10–100k LOC | 0h | 0h | $0 | , |
| Large 100k–1M LOC | 30d | 40h | $0 | , |
| Extra-large >1M LOC | 150d | 300h | $0 | , |
Setup = engineer-days to first useful run ·
Maint = engineer-hours / month at steady state ·
Tool = out-of-pocket $ / month ·
CI = minutes added (or saved) per pipeline run
Lifecycle & ownership
When in lifecycle
Build Test
Per merge · Runs after merge to main; nightly heavy jobs.
Who owns it
Security / AppSec
SAST, DAST, threat modelling
Collaborates with: Developer
Reference implementations
-
TLA+ examples
Model-checking examples for distributed systems, protocols, and algorithms.
-
Alloy examples
Model-checking examples for relational specifications.
-
AWS TLA+ examples
Cloud-system modeling example using TLA+ style verification.
Quick check
Formal verification (TLA+, Coq, Lean) is reserved for…
One question. Pick the best answer. Your streak is saved locally on this device.
Save the lesson
Download SVG ↓
Screenshot for a 1:1, drop it in Slack, or download the SVG.