Mayhem

NEW ACQUIRED
Category: DAST
License: commercial
Suphi Cankurt, AppSec Enthusiast
Updated March 23, 2026
Key Takeaways
  • Mayhem won the 2016 DARPA Cyber Grand Challenge for autonomous vulnerability discovery and became the first non-human DEF CON Black Badge recipient — now exhibited at the Smithsonian.
  • Combines coverage-guided fuzzing with symbolic execution to find vulnerabilities that traditional DAST scanners miss. Mayhem finds 2x more bugs than fuzzing alone, according to ForAllSecure.
  • Zero false positives: every finding includes a proof-of-vulnerability — a concrete input that reproduces the issue on your own machine. Unlike traditional DAST scanners, no triage is needed.
  • Dynamic SBOM reduces SCA noise by up to 80% by showing only runtime-reachable vulnerabilities, compared to traditional SCA tools that flag every known CVE in the dependency tree.
  • Acquired by Bugcrowd in November 2025. Founder David Brumley now serves as Bugcrowd's Chief AI and Science Officer, with the Mayhem platform being integrated into Bugcrowd's security testing platform.

Mayhem is an AI-driven security testing platform that uses coverage-guided fuzzing and symbolic execution to find vulnerabilities in APIs, compiled binaries, and containerized applications. Built by Carnegie Mellon University researchers who won the 2016 DARPA Cyber Grand Challenge, Mayhem takes a fundamentally different approach to dynamic application security testing (DAST) than traditional scanners: it generates thousands of targeted inputs per minute using code coverage feedback, and every reported finding includes a proof-of-vulnerability with zero false positives.

Overview

The story behind Mayhem starts at Carnegie Mellon’s CyLab. In 2012, professor David Brumley and graduate students Thanassis Avgerinos and Alex Rebert founded ForAllSecure to turn their research on automated vulnerability discovery into a product. In 2016, their system won the DARPA Cyber Grand Challenge, a competition where autonomous machines had to find, diagnose, and patch software vulnerabilities in real time with no human intervention. Mayhem became the first non-human competitor to earn a DEF CON Black Badge and was exhibited at the Smithsonian National Museum of American History.

The technology moved from defense research to commercial product in 2019 when ForAllSecure launched Mayhem as a SaaS platform. In October 2024, the company rebranded from ForAllSecure to Mayhem Security to align with its product identity.

In November 2025, Bugcrowd acquired Mayhem Security. All 11 employees joined Bugcrowd, and David Brumley became Bugcrowd’s Chief AI and Science Officer. The Mayhem platform is being integrated into Bugcrowd’s crowdsourced security testing platform to combine autonomous AI testing with human hacker expertise.

Product Screenshots

Screenshot: Mayhem platform overview — three testing modes (Code Security, API Security, SBOM Security) with defect tracking, SBOM noise reduction gauge showing 90%, and industry verticals served. Source: mayhem.security

Screenshot: Mayhem API defect detail — SQL injection finding with CWE-89 classification, severity rating, and proof-of-vulnerability showing the exact HTTP request (as a cURL command) and the 500 Internal Server Error response that confirms the bug. Source: mayhem.security

Screenshot: Mayhem Dynamic SBOM noise reduction — reachability analysis reduces vulnerability noise by 90%, filtering High severity from 256 to 46, Medium from 321 to 31, and Low from 423 to 23 actionable findings. Source: mayhem.security

Key Features

Feature            Details
Fuzzing Engine     Coverage-guided fuzzing with symbolic execution
False Positives    Zero: every finding includes a proof-of-vulnerability
API Testing        REST (OpenAPI), gRPC, Postman collections
Code Testing       Linux, Windows, ARM, MIPS, PPC binaries
SBOM Analysis      Dynamic reachability analysis, CycloneDX and SPDX support
Performance        P50/P90/P99 latency metrics for API endpoints
CI/CD              GitHub, GitLab, Jenkins, Azure DevOps, CircleCI, Travis CI
Reporting          SARIF format, CWE labeling, predictive CVSS scoring
Container Support  Docker and Kubernetes cluster analysis

DARPA-Proven Fuzzing

Mayhem combines over a dozen testing methods including coverage-guided fuzzing, symbolic execution, and behavioral analysis. The engine generates thousands of test cases per minute, exploring code paths that manual testing and signature-based scanners miss.

Zero False Positives

Every vulnerability Mayhem reports includes a proof-of-vulnerability: a concrete input that triggers the issue. You get the exact command to reproduce the bug on your own machine. No triage meetings debating whether a finding is real.

Dynamic SBOM

Stop chasing phantom CVEs. Mayhem’s reachability analysis determines which vulnerable packages in your dependency tree are actually invoked at runtime. Customers report cutting 80% of the noise from their SCA and SBOM tools, so remediation focuses on the vulnerabilities that actually matter.
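To make the difference between coverage feedback and a fixed payload list concrete, here is a toy coverage-guided fuzzer written for this page; it is not Mayhem's engine or any ForAllSecure code. The target parser (its three-byte "MHM" magic, version byte, length field and length-trust bug) is constructed for the example; coverage is recorded by hand into a set to stand in for compiler instrumentation, and loop hit counts are bucketed the way AFL does it. The fixed probe list plays the role of a signature-based scanner: none of its inputs gets past the magic check, so it reports nothing, while the coverage-guided loop learns the header byte by byte and then grows the payload until the copy overruns the buffer. The crashing input is finally re-run on its own, which is the check a proof-of-vulnerability lets you make.

```python
import random
from dataclasses import dataclass
from typing import Callable, List, Optional, Set

FIXED_BUFFER = 16  # bytes the constructed parser copies the payload into


def _bucket(n: int) -> int:
    # AFL-style hit-count buckets: a loop that ran 17 times is "new coverage"
    # relative to one that ran twice, which is what makes payload growth visible.
    for limit in (1, 2, 3, 4, 8, 16, 32, 128):
        if n <= limit:
            return limit
    return 256


def parse_record(data: bytes, cov: Set) -> str:
    """Constructed target: 'MHM' magic, version byte, 16-bit LE length, payload.
    `cov` stands in for compiler-inserted edge coverage."""
    cov.add("entry")
    if len(data) < 4:
        cov.add("too-short")
        return "too-short"
    for i, expected in enumerate(b"MHM"):
        if data[i] != expected:
            cov.add(("bad-magic", i))
            return "bad-magic"
        cov.add(("magic", i))          # each matched byte is its own edge
    if data[3] != 2:
        cov.add("unsupported-version")
        return "unsupported-version"
    cov.add("v2")
    if len(data) < 6:
        cov.add("no-length")
        return "no-length"
    declared = data[4] | (data[5] << 8)
    payload = data[6:6 + declared]
    buf = bytearray(FIXED_BUFFER)
    for i, b in enumerate(payload):
        cov.add(("copy", _bucket(i + 1)))
        buf[i] = b   # BUG: declared length is trusted; the IndexError at i == 16
                     # is this toy's stand-in for a heap overflow
    cov.add("done")
    return "ok"


INTERESTING = [0, 1, 2, 3, 4, 7, 8, 15, 16, 17, 31, 32, 63, 64, 127, 128, 255]


def mutate(data: bytes, rng: random.Random) -> bytes:
    """A few classic mutators: bit flip, random byte, interesting value, insert, delete, duplicate."""
    d = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(6)
        if op == 0 and d:
            d[rng.randrange(len(d))] ^= 1 << rng.randrange(8)
        elif op == 1 and d:
            d[rng.randrange(len(d))] = rng.randrange(256)
        elif op == 2 and d:
            d[rng.randrange(len(d))] = rng.choice(INTERESTING)
        elif op == 3:
            i = rng.randrange(len(d) + 1)
            d[i:i] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
        elif op == 4 and len(d) > 1:
            del d[rng.randrange(len(d))]
        elif d:
            a = rng.randrange(len(d))
            b = rng.randrange(a, len(d)) + 1
            d[b:b] = d[a:b]                # duplicate a chunk (grows the input)
    return bytes(d[:512])


@dataclass
class FuzzResult:
    crash_input: Optional[bytes]
    executions: int
    corpus_size: int
    edges: int


def coverage_guided_fuzz(target: Callable, seeds: List[bytes], budget: int = 300_000,
                         seed: int = 1) -> FuzzResult:
    """Keep every input that reaches a new edge; mutate from the corpus; stop on the first crash."""
    rng = random.Random(seed)
    corpus, seen, execs = list(seeds), set(), 0
    for s in corpus:
        cov = set()
        execs += 1
        try:
            target(s, cov)
        except Exception:
            return FuzzResult(s, execs, len(corpus), len(seen))
        seen |= cov
    while execs < budget:
        # Favour the newest entry half the time: a crude version of AFL's queue scheduling.
        parent = corpus[-1] if rng.random() < 0.5 else rng.choice(corpus)
        child = mutate(parent, rng)
        cov = set()
        execs += 1
        try:
            target(child, cov)
        except Exception:                  # any unhandled exception == sanitizer report
            return FuzzResult(child, execs, len(corpus), len(seen))
        if not cov <= seen:                # new edge: keep the input
            seen |= cov
            corpus.append(child)
    return FuzzResult(None, execs, len(corpus), len(seen))


# Stand-in for a signature-based scanner: a fixed list of generic probes, no feedback.
GENERIC_PROBES = [b"", b"A" * 1024, b"\x00" * 64, b"\xff" * 64, b"%s%s%n", b"../../../"]


def fixed_probe_scan(target: Callable) -> List[bytes]:
    crashes = []
    for p in GENERIC_PROBES:
        try:
            target(p, set())
        except Exception:
            crashes.append(p)
    return crashes


def reproduces(target: Callable, data: bytes) -> bool:
    """Re-run one input in isolation, the way a proof-of-vulnerability is verified."""
    try:
        target(data, set())
    except Exception:
        return True
    return False


if __name__ == "__main__":
    print("fixed probes that crashed:", fixed_probe_scan(parse_record))
    r = coverage_guided_fuzz(parse_record, [b"\x00" * 8])
    print(f"{r.executions} executions, {r.edges} edges seen, corpus size {r.corpus_size}")
    print("crash input:", r.crash_input, "reproduces:", reproduces(parse_record, r.crash_input))
```

The fixed probes never see anything past the magic check, so they report nothing; the guided loop reaches the copy loop and the length bug because each partially correct input is kept as a stepping stone. The same shape, with real edge instrumentation and far more mutators and scheduling, is what a coverage-guided engine does at thousands of executions per second.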

Use Cases

Mayhem serves teams that need deeper vulnerability discovery than signature-based DAST scanners provide, especially in environments where false positives are expensive to triage.

  • API security testing for teams building REST or gRPC services. Mayhem parses OpenAPI specs and Postman collections, generates intelligent test cases, and verifies both positive behavior (API does what it should) and negative behavior (API rejects what it should not accept). Supports OWASP API Top 10 coverage.
  • Embedded systems and IoT firmware testing. Mayhem’s support for ARM, MIPS, and PowerPC binaries makes it one of the few DAST tools that can fuzz native firmware without recompilation. Unlike traditional web-focused DAST scanners like Burp Suite, Mayhem can test compiled binaries directly.
  • SBOM noise reduction for organizations drowning in SCA alerts. Dynamic SBOM shows only vulnerabilities reachable during runtime, reducing noise by up to 80% compared to traditional SCA tools like Snyk or Grype.
  • CI/CD pipeline integration for teams that want continuous fuzz testing on every code change. Mayhem links findings to specific commits and runs regression tests against previously discovered issues.

Bugcrowd Acquisition

Bugcrowd acquired Mayhem Security in November 2025. The Mayhem platform continues to operate and is being integrated into Bugcrowd’s crowdsourced security testing platform.

If you are evaluating Mayhem, check with Bugcrowd for the latest licensing and availability information, as the product roadmap may evolve as integration progresses.

Strengths & Limitations

Strengths:

  • Proven technology with DARPA Cyber Grand Challenge pedigree and real-world CVE discoveries at companies like Cloudflare and Roblox
  • Zero false positives through proof-of-vulnerability for every finding — unlike traditional DAST scanners where 20-40% of findings may be false alarms
  • Coverage-guided fuzzing finds 2x more bugs than fuzzing alone, detecting vulnerability classes that signature-based DAST scanners structurally cannot detect
  • Dynamic SBOM reachability analysis cuts SCA noise by up to 80%, showing only runtime-reachable vulnerabilities
  • Native binary testing supports Linux, Windows, ARM, MIPS, and PPC without recompilation or source code access
  • Strong CI/CD integration with SARIF output for interoperability with GitHub Code Scanning, VS Code, and other tools
  • Built-in ZAP integration for API testing provides supplementary DAST coverage alongside fuzzing

Limitations:

  • Acquisition by Bugcrowd creates uncertainty about future standalone availability and pricing
  • Fuzzing requires more setup than traditional DAST scanners: you need to provide build artifacts or container images, not just a URL
  • Not a traditional web application crawler; it does not spider HTML pages looking for forms and links like Burp Suite or Acunetix
  • Small team (11 employees at acquisition) means the platform’s future now depends on Bugcrowd’s integration priorities
  • API fuzzing requires an OpenAPI spec or Postman collection; cannot test undocumented API endpoints without a specification
  • No built-in WAF, DDoS protection, or runtime shielding. Mayhem is purely an offensive testing tool

Getting Started

1. Request access — Visit mayhem.security or contact Bugcrowd to get access to the Mayhem platform. A free trial has historically been available for API testing.
2. Prepare your target — For API testing, provide an OpenAPI specification or Postman collection along with the target URL. For code testing, containerize your application or provide the compiled binary.
3. Configure authentication — Set up API authentication using Basic Auth, Bearer Tokens, or Cookie-based methods. Mayhem supports custom authentication flows for complex scenarios.
4. Run a test — Launch a fuzz run. Mayhem automatically generates test cases, measures code coverage, and reports findings with proof-of-vulnerability for each issue.
5. Integrate into CI/CD — Add Mayhem to your pipeline using the native CLI (macOS, Linux, Windows) or Docker image. Configure it to fail builds on high-severity findings and run regression tests against previous results.

How Mayhem Compares

Mayhem sits in a distinct spot among DAST tools as a fuzzing-first platform rather than a traditional web scanner.

Against conventional DAST tools like Burp Suite, Acunetix, or Invicti, Mayhem trades breadth for depth. It does not crawl websites or fill out HTML forms. Instead, it generates thousands of targeted inputs per minute using code coverage feedback, finding memory corruption, crashes, and logic errors that signature-based scanners miss. The tradeoff: it requires compiled artifacts or API specs as input, not just a URL.

Compared to other API testing tools like StackHawk or Escape, Mayhem’s coverage-guided approach provides deeper testing but requires more initial setup. StackHawk is faster to configure for OpenAPI-based scanning; Mayhem finds more nuanced issues but demands build pipeline integration.

For teams that need both traditional web DAST and fuzzing, running Mayhem alongside a crawler-based scanner like ZAP or Nuclei covers both dimensions. Mayhem’s built-in ZAP integration for API testing already follows this complementary approach.

The Dynamic SBOM capability competes with SCA tools rather than DAST tools. Its runtime reachability analysis reduces noise from tools like Snyk, Dependabot, or Grype.

Note: Founded as ForAllSecure in 2012. Acquired by Bugcrowd in November 2025. David Brumley serves as Bugcrowd's Chief AI and Science Officer.

Frequently Asked Questions

What is Mayhem?
Mayhem is an AI-driven security testing platform originally built by ForAllSecure, a Carnegie Mellon University spinoff. It uses coverage-guided fuzzing and symbolic execution to autonomously discover vulnerabilities in APIs, compiled code, and container images. Mayhem won the 2016 DARPA Cyber Grand Challenge and was acquired by Bugcrowd in November 2025.
How does Mayhem differ from traditional DAST scanners?
Traditional DAST scanners send predefined attack payloads and check responses. Mayhem uses coverage-guided fuzzing that generates test cases based on code coverage feedback, exploring deep code paths that signature-based scanners miss. It also combines fuzzing with symbolic execution to reason about program behavior mathematically, finding 2x more bugs than fuzzing alone according to ForAllSecure.
What does zero false positives mean in Mayhem?
Every vulnerability Mayhem reports comes with a proof-of-vulnerability (POV): a concrete test case that triggers the issue. You can reproduce the bug using the exact command Mayhem provides. If the POV triggers the issue, the finding is confirmed real. This eliminates time wasted triaging false alarms.
What is Mayhem Dynamic SBOM?
Dynamic SBOM is Mayhem’s approach to Software Bill of Materials analysis. Instead of flagging every known CVE in your dependency tree, it uses runtime reachability analysis to determine which vulnerable packages are actually invoked when your application runs. Customers report an average 80% reduction in SBOM noise compared to traditional SCA tools.
Was Mayhem acquired by Bugcrowd?
Yes. Bugcrowd announced the acquisition of Mayhem Security (formerly ForAllSecure) on November 4, 2025. All 11 Mayhem employees joined Bugcrowd. Founder David Brumley became Bugcrowd’s Chief AI and Science Officer. The Mayhem platform is being integrated into Bugcrowd’s security testing platform.
Can Mayhem test APIs?
Yes. Mayhem for API parses OpenAPI specifications and Postman collections to automatically generate test cases. It supports REST APIs and gRPC, tests for OWASP API Top 10 weaknesses, and measures endpoint latency at P50/P90/P99 levels. It also includes built-in ZAP integration for supplementary scanning.